While the government has been at pains to address privacy concerns about the COVIDSafe app, cybersecurity analysts believe the data could be mined for other uses. By Karen Middleton.
How the COVIDSafe data could be used
The technology behind the Australian government’s new COVIDSafe tracing app could create a comprehensive social contacts map of the nation – a potentially valuable dataset to foreign governments and Australian law enforcement.
That’s the view of one analyst, Professor Dali Kaafar, executive director of the Optus Macquarie University Cyber Security Hub, who has studied the app’s functions and the source code of the Singaporean version, which he says the Australian app very closely matches.
He argues that if the entire dataset were to become centrally located and accessible, it would likely be of great interest to governments and other organisations.
Under current Australian law, only state and territory health officers tracing coronavirus contacts will have access to the data COVIDSafe collects and, even then, only parts of it, under very strict conditions.
But Kaafar says that if the security provisions changed, the COVIDSafe data could be crossmatched with other personal data, including open-source information about personal activities posted on social media sites.
That could provide a very accurate and revealing portrait of Australians’ movements, who they spend time with, precisely when and ultimately even where.
“You could, essentially, absolutely build a social relationship graph of exactly who is meeting with whom and who is really in close contact with whom,” Kaafar tells The Saturday Paper.
Under a new federal government biosecurity determination, it would be illegal to use the information in this way.
But Kaafar argues there should be public consideration of the implications if it could be accessed.
Some tech observers suggest the selection of United States tech giant Amazon Web Services (AWS) as the data manager for COVIDSafe could put data collected by the app within reach of the US government.
Government sources insist AWS will be subject to Australian law, which prevents that foreign access. They also say the company must use an Australian-based server for the data, and one that does not have any Chinese ownership.
A document published by WikiLeaks in 2018 showed that Sydney’s Global Switch data centre, now Chinese owned, was among six existing AWS server sites in Australia.
Some legal experts believe the selection of AWS could set Australian law on a collision course with America’s PATRIOT and CLOUD acts, which allow US security agencies to compel American companies under warrant to make data available, even if it is stored on foreign soil.
The CLOUD Act allows access via warrant for the purposes of criminal investigation, while the PATRIOT Act governs counter-terrorism.
Such a conflict would put Amazon in a difficult position, should the information ever become of interest to the US government.
AWS country public sector director for Australia, Iain Rouse, said Australia’s Digital Transformation Agency, which is managing the contract, is one of many agencies worldwide that AWS was supporting with secure services in battling Covid-19.
“With comprehensive services and features that enable customers to meet the highest security and compliance requirements, AWS can empower customers to move at the speed necessary to have an impact,” Rouse said in a statement to The Saturday Paper. “As always, customers must adhere to applicable security and privacy laws in their jurisdictions.”
Kaafar notes that the US government has previously accessed information stored by Google in Europe, so there is precedent.
There are those who dispute how much value the COVIDSafe app’s information would have to foreign governments.
One source in the cybersecurity community told The Saturday Paper that while hostile governments might see it as useful, allies such as the US would be unlikely to bother.
They argue the US could obtain any information it wanted about individuals – and in a more curated and targeted form – by asking the Australian government directly.
They also note the centrally stored dataset from the app will be a subset of a subset, only including the contacts of those who have downloaded the app and either tested positive or been near someone who has.
Former national cybersecurity adviser and now chief strategy officer at CyberCX Alastair MacGibbon rejects suggestions that selecting an American company could leave the data vulnerable to retrieval by the US.
“I think the discussions around the PATRIOT Act and the CLOUD Act are a red herring,” MacGibbon says. “That flies in the face of corporations and governments all around the world using Amazon and Microsoft as hyperscale cloud providers.”
The COVIDSafe app was rolled out last Sunday, just two days after the government-commissioned privacy impact assessment was completed and one day after it was published.
By late this week, almost three million Australians had installed the app.
Prime Minister Scott Morrison has urged “millions and millions and millions more” to do the same.
The app’s assessors, law firm Maddocks, noted they had been unable to undertake the usual consultation because of the short time frame. The government’s response, also published on April 25, accepted their recommendations for improvements.
Kaafar and other cybersecurity analysts say the app appears secure.
“We know that this app is really safe,” he says. “It’s really private from one user to the other. I think this is something that has been clarified … Don’t worry about other people really snooping in your data, for example, because the app is safe, from that side of things.”
Kaafar says the most important information it collects, such as personal identifiers, is transferred to the central data store in an encrypted form.
But he also says there are some differences between the way the app is being described publicly and the way it actually functions.
For example, some of the information it gathers – including the time that a so-called digital handshake between users is recorded, the phone models involved and the Bluetooth signal strengths – is not encrypted at all.
COVIDSafe works by logging these “handshakes” between users. Using Bluetooth technology, it searches for signals about once a minute – an analysis by Q Team IT research and development specialists suggests it’s about every 36 to 43 seconds – and records every passing interaction with other devices also running the app.
If a user tests positive to coronavirus, they will be asked to upload their data.
A health officer then notifies that person’s close contacts, as revealed by the data. If any of those contacts then also test positive, they will be asked to upload their app’s data to allow their contacts to be traced.
However, some of the fine print about the app’s precise functioning has been shorthanded in public messaging.
Government ministers emphasise that only those contacts who have been within 1.5 metres of an infected person for more than 15 minutes will be notified.
But the app records every contact with another app user and, if the data is uploaded, all those handshakes are included.
The compilation and filtration of the data into “close contacts” is done by algorithm at the secure central data point and made available to state and territory health officials. Those officials only access somebody’s records after they – or someone they’ve been near – tests positive.
The definition of a “close contact” is not as clear as the “15-minute” test would suggest. The Health Department told The Saturday Paper it involves contact with devices that are at most 1.5 metres away for a total period of 15 minutes or more – but not necessarily 15 consecutive minutes. Essentially, the threshold can be passed by multiple shorter contacts over seven days, starting from two days before the infected person first notices symptoms.
Due to technical differences between phones, establishing whether app users were within 1.5 metres of one another isn’t automatic. To establish the distance, the signal strength is crossmatched at the central storage point against information about the various signals that different devices emit.
The data is automatically deleted from a user’s phone or other device after 21 days. But it isn’t automatically deleted from the central data storage cloud. That only occurs when a user applies to have it removed.
Under the biosecurity determination the government has made – an interim legal measure until legislation is passed next month – the entire database must be deleted once the pandemic is over.
But that circumstance is not defined.
The Health Department spokesperson said the chief medical officer, currently Professor Brendan Murphy, would determine when the pandemic was over.
The law stipulates that the COVIDSafe data can only be used for Covid-19 tracing, or for prosecuting anyone who breaches the law governing the app’s use. It can’t be stored or transferred overseas, except in the course of undertaking the tracing.
The app is effectively exempt from the Privacy Act, governed instead by its own specific privacy protections.
It is illegal for any unauthorised person to decrypt the data, or to coerce anyone to install the app or upload their data. The law also bans discrimination against individuals who choose not to install the app.
Australian Privacy Foundation chair David Vaile is concerned the government is pitching the app as a choice between safety and privacy.
“It is a more manipulative, rather than a straightforward, approach,” he tells The Saturday Paper.
Vaile was among 30 representatives of non-government organisations who took part in a teleconference on Tuesday, convened by the Australian Communications Consumer Action Network, to discuss the app and its implications.
The next day, Morrison described the app as being like “putting on sunscreen”.
But Vaile points to Singapore and says its second wave of infections despite using a similar app – which had a relatively low take-up rate – proves the analogy is not accurate. “This will not keep you safe,” Vaile says. “This will not prevent you from getting infected. Also, this will not tell you if you are near someone who is infected [until later].”
Privately, government officials acknowledge this, saying the app is about preventing the spread of infection through better tracing. They also acknowledge COVIDSafe will have greater application as national physical-distancing restrictions ease and people mix more freely.
But the app will not help notify anyone an infected person encounters unless they spend long periods in close proximity. Exchanging money or passing goods at the supermarket checkout, for example, will not qualify as a close contact, even though both people may touch the same items.
The Health Department emphasises that the app is an additional tracing tool, not a replacement. “COVIDSafe contact tracing augments the existing manual contact tracing process,” its spokesperson says.
Professor Dali Kaafar acknowledges the app’s potential usefulness. But he also warns that the decision to use a central data store – an option rejected by some other countries – is what raises questions about possible other uses.
“There are heaps of potential inferences to be made [from the app’s data],” he says. “We shouldn’t really underestimate the power of data mining, the power of information retrieval techniques, the power of how certain technologies in data processing have advanced…
“All we need is a bit of information to realise that, you know, a certain politician is very much linked to these people and not the others, or whatever. That’s, again, sensitive data that some people might consider very, very valuable.”
This article was first published in the print edition of The Saturday Paper on May 2, 2020 as "All over the app".