Why the COVIDSafe App is an Epic Fail
We certainly live in interesting times. Not too long ago, there was controversy when legislation was rushed into law that appeared to contradict the point of encryption technologies and potentially breach the privacy of Australian citizens. It sparked a wave of debate, and arguably distrust of the federal government, that is still ongoing.
With the rapid spread of the COVID-19 pandemic, we have now been introduced to the COVIDSafe mobile app, which we are told is designed to “…slow the spread of COVID-19”.
But what exactly does it do and how does it work? On face value, it appears to do a very limited set of functions. These include utilising Bluetooth to register contacts with other mobile devices running the COVIDSafe app when they are within close proximity for 15 minutes or more. A unique ID is generated, encrypted and centrally stored. This is subsequently linked to a mobile phone number, which means it can be utilised to trace others who may have come into contact with the virus if an infection is identified.
The first ‘fail’ relates to the general distrust, or perception of ineptitude, of the federal government when it comes to sufficiently protecting the privacy and security of Australian citizens. They have an established track record of blatant disregard for the privacy of sensitive information belonging to the Australian people (My Health Record anyone?), in addition to repeated displays of ineptitude operating secure government services. After all of the prime examples of their repeated missteps, we are now expected to just take it on faith that this time they have got it right and won’t accidentally (or on purpose) put our sensitive information at risk? Are we really convinced that there will be no gradual scope creep?
The second ‘fail’ for the COVIDSafe app relates to its centralised storage of information. This is an obvious target for criminals and goes against industry advice to operate via a decentralised model. The centralised model has been utilised for other government-sponsored technology platforms, which have subsequently been breached.
The third ‘fail’ is the 15-minute time frame before a contact is recorded. Anything less is not recorded. How likely is it to be in close proximity to anyone for 15 minutes or longer in public environments? It seems to be an arbitrary (possibly ineffectual) number. How was this timer decided? This leads to the final point of contention.
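To make the two design points above concrete (the 15-minute recording threshold, and the decentralised model the article says industry advises instead of central storage), here is a constructed simulation. It is an added illustration, not COVIDSafe code and not a description of how COVIDSafe actually works: the rotating hashed tokens, the 10-minute token window and the “publish only the infected user’s seed, match on each device” scheme are assumptions used to show the alternative model, and the proximity windows are constructed sample data.

```python
"""Constructed model of Bluetooth proximity logging with a 15-minute threshold and
on-device (decentralised) exposure matching. Illustration only, not COVIDSafe code."""
import hashlib
import secrets
from dataclasses import dataclass, field

MIN_CONTACT_MINUTES = 15     # threshold quoted in the article
TOKEN_WINDOW_MINUTES = 10    # assumed rotation period for broadcast tokens
MINUTES_PER_DAY = 24 * 60


def derive_token(seed: bytes, window: int) -> str:
    """Rotating broadcast token: a hash of a device-held secret and the time window.
    Nothing in the token identifies the device, its owner, or a phone number."""
    return hashlib.sha256(seed + window.to_bytes(4, "big")).hexdigest()[:16]


@dataclass
class Device:
    name: str
    seed: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    # token heard -> set of minutes at which it was heard; this log never leaves the device
    heard: dict[str, set[int]] = field(default_factory=dict)

    def broadcast(self, minute: int) -> str:
        return derive_token(self.seed, minute // TOKEN_WINDOW_MINUTES)

    def record(self, token: str, minute: int) -> None:
        self.heard.setdefault(token, set()).add(minute)


def simulate_proximity(a: Device, b: Device, windows: list[tuple[int, int]]) -> None:
    """Both devices hear each other's token once per minute while in range.
    windows: constructed (start, end) minute ranges, end exclusive."""
    for start, end in windows:
        for minute in range(start, end):
            a.record(b.broadcast(minute), minute)
            b.record(a.broadcast(minute), minute)


def exposure(device: Device, published_seed: bytes) -> tuple[int, int]:
    """Decentralised matching: an infected user publishes only their seed; every
    device regenerates that seed's tokens and checks its own log locally, so no
    contact graph is ever assembled centrally.
    Returns (total_minutes, longest_contiguous_minutes)."""
    minutes: set[int] = set()
    for window in range(MINUTES_PER_DAY // TOKEN_WINDOW_MINUTES):
        minutes |= device.heard.get(derive_token(published_seed, window), set())
    longest = run = 0
    for minute in sorted(minutes):
        run = run + 1 if (minute - 1) in minutes else 1
        longest = max(longest, run)
    return len(minutes), longest


def is_close_contact(device: Device, published_seed: bytes) -> bool:
    """The article's rule: a single stretch of 15 minutes or more counts; anything
    shorter is dropped, even if repeated brief contacts add up to more."""
    return exposure(device, published_seed)[1] >= MIN_CONTACT_MINUTES


def demo() -> dict[str, bool]:
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    simulate_proximity(alice, bob, [(0, 10), (20, 28)])   # 18 minutes in total, but split
    simulate_proximity(alice, carol, [(100, 116)])        # one 16-minute stretch
    # alice tests positive and publishes her seed; matching happens on bob's and carol's devices
    return {d.name: is_close_contact(d, alice.seed) for d in (bob, carol)}


if __name__ == "__main__":
    print(demo())   # {'bob': False, 'carol': True}
```

Running the demo shows the effect of the threshold the article questions: Bob spent 18 minutes near Alice across two encounters and is never recorded as a contact, while Carol's single 16-minute encounter is. The matching step also shows what “decentralised” buys: the only thing published is the infected user's seed, and every device decides locally whether it was exposed, so there is no central store of who met whom to breach.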
The final ‘fail’, and the nail in the coffin, for the COVIDSafe app? The first three points raised ultimately signal a flawed design, consultation and rollout process. There has been no public consultation in regard to its design, and no feedback or recommendations from industry were sought prior to release. There has been no public release of its source code for thorough analysis. There has been no firm or tangible commitment to the security or privacy of the application itself.
Essentially what we have been handed is an app that, if taken on face value, is of dubious value in relation to its functionality, adopts security principles that are likely against industry advice and is being managed by a government that has a less than stellar track record in protecting private information. In simpler terms, the app delivers little towards its stated functionality goals and has a real potential to collect/leak private information either accidentally or by design.
What can we do, you ask? Make your opinion known. Contact your local Federal MP. Encourage and support your industry body of choice (such as ITPA) to sign the petition at: https://covidapp.opentransparent.org/