Wednesday, 29 April 2020 01:50

Why do we not trust the COVID-19 app?


The federal government has a long history of 'bait and switch,' that's why.

It is unfortunate that, when it is most necessary for the public to trust the government in the matter of an information system, their heritage leaves everyone hanging.

For some recent history, we have the MyHealthRecord debacle where it became very clear that despite initial promises of total security and privacy, our health data wasn't as safe as we would prefer it to be. This writer opted the entire family out.

We also have the current metadata legislation that 'guarantees' that the content of our communications will not be passed to various government investigators, but will happily provide them the metadata. So, (for a hypothetical example) if someone calls the venereal disease clinic, then a couple of days later, their device location data shows them attending the clinic. And then a few days after that a call from the clinic and then immediately after that the person calls their 'significant other,' there is absolutely no need to know the content of the calls!

The metadata tells everything.

Of course, if the content of the call was more serious, we have the "Australian Assistance and Access Bill."  Such a quaint name for a privacy-destroying piece of legislation. For those who have forgotten, this bill was slid through federal parliament while no-one was really looking, just before Christmas 2018. For those who may remember, the ALP opposition insisted it was flawed, but agreed to pass it anyway, with a promise that they would fix it after being elected to government in the May 2019 election. Bzzzzt.

This bill essentially legislates for federal agencies to compel companies and individuals to provide sensitive data, even if that requires the creation of back doors into software in order to access the private communication of an identified person. Further, at no time may the individual or company disclose that they have undertaken the required action. Umm… good luck getting that back door through code review!

There are other laws, but I think you get the picture.

Which brings us to the government's COVID-19 tracing app. Overall, the intention is admirable. The app (relatively) anonymously tracks the location of the user and identifies anyone who was within 1.5m of the user for at least 15 minutes. Should the user report positive contact with a sufferer, or suffer from the virus itself, the location data is available for contact tracing. A coupe of minor quibble — firstly, relying on Bluetooth (as it does), the app cannot accurately rely on the 1.5m distance — my own phone will connect to a speaker over 10m away. Secondly, at least for iPhone users, the app must be running in the foreground in order to work — this is a design feature of the iPhone — and background tasks cannot access Bluetooth, and of course foreground tasks will chew through the battery.

Broadly, I believe this to be a great idea, although the promised release of the software source code has yet to occur, even though we were told it would be available immediately. No matter, experts smarter than I have decompiled the code and are generally happy with it – there are some "quibbles", but nothing too serious.

However, the issues are wider than that. Last week, the Federal Government announced that any collected data would be stored on Amazon Web Services cloud systems. Personally, I have no issue with the company, but we know that there are a number of data centres in Australia that are approved for secure government data, but AWS isn't one of them [Correction: I have since learned that I'd been given incorrect information.  AWS IS on the approved cloud storage list]! Further, it is understood that the tender for the storage services was very limited in the number of organisations asked to bid. The number ONE springs to mind!

Further, the privacy statement for the app leaves a lot to be desired. From a cursory reading, it seems to only barely meed the needs of the current privacy legislation and is silent on the privacy of the users who are 'matched' as having been in contact if a positive infection is determined.

Beyond that, the app (from a reading of the privacy statement) seems desperate to collect as little information as possible… possibly too little. Further, it is totally silent on the outcome in the situation where…

• Person 1 and Person 2 both have the app installed and flag each other as satisfying the proximity requirement - that data is stored in both phones (and on the AWS server? That's not entirely clear).

• Person 2 removes the app and all accumulated data, for whatever reason.

• Person 1 advises that they have been infected. The authorities then start tracing contacts. Is Person 2 included in the trace, or not? It would seem that they would remain listed in Person 1's database - the privacy statement claims that a request by Person 2 to remove data ought to be honoured, but the wording seems unclear as the data relates to two people - one who wants to have the data retained, and one who does not.

We also have a further issue. The government is (hand on heart) promising that the app will "play nice". "Trust us!" However, most of us will happily permit auto-update to occur – I have already seen mention of an update due later this week. My issue is that after a few weeks, we will become somewhat complacent and won't bother checking the "niceness" of the app and at around "update number 23" the code base may change to start doing less-nice things. Who would notice?

Our other objection is related to auto-removal. If the government really wanted to play nice, they would ensure that once the 'panic' was over, they would send a 'self-destruct' signal to the app to have it removed from every device. Somehow, in conjunction with our fear in the previous paragraph, we strongly doubt that will ever happen.

Finally, just to show that this isn't purely a personal paranoia, we asked Jon Oliver, Director and Data Scientist at Trend Micro for his thoughts.

"The health and safety of Australians during the COVID-19 pandemic is the paramount concern, and primary goal with regards to the release of the COVID-19 contact tracing app, COVIDsafe. However, that being said, the privacy and data security of those voluntarily signing up to the app still needs to be ensured.

"It is encouraging to see statements that suggest the source code will be released, as this will be extremely important to ensure the security and data integrity of the app, and exist as a point of transparency to encourage more people who may currently be skeptical to download the app. Obscurity is never a good security solution, particularly with such an anticipated widely used consumer app such as this, so once the source code is released, software and security experts will be highly motivated to analyse it. With multiple teams of experts readily processing the code both manually and with security tools, any potential vulnerabilities should be able to be identified quickly and efficiently."

I am not convinced of the safety of this app – it may be fine now, but I seriously doubt the government's ability to keep their grasping fingers off it. After-all, we have been reminded time and time again that HomeAffairs Minister Dutton is an ex-policeman… and every time we look, it seems he brings a policeman's mentality to the problems before him.

To channel my inner Simon Cowell, "it's a no from me."


Note, a follow-up to this piece is available here.

Read 6836 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Hybrid cloud promises to bring together the best of both worlds enabling businesses to combine the scalability and cost-effectiveness of the cloud with the performance and control that you can get from your on-premise infrastructure.

Reducing WAN latency is one of the biggest issues with hybrid cloud performance. Taking advantage of compression and data deduplication can reduce your network latency.

Research firm, Markets and Markets, predicted that the hybrid cloud market size is expected to grow from US$38.27 billion in 2017 to US$97.64 billion by 2023.

Colocation facilities provide many of the benefits of having your servers in the cloud while still maintaining physical control of your systems.

Cloud adjacency provided by colocation facilities can enable you to leverage their low latency high bandwidth connections to the cloud as well as providing a solid connection back to your on-premises corporate network.

Download this white paper to find out what you need to know about enabling the hybrid cloud in your organisation.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

Share News tips for the iTWire Journalists? Your tip will be anonymous