Is COVIDSafe safe?

Published Apr 29, 2020 by Xiph

Here’s what you need to know about the controversial coronavirus tracing application

On Sunday 26 April, the federal government rolled out a mobile application in an endeavour to further reduce the spread of COVID-19. Available on both Google Play and Apple’s App Store, COVIDSafe aims to assist health officials in identifying people who may have come into contact with those infected with the virus. 


 

COVIDSafe

While anything that reduces the coronavirus threat and therefore increases the likelihood of eased restrictions is more than welcome, a number of questions surrounding government transparency and user privacy have arisen and are worthy of exploration.

Let’s take a look under the hood.

What is COVIDSafe?

Based on TraceTogether, Singapore’s “community-driven contact tracing” application, COVIDSafe automates the process of determining who has been in close contact with COVID-19. The idea is that if you spend time within 1.5 metres of someone else with the application, contact information will be recorded via a Bluetooth handshake. If that person has been infected with the virus, you will be alerted by health officials and can take appropriate measures.

Downloading COVIDSafe is voluntary and by all accounts, user information is anonymous. Government officials claim that the undertaking will be largely ineffective unless 40 per cent of Australians (roughly 10 million) register to use the application. The initial response has been promising, with 1 million Australians reportedly downloading COVIDSafe within five hours of its release. So far, so good. However, if there is a concern set to interfere with the government’s plans, it’s user privacy.

Cloudy matters of transparency

When the app was announced on 14 April, the government stipulated that the source code for COVIDSafe would be released to the public. Tick. This promise of transparency went a long way in comforting those with privacy concerns, as it would allow techies to place the code under forensic scrutiny.

Since then, that promise has been broken… or perhaps simply amended. By April 21, health minister Greg Hunt had repositioned his government’s stance by claiming that “everything that can be released, will be, for sure”, then going onto suggest that in order to stave off hackers, only a portion of the code would see the light of day. Which, as anyone with a modicum of technical knowledge will know, flies in the face of what constitutes open source. Without the complete source code, it’s impossible for security flaws to be found and fixed.

Whether Hunt was merely mistaken due to limited technical knowledge, or perhaps due to pressure from digital rights advocates, we’ve now been told that the entire source code will be released sometime in the second week of May. The reasoning behind the delay is so that the app’s safety and security can be assessed and reviewed, to ensure there is “absolute protection of privacy above all else”. Which sounds lovely and noble, but if the app is already in the hands of millions of Australians, then shouldn’t the code already have been afforded such scrutiny?  

Who can access what?

Prime Minister Scott Morrison has called downloading the app a civic duty, so if we’re going to fulfil it, it’s only reasonable to wonder who gets access to the collected data. Hunt has attempted to soothe any concerns that law enforcement or other agencies could make use of the pervasive monitoring by calling such actions prohibited. Consensus says that only health officials are allowed to access the data and only in cases of a positive diagnosis and that even then, such individuals must select to push the contact data up to those officials. This means that specific contact data cannot be accessed by:

   • Any government bodies outside of health

   • Law enforcement or similar agencies

   • Telco or tech companies

   • Third-party data investors

   • Individuals themselves (app users cannot find out who they’ve come into contact with)

This is all well and good, though a question arises over what happens when an individual is too sick or incapacitated to push the diagnosis up to health officials – and whether the government will find a way to retroactively access user devices and/or information without consent.

It’s not the product, it’s the salesman

When viewed from within a vacuum, it’s difficult to argue against COVIDSafe’s value. If over 40 per cent of Australians download the application and use it correctly, then we could perhaps see a dramatic drop in the spread of COVID-19 and eased restrictions within a matter of weeks. That is a result worth working towards, even if it is via a data-collecting application, at least in theory. The issue is not with the technology itself, but with those spruiking it – a government that has routinely pushed for legislation that erodes the people’s right to privacy while at the same time, swearing to respect it.

Australia’s anti-encryption laws are some of the most Orwellian in the Western world. 2015 saw the government’s metadata retention scheme forcing Telcos to store user metadata for a period of two years so that 21 law enforcement agencies could access it without a warrant. Dutton’s Assistance and Access Bill increased government powers to penetrate user-encrypted messaging and his voluntary code of practice proved less means to regulate the tech industry and more an empty gesture to silence naysayers.

In other words, when we’re told that the government is acting in our best interests or in a way that prioritises our privacy and security, we can’t be faulted for raising our eyebrows. We’d hope that such sinister behaviours would never come into play during a global crisis, but you only have to look at the USA’s post-9/11 mass surveillance measures (to which Australia was not immune) to feel that it isn’t impossible.

The only thing we can do is remain as informed as possible. Read privacy policies (luckily COVIDSafe’s are brief and easily digestible, at least, for the moment), cross-reference reliable sources and make decisions based on what you think is in your best interest. Even after listening to and fielding the opinions of experts, the only person who can tell you whether to push the COVIDSafe button, is you.


Posted in: Security