iTWire - Why do we not trust the COVID-19 app?

iTWire

Wednesday, 29 April 2020 01:50

Why do we not trust the COVID-19 app?

By David Heath

Comments:13 Comments

The federal government has a long history of 'bait and switch,' that's why.

It is unfortunate that, when it is most necessary for the public to trust the government in the matter of an information system, their heritage leaves everyone hanging.

For some recent history, we have the MyHealthRecord debacle where it became very clear that despite initial promises of total security and privacy, our health data wasn't as safe as we would prefer it to be. This writer opted the entire family out.

We also have the current metadata legislation that 'guarantees' that the content of our communications will not be passed to various government investigators, but will happily provide them the metadata. So, (for a hypothetical example) if someone calls the venereal disease clinic, then a couple of days later, their device location data shows them attending the clinic. And then a few days after that a call from the clinic and then immediately after that the person calls their 'significant other,' there is absolutely no need to know the content of the calls!

The metadata tells everything.

Of course, if the content of the call was more serious, we have the "Australian Assistance and Access Bill." Such a quaint name for a privacy-destroying piece of legislation. For those who have forgotten, this bill was slid through federal parliament while no-one was really looking, just before Christmas 2018. For those who may remember, the ALP opposition insisted it was flawed, but agreed to pass it anyway, with a promise that they would fix it after being elected to government in the May 2019 election. Bzzzzt.

This bill essentially legislates for federal agencies to compel companies and individuals to provide sensitive data, even if that requires the creation of back doors into software in order to access the private communication of an identified person. Further, at no time may the individual or company disclose that they have undertaken the required action. Umm… good luck getting that back door through code review!

There are other laws, but I think you get the picture.

Which brings us to the government's COVID-19 tracing app. Overall, the intention is admirable. The app (relatively) anonymously tracks the location of the user and identifies anyone who was within 1.5m of the user for at least 15 minutes. Should the user report positive contact with a sufferer, or suffer from the virus itself, the location data is available for contact tracing. A coupe of minor quibble — firstly, relying on Bluetooth (as it does), the app cannot accurately rely on the 1.5m distance — my own phone will connect to a speaker over 10m away. Secondly, at least for iPhone users, the app must be running in the foreground in order to work — this is a design feature of the iPhone — and background tasks cannot access Bluetooth, and of course foreground tasks will chew through the battery.

Broadly, I believe this to be a great idea, although the promised release of the software source code has yet to occur, even though we were told it would be available immediately. No matter, experts smarter than I have decompiled the code and are generally happy with it – there are some "quibbles", but nothing too serious.

However, the issues are wider than that. Last week, the Federal Government announced that any collected data would be stored on Amazon Web Services cloud systems. Personally, I have no issue with the company, but we know that there are a number of data centres in Australia that are approved for secure government data, but AWS isn't one of them [Correction: I have since learned that I'd been given incorrect information. AWS IS on the approved cloud storage list]! Further, it is understood that the tender for the storage services was very limited in the number of organisations asked to bid. The number ONE springs to mind!

Further, the privacy statement for the app leaves a lot to be desired. From a cursory reading, it seems to only barely meed the needs of the current privacy legislation and is silent on the privacy of the users who are 'matched' as having been in contact if a positive infection is determined.

Beyond that, the app (from a reading of the privacy statement) seems desperate to collect as little information as possible… possibly too little. Further, it is totally silent on the outcome in the situation where…

• Person 1 and Person 2 both have the app installed and flag each other as satisfying the proximity requirement - that data is stored in both phones (and on the AWS server? That's not entirely clear).

• Person 2 removes the app and all accumulated data, for whatever reason.

• Person 1 advises that they have been infected. The authorities then start tracing contacts. Is Person 2 included in the trace, or not? It would seem that they would remain listed in Person 1's database - the privacy statement claims that a request by Person 2 to remove data ought to be honoured, but the wording seems unclear as the data relates to two people - one who wants to have the data retained, and one who does not.

We also have a further issue. The government is (hand on heart) promising that the app will "play nice". "Trust us!" However, most of us will happily permit auto-update to occur – I have already seen mention of an update due later this week. My issue is that after a few weeks, we will become somewhat complacent and won't bother checking the "niceness" of the app and at around "update number 23" the code base may change to start doing less-nice things. Who would notice?

Our other objection is related to auto-removal. If the government really wanted to play nice, they would ensure that once the 'panic' was over, they would send a 'self-destruct' signal to the app to have it removed from every device. Somehow, in conjunction with our fear in the previous paragraph, we strongly doubt that will ever happen.

Finally, just to show that this isn't purely a personal paranoia, we asked Jon Oliver, Director and Data Scientist at Trend Micro for his thoughts.

"The health and safety of Australians during the COVID-19 pandemic is the paramount concern, and primary goal with regards to the release of the COVID-19 contact tracing app, COVIDsafe. However, that being said, the privacy and data security of those voluntarily signing up to the app still needs to be ensured.

"It is encouraging to see statements that suggest the source code will be released, as this will be extremely important to ensure the security and data integrity of the app, and exist as a point of transparency to encourage more people who may currently be skeptical to download the app. Obscurity is never a good security solution, particularly with such an anticipated widely used consumer app such as this, so once the source code is released, software and security experts will be highly motivated to analyse it. With multiple teams of experts readily processing the code both manually and with security tools, any potential vulnerabilities should be able to be identified quickly and efficiently."

I am not convinced of the safety of this app – it may be fine now, but I seriously doubt the government's ability to keep their grasping fingers off it. After-all, we have been reminded time and time again that HomeAffairs Minister Dutton is an ex-policeman… and every time we look, it seems he brings a policeman's mentality to the problems before him.

To channel my inner Simon Cowell, "it's a no from me."

Note, a follow-up to this piece is available here.

Read 10504 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here

EXL AI IN ACTION VIRTUAL EVENT 20 MARCH 2025

Industry leaders are looking to transform their businesses and achieve measurable outcomes with AI.

As organisations across APAC navigate the complexities of AI adoption, this must-attend event brings together industry leaders, real-world demonstrations, and visionary panel discussions to bridge the gap between proof-of-concepts and enterprise-wide AI implementation.

Learn how to overcome common challenges in deploying AI at scale.

Unlock cost savings, efficiency, and better customer experiences with AI.

Discover how industry expertise and data intelligence enable practical AI deployment.

Register for the event now!

REGISTER!

PROMOTE YOUR WEBINAR ON ITWIRE
It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.
MORE INFO HERE!

BACK TO HOME PAGE

Published in Whiskey Tango Foxtrot!

Tagged under

David Heath

Federal Government

COVID19

App

iPhone

Trend Micro

Jon Oliver

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

Latest from David Heath

Rockwell’s Scott Wooldridge reflects on the Asia Pacific Market

Rockwell Automation and Microsoft to Accelerate Industrial Transformation

Rockwell Automation links with NVIDIA Omniverse

Autonomous Black Hawk helicopter extinguishes fires at a recent demonstration

Related items

Anti Scam Investment Much Needed

Executive employment keeps falling, business sectors brace for more falls: report

Sovereign Australian Prime Alliance (SAPA) welcomes much needed reforms to Commonwealth procurement rules

Netflix’s Zero Day is a Half-Truth About Cyber Warfare

More in this category: « Christmas music is bad for our mental health COVIDSafe App – an update to why it should be avoided »
Share News tips for the iTWire Journalists? Your tip will be anonymous

back to top

Subscribe to Newsletter

* Enter the security code shown:

Home
Latest News
Your IT
Business IT
IT Industry
NEWSLETTER
MAGAZINE
IT People
Government
RSS

Services

Promotional News & Content

Sponsored Announcements

Self Posting

JobZilla IT Jobs

See Newsletter

Our Journalists

Company

About

Contact

Advertising Specs

Advertise NOW

Privacy

Editorial Guidlines& Complaints Handling

Sitemap

Connect

Facebook
Twitter

Cloud Hosting by Digital Pacific