It is unfortunate that, when it is most necessary for the public to trust the government in the matter of an information system, their heritage leaves everyone hanging.
For some recent history, we have the MyHealthRecord debacle where it became very clear that despite initial promises of total security and privacy, our health data wasn't as safe as we would prefer it to be. This writer opted the entire family out.
We also have the current metadata legislation that 'guarantees' that the content of our communications will not be passed to various government investigators, but will happily provide them the metadata. So, (for a hypothetical example) if someone calls the venereal disease clinic, then a couple of days later, their device location data shows them attending the clinic. And then a few days after that a call from the clinic and then immediately after that the person calls their 'significant other,' there is absolutely no need to know the content of the calls!
Of course, if the content of the call was more serious, we have the "Australian Assistance and Access Bill." Such a quaint name for a privacy-destroying piece of legislation. For those who have forgotten, this bill was slid through federal parliament while no-one was really looking, just before Christmas 2018. For those who may remember, the ALP opposition insisted it was flawed, but agreed to pass it anyway, with a promise that they would fix it after being elected to government in the May 2019 election. Bzzzzt.
This bill essentially legislates for federal agencies to compel companies and individuals to provide sensitive data, even if that requires the creation of back doors into software in order to access the private communication of an identified person. Further, at no time may the individual or company disclose that they have undertaken the required action. Umm… good luck getting that back door through code review!
There are other laws, but I think you get the picture.
Which brings us to the government's COVID-19 tracing app. Overall, the intention is admirable. The app (relatively) anonymously tracks the location of the user and identifies anyone who was within 1.5m of the user for at least 15 minutes. Should the user report positive contact with a sufferer, or suffer from the virus itself, the location data is available for contact tracing. A couple of minor quibbles — firstly, relying on Bluetooth (as it does), the app cannot accurately rely on the 1.5m distance — my own phone will connect to a speaker over 10m away. Secondly, at least for iPhone users, the app must be running in the foreground in order to work — this is a design feature of the iPhone — background tasks cannot access Bluetooth, and of course foreground tasks will chew through the battery.
Broadly, I believe this to be a great idea, although the promised release of the software source code has yet to occur, even though we were told it would be available immediately. No matter, experts smarter than I have decompiled the code and are generally happy with it – there are some "quibbles", but nothing too serious.
However, the issues are wider than that. Last week, the Federal Government announced that any collected data would be stored on Amazon Web Services cloud systems. Personally, I have no issue with the company, but we know that there are a number of data centres in Australia that are approved for secure government data, but AWS isn't one of them [Correction: I have since learned that I'd been given incorrect information. AWS IS on the approved cloud storage list]! Further, it is understood that the tender for the storage services was very limited in the number of organisations asked to bid. The number ONE springs to mind!
Further, the privacy statement for the app leaves a lot to be desired. From a cursory reading, it seems to only barely meet the needs of the current privacy legislation and is silent on the privacy of the users who are 'matched' as having been in contact if a positive infection is determined.
Beyond that, the app (from a reading of the privacy statement) seems desperate to collect as little information as possible… possibly too little. Further, it is totally silent on the outcome in the situation where…
• Person 1 and Person 2 both have the app installed and flag each other as satisfying the proximity requirement - that data is stored in both phones (and on the AWS server? That's not entirely clear).
• Person 2 removes the app and all accumulated data, for whatever reason.
• Person 1 advises that they have been infected. The authorities then start tracing contacts. Is Person 2 included in the trace, or not? It would seem that they would remain listed in Person 1's database - the privacy statement claims that a request by Person 2 to remove data ought to be honoured, but the wording seems unclear as the data relates to two people - one who wants to have the data retained, and one who does not.
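The scenario in the three points above, as an added toy model that is not COVIDSafe's code or design: a device-local encounter log with the article's 1.5m / 15-minute thresholds is assumed, and the sample encounters are constructed. It shows why a request from Person 2 to delete "their" data is ambiguous: the record of the encounter lives on Person 1's device and survives Person 2 uninstalling.

```python
from dataclasses import dataclass, field

# Thresholds as stated in the article (assumed to be applied per encounter).
CONTACT_DISTANCE_M = 1.5
CONTACT_MINUTES = 15


@dataclass
class Encounter:
    peer: str
    distance_m: float
    minutes: int


@dataclass
class Device:
    """Hypothetical phone: each device keeps its own log of qualifying contacts."""
    owner: str
    log: list = field(default_factory=list)

    def record(self, peer: str, distance_m: float, minutes: int) -> None:
        # Only encounters that satisfy both thresholds are kept.
        if distance_m <= CONTACT_DISTANCE_M and minutes >= CONTACT_MINUTES:
            self.log.append(Encounter(peer, distance_m, minutes))

    def uninstall(self) -> None:
        # Removing the app wipes this device's log, and nothing else.
        self.log.clear()


def record_mutual(a: Device, b: Device, distance_m: float, minutes: int) -> None:
    # A proximity event is written to BOTH phones, as the article describes.
    a.record(b.owner, distance_m, minutes)
    b.record(a.owner, distance_m, minutes)


def trace_contacts(reporter: Device) -> list:
    """Who the authorities would see if this device's owner reports infection."""
    return sorted({e.peer for e in reporter.log})


def deletion_scenario() -> tuple:
    p1, p2, p3 = Device("Person 1"), Device("Person 2"), Device("Person 3")
    record_mutual(p1, p2, 1.0, 20)   # constructed: qualifies on both phones
    record_mutual(p1, p3, 1.0, 5)    # constructed: too short, logged nowhere
    p2.uninstall()                   # Person 2 removes the app and its data
    # Person 1 reports: Person 2 is still traced from Person 1's copy.
    return trace_contacts(p1), trace_contacts(p2)
```

The returned pair is `(["Person 2"], [])`: the encounter is gone from Person 2's phone but not from the trace, which is exactly the two-party ownership problem the privacy statement does not address.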
We also have a further issue. The government is (hand on heart) promising that the app will "play nice". "Trust us!" However, most of us will happily permit auto-update to occur – I have already seen mention of an update due later this week. My issue is that after a few weeks, we will become somewhat complacent and won't bother checking the "niceness" of the app and at around "update number 23" the code base may change to start doing less-nice things. Who would notice?
Our other objection is related to auto-removal. If the government really wanted to play nice, they would ensure that once the 'panic' was over, they would send a 'self-destruct' signal to the app to have it removed from every device. Somehow, in conjunction with our fear in the previous paragraph, we strongly doubt that will ever happen.
Finally, just to show that this isn't purely a personal paranoia, we asked Jon Oliver, Director and Data Scientist at Trend Micro for his thoughts.
"The health and safety of Australians during the COVID-19 pandemic is the paramount concern, and primary goal with regards to the release of the COVID-19 contact tracing app, COVIDsafe. However, that being said, the privacy and data security of those voluntarily signing up to the app still needs to be ensured.
"It is encouraging to see statements that suggest the source code will be released, as this will be extremely important to ensure the security and data integrity of the app, and exist as a point of transparency to encourage more people who may currently be skeptical to download the app. Obscurity is never a good security solution, particularly with such an anticipated widely used consumer app such as this, so once the source code is released, software and security experts will be highly motivated to analyse it. With multiple teams of experts readily processing the code both manually and with security tools, any potential vulnerabilities should be able to be identified quickly and efficiently."
I am not convinced of the safety of this app – it may be fine now, but I seriously doubt the government's ability to keep their grasping fingers off it. After all, we have been reminded time and time again that Home Affairs Minister Dutton is an ex-policeman… and every time we look, it seems he brings a policeman's mentality to the problems before him.
To channel my inner Simon Cowell, "it's a no from me."
Note: a follow-up to this piece is available here.