COVIDSafe, Australia’s contact tracing mobile app, is being hailed as a success with 6 million downloads and as a demonstration of the new “gold standard” of government tech delivery. But a month after launch, it is unclear how much utility the app provides health authorities.
The commonwealth government now says that privacy protections restricting COVIDSafe data access to state and territory health authorities mean it cannot access usage information about the app.
The number of coronavirus cases since the app was released has remained low across the country, making it difficult to assess the value of the app to the state and territory health authorities so far. Outside of a single case in Victoria, none have relied on data from the app to locate an at-risk individual.
Some experts are concerned the lack of information on actual use of the app makes it difficult to tell if it can be more useful in contact tracing efforts as lockdown conditions ease and the app becomes more important.
Government ministers have routinely cited the total download figure as evidence the app is effective, describing COVIDSafe as the “world-leading” contact tracing app.
“The number of downloads obviously is not a good proxy or is not a good indicator of how many users are really using it,” says Dali Kaafar, a Macquarie University professor and expert in digital privacy.
Kaafar has been examining the source code of COVIDSafe since it was released, a week after the app became available. He says the app is largely safe in terms of privacy protections but its efficacy as a contact tracing tool remains unclear.
The downloads figure includes a significant number of users yet to activate the app and those who abandon it when it asks for information or they encounter its technical problems, he said, adding that it is important to better understand usage of the app to ensure it is operating as intended.
“We’re projecting to be using this app in post-COVID lockdown settings,” Kaafar told Which-50. “It’s really really critical to understand the way that users are interacting with this app … It’s very very important people are actively managing the app so that it collects the data that we’re interested in collecting.”
Jumping the gun
COVIDSafe exchanges “digital handshakes” with other users of the app when they are in close proximity for 15 minutes or more. It does so using Bluetooth, rather than location tracking, and individual IDs are cycled regularly to improve privacy. The contact information is stored on the device but can be uploaded to a government server when the user consents following a COVID-19 diagnosis. That information resides on a central server and can only be legally accessed by state and territory health authorities to assist in contact tracing.
The government chose a centralised server model based on Singapore’s TraceTogether contact tracing app, which was deployed very early, rather than the decentralised models that followed and are now being used in some European countries.
After a rapid four-week development and a messaging blitz from government linking the app to easing social distancing restrictions, Australians flocked to download COVIDSafe, with 6 million total app downloads in less than a month.
COVIDSafe is now the fastest downloaded Australian government app of all time and its swift rollout “set a new gold standard for the design, development, and deployment of government services”, according to advocates.
But others have challenged that claim, citing multiple bugs, privacy, and security concerns with the app, as well as a lack of a verifiable measure of effectiveness.
Marie Johnson, managing director of the Centre for Digital Business, told InnovationAus last week that the app was rushed out without due consideration for how it could be evaluated.
“There appears to be this zeal for apps without really understanding how they are going to be used and evaluated, and the impact on people – particularly vulnerable people,” Johnson said.
“There was this rush to get this app out and there were no options considered, and the advice of the experts has come in a very chaotic way. For me, this is a case for how government services should not be done in the future.”
In recent weeks downloads have dropped considerably, leaving the government short of its initial target of 40 per cent of the population. Data from SensorTower, a mobile app analytics company, shared with Which-50 shows the app has only averaged about 23,000 installs per day for the past seven days.
Asked about active users, the government’s Digital Transformation Agency, which is managing the app, referred Which-50 to the Department of Health. A spokesperson for the department said the commonwealth government does not have access to usage information.
“The strict privacy legislation, which restricts access to data from the COVIDSafe app to health authorities in the states and territories for the sole purpose of COVID-19 contact tracing, means information about current users is not available to the Commonwealth Government,” the spokesperson said.
It is an offence to use COVIDSafe data relating to a person for any reason other than contact tracing by state and territory health officials. However, the legislation notes exemptions for “de‑identified statistical information about the total number of registrations through COVIDSafe”.
Information on active use of the COVIDSafe app is available to the central server, according to Vanessa Teague, adjunct associate professor at the Australian National University and chief executive of Thinking Cybersecurity.
“The AWS server should be getting regular (2-hourly) messages from everyone who is actively using the app, assuming their device is connected to the Internet. So the active-usage data shouldn’t be hard to derive.”
Teague says it is concerning if Australia has developed a privacy model that allows the server provider, American tech giant AWS, to receive identifiable information – which includes, at a minimum, a real phone number, even if you used false name information – but the commonwealth cannot access it.
“It seems to me to emphasise the advantages of a model in which that sort of information isn’t conveyed to anyone,” Teague told Which-50. “Neither the UK’s (centralised) app, nor the decentralised apps built around the Apple-Google exposure notification API, need to convey such frequent usage information to anyone.”
Use so far
The relatively low number of coronavirus cases in Australia makes use of COVIDSafe data by state and territory health authorities difficult to evaluate too. But health departments say improvements are needed.
Two weeks ago Victoria became the first state or territory to reveal it was using data from the app, amid conflicting reports of states and territories’ ability to access the data.
On May 20th Victorian health officials confirmed they had successfully used COVIDSafe data to notify and quarantine a man who had been exposed to a coronavirus-infected person with the app installed. But reports from The Guardian that same week claimed similar use in NSW, the most populous state and with the worst rate per capita of deaths, was not possible because health authorities could not incorporate the data into their contact tracing due to technical issues.
On Thursday, a NSW Health spokesperson confirmed the authority can now access COVIDSafe data and use it in contact tracing under strict privacy rules. But data from the app was yet to provide additional assistance to the 150 NSW Health staff conducting contact tracing.
“Members of a contact tracing team can, and have, accessed App data using strict privacy rules,” a NSW Health spokesperson told Which-50.
“Data from the App reflects details already obtained by these teams. NSW Health, together with other jurisdictions, is actively collaborating with the Digital Transformation Agency to prioritise enhancements to the App.
“We will continue to work with the Commonwealth while a formal evaluation of the contact tracing app is underway.”
Spokespeople for health authorities in QLD, WA, SA and the ACT confirmed access to the data was possible but was so far unnecessary because they were yet to have a case utilising the app.
Tasmania has access to data from the COVIDSafe app too, and it has been used as a part of contact tracing of the one case that has been diagnosed there since the app launched.
But it is not clear if the app data provided any extra contact tracing information.
Northern Territory officials did not provide a comment in response to questions on COVIDSafe data use.
Last week Google and Apple released the first iteration of their own contact tracing tools, an API that allows developers to build contact tracing apps based on a decentralised model with notifications built directly into the two major phone operating systems.
Over the weekend Switzerland launched the world’s first contact tracing app based on the Apple and Google API, with Swiss developers declaring their decentralised approach and direct integration with major operating systems a “no brainer”.
A spokesperson for the DTA told Which-50 the Apple and Google API is being considered for future use with COVIDSafe.
“The DTA and the Department of Health have been working with Apple and Google to understand and test the Exposure Notification Framework since it was released to see how it can be applied in Australia. That testing is ongoing.”