Information | Opinion
COVIDSafe. But is your data?
David Wilson - Apr 27, 2020
Understandably, Australians are now more than ever concerned about their health, safety and privacy. So when the Australian Government releases an app to track COVID-19 cases — people begin to speculate.
What is the app?
The idea of the app is to be able to quickly identify if someone has been in close contact with an individual with COVID-19. It’s quick to set up and asks for your name, age range, postcode and contact number – all required to identify you and increased risks based on your age and location. The app creates an anonymous and encrypted key to identify you and then runs in the background, so once installed and set up, there is no further action required (apart from the usual safe distancing, of course).
How does it work?
The app utilises the BlueTrace protocol which will recognise other devices with the COVIDSafe app installed (and Bluetooth enabled). It will take note of the date, time, distance and duration of the contact detected and the other user’s key. On the official page, they state that the app “does not collect your location”. It will keep a record of the other user’s keys you’ve come across in the last 21 days and, in the event of developing any symptoms and getting a test that returns positive, you will need to consent to trigger an upload of the keys stored to the Health Department. They will then be able to decrypt the keys and get in contact with the user’s to inform them of the potential exposure.
At the user’s discretion, the app can be deleted which will trigger the information stored on your phone, or, when prompted at the end of the pandemic, the information stored on their systems will be destroyed. If you would like it deleted sooner, you can complete the request for data retention form.
Is it a privacy concern?
Do you think about this every time you download an app to your phone and willingly give more details to a delivery service than the government? Probably not.
The key takeaway here is that the app does not record your location. This is outlined on the health.gov.au website and has also been confirmed by third-party software developers who have decompiled the Android version of the app. The purpose of the app is to identify relationships between users of the app, but not where they were located at the time when that relationship was formed.
Like most things digital, the app would not be adverse to hacking attempts on servers and other back-ends. The primary concerns with this app will relate to how data is being sent from the end-user's device to the government, and also the dependence on Bluetooth. In 2019 a general security flaw was found with Bluetooth that exposed devices to attack. As CovidSafe is dependent on Bluetooth, an attack vector could be found here that could represent a security flaw.
In regards to privacy, we believe it ultimately comes down to the people’s lack of trust in the government that has dwindled and caused concern. To those that think it will become a location beacon of sorts to track your location – let’s face it, on the surface this is not a concern due to this app. If they wanted to find out where you are – they could. Perhaps you could put your mind a little at ease by checking your phone’s location settings for the app and making sure they’re disabled.
At the end of the day, it’s a precedent that has justification this time – but maybe not next time.