COVIDSafe


COVIDSafe is a digital contact tracing app announced by the Australian Government on to help combat the ongoing COVID-19 pandemic. The app is based on the BlueTrace protocol developed by the Singaporean Government, and was first released on. The app augments traditional contact tracing by automatically logging encounters between users, and later allowing a state or territory health authority to warn a user that they have come within 1.5 metres of an infected patient for 15 minutes or more. This functionality is not part of the previously published Coronavirus Australia app.

History

COVIDSafe first began development shortly after the Morrison Government showed interest in Singapore's TraceTogether app in late March. It was announced that an app was in development on, with plans to release it for Android and iOS within a fortnight. The app had a budget of over, of which went to AWS for hosting, development, and support. The announcement was immediately met with concerns about the privacy of the app, and there was confusion over whether the app would be a feature of the existing Coronavirus Australia app or completely separate. Adding to the confusion, many news reports used images of Coronavirus Australia, and upon launch the COVIDSafe website temporarily linked to the Coronavirus Australia apps.
The app launched on. However, there were early reports that some users had problems with the sign-up. For example, those with non-Australian phone numbers did not receive a registration pin to the phone number they provided.
Within 24 hours of COVIDSafe's release more than a million people had downloaded it, and within 48 hours more than two million. By the second week more than four million users had registered. Despite this, state and territory health authorities were not yet able to access data collected through the app, although the Department of Health expected the app to be fully operational sometime during the first weeks of May.
Accompanying the release, Peter Dutton, the Minister for Home Affairs, announced new legislation that would make it illegal to force anyone to hand over data from the app, even if they had registered and tested positive. A determination, titled Biosecurity Determination 2020, was put in place, with the Privacy Amendment Bill 2020 later introduced on to codify it. The legislation governs how data collected by the app is stored, submitted and processed.
On the Senate Select Committee on COVID-19 held a public hearing on the COVIDSafe app, with particular focus towards its effectiveness and privacy implications.
On, the source code for the app was released publicly.
On, the Australian Chief Medical Officer announced that the app was fully functional. The next day it was reported that the app had reached 5.7 million downloads, approximately 23% of Australia's total population.
On, the first patient data was accessed, following an outbreak at Kyabram Health in Victoria.
By mid June, over a month since the launch of the app, the app had yet to identify any contacts not already discovered through traditional contact tracing techniques, further strengthening growing concerns over the effectiveness of the app. Adding to this, some estimates put the likelihood of the app registering a random encounter at ~4%. At the same time, the Google/Apple exposure notification framework began rolling out to users, with the Italian Immuni being the first app to make use of it.
In late June, following a "second wave" in Victoria sparked by family gatherings, COVIDSafe data was accessed by contact tracers over 90 times. The app continued to fail to identify anyone not already known to contact tracers. At the same time, a COVID-19 positive protester who attended the Melbourne Black Lives Matter rally on was criticised in the media for not having downloaded the app. Despite the identification of at least two further cases in attendance, to date no transmission has been found to originate from the protests. With the incubation period of the virus having passed, it is likely this will continue to hold.
On the government was criticised for contracting out part of the app's development and support to a company with ties to the Liberal Party. Mina Zaki, the wife of the CEO of Delv Pty Ltd, is a Liberal Party candidate in Canberra. Delv was engaged after the initial release of the app to assist with development, and was also the primary developer of the Coronavirus Australia app.
In a Sky News interview, Minister for Government Services Stuart Robert blamed the failure of COVIDSafe on the unwillingness of Apple and Google to modify their existing, globally deployed Exposure Notification framework to work with the app. ENF is an alternative, entirely incompatible digital contact tracing protocol that detects encounters more reliably than third-party protocols, since it runs inside the operating system rather than as an app. For the app to take advantage of the framework, either the framework or the app would need to be almost completely rewritten.

Contact tracing

The app is built on the BlueTrace protocol originally developed by the Singaporean Government. A major focus of the design was the preservation of privacy for all users. To achieve this, personal information is collected only once, at registration, and used only to contact potentially infected patients. Additionally, users are able to opt out at any time, clearing all personal information. Encounter logging is done entirely locally on a user's device using Bluetooth, with all encounters stored in a contact history log covering the past 21 days. Users in contact logs are identified using anonymous, regularly rotating "temporary IDs" (TempIDs) issued by the Department of Health (DoH). This means a user's identity cannot be ascertained by anyone except the DoH. Additionally, since temporary IDs change on a regular basis, malicious third parties cannot track users by observing log entries over time.
Once a user tests positive for infection, the DoH requests the contact log. If the user chooses to share their log, it is sent to the health authority, which matches each temporary ID with the contact information given at registration. Health authorities cannot resolve log entries for users registered with a foreign health authority, so those entries are forwarded to the appropriate health authority to be processed there. Once a log has been processed, the DoH or the appropriate health authority contacts the users identified in it.
Although it is commonly claimed that the app only logs encounters longer than 15 minutes and closer than 1.5 metres, the app actually logs most encounters indiscriminately; the filtering to encounters within 1.5 metres and lasting 15 minutes or more is applied only once the health authority receives a contact log.
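The centralised flow described in the three paragraphs above, as an added runnable model that is not COVIDSafe or BlueTrace code: a health authority issues rotating TempIDs, a device keeps only a local 21-day log of whatever it hears, and the 15 minute / 1.5 metre filter is applied on the server after upload. Class and method names are invented; TempIDs are modelled as random tokens that only the authority can map back to a user (real BlueTrace encrypts the user ID under a key held by the authority, which gives an eavesdropper the same information, none); distances are assumed to have been estimated from RSSI already; the encounters in demo() are constructed sample data.

```python
"""Added example, not COVIDSafe or BlueTrace code: a runnable model of the
centralised BlueTrace flow.  Names, the token-based TempID model, the
rotation interval and the sample encounters are assumptions.
"""
import secrets
from collections import defaultdict

LOG_RETENTION_SECONDS = 21 * 24 * 3600   # 21-day contact history (from the page)
TEMPID_LIFETIME_SECONDS = 15 * 60        # rotation interval (assumption)
MIN_CONTACT_SECONDS = 15 * 60            # 15 minutes (from the page)
MAX_CONTACT_METRES = 1.5                 # 1.5 metres (from the page)


class HealthAuthority:
    """Holds the only mapping from a TempID back to a registered user."""

    def __init__(self):
        self._tempids = {}      # tempid -> (user_id, window_start, window_end)
        self._contacts = {}     # user_id -> phone number given at registration

    def register(self, user_id, phone):
        self._contacts[user_id] = phone

    def issue_tempids(self, user_id, now, count):
        """Issue a pool of back-to-back TempIDs for a device to advertise."""
        pool = []
        for i in range(count):
            start = now + i * TEMPID_LIFETIME_SECONDS
            tid = secrets.token_hex(16)
            self._tempids[tid] = (user_id, start, start + TEMPID_LIFETIME_SECONDS)
            pool.append((tid, start))
        return pool

    def process_upload(self, log):
        """Resolve an uploaded log and keep only close, prolonged contacts.

        The filter lives here, not on the device.  Returns the phone numbers
        of users who accumulated >= 15 minutes within 1.5 m.
        """
        exposure = defaultdict(int)
        for entry in log:
            record = self._tempids.get(entry["tempid"])
            if record is None:
                continue            # unknown here: foreign or forged TempID
            user_id, start, end = record
            if not start <= entry["ts"] < end:
                continue            # TempID seen outside its validity window
            if entry["dist_m"] <= MAX_CONTACT_METRES:
                exposure[user_id] += entry["dwell_s"]
        return sorted(self._contacts[u] for u, s in exposure.items()
                      if s >= MIN_CONTACT_SECONDS)


class Device:
    """A client: advertises the TempID for the current window, logs peers."""

    def __init__(self, pool):
        self._pool = pool       # [(tempid, window_start), ...] from the authority
        self.log = []           # local contact history, pruned to 21 days

    def current_tempid(self, now):
        """The TempID whose window covers `now`; None if the pool is exhausted."""
        for tid, start in self._pool:
            if start <= now < start + TEMPID_LIFETIME_SECONDS:
                return tid
        return None

    def record_encounter(self, now, peer_tempid, dist_m, dwell_s):
        # The app logs most encounters; it does not apply the 15 min / 1.5 m rule.
        self.log.append({"ts": now, "tempid": peer_tempid,
                         "dist_m": dist_m, "dwell_s": dwell_s})
        self.log = [e for e in self.log if now - e["ts"] < LOG_RETENTION_SECONDS]


def demo():
    """Constructed scenario: Alice tests positive and consents to upload."""
    t0 = 1_600_000_000
    ha = HealthAuthority()
    for uid, phone in [("alice", "+61400000001"), ("bob", "+61400000002"),
                       ("carol", "+61400000003")]:
        ha.register(uid, phone)
    alice = Device(ha.issue_tempids("alice", t0, 96))   # 96 x 15 min = one day
    bob = Device(ha.issue_tempids("bob", t0, 96))
    carol = Device(ha.issue_tempids("carol", t0, 96))

    # Encounters as seen by Alice's phone (constructed sample data):
    alice.record_encounter(t0 - 30 * 24 * 3600, "old-entry", 0.5, 3600)  # ages out
    alice.record_encounter(t0 + 60, bob.current_tempid(t0 + 60), 1.0, 600)
    alice.record_encounter(t0 + 1200, bob.current_tempid(t0 + 1200), 1.2, 600)
    alice.record_encounter(t0 + 1800, carol.current_tempid(t0 + 1800), 3.0, 1200)

    return {
        # Bob's advertised TempID differs between the two encounters
        "rotated": bob.current_tempid(t0 + 60) != bob.current_tempid(t0 + 1200),
        # one day of IDs, then the pool runs dry unless refreshed
        "exhausted": bob.current_tempid(t0 + 96 * TEMPID_LIFETIME_SECONDS) is None,
        "log_size": len(alice.log),                   # the 30-day-old entry is gone
        "to_contact": ha.process_upload(alice.log),   # Bob: 20 min at ~1 m; Carol: 3 m
    }


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: an uploaded log entry is useless to anyone but the authority (a TempID is just a random token off the wire), and the server additionally checks that a TempID was seen inside its own validity window, so a replayed or stale TempID does not count as contact.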

Reporting centralisation

One of the largest privacy concerns raised about the BlueTrace protocol currently used by the app is its centralised report processing architecture. In a centralised report processing protocol a user must upload their entire contact log to a server administered by the health authority, which is then responsible for matching the log entries to contact details, determining potential contact, and ultimately warning users. By contrast, the Exposure Notification framework and other decentralised reporting protocols, while still having a central reporting server, delegate the processing of logs to clients on the network. Instead of uploading its contact history, a client uploads a number (a key) from which its recent encounter tokens can be derived by other devices. Clients then derive those tokens and check them against their local contact logs to determine whether they have come into contact with an infected patient. Because the protocol never gives the government access to contact logs, this approach has major privacy benefits. However, it also presents some issues: primarily the lack of human-in-the-loop reporting, leading to a higher occurrence of false positives; and potential scale issues, as some devices might become overwhelmed by a large number of published keys. Decentralised reporting protocols are also less mature than their centralised counterparts.
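The decentralised scheme described above, as an added runnable model that is not Exposure Notification or COVIDSafe code. It keeps the ENF structure (one key per day, a per-interval identifier derived from it, the infected user uploads only keys, every phone re-derives the identifiers and matches them locally) but substitutes HKDF and HMAC-SHA256 from the Python standard library for ENF's AES-128 derivation and its exact constants. Names, the RSSI and duration thresholds and the scans in demo() are assumptions; real ENF also tolerates some clock skew when matching, which this strict model does not.

```python
"""Added example, not Exposure Notification or COVIDSafe code: a model of
decentralised reporting.  HKDF/HMAC-SHA256 stand in for ENF's AES-128;
names, thresholds and sample scans are assumptions.
"""
import hashlib
import hmac
import os

INTERVAL_SECONDS = 10 * 60          # identifiers rotate every 10 minutes (as in ENF)
INTERVALS_PER_KEY = 144             # one key per day = 144 intervals (as in ENF)
MIN_CONTACT_SECONDS = 15 * 60       # assumed exposure threshold
RSSI_THRESHOLD_DBM = -70            # assumed "close enough" signal threshold


def hkdf_sha256(ikm, info, length=16):
    """RFC 5869 HKDF (extract + expand) with an empty salt, stdlib only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def rolling_identifier(day_key, interval):
    """Identifier broadcast during one interval under one day key.

    Stand-in for ENF's AES-128(RPIK, interval): a truncated HMAC over the
    interval number, keyed by a sub-key derived from the day key.
    """
    rpik = hkdf_sha256(day_key, b"EN-RPIK")
    return hmac.new(rpik, interval.to_bytes(4, "little"), hashlib.sha256).digest()[:16]


def identifiers_for_key(day_key, day):
    """All 144 identifiers a phone broadcast under one published day key."""
    first = day * INTERVALS_PER_KEY
    return {rolling_identifier(day_key, i): i for i in range(first, first + INTERVALS_PER_KEY)}


class Phone:
    def __init__(self):
        self._day_keys = {}     # day index -> 16 random bytes; uploaded only on diagnosis
        self.seen = []          # (timestamp, identifier, rssi, dwell_s) from BLE scans

    def advertise(self, ts):
        """Identifier broadcast at `ts`; derived on the fly, no table is stored."""
        interval = ts // INTERVAL_SECONDS
        key = self._day_keys.setdefault(interval // INTERVALS_PER_KEY, os.urandom(16))
        return rolling_identifier(key, interval)

    def observe(self, ts, identifier, rssi, dwell_s):
        self.seen.append((ts, identifier, rssi, dwell_s))

    def diagnosis_keys(self):
        """What a positive user uploads: day keys only, never the contact log."""
        return sorted(self._day_keys.items())

    def exposure_seconds(self, published_keys):
        """Re-derive identifiers from published keys and match the local log."""
        derived = {}
        for day, key in published_keys:
            derived.update(identifiers_for_key(key, day))
        total = 0
        for ts, ident, rssi, dwell_s in self.seen:
            interval = derived.get(ident)
            # must match AND have been heard in its own interval (rejects replays)
            if interval == ts // INTERVAL_SECONDS and rssi >= RSSI_THRESHOLD_DBM:
                total += dwell_s
        return total


def demo():
    """Constructed scenario: Alice is diagnosed; Bob, Carol and Dave check locally."""
    t0 = 1_600_000_000
    alice, bob, carol, dave, relay = Phone(), Phone(), Phone(), Phone(), []
    # Bob sits near Alice for three 10-minute intervals; Carol hears her once, weakly.
    for k in range(3):
        t = t0 + k * INTERVAL_SECONDS
        bob.observe(t, alice.advertise(t), -60, INTERVAL_SECONDS)
    carol.observe(t0, alice.advertise(t0), -85, INTERVAL_SECONDS)
    # An attacker re-broadcasts Alice's t0 identifier to Dave 50 minutes later.
    dave.observe(t0 + 5 * INTERVAL_SECONDS, alice.advertise(t0), -50, 3 * INTERVAL_SECONDS)

    relay.extend(alice.diagnosis_keys())   # the server stores keys, never logs
    return {
        "uploaded_keys": len(relay),                                          # 1 day key
        "rotates": alice.advertise(t0) != alice.advertise(t0 + INTERVAL_SECONDS),
        "bob_seconds": bob.exposure_seconds(relay),                           # 1800
        "bob_notified": bob.exposure_seconds(relay) >= MIN_CONTACT_SECONDS,   # True
        "carol_notified": carol.exposure_seconds(relay) >= MIN_CONTACT_SECONDS,  # False
        "dave_notified": dave.exposure_seconds(relay) >= MIN_CONTACT_SECONDS,  # False: replay
    }


if __name__ == "__main__":
    print(demo())
```

The scaling concern from the paragraph is visible in exposure_seconds(): every phone derives 144 identifiers for every published key, so the work grows with the number of diagnosed users, not with the phone's own log. The false-positive concern is also visible: whether Bob is notified is decided by a fixed RSSI and duration rule on the device, with no contact tracer in the loop to weigh the context.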

Protocol change

During the Senate Select Committee public hearing on COVID-19 and the COVIDSafe app, it was revealed the DTA was looking into transitioning the protocol from BlueTrace to the Google and Apple developed Exposure Notification framework. The change was proposed to resolve the outstanding issues with the performance of third-party protocols on iOS devices. Unlike BlueTrace, the Exposure Notification framework runs at the operating system level with special privileges not available to any third-party framework. Adoption of the framework is endorsed by multiple technology experts.
Transitioning from BlueTrace to ENF presented several issues, most notably that, as the app cannot run both protocols simultaneously, any protocol change would be a hard cut between versions. This would result in the app no longer functioning for any users who had not yet updated to the ENF version of the app. Additionally, the two protocols are almost completely incompatible, meaning the vast majority - all but the UI - of the COVIDSafe app would have to be redeveloped. Similarly, because of the change from a centralised reporting mechanism to a decentralised one, very little of the existing server software would be usable. The role of state and territory health authorities in the process would also change significantly, as they would no longer be responsible for determining and contacting encounters. This change would involve retraining health officials and penning new agreements with states and territories.
Up until at least, the DTA was experimenting with ENF, however in an interview with The Project held on, Deputy Chief Medical Officer Dr Nick Coatsworth stated COVIDSafe would "absolutely not" transition to ENF. He reasoned the government would never transition to any contact tracing solution without human-in-the-loop reporting, something that no decentralised protocol can support.

Issues

Issues on iOS

Versions 1.0 and 1.1 of COVIDSafe did not scan for other devices when the application was placed in the background on iOS, resulting in far fewer contacts being recorded than was possible. Version 1.2 improved this behaviour. Additionally, until the update, a bug existed where locked iOS devices did not fetch new temporary IDs. This meant that a device's temporary ID pool could easily be exhausted unless the phone happened to be unlocked when the app tried to refresh the pool.
However, all digital contact tracing protocols, with the exception of the first-party Google/Apple protocol, experience degraded performance on iOS devices. These issues occur when the device is locked or the app is not in the foreground. This is a limitation of the operating system, stemming from how iOS manages battery life and resource priority. The Android app does not experience these issues because it can ask the operating system to disable battery optimisation, and because Android is more permissive with background services.

Country calling code restrictions

COVIDSafe requires an Australian mobile number to register, meaning foreigners in Australia need a local SIM card. Initially, residents of Norfolk Island, an external territory of Australia, were unable to register with the app because the island uses a different country calling code from mainland Australia, +672 instead of +61. The Australian government released an update resolving the issue on.

Privacy concerns

Upon announcement, the app was immediately met with wide criticism over the potential privacy implications of tracking users. While some criticism can be attributed to poor communication, fears were further stoked when Prime Minister Scott Morrison and Deputy Chief Medical Officer Paul Kelly refused to rule out the possibility of making the app compulsory, with Prime Minister Morrison stating the next day it would not be mandatory to download the app. Additionally, several privacy watchdogs raised concerns over the data collected by the app, and the potential for the centralised reporting server to become a target for hackers. To address concerns, the Attorney General launched an investigation into the app to ensure it had proper privacy controls and was sufficiently secure. The Minister for Home Affairs, Peter Dutton, also announced special legislation to protect data collected through the app. The app was supposed to be open sourced to allow it to be audited and analysed by the public, however this was delayed until a review by the Australian Signals Directorate had been completed. On the source code was released.
Issue was also taken with the fact the backend of the app runs on the Amazon Web Services platform, meaning the US Government could potentially seize the data of Australian citizens. Data is currently stored within Australia in the AWS Sydney region data centre. In a public hearing on COVIDSafe, Randall Brugeaud, CEO of the Digital Transformation Agency, explained that the decision to use AWS over purely Australian owned cloud providers was done on the basis of familiarity, scalability, and resource availability within AWS. The AWS contract was also drawn from a whole of government arrangement.
Following the global rollout of the Google and Apple developed Exposure Notification Framework in late, public concerns were raised that the government or the companies were tracking users without their knowledge or consent. These claims are false, as COVIDSafe and ENF are completely incompatible, and ENF is disabled until a compatible app is installed and explicit user consent is given. Even if a third party were to obtain the encounter log of a user, no persons could be identified without also holding the logs of other users the client has encountered.

Attorney General privacy impact assessment

On the Attorney General's report and the subsequent response by the Department of Health were released. The report made the following recommendations:
In its response, the Department of Health agreed to all recommendations with the exception of "rectification of personal information". Rather than building a process to do so, a user can simply uninstall and reinstall the app to change their personal information. A process to formally correct information is to be introduced later.

Independent analysis

On, a group of independent security researchers including Troy Hunt, Kate Carruthers, Matthew Robbins, and Geoffrey Huntley released an informal report raising a selection of issues discovered in the decompiled app. Their primary concerns were two flaws in the implementation of the protocol that could potentially allow malicious third parties to ascertain static identifiers for individual clients. Importantly, all issues raised in the report were related to incidental leaking of static identifiers during the encounter handshake. To date, no code has been found that intentionally tracks the user beyond the scope of contact tracing, nor code that transmits a user's encounter history to third parties without the explicit consent of the user. Additionally, despite the flaws discovered through their analysis, many prominent security researchers publicly endorse the app.
The first issue was located in, the class responsible for advertising to other BlueTrace clients. The bug concerned a supposedly random, regularly changing three-byte string included in that was, in fact, static for the entire lifetime of an app instance. This string was included in the advertising data seen by every nearby scanner, before any handshake took place. In OpenTrace this issue did not occur, as value changes every 180 seconds. While three bytes alone may not uniquely identify a device in a densely populated area, a value that never changes can be correlated across advertisements over time and, combined with other static identifiers, could have been used by malicious actors to track and ultimately identify users. This issue was addressed in the update.
The second issue was located in, the class responsible for managing BLE peripheral mode, where the cached read payload was not correctly cleared. The code behaved normally when a handshake succeeded, but a remote client that deliberately broke the handshake (reading the payload and then disconnecting without writing back) would receive the same TempID on every subsequent read until a handshake succeeded, regardless of how much time had passed. This meant a malicious actor could always intentionally break the handshake and, for the lifetime of the app instance, be served the same TempID. This issue was resolved in OpenTrace, yet remained unfixed in COVIDSafe until the update.
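The two bugs described above, as an added simulation that is not COVIDSafe or OpenTrace code: a buggy peripheral and a corrected one are run side by side against a central that reads the characteristic and then drops the connection without writing back, and against an honest central. Class and method names, the payload layout, the TempID rotation window and the timings are assumptions; the real classes are Android BLE code and are not reproduced here.

```python
"""Added example, not COVIDSafe or OpenTrace code: a simulation of the static
advertising value and the uncleared read-payload cache.  Names, payload
layout and timings are assumptions.
"""
import secrets

TEMPID_LIFETIME_SECONDS = 15 * 60   # assumed TempID rotation window
SUFFIX_LIFETIME_SECONDS = 180       # OpenTrace regenerates its random advert value every 180 s


class Peripheral:
    """BLE peripheral side of the BlueTrace handshake (simplified)."""

    def __init__(self, now, fixed):
        self.fixed = fixed
        self._suffix = secrets.token_bytes(3)    # the "random" 3-byte advert value
        self._suffix_at = now
        self._tempids = {}                       # window index -> TempID
        self._cached_payload = None              # payload served on a read
        self.encounters = []                     # peers from completed handshakes

    def _tempid(self, now):
        window = now // TEMPID_LIFETIME_SECONDS
        return self._tempids.setdefault(window, secrets.token_hex(8))

    def advertisement(self, now):
        """Advertising data seen by every nearby scanner, before any handshake."""
        if self.fixed and now - self._suffix_at >= SUFFIX_LIFETIME_SECONDS:
            self._suffix = secrets.token_bytes(3)    # rotate, as OpenTrace does
            self._suffix_at = now
        return self._suffix                          # buggy: never changes

    def on_read(self, now):
        """Central reads the characteristic: build the payload once and cache it."""
        if self._cached_payload is None:
            self._cached_payload = {"tempid": self._tempid(now), "model": "phone-model"}
        return self._cached_payload

    def on_write(self, central_payload):
        """Central writes its own payload: handshake complete, log it, clear cache."""
        self.encounters.append(central_payload["tempid"])
        self._cached_payload = None

    def on_disconnect(self):
        if self.fixed:
            self._cached_payload = None   # OpenTrace clears here; the buggy version did not


def probe(peripheral, times):
    """Malicious central: read, then disconnect without completing the handshake."""
    tempids, suffixes = [], []
    for t in times:
        suffixes.append(peripheral.advertisement(t).hex())
        tempids.append(peripheral.on_read(t)["tempid"])
        peripheral.on_disconnect()
    return tempids, suffixes


def honest(peripheral, times):
    """Well-behaved central: read, write back, disconnect."""
    tempids = []
    for t in times:
        tempids.append(peripheral.on_read(t)["tempid"])
        peripheral.on_write({"tempid": "central-" + secrets.token_hex(4)})
        peripheral.on_disconnect()
    return tempids


def demo():
    t0 = 1_600_000_000
    hours = [t0 + h * 3600 for h in range(4)]     # four contacts, one hour apart
    buggy_ids, buggy_suffixes = probe(Peripheral(t0, fixed=False), hours)
    fixed_ids, fixed_suffixes = probe(Peripheral(t0, fixed=True), hours)
    return {
        "buggy_distinct_tempids": len(set(buggy_ids)),        # 1: trackable for hours
        "fixed_distinct_tempids": len(set(fixed_ids)),        # 4
        "buggy_distinct_suffixes": len(set(buggy_suffixes)),  # 1: static for the app's lifetime
        "fixed_distinct_suffixes": len(set(fixed_suffixes)),  # 4
        # the cache bug only shows against a broken handshake; honest peers see rotation
        "buggy_after_honest": len(set(honest(Peripheral(t0, fixed=False), hours))),  # 4
    }


if __name__ == "__main__":
    print(demo())
```

The point of running the honest central too is that ordinary testing would never have surfaced the cache bug: a completed handshake clears the cache, so TempIDs appear to rotate correctly unless the tester deliberately aborts the exchange.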
Other issues more inherent to the protocol include the transmission of device model as part of the encounter payload, and issues where static device identifiers could be returned when running in GATT mode. Many of these are unfixable without redesigning the protocol, however they, like the other issues, pose no major privacy or security concerns to users.

Legislation

The Biosecurity Determination 2020, made under the authority of the Biosecurity Act 2015, governs how data collected by the COVIDSafe app is stored, submitted, and processed. A separate bill, the Privacy Amendment Bill 2020, was later introduced to codify this determination. The determination and bill make it illegal for anyone to access COVIDSafe app data unless they are an employee or contractor of a state or territory health authority and have the consent of the device owner. Collected data may be used only for the purpose of contact tracing or anonymous statistical analysis; it cannot be stored on servers residing outside Australia, nor disclosed to persons outside Australia. Additionally, all data must be destroyed once the pandemic has concluded, overriding any other legislation requiring data to be retained for a certain period of time. The bill also ensures no entity may compel someone to install the app. Despite this, there have been reports of multiple businesses attempting to require employees to use the app.