Australia’s contact tracing app will be critical to tracking and minimising the spread of coronavirus, according to the federal government, which has positioned the technology as a way to speed up the easing of lockdown measures.
But some privacy experts are concerned about the proportionality and design of the tool which allows the state to log the interactions of its citizens.
While several security and privacy protections are in place, the government says it has not had time to consult many of the groups which would typically be involved in such a controversial project.
And a critical piece of the debate – the application’s source code – is still missing, awaiting clearance from Canberra’s security agencies.
But even without the code, and some mixed early messaging – the Prime Minister did not initially rule out making the app mandatory and the minister in charge, Stuart Robert, suggested it worked by linking “phone numbers” – Australians jumped at the chance to download “COVIDSafe”.
Since launching on Sunday night, the contact tracing app has been downloaded more than 2 million times. It’s a staggering early adoption rate, but a long way off the level the government has previously said it needs for the app to be successful: around 40 per cent of the population.
Even for those who want to download the app, there are reports that it will not be effective on iPhones because of the way Apple’s smartphone handles Bluetooth.
The app works by using Bluetooth to record any other app user you have been in close contact with (approximately 1.5 metres) for more than 15 minutes – what the government calls “digital handshakes”. If an individual contracts coronavirus they can consent to have their logs and some personal information uploaded to a government server.
That information is shared with state health authorities to help contact other people who had been in close proximity to an infected person. The information is expected to help identify coronavirus “hotspots” and allow people to self-isolate earlier, ultimately slowing the pandemic.
Health minister Greg Hunt has stressed the information won’t leave devices unless a user who has become infected consents and the data will then be stored on a secure server accessible only by state health authorities.
“It cannot leave the country. It cannot be accessed by anybody other than a state public health official. It cannot be used for any purpose other than the provision of the data for the purposes of finding people with whom you have been in close contact with and it is punishable by jail if there is a breach of that.
“There is no geolocation. There is no Commonwealth access and it is stored in Australia and importantly it is deleted from your phone after 21 days.”
The government has committed to legislating to protect against any additional use of the data but parliament won’t sit until May. Until then it will rely on a determination under the Biosecurity Act to protect the data from any other access, a mechanism legal experts have reservations about.
The Department of Health has also agreed to all 19 recommendations of a Privacy Impact Assessment prepared by law firm Maddocks to improve protections. While the PIA did involve the privacy regulator and the Australian Human Rights Association it did not include stakeholder consultation beyond government entities because of what Maddocks described as “an extremely compressed timeframe”.
One particularly key recommendation from the PIA, according to experts Which-50 has spoken with, is the release of the app’s source code. The code would be a gesture of transparency but, importantly, it would also allow experts to scrutinise the code and detect vulnerabilities.
The government has agreed to release the code but not before it has been checked out by the Australian Signals Directorate’s Australian Cyber Security Centre. So while the app is now on the phones of a million Australians, the source code is yet to be seen, sparking concern from privacy and security experts.
The horse has bolted
“I think that the horse is already bolted,” says Dr Monique Mann, a senior lecturer in criminology at Deakin University and co-chair of the Australian Privacy Foundation’s Surveillance Committee.
“You’ve already got a million people with this app downloaded onto their phone and we don’t really know how it works.”
Mann says it’s difficult to trust the Australian government with citizens’ privacy given its track record and a series of “IT omnishambles”.
Last week the Australian Privacy Foundation called for more oversight and independent assessment of the app prior to its release, including an independent privacy impact assessment and the publication of the source code.
The government has not consulted the leading national privacy foundation or other leading civil society groups about the controversial app or its rollout, despite widespread calls for more scrutiny, according to Mann.
She cautions against downloading and using COVIDSafe.
“I’m definitely not going to be doing that and in the event that the government makes [COVIDSafe] mandatory I will not have a phone,” Mann tells Which-50.
“What we’ve seen from the Australian government across the board with metadata, with facial recognition [means] we really can’t trust them with expanded surveillance powers. And we really can’t trust them with big data IT projects.”
Security researcher Troy Hunt is keen to see the source code too, but is more confident in the privacy tradeoffs in Australia’s contact tracing app. Hunt tells Which-50 the design of the app – only infected users will upload information – and the security protections for the uploaded data are enough for him to download the app.
“[It is] very low risk in terms of what information that it actually collects [in terms of] what that looks like compared to all the other information I willingly share as it is or what the government already has access to.
“And on the flip side the potential upsides are enormous because they relate to the health of people like my parents. They’re in their 70s, I don’t want to see them catch this thing.”
Hunt says, based on what has been put forward so far, the security of the app appears “very solid”. But he too notes the source code needs to be released as soon as possible.
“I’d like to see it open-sourced because I want people to be able to go through and verify the claims about what’s collected, how it’s managed [and] what’s uploaded.”
Hunt says he’d also like to see stronger measures to ensure the data is permanently deleted once the pandemic ends. The government has made this commitment but is yet to provide details on how that will be guaranteed – the health minister’s determination requires app data to “be deleted after the COVID‑19 pandemic has concluded”.
Currently, when data is uploaded for an infected person it is stored on a government server hosted by American public cloud computing giant Amazon Web Services. The government has also accepted the recommendation that this contract be reviewed to ensure the American company has no access to data.
The announcement of AWS as the data storage provider following a limited tender process sparked some concern about data sovereignty and the government’s decision to go with a foreign company rather than a local option.
Several local companies have the necessary security clearance to store COVIDSafe data, but Hunt argues AWS is a safer option and its local data centres mean the data should never leave Australia. Amazon and Microsoft dominate the public cloud market, with Google’s cloud offering a distant third.
“They are the world’s largest cloud providers,” Hunt says. “They are better equipped than anyone not only to look after data but to encrypt it and secure it and everything else.
“Much more so than the [local] alternatives.”
The downside of AWS is that, whatever guarantees the Australian government offers, the ABC reports that AWS may be required under US law to hand over the data to the US government if it is issued with a subpoena.
Under the hood
Dali Kaafar, a Macquarie University professor and executive director of the university’s Cyber Security Hub, is currently examining the app.
“We have been looking into the different pieces of code used and essentially reconstructing the source code approximately as if it was open [sourced].
“But I’ll be waiting for the technical documentation and for much more transparency regarding how the code has been developed and where the data will be stored [before using it]. So there’s a number of unknowns yet that essentially are putting me off from installing it yet.”
Kaafar tells Which-50 there are positive signs so far in the app which, as expected, borrows heavily from the Singaporean TraceTogether app. He says the privacy protections are fundamentally the same.
The notable differences Kaafar and his team have detected so far are changes to allow for data storage with Amazon (TraceTogether used Google storage) and how often the temporary identifiers used to log interactions are rotated.
“It was every 15 minutes for the TraceTogether app and it’s being changed to every two hours in the Australian one. It’s probably because of the concern about draining too much of the battery. And so that’s an attempt to reduce that.”
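The mechanism described earlier (Bluetooth “digital handshakes” logged on the phone, upload only with an infected user’s consent, deletion after 21 days) and the rotating temporary identifiers Kaafar describes can be illustrated with a small model. The following is an added example written for this article, not code from COVIDSafe or TraceTogether. It assumes a simple design in which the health server issues random temporary IDs and is the only party able to map them back to a user; the one-minute scan interval and the distance estimate are also assumptions. The thresholds (1.5 metres, more than 15 minutes, 21-day retention) and the two-hour rotation interval are the figures given in the article.

```python
"""Toy model of a centralised, consent-based contact-tracing log.
Constructed example for illustration only; not COVIDSafe's or TraceTogether's
code. Thresholds come from the article; scan interval, distance estimate and
random-token temp IDs are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

PROXIMITY_METRES = 1.5            # "approximately 1.5 metres"
CONTACT_MINUTES = 15              # a contact must last more than 15 minutes
RETENTION = timedelta(days=21)    # "deleted from your phone after 21 days"
ROTATION = timedelta(hours=2)     # temp ID rotation: 2 h (TraceTogether: 15 min)
SCAN_INTERVAL_MINUTES = 1         # assumption: one Bluetooth scan per minute


@dataclass(frozen=True)
class Sighting:
    """One logged 'digital handshake': when, which temp ID, how far away."""
    seen_at: datetime
    temp_id: str
    distance_m: float             # assumed to be estimated from signal strength


class HealthServer:
    """Issues opaque temporary IDs and is the only party that can resolve them."""

    def __init__(self) -> None:
        self._issued: dict[str, str] = {}      # temp_id -> user

    def issue_temp_id(self, user: str) -> str:
        temp_id = secrets.token_hex(8)         # random: reveals nothing by itself
        self._issued[temp_id] = user
        return temp_id

    def close_contacts(self, uploaded: list[Sighting]) -> dict[str, int]:
        """Resolve an uploaded log into minutes of contact per user."""
        minutes: dict[str, int] = {}
        for s in uploaded:
            user = self._issued.get(s.temp_id)
            if user is None:
                continue                       # unknown ID: nothing to resolve
            minutes[user] = minutes.get(user, 0) + SCAN_INTERVAL_MINUTES
        return {u: m for u, m in minutes.items() if m > CONTACT_MINUTES}


class Device:
    """A phone: advertises its current temp ID and logs the IDs it sees nearby."""

    def __init__(self, owner: str, server: HealthServer) -> None:
        self.owner, self.server = owner, server
        self.log: list[Sighting] = []
        self._window_start: datetime | None = None
        self._temp_id = ""

    def advertise(self, now: datetime) -> str:
        """Return the temp ID currently broadcast, rotating it every ROTATION."""
        if self._window_start is None or now - self._window_start >= ROTATION:
            self._window_start = now
            self._temp_id = self.server.issue_temp_id(self.owner)
        return self._temp_id

    def observe(self, now: datetime, temp_id: str, distance_m: float) -> None:
        """Log a handshake only when the other phone is within range."""
        if distance_m <= PROXIMITY_METRES:
            self.log.append(Sighting(now, temp_id, distance_m))

    def purge(self, now: datetime) -> None:
        """Drop log entries older than the retention period."""
        self.log = [s for s in self.log if now - s.seen_at < RETENTION]

    def upload(self, consent: bool) -> list[Sighting]:
        """Nothing leaves the phone unless the (infected) owner consents."""
        return list(self.log) if consent else []


def simulate() -> dict:
    """Constructed scenario: Alice tests positive and uploads her log."""
    server = HealthServer()
    t0 = datetime(2020, 4, 27, 9, 0)           # constructed timestamp
    alice, bob, carol, dave = (Device(n, server) for n in ("alice", "bob", "carol", "dave"))

    # Bob's current ID is already 1 h 50 min old, so it rotates 10 minutes into
    # the encounter: Alice logs two different IDs for one 20-minute contact.
    bob.advertise(t0 - timedelta(hours=1, minutes=50))
    for i in range(20):
        alice.observe(t0 + timedelta(minutes=i), bob.advertise(t0 + timedelta(minutes=i)), 1.0)
    for i in range(5):                         # Carol: 5 minutes, too short
        alice.observe(t0 + timedelta(minutes=i), carol.advertise(t0 + timedelta(minutes=i)), 0.8)
    for i in range(30):                        # Dave: 30 minutes, but 4 m away
        alice.observe(t0 + timedelta(minutes=i), dave.advertise(t0 + timedelta(minutes=i)), 4.0)
    # A stale entry from 25 days ago: past the 21-day retention, must be purged.
    alice.log.append(Sighting(t0 - timedelta(days=25), "stale-temp-id", 1.0))

    alice.purge(t0 + timedelta(minutes=30))
    uploaded = alice.upload(consent=True)
    return {
        "uploaded_entries": len(uploaded),                            # 25: Bob 20 + Carol 5
        "distinct_temp_ids": len({s.temp_id for s in uploaded}),      # 3
        "close_contacts": server.close_contacts(uploaded),            # {"bob": 20}
        "uploaded_without_consent": len(alice.upload(consent=False)), # 0
    }


if __name__ == "__main__":
    print(simulate())
```

Two things are worth noticing in the model. The phone’s log holds only short-lived random tokens, never names or phone numbers, and Alice’s 20-minute contact with Bob is counted only because the server can resolve both of the IDs he broadcast; that is what makes the design centralised, and why the trust placed in that server (and in the legal limits on it) matters so much. The rotation interval is a privacy trade-off in its own right: the longer an identifier stays constant, the longer any observer can link a phone’s broadcasts together, so moving from 15 minutes to two hours buys battery life at the cost of a wider linkability window.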
It’s still too early to say whether there are serious vulnerabilities in the app, Kaafar says. But opening up the source code will certainly be a way to increase the “friendly help” for detecting them.
“Now you have only a very limited set of experts – including ourselves – looking at this but the more you open this code the better.”
He also notes the government has opted for a centralised model of data storage where information is stored on a government server rather than the decentralised or local storage option several European countries are considering.
“There are some protocols out there that operate in a decentralised way, and that would make tracing efficient and possible without having these limitations on the privacy settings.”
Kaafar says he will continue to investigate the app but will wait until a legislative framework is in place to clarify and protect data storage.
Legislation vs determination
Law Council of Australia president Pauline Wright this week welcomed the government’s opt-in approach to contact tracing and some of the data protections. But she says she is concerned about the strength of Health Minister Greg Hunt’s determination and the potential “legal ambiguity” around whether security agencies could override it.
“The Law Council does not consider that an executive order is the optimum way to make laws, especially laws that determine criminal offences and make provisions for important protections of privacy and security of personal information, so it is critical that legislation be introduced as soon as possible,” Wright said in a statement.
“As an executive instrument, the determination is inherently susceptible to unilateral executive amendment or repeal and must be considered as a strictly interim measure, pending the introduction of legislation in the Parliament to put the regulatory framework on a comprehensive statutory footing.”
On Monday night the Prime Minister tweeted that more than 2 million people have now downloaded the app and called on others to help keep families, doctors and nurses safe by downloading it.
“It seems the government is essentially rolling the dice and seeing how many people will sign up based on ‘Team Australia’ messaging, rather than transparent processes and design which optimises effectiveness and privacy,” says Dr Katharine Kemp, a digital privacy expert and senior lecturer at the UNSW Faculty of Law.
“That’s definitely a gamble,” she tells Which-50. “If they lose trust now due to vulnerabilities in data protection or difficulties in making the app work on iPhones, for example, they will lose the ‘swing votes’ which are vital for a sufficient uptake.”
Kemp says she won’t be downloading the app yet either and will wait for further protections.
“If we must have a centralised model like COVIDSafe, we should have legislated protections rather than depending on a determination by the Minister. The government has included some worthwhile protections in the determination, but there are further definitions and limits that will need to be imposed in the interest of data protection and a genuine consent-based system.”
The government’s “chequered history” on privacy means it is even more important that it take a disciplined approach to the app and privacy protections, according to Kemp.
“People have quite a fresh memory, for example, of the government releasing ‘de-identified’ Medicare data that was linked back to individual patients; and publishing the private information of a journalist who criticised Centrelink.
“It makes people justifiably sceptical.”