COVID-19: Should I install the app?

COVID-19: Should I install the app?

On Sunday evening the Australian Government released its COVIDSafe app for mobile devices (iOS and Android). Since then, almost 1.5 million people have downloaded the app. The question that keeps coming up is: should I install it?

Most of us will have many less secure, more pernicious apps on our phones, which capture all sorts of data and use – and even on-sell – that data in ways we are not even aware of. Don’t even get me started on Facebook. But just because we’ve taken a given risk, doesn’t mean we should close our eyes to new ones, especially if the government’s demonstrated thirst for our information is in the mix.

What does it do?

The government and many high profile people have made clear and compelling arguments as to why we should all be installing the app. The purpose is noble: the safest way to start relaxing restrictions is to be able to trace and track any outbreaks of COVID-19 in the community. Apart from ramping up testing, tracing and contacting those people who have come into contact with someone who’s tested positive for COVID-19 as quickly as possible, to allow them to self-isolate, watch for symptoms and get tested if they show will help control outbreaks. At the moment this process is time-consuming, manual and relies on the memory of those who have tested positive as to who they were in contact with. The app gives health authorities the ability to reliably find out who an infected person has come into contact with since becoming so, and then notify those people. This way, outbreaks can be quickly controlled; an uncontrolled outbreak would likely lead to widespread restrictions being reintroduced.

How does it work?

When you download the app, you sign up with some personal details: your name (which can be a fake name if you like), age-range, mobile number (for notifications), and residential postcode, which helps determine which health authority should take action if needed. That process generates a unique identifying number that hides those details from everyone except the government. The unique ID generated remains tied to your set of details from then on. For it to work, you need to have the app running, and Bluetooth enabled. Once it’s running, the app uses Bluetooth to track those devices who are also running the app, and which come into close proximity with your device for a period of 15 minutes or more. The app records the date, time, proximity and ID of the proximate device. It doesn’t record location. The tracing data is kept for a rolling 21-day window (22 days and older being deleted), to cover enough history to capture those contacts which may have occurred before symptoms and testing. 

When someone running the app tests positive for COVID-19, health authorities will suggest they upload the contact tracing data from their app, at their sole discretion. The data is uploaded to a government-controlled data store and then passed back to the relevant health authority dealing with that case. The unique ID from each instance of the app can then be reverse-looked-up to allow that health authority to contact all those people (at this stage, it doesn’t seem this will occur through the app, though that seems like a logical way to automate it in future). The details of who was infected are not shared with those contacts.

When the pandemic is over, you can delete the app and it will also remove all the data on the device associated with it.

How does it protect my privacy?

The government has gone to some length to allay fears that the app could leak information or be subject to hackers causing your information to be leaked. The processes of generating the unique ID, storing your personal data, uploading the contact history and sharing it with health authorities all utilise existing, well-tested and robust security technology. The software is understood to be based on an open-source platform that was used to create a similar app for the Singapore government.

Security researchers and independent legal teams have assessed the app to ensure it meets privacy principles. The Health department has also responded to recommendations made in the assessment, and all of this is publicly available. One of the most important of these is ‘the right to be forgotten’, and that can be achieved by asking the government to delete any data you gave them when downloading the app, or that your app has uploaded.

The general consensus has been that the app doesn’t pose a risk to your privacy if it works and is used as advertised. To be really sure of this, experts need to see the source code of the app so they know how it works, and see if they can find security holes. The long and painful history of security breaches has shown that where source code for software is made public, it can be subjected to peer review by the wider security community and issues found more readily.

Can the government use this technology to spy on me?

There has been a steady progression of more comprehensive, intrusive and potentially sinister abilities for spying agencies and police to access personal information in the name of public interest, such as the fight against terrorism, drug trafficking, people smuggling and child abuse. Plenty of people have therefore been rightly asking the question, “What else will the government do with this technology?” It’s clear that the government is very keen for these fears not to impact its uptake – without making its use mandatory as some were first suggesting. The more people running the app, the more effective it will be in achieving its stated purpose. The government is taking an approach of as much transparency as possible to overcome fears, and says it will put in place checks and balances to prevent its use outside the stated purpose.

Federal Health Minister Greg Hunt has said that legislation will be passed which makes it an offence for anyone other than state health authorities to use the uploaded information, and for it to only be used for contact tracing and notification. A determination has also been made to restrict and control the use of the information. According to that restriction, the app and its data can’t be used for any other law enforcement purpose, including enforcing quarantine for those who test positive to COVID-19. It’ll also be an offence to deny anyone service based on contact tracing performed using the app. We’re yet to see the legislation, so we will have to see.

The government has also said it will release the source code once it has passed the internal processes of the Australian Cyber Security Centre in due course, and shadow health minister Chris Bowen has supported this stance. Releasing the source code and having it reviewed will help to ensure the security is robust, the software doesn’t present a privacy risk, and that it really is only being used for its stated purpose. Of course, future updates to the app could change this, but that’s a risky abuse of public trust and may undo the good work of helping return life to normal.

The problem comes with the tracing data, which will normally reside on someone’s device, but may also be voluntarily uploaded to the government data store via the app. On its own, it can’t locate you or anyone you came into contact with. But when combined with other data, such as location tracking, it could be used to infer the location of others whose location may have otherwise been hidden from authorities (for example by disabling location tracking on a mobile device). It could also be used to determine who you have been associating with, when and for how long. We’ve seen plenty of examples where governments have come into conflict with device manufacturers when demanding encryption be broken and data held on a users’ device released.

In December 2018, the federal government passed laws which allow law enforcement agencies to require technology companies assist them in breaking into devices and accessing this sort of data. There are a few levels of assistance companies would need to provide under the legislation, but at the time introduced, it was widely criticised for overreach and a lack of checks and balances. Amendments to address some of these concerns were proposed and supposed to be put before parliament prior to the 2019 federal election (they weren’t, and the laws stand as passed). They go so far as to make it a criminal offence to tell anyone a request from law enforcement has been received, or complied with, which is seen as very sinister indeed.

Whether the government would use the technology for these other purposes now is probably moot – the core purpose is too important to risk. But after the pandemic? Anything is possible.

Okay, so should I install it?

There is no doubt the app will enable more rapid relaxation of restrictions and their disruption to our way of life and economy. Installing the app on the basis of its stated purpose sounds like a no-brainer. But when considering privacy and security, you always need to make your own risk assessment.

My recommendation is to install it, given the consensus on its relatively low risk and for the greater good, but unless we get some of the following things addressed, soon, I’d be uninstalling it again:

  • An assessment of the source code by the security community, to make sure it really is secure, maintains privacy and only does what the government says it will. The code as it stands is non-obfuscated (it can be decompiled and read by a human, to some degree) and the early efforts to do this haven’t raised any concerns.
  • Seeing the proposed legislation that is designed to prevent the technology’s misuse and to protect the data from being combined with other information for law enforcement purposes (which restriction isn’t specifically proposed)

Other things to look out for (ensuring the app is updated with these features):

  • Fixing the app so it doesn’t need to run in the foreground all the time (this is coming in a future version)
  • The first round of bug fixes (resulting from the source code review, and also in the field testing which will undoubtedly find issues)

When the pandemic is over, I’d also want to see legislation passed that prevented a future government reaching back into the store of tracing data that was uploaded, to use it for other purposes, or better yet, to see it deleted (the question being: who else could have squirrelled away a copy beforehand?) Legislation can always be amended or repealed, but at least putting governments on notice that they need to stand by their word on the stated purpose, and continue to be transparent about gathering and using personal data, will help.

If there’s a silver lining in all of this, it’s that folks are in general becoming more literate and aware of their privacy rights and more aware of the need to consider information security.

Governments are having to be more transparent and clearly show the purpose of any potential mass-surveillance tooling on its citizens, and prove they are following best practice, getting the IT security community on side by letting them review their work, and involving themselves in public debate that considers the balance of outcomes and risks. That can only be a good thing.

Anthony Woodward is founder and CEO of Accelera