Australia eyes payment card data for contact tracing

Going where South Korea and Taiwan dared not go.

Australian health officials have been asked to investigate tapping card payment data to track the spread of COVID-19 infections.

It’s an extreme measure, especially for a country whose response to COVID-19 compares favourably to most of its global peers. The idea was put forward as part of a national review of contact tracing methods by Australia’s policy makers, chaired by its chief scientist, Dr Alan Finkel.

Dr Finkel’s final report recommends the Australia’s Department of Health lead “arrangements between states and territories and payment card providers so that contact tracers from the states and territories will be able to request contact details of persons who have made a transaction at a hotspot venue.”

Australia wouldn’t be the first country to tap credit card data for contact tracing, but this would cross a line other countries haven’t dared to. Contact tracers in the Czech Republic and South Korea can seek consent from people that test positive to COVID-19 for temporary permission to read bank statements data to help identify hotspots, but they don’t use payments data to directly identify other people that attended the hotspot. Officials in Taiwan considered using payment data for contact tracing during an outbreak there, but were stymied by unspecified “access difficulties” and privacy concerns. As Professor Chang-Chuan Chan of National Taiwan University told Risky Biz this week, credit card data would have to be a lot more useful for contact tracing before people in Taiwan would be willing to give up their privacy for it.

Contact tracers in New South Wales have reportedly already used credit card data once in a scramble to locate the passengers of a Sydney taxi driver, with mixed success. Dr Finkel’s review notes that some states might need to pass new legislation to use payments data on an ongoing basis, but representatives from his office wouldn’t comment on what laws stand in the way.

I’m not entirely convinced that privacy laws would need modification. Australia’s Privacy Act makes exceptions for sharing data when there is an “immediate threat lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety.” But the government might need to pass other enabling legislation to ensure that a complex payment ecosystem can produce data that’s actually effective for contact tracing purposes.

Let’s say, for example, that a person that tested positive dined in at a fast food outlet while they were symptomatic and contact tracers want a faster means of identifying people that ate there at the same time.

In an ideal world, proximity-based contact tracing apps would have solved this problem, but as we’ve previously reported, the Australian Government spent tens of millions on an app that was always going to fail a large subset of users. (We especially loved how politely the report rubbished COVIDSafe).

Attendance registration apps, which help workplaces and public spaces like restaurants keep records of who enters the premises, are where state authorities see more promise. New South Wales, for example, has made it mandatory for certain classes of businesses to adopt a check-in app, and offers up its own QR-based system for one-click attendance registration.

Dr Finkel’s report bemoans a proliferation of third-party attendance registration apps that “request unnecessary information from customers”, often for marketing purposes. Many of these apps rely both on the record-keeping vigilance of a business or the honesty of customers, none of which can be guaranteed. The report recommends that every state mandate their own attendance apps or force third parties to offer apps that comply with a state standard. It also recommends an inter-state exchange of contact tracing data (connected via API, or failing that, providing guest log-ins to contact tracers in other states) to manage outbreaks that cross state lines.

These are probably going to be easier recommendations to land. Using transaction data to solve the same problem introduces a few challenges.

For the sake of accuracy, health authorities would want to compel a payment acquirer (the restaurant’s bank for merchant services, in our example) to provide a list of identifiers for payment terminals in a hotspot to submit to card issuers (all the banks, credit unions and other firms that issue cards in Australia) to resolve them against the information they store about customers. To complicate matters a little, some merchants use multiple payment terminals from different acquirers in one location (taxi drivers might offer several payment terminals, for example), and in the case of mobile payments, several intermediate steps are required before you could identify customers using a specific terminal.

Some merchants might be able to provide their Merchant ID or Terminal ID on the spot, but there are a few thorny issues to consider if you cut acquirers from the process. Card issuers are far more numerous than acquirers, they include non-bank organisations like the loyalty programs of grocery chains and airlines, and there are probably still a lot of cards issued by foreign-owned banks to enrol in the scheme. Health authorities should also expect to come across merchants that use the same IDs for multiple terminals in different locations.

So even if Australians could stomach the idea from a privacy perspective, there’s a bit of homework to do on this one.