Monday, 04 May 2020 02:32

COVIDSafe App – an update to why it should be avoided

By David Heath

I read the privacy policy so you wouldn't have to; there are other problems too.

I believe the privacy policy has a fatal flaw that must urgently be fixed, although it is not obvious how.

I wrote previously about issues with the Australian Government's recently-released COVIDSafe app for Android and iPhone and how the government's past history with data protections left everyone rather wary. I strongly suggest you read that piece before continuing.

Since the release at 6pm last Sunday, there have been approximately 4 million downloads, well short of the 40% they claim would be required to achieve sufficient coverage. Statistics I've seen suggest around 16.5 million Australian adults have at least one smartphone, so 40% would be around 6.6 million. Demographic data suggests that Australia's total population is 25.5 million (approx.) with around 6 million aged below 16 (and not directly authorised to install it), meaning 19.5 million people are eligible to have the app, 3 million of whom have no phone to install it on. So, we're not even half-way there. And the take-up rate appears to be declining.

That's 24% of phones with the app installed (with no statistics on how many have subsequently removed it) and 20.5% of the total adult population. I have never been clear on whether the government's 40% penetration related to phone ownership or total adult population, but either way I strongly doubt we will ever get there. Perhaps if the app had been launched two months ago at the beginning of the problem, it would have been more useful.

It seems the government has poisoned this well too many times. By the way, when the app's official launch happened (a little over a week ago), did anyone else notice that the Minister was surrounded by medical people all asking us to help them, but there wasn't one single person there with IT, privacy or security credentials? Telling, I thought.

Further, there have been warnings in a tweet from Diabetes Australia that the app is interfering with sub-skin continuous glucose monitor (CGM) systems. These devices constantly monitor glucose levels for diabetics and communicate (oddly enough) using Bluetooth.


Diabetes Australia has recommended CGM users uninstall the app if they have it.

Over the weekend we learned that despite the app being live for over a week, there is currently no ability for state health authorities to access and use the contact data. This means that if I found out LAST MONDAY that I was either afflicted or had come in contact with someone who was, I'd obviously hit the "I'm Unclean" button.

And then, NOTHING WOULD HAPPEN. We're told that the rules will be finalised later this coming week. I think the technical term is "couldn't organise a <nice activity> in a <suitable location>."

In my earlier piece, I touched on the Privacy Policy and pointed out some deficiencies.

After a deeper reading, it seems there is a fatal flaw.

The policy says that you can use a pseudonym and also that you must provide your mobile number. That is enough to constitute personal information. That's fine; the policy describes storage rules, usage, correction and deletion.

However, we also know that when a contact is established, details are exchanged between the two devices. Personal information.

Of course, we can delete the app from our device, and we're promised that our data also goes. But here is where the difficulty comes in.

If I have been close to you for 15 minutes, and we both have the app, we will exchange the appropriate personal information. Next, I get cold feet and delete the app.

Despite the fact that my information is deleted from my device, it is NOT deleted from your device. In fact there is no way to achieve this. The app is all or nothing - the only way my information could be removed is if you delete it too.

Worse, if you hit the 'I'm unclean' button my details will be uploaded as part of the contact package. If that happens, there is no way to remove it. The privacy statement is very clear: "To ensure maximum security of your COVIDSafe data, you will not be able to access your data held in the data store."

My reading of current privacy legislation is that this is not legal. Please, someone correct me if I'm wrong.

As a final "aside", if any European citizen is currently in Australia and installs the app, GDPR will apply. I believe it too identifies the same problem.

The Department Privacy Officer has been contacted, but as this was written in the early hours of Monday morning, no response is expected immediately. An update will be provided if appropriate.

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
