More than three million Australians have chosen to download the Governments voluntary COVIDSafe contact tracing app, but with a goal of more than 10 million people, some still have their reservations. Privacy concerns were flagged well ahead of time, but there are also problems with the performance of the app itself.
The release of the app’s source code for public scrutiny we’ve been promised could still be weeks away as well.
“The Government intends to release the source code in the coming couple of weeks, subject to final advice from cyber security agencies,” a spokesperson for the COVIDSafe Administrator, the Digital Transformation Agency (DTA) told news.com.au.
RELATED:Follow all the latest coronavirus updates
RELATED:What the Government’s new contact tracing app looks like
The DTA’s Digital Service Standard has 13 criteria “to help government agencies design and deliver services that are simple, clear and fast”.
The eighth criteria is to “make all new source code open by default”.
According to the agency, making source code open saves money, increases transparency, and adds benefits through improvements by other developers.
By the time an app goes live, the DTA said the developers should be able to show how they are making the source code open and reusable, provided guidance for open source contributors, and detailed how they are going to handle bug fixes and updates to the code.
The Agency is yet to confirm whether those criteria apply to COVIDSafe.
You don’t have to download the app and the Government has said making it mandatory would be “unacceptable” for Australia.
And while around 15 per cent of the population has already downloaded the app, it’s thought many more still need to do it before it can be effective.
At first it was said around 40 per cent of the population needed to download the app, but chief medical officer Dr Brendan Murphy thinks even more people will download it.
“Good uptake, in my mind, would be well over half the people and I think we will get it because I think Australians will rise to the challenge because they have risen to the challenge of distancing,” chief medical officer Dr Brendan Murphy said at the announcement of the app’s release on Sunday.
Some experts disagree however, and think the Government will have to hurry up and release the source code for scrutiny if they want more people to download.
“The Government released their privacy impact analysis statement and said it would release the source code, so they’ve released the statement which talks about the privacy implications and in that they said the source code should be released,” RMIT’s Cyber Security Research Centre director Professor Matt Warren told news.com.au.
“The Government then released a statement saying it would take two weeks for the data to be released, and that was so Government entities could look at it.”
Prof Warren said the public will also need non-Government voices on the app’s code.
“From a transparency in governance perspective, they should release that source code for independent evaluation, I think it’s really important to have that independent evaluation not necessarily evaluation by entities linked to the Australian Government.”
Prof Warren said the app should be released for evaluation, and then independent organisations that evaluate it should release public reports of their assessment.
He said while there are potential problems with releasing the code, the consequences are minor and unlikely.
“The problem with making it public is that if there are any vulnerabilities, then potential threat actors or national state threat actors could potentially exploit it.
“When we talk about the app … we’re talking potential Bluetooth vulnerabilities and that’s localised to an individual person’s phone; there isn’t a mass attack threat vector for the app.
“I think what people are more concerned about is how the data can be used, who has access to the data … there’s no information provided about what the states and territories have in place to protect that data.”
The Government has said it will be illegal for anyone but the DTA and state and territory health authorities to access the data held on the Amazon server app users upload their data to, and that the data can’t be used to prosecute any crime.
Prof Warren thinks any threat to the COVIDSafe app would come from state-sponsored actors rather than financially motivated cyber-criminals.
Due to the app being designed to collect as little personal information as possible (your name which doesn’t have to be real, your postcode so health authorities can identify virus clusters, your age range to help them prioritise notifications to at-risk groups, and your phone number so they can call you), there was little a hacker could do to make a profit from the information.
“There wouldn’t be any real financial gain because in terms of cyberhackers, they’re motivated by financial gain, the only concern you have is state threat actors who would potentially like to embarrass the Government or discredit the Government, that’s the sort of impact you’d be looking at, there’s no real financial gain.”
He said the Government itself would be the real target and victim of any hack.
“We’ve started to see COVID SMS messages, so if people had your mobile number they could potentially send you a scam message regarding COVID – it’s those sort of lower level types of potential scams in a worst-case scenario.
“You would then have to question the motivation behind that attack, it wouldn’t be a criminal activity because there isn’t then that financial motivation in terms of trying to direct people to scams. We’ve seen this with the attack of the online Census a few years ago, so again it was really to discredit the Government rather than trying to spread misinformation,” Prof Warren said.
RELATED:Hoax texts you can ignore
The balance between wanting to protect your privacy and wanting to protect public health was throwing up some “unfortunate questions” for those debating whether they should download the app, according to data protection and surveillance lead at UNSW’s Allens Hub for Technology, Law and Innovation David Vaile.
He said those unfortunate questions stemmed from “the Government’s reliance on attempted persuasion rather than providing the full information needed for ‘informed consent’ prior to releasing the app, and their preference for avoiding wide consultation and review by expert and civil society bodies”.
“In principle for something like this that potentially creates a centralised store of social graph information, reliant on legal and technical fixes for protection, you would advise caution. The public health concerns are however also very important, which is why it is hard,” Mr Vaile said.
He also said the Government’s track record didn’t make it easier.
“The last Census, council exploitation of metadata retention, ‘Robodebt’, laws undermining encryption, and compulsory registration for an empty My Health Record loom large in public memory.
“The way this app has been released, with incomplete information, incomplete protections and no consultation, is very disappointing,” said Mr Vaile, who’s also chair of the Australian Privacy Foundation.
While the privacy concerns have been around prior to the app release, and the Government sought to address many of them at its announcement, other problems with the app itself could put some off downloading it.
Chief among that group are Apple users, given the app doesn’t work as well on iPhones as it does on Android smartphones, partially because of Apple’s own privacy and security measures.
App users on iPhones have to keep the app running and activate a low power mode to preserve battery.
“There is a major chink in the design. And little attention was placed on user device performance,” University of Wollongong engineering and information sciences Professor Katina Michael said following the app’s release.
“Here we have a purported app that allegedly works (I don’t know how the user will be sure it is actually working as it should be) and we have not tested this for performance and battery usage. How much market share does iOS have in Australia? Significant,” Prof Michael said, citing a 40 per cent figure, in line with the Government’s original goal for uptake.
She also expressed concern the app could give people a false sense of security.
“The attitude that says: ‘I can be out and about now, because I have the app’ … Watch this space. The paradox? The more security we perceive we have, the more insecure we actually are,” Prof Michael said.
RELATED:20-year drag into ‘police state’
Others have said that downloading the app should be a prerequisite for those wishing to re-enter society following the relaxation of restrictions that has started taking place around Australia.
The McKell Institute CEO Sam Crosby recently likened downloading the app to putting on pants: Something you don’t have to do in your own home but should before entering society.
The Government has also used the potential relaxation of restrictions as a carrot to get people to download the app against the stick of forcing them to.
Digital Rights Watch chair Lizzie O’Shea said this was the wrong approach, and that the Government didn’t have the trust of the public to make it work.
“Trusting the Government to administer this capability is asking people in Australia to take a huge leap of faith, faith they’re a long, long way from earning … No public trust means people will hesitate to install the app, and not-very-subtly coercing people by saying restrictions could ease if surveillance increases is an appalling way to start,” Ms O’Shea said, adding to the chorus calling for the code to be released and saying it should have been done before the app was published.
“Releasing the source code, not just of the app but of the system as a whole, is best practice for ensuring privacy concerns have been properly addressed. This is the minimum standard the Government should have reached before the public launch of the app,” Ms O’Shea said.
She also doubted the Government will be able to reach its download goals without further transparency.
“The Government has previously said they need 40 per cent of the population to use the app for it to be effective. Experts overseas put this number much higher. Releasing the code for independent assessment will increase the public trust in this system, making it more successful. If they’re serious about wanting it to work they should be doing everything they can,” Ms O’Shea said.
“Even without the atrocious track record our Federal Government has when it comes to surveillance, getting sufficient buy-in with a voluntary app seems to be very difficult in other countries. We’ve seen uptake at 10-20 per cent of populations overseas, and it’ll take twice that to be remotely useful. Such technological tools need a social licence to operate effectively, and the Government has a long way to go before it comes close to earning it.”
She added that “years of governments giving themselves extraordinary invasive surveillance powers, disregarding the meagre safeguards those powers came with, and applying those capabilities in precisely the ways critics warned about” would put some off downloading.
“Even if the Government is genuine about protecting privacy, they could just as easily bungle it by accident,” she said.
Have you downloaded the COVIDSafe app? Have your say in the comments below.
More Stories
As the pandemic wreaks havoc on TV and movie ‘love lives’, intimacy coordinators need to find ways to adapt