COVIDSafe: Is your sensitive data in danger?

On 26 April 2020, the Federal Government launched an app to combat the spread of coronavirus. Its launch has been plagued with controversy.

The COVIDSafe app is downloadable from Apple’s App Store, or from Google Play for Android. The app is intended to trace contact with other users via Bluetooth, so that, in the case that a user tests positive to COVID-19, they can upload this information to the app, and people who have potentially been exposed due to proximity recorded through the app will be notified. This automates and streamlines the process of informing potentially infected people, without relying on one individual’s memory of contact and the ability to get in touch with every individual they’ve contacted while contagious.

This is a goal that few could criticise – but the app’s launch has caused no small measure of consternation for privacy experts and tech developers. Let’s look at what the app is, and why it has caused concern. 

WHAT COVIDSAFE DOES

COVIDSafe records who you have been in contact with and for how long, in the event that you are diagnosed with COVID-19. Its primary purpose is to automate the process of recording and relaying information to people who you have potentially inadvertently exposed to the virus.

The app runs in the background on your smartphone, using Bluetooth to automatically record the other app users you might come into contact with. It also records details about the contact – date, time, distance, and duration of contact. It does not record location. These details cannot be accessed by anyone, including the user, and are stored in the phone for 21 days. This period allows for a hypothetical incubation period of 14 days, and a further 7 days to get test results. 

In the event that a user is diagnosed with COVID-19, the Department of Health states that ‘State and territory health officials will ask you for information about everyone you have been in contact with recently. You can choose to give them access to the information captured by the app about people you have been in close contact with – within 1.5 metres for 15 minutes or more.’

Downloading and using the app is voluntary, but the Federal Government says that a high usage rate will be most effective, with a goal of 40% uptake, or around 10 million people. 1.2 million have downloaded the app since the launch, which has been plagued with issues both bureaucratic and ethical in nature.

USABILITY ISSUES

COVIDSafe requires at least iOS 10, or Android 6.0 Marshmallow, with the Department of Health citing both security concerns and Bluetooth capacity as barriers to adapting the app for older operating systems and hardware. For this reason, the app can only run on an iPhone 5S or more recent models, and there is currently no official list of compatible Android devices.

According to the Deloitte Mobile Consumer Survey 2019, just over 10% of Australians record having ‘no ready access’ to a smartphone. Presumably, rates of individual ownership are even lower. A study from the same year shows that the lowest ownership rates are in those 55 or older. 

Users have also encountered issues with verification and sign-up. People with overseas mobile numbers cannot register, even if they are based in Australia. The region-specific issues don’t end there: if a potential user’s Google Play or Apple account is registered to another country, they will not be able to sign up to COVIDSafe.

Some potential users with Australian numbers have struggled to register their mobile numbers successfully as well. The Department of Health has offered a range of troubleshooting recommendations, including inputting the number with and without the 0 at the start, and revising answers on the previous screen so they include no special symbols (including simple punctuation marks like full stops and question marks). The app needs to remain running in the background to record data, which drains battery life, and it requires manual reopening after every shutdown.

App developer Quentin Zarvaas believes a decentralised approach would be more appropriate for an app with a usage this wide: ‘An approach like Apple’s ExposureNotification framework should be the end goal. This will minimise the app’s impact on battery life, and issues with having it running in the background, while also minimising what the government sees.’ 

He believes that a contact tracing app is a positive step, but he has concerns about the lack of transparency around the app’s development and updates. He also has concerns about the secrecy of its development, and its unintuitive usage.

‘The overall goal should be to make the app available to as many people as possible while collecting as little data as is necessary.’ 

Quentin Zarvaas

MORRISON’S BAD TRACK RECORD ON PRIVACY

But the issues with COVIDSafe aren’t just functional. Many have voiced concerns about the app’s license to track movement, while doubts about the Government’s ability to adequately protect sensitive user information are rife. The Morrison government has a history with privacy and security that might be described as chequered at best.

They have already weathered scandal after scandal following the botched implementation of digital health tool My Health Record, an opt-out system which stored its users’ medical data. The system allows third parties, including medical and public health researchers, as well as representatives from pharmaceutical companies, to apply for access to personal medical information of its user base; most shockingly of all, the system allowed police to access users’ personal medical records without consent from the user, until public outcry saw this legislation changed. On top of these privacy bungles, system glitches saw medical struggle to upload sensitive data. During the extended three-month opt-out period, over 2.5 million Australians chose to remove their records from the system.

While the Department of Health has stated that all collected data will be destroyed after the pandemic is over, the Australian State and Federal Governments have a similarly poor track record with adhering to privacy legislation. 

In February of 2020, the Australian Parliament’s national security committee accused state and federal government agencies of displaying ‘cavalier disregard’ for citizens’ privacy. Deputy Chair, Minister Anthony Byrne, cited findings of over 8000 counts of accessing data collected under the mandatory data retention legislation in the 2018-9 financial year, despite access being expressly forbidden by the legislation.

This disregard spread to police raids on journalists, which saw at least one instance of the AFP accessing journalists’ metadata without a special warrant, and illegally recording website and search histories of up to five years ago.

While COVIDSafe doesn’t track highly sensitive data, privacy experts are wary of its secretive development, combined with the Government’s poor track record with protecting and respecting private data.

OUR PRIVACY POST-PANDEMIC

Zarvaas is more concerned about ‘feature creep’ (a term used to describe the unnecessary expansion of a program or application’s features) than he is about the kind of data the app is currently collecting.

He elaborates, ‘What I really want to see is the Government releasing the source code to COVIDSafe. And not just once – the up-to-date source should always be available. While a number of analysts have reverse-engineered what the app is doing so far, we need to make sure there isn’t any additional data that they suddenly start collecting.’

He would also like to see a full review of all policies put in place during the pandemic, to ensure that no crisis policies that impinge on personal privacy rights carry forward, though he notes the Government’s failure to adequately review the controversial encryption-cracking bill, which allows law enforcement to covertly obtain information directly from a device.

Even so, Zarvaas believes that the Government is ‘acting in good faith,’ despite its track record: ‘My concerns are primarily technical, that I don’t think it’s going to be as effective as they’re claiming. I don’t want perfection to be the enemy of good, so this will have to do for now,’ he concluded.
 

Jini Maxwell is a writer and curator who lives in Naarm. They are an assistant curator at ACMI, where they also host the Women & Non-binary gamers club. They write about videogames and the people who make them. You can find them on Twitter @astroblob