CovidSafe?

https://upload.wikimedia.org/wikipedia/en/thumb/a/aa/COVIDSafe_logo.svg/800px-COVIDSafe_logo.svg.png
The first iteration of Australia's contact tracing app seems to stack up, but privacy concerns about future changes to the app, and about the limits on government use of the data, remain, and with good reason. I hope this summary of what we know so far, drawing on analysis from several sources, helps in making a free and informed choice. A free, informed and evidence-based choice is of paramount importance when deciding whether or not to grant serious surveillance powers to our government. Trading personal privacy for the greater good can only be done in good faith if we know exactly what, and how much, we're giving up.

People are right not to automatically trust governments. Refusing to adopt in-principle faith in the powers that be is central to a healthy democracy, and the integrity of those in authority should never be taken for granted. As Noam Chomsky said, "Any form of authority & domination has a burden of proof to bear to demonstrate it's legitimate." This is especially true in Australia, of a government that is infamously duplicitous and dangerous, and whose liberal use and misuse of data is well documented. In this case, though, the first version of Australia's CovidSafe contact tracing app seems to meet this burden of proof. It remains to be seen whether government use of the data we volunteer will be constrained tightly enough to meet a similar standard of integrity.

Context and the government's claims.
On the 26th of April, Health Minister Greg Hunt launched Australia's contact tracing app, CovidSafe. The app is based on the source code of a similar app used by the Singapore government. Whether or not we agree that such an app should be launched before attempting sharper lockdown measures, the app is here now, so let's look at it on its merits. Let's look at what the Coalition has claimed the contact tracing app can and will do, both in its public statements and in the determination (a placeholder for legislation) published by Greg Hunt under the Biosecurity Act, the invocation of which has allowed such drastic social distancing measures to come into force without the passage of laws. The government claims the following:
  1. The app will work by bluetooth and won't track your location
  2. At registration, the user provides their name, phone number and postcode, and selects their age range. This generates an encrypted code: an anonymised bluetooth ID. Greg Hunt has stated that you may provide a pseudonym or other inaccurate information if you wish, but that it would assist more if it were accurate.
  3. If you come within range of someone else who also has the app installed, your two devices will 'ping' off one another, exchanging the information contained in their encrypted IDs by bluetooth.
  4. This data will be secured locally only, on your phone's internal storage, for 21 days, after which it will be erased.
  5. If you are found to have contracted Coronavirus, you may then consent to upload your data to a government server provided by Amazon Web Services.
  6. The government can then decode the anonymised IDs and call all those you had close contact with to advise them to self-isolate and get tested.

So does CovidSafe live up to this?

CovidSafe Mark I : Decoded.
Despite earlier assurances, the source code for Australia's app is yet to be released, but Australian app developers and privacy experts have already decompiled and analysed the code making up this first version. The general mood among those privacy-savvy coders was that the app, at least as it currently stands, effectively does what it sets out to do and nothing more, though they still see some minor issues with it. Comparing their findings with the above summary of the government's claims, they found that:
  1. The app does work by bluetooth and cannot track your location. The app will ask for permission to access your location; it's understood that this is a quirk of Android, where granting bluetooth scanning permissions requires granting location permissions. But the app is not capable of tracking your spatial location. Worryingly though, software engineer Geoffrey Huntley writes that it would be "Potentially possible for GPS functionality to be shipped in a software update later down the track as users have already consented to fine grain location access (a requirement for bluetooth LE scanning)"
  2. The app creates an anonymised bluetooth ID for each user. These IDs are rotated and replaced every 2 hours for added security. Vanessa Teague of Thinking Cybersecurity points out that this is a downgrade from rotating IDs every 15 minutes in the case of Singapore's app.
  3. Despite poor reporting claiming otherwise, the app will exchange its "bluetooth handshakes" with anyone using the app who is within bluetooth range, not just those who come within 1.5 metres for 15 minutes. This 1.5 metre, 15 minute classification is what the Department of Health calls "close contact". This is an important distinction. The government may have hoped we would mistakenly assume that only our "close contact" encounters are recorded; this doesn't seem to be true, and it greatly expands the volume of data being documented. The distance involved in each bluetooth handshake is estimated, after upload, from the bluetooth signal strength recorded with that handshake, and it may vary with environmental factors (impeding objects, bluetooth quality, etc), making it approximate. Another piece of information recorded to assist with this is the exact model of each phone; these details are exchanged in each bluetooth handshake too. It's understood this will be used to account for differing signal strengths between phones when calculating distance. This information is not encrypted.
  4. This data is held locally on your phone's internal storage. The app design ensures this. Other apps cannot access this database unless your phone is jailbroken or "rooted".
  5. The app requires additional consent, once you are confirmed to have contracted Coronavirus, to upload your data to the government server. Only then can it be accessed by anyone else.
  6. Contact tracing would then be carried out as the government outlined.
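As an added example, not the app's own code and not taken from any of the analyses quoted here, the following Python simulation walks through the flow described in both lists above: registration, server-issued anonymised IDs rotated every 2 hours, bluetooth handshakes recorded locally with signal strength and phone model in the clear, the 21-day purge, the consent-gated upload, and server-side decoding and close-contact classification (1.5 metres for 15 minutes). The random-token stand-in for the server-encrypted ID, the one-handshake-per-minute scan rate, the path-loss parameters, the per-model RSSI offsets and the sample users are all assumptions made for the example.

```python
"""Added example: a simulation of the CovidSafe handshake/upload flow. Assumptions are marked."""
import math
import secrets
from dataclasses import dataclass

TEMPID_LIFETIME = 2 * 3600              # anonymised ID replaced every 2 hours
RETENTION = 21 * 24 * 3600              # handshakes kept on the phone for 21 days
SCAN_INTERVAL = 60                      # ASSUMPTION: one handshake per minute while in range
CLOSE_METRES, CLOSE_SECONDS = 1.5, 15 * 60   # Department of Health "close contact"
TX_POWER_1M, PATH_LOSS_N = -59.0, 2.0   # ASSUMPTION: log-distance path-loss model (dBm at 1 m, exponent)
MODEL_OFFSET = {"Pixel 3": 0.0, "iPhone 8": -4.0, "Galaxy S9": 3.0}  # ASSUMPTION: per-model dBm bias

@dataclass
class Handshake:
    peer_tempid: str   # opaque to the phone; only the data store can map it to a person
    rssi: float        # stored in the clear next to the ID
    peer_model: str    # stored in the clear too; used to calibrate the distance estimate
    timestamp: int

class DataStore:
    """Government side: registrations, issued IDs, and consented uploads."""

    def __init__(self):
        self.users, self.tempids, self.uploads = {}, {}, {}

    def register(self, name, phone, postcode, age_range):
        uid = secrets.token_hex(8)
        self.users[uid] = (name, phone, postcode, age_range)
        return uid

    def issue_tempid(self, uid, now):
        # ASSUMPTION: a random token stands in for the server-encrypted ID; the
        # property that matters is that nothing but the store can decode it.
        tid = secrets.token_hex(16)
        self.tempids[tid] = (uid, now, now + TEMPID_LIFETIME)
        return tid

    def decode(self, tempid):
        return self.tempids[tempid][0] if tempid in self.tempids else None

    def accept_upload(self, uid, handshakes, consent):
        if not consent:
            raise PermissionError("upload needs explicit consent after a positive test")
        self.uploads[uid] = list(handshakes)

    def contacts(self, uid):
        """Everyone the uploader's phone heard, with estimated seconds spent within 1.5 m."""
        seconds = {}
        for h in self.uploads[uid]:
            peer = self.decode(h.peer_tempid)
            corrected = h.rssi - MODEL_OFFSET.get(h.peer_model, 0.0)   # undo the sender's bias
            metres = 10 ** ((TX_POWER_1M - corrected) / (10 * PATH_LOSS_N))
            seconds[peer] = seconds.get(peer, 0) + (SCAN_INTERVAL if metres <= CLOSE_METRES else 0)
        return seconds

    def close_contacts(self, uid):
        return sorted(p for p, s in self.contacts(uid).items() if s >= CLOSE_SECONDS)

class Phone:
    def __init__(self, store, uid, model):
        self.store, self.uid, self.model = store, uid, model
        self.tempid, self.expires, self.handshakes = None, -1, []

    def current_tempid(self, now):
        if now >= self.expires:          # rotate: fetch a fresh ID every 2 hours
            self.tempid = self.store.issue_tempid(self.uid, now)
            self.expires = now + TEMPID_LIFETIME
        return self.tempid

    def hear(self, peer_tempid, rssi, peer_model, now):
        self.handshakes.append(Handshake(peer_tempid, rssi, peer_model, now))

    def purge(self, now):
        self.handshakes = [h for h in self.handshakes if now - h.timestamp < RETENTION]

    def upload(self, now, consent):
        self.purge(now)
        self.store.accept_upload(self.uid, self.handshakes, consent)

def encounter(a, b, metres, seconds, start):
    """Both phones log each other once per scan interval, at any distance within range."""
    ideal = TX_POWER_1M - 10 * PATH_LOSS_N * math.log10(metres)
    for t in range(start, start + seconds, SCAN_INTERVAL):
        a.hear(b.current_tempid(t), ideal + MODEL_OFFSET[b.model], b.model, t)
        b.hear(a.current_tempid(t), ideal + MODEL_OFFSET[a.model], a.model, t)

def scenario():
    """Constructed sample: four users, one positive case, one encounter too old to survive."""
    store, day = DataStore(), 24 * 3600
    alice = Phone(store, store.register("A. Citizen", "0400000000", "3000", "30-39"), "Pixel 3")
    bob = Phone(store, store.register("B. Citizen", "0400000001", "3000", "40-49"), "iPhone 8")
    carol = Phone(store, store.register("C. Citizen", "0400000002", "3001", "20-29"), "Galaxy S9")
    dave = Phone(store, store.register("D. Citizen", "0400000003", "3002", "50-59"), "Pixel 3")
    encounter(alice, dave, 1.0, 20 * 60, 0)                     # close, but 27 days before upload
    encounter(alice, bob, 1.0, 20 * 60, 25 * day)               # 20 min at 1 m: close contact
    encounter(alice, carol, 8.0, 30 * 60, 25 * day + 3 * 3600)  # in range for 30 min, 8 m away
    alice.upload(27 * day, consent=True)                        # positive test, consent given
    return store, alice, bob, carol, dave
```

Running `scenario()` and then `store.contacts(alice.uid)` shows the point made in item 3: the store learns about Carol as well as Bob, because every handshake within bluetooth range is logged and uploaded, and the "close contact" filter is applied only afterwards, from the recorded signal strength and phone model. Dave's encounter never reaches the store because it is older than 21 days at upload time, Bob's attempt to upload without consent is refused, and Alice's IDs seen by Bob and by Carol differ (the 2-hour rotation) yet both decode to her on the server side.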

Matthew Robbins, a mobile app development expert, summed up his own analysis of the app's code and design in a tweet, in which he said "From what I can see, everything in the #covidsafe app is above board, very transparent and follows industry standard." Paul Haskell-Dowland, from Edith Cowan University's Computing and Security department, concluded "that the data that is being captured is suitably anonymised, suitably protected and access to it is reasonably restricted...the opportunity for misuse is incredibly small." Mahmoud Elkhodr from CQUniversity drew similar conclusions.

But this is all based on the current version of the app. Some have suggested the government could shoehorn in changes as it pleases in future updates. Could it even coerce the creators of the app into sneaking in changes? So far the technical reviewers are satisfied with the integrity of the software, but what happens to our data once we do consent to uploading it to government servers? We need legislation to entrench strict limits on government data use.

The legality of government data use.
The current determination relating to CovidSafe, pending legislation in May, asserts that data can only be used for contact tracing purposes and that alone. Well, let's wait and see if this constraint survives in the same form in the government's bill next month. Even if it does, though, Australia's Digital Rights Watch have made clear they're concerned that Australia's recent encryption laws could allow intelligence agencies or law enforcement access to the data. In a recent statement they said: "They [the government] can also issue a directive to create or modify features [of a software]. It is an offence for anyone receiving such an order to even reveal its existence, or to fail to comply with it. The developers of the contact tracing app may have already received such a directive, and implemented a mechanism to give data to law enforcement or other agencies. They would risk imprisonment if they answered any questions about a directive, or alluded to its existence." Perhaps the government could legislate an exemption in its encryption laws for CovidSafe, which would bar access to the data for anyone except contact tracing personnel. We don't want to see this surveillance architecture being used for Orwellian law enforcement.

Digital Rights Watch also raises concerns about Australia's mandatory data retention laws. In this case though, according to the current determination under the Biosecurity Act, and assuming it translates into law this May: "The Commonwealth must cause COVID app data in the National CovidSafe Data Store to be deleted after the COVID‑19 pandemic has concluded...Note: The requirements in this section will override any obligation under an Australian law to retain data for a longer period." It seems that this, if enshrined in legislation, would legally guarantee the deletion of CovidSafe data post-pandemic.

More broadly, Amazon Web Services will be providing the secure server on which the government will store and access this CovidSafe data. Besides the obvious issue that we have outsourced this service to an American company of questionable conduct, it'll be interesting to see what the upcoming senate inquiry reveals about the robustness of this data storage system. We should seek assurances that this server is protected from third-party hackers as well as from private use by Amazon itself. The government's determination that the data remain in Australia must make its way into law and be strictly enforced. In general, a body overseeing the implementation and use of this app could ensure the CovidSafe infrastructure is not abused. So far, though, the Law Council of Australia say they've seen "no provision for oversight and reporting on its use".

There's also speculation that Australia needs to become recognised as a 'qualifying foreign government' under America's CLOUD Act to exclude our data from US access. Under current arrangements it's unclear whether the US could access our data under these laws, because Amazon is an American company. Despite assurances from the Coalition that the US laws couldn't be invoked to access our data because it belongs to the Australian Commonwealth and not to Amazon, this is still contested.

Final thoughts: government scrutiny vs tech-giant free pass
It's critical that we scrutinise any attempt by our government to expand its already invasive and authoritarian surveillance. But why aren't we applying this same level of scrutiny to the private tech sector, whose data-mining, behaviour-programming and behaviour-predicting industry constitutes one of the biggest markets in the world? It's appropriate that CovidSafe has received so much analysis and attention in Australia, but how often do we sign away and monetise our information and activity, with zero hesitation, to tech giants who consistently evade paying any tax in this country? What our government may do with additional data is a concern, yes, but what tech companies already do with far richer stores of our data is sickening, and we should care.

As Shoshana Zuboff, author of The Age of Surveillance Capitalism, explains, Facebook and Google send the data we provide through a chain of businesses. In the case of the photos we upload, Zuboff says buyers and users of our data "use information from our faces...to train models for facial recognition, those models are then sold to military operations, some of them in China, and those Chinese operations do many things, including imprisoning the Uighurs, a subset of the Muslim population in China, in what is rightly regarded as an open-air prison." We need to apply scrutiny and checks to constrain both public and private tyrannies.

Anyway, I hope all of this has helped provide the information and context needed to make an independent choice.
