SPEECH: COVIDSafe Contact Tracing App

Tim Watts MP
May 12, 2020

I am pleased to have the opportunity to speak on the Privacy Amendment (Public Health Contact Information) Bill.

We all have a role to play in our nation’s fight against the COVID-19 pandemic and I am pleased that for this week, Parliamentarians are being allowed to do their job in this place – providing representation for our communities and scrutiny of the government.

If footy players are getting back onto the training pitch, we can certainly do our jobs in this place.

On the whole, the Bill before the house is a good one.

This bill provides an enduring legislative framework for the protection of information collected by the government’s new COVIDSafe contact tracing app.

In many ways the privacy protections included in this bill are – to use the word of our times – unprecedented in Australian law.

These protections are important not only for delivering important privacy outcomes, but also to boost public confidence and help increase take up of the app.

Labor has worked with the Government on amendments to further strengthen these privacy protections and I thank the Shadow Attorney General for his work in this regard and the government for its cooperative approach.

The result is that this bill will provide the strongest privacy protections for any data ever collected in Australia.

The way that Labor has constructively worked with the government on this bill reflects our support for the idea of a contact tracing app to assist our public health experts in the next stage of our response to COVID19.

Many Australians – around 5 million people or about 20% of the population – have also shown their willingness to do their bit to support this endeavour by downloading the app to their phones.

The government has been able to tap into an enormous wellspring of solidarity and community support in reaching this level of take up.

It is a genuinely impressive response from the Australian community that we can all be proud of.

However, the ultimate effectiveness of this app will depend on more than just this initial public response.

Those who want this app to succeed should be clear-eyed about these challenges.

We need to understand the app’s limitations so that the government can continue to improve it and the public can adapt its behaviour to take it into account.

The first thing that it’s important for everyone to understand is that the COVIDSafe app’s objective is to protect the community, not the individual.

The contact tracing enabled by the COVIDSafe app is designed to stop the spread of COVID throughout the community, making us all collectively safer.

But the public must understand that installing this app will not provide any form of individual protection to you. It’s not a preventative.

It is misleading to describe this app as being like sunscreen.

That might be effective as a sales job to drive downloads, but it is misleading as to the COVIDSafe app’s individual health benefits.

Unfortunately, there is an emerging misconception amongst some in the community that the app provides some form of personal protection or warning if they are near infected people.

It doesn’t – and it’s important that people who have installed the app do not behave as if it does.

If people think installing the app is a licence to engage in risky behaviour, it will undermine the work of the public health officials it’s designed to assist.

Even if you have installed the app, you still need to carefully follow the medical advice of the health experts in your state on social distancing.

The second challenge to the effectiveness of the app that needs to be confronted is its performance limitations.

The COVIDSafe App is not a silver bullet for contact tracing.

The government, health officials and the general public need to be aware of its technological limitations to guide their behaviour.

Unfortunately, a fortnight after the public release of this app, the functionality of the app on iOS devices – nearly half of the market – is still unclear.

Troublingly, the statements from the government about the way the app works on iOS devices have varied over time.

In the hours before the app was launched by the Prime Minister, the government’s COVIDSafe information page stated:

“COVIDSafe app needs to be open to work effectively. Keep the app open and notifications on when you’re out and about, especially in meetings and public places. Activate the in-app power saver mode (flip your unlocked device upside down or face down while the app is running). This keeps the app open with a dimmed screen so that it can detect other devices running COVIDSafe app.”

But shortly before the PM’s press conference, this text was altered to:

“Keep COVIDSafe running and notifications on when you’re out and about, especially in meetings and public place (sic).”

This inconsistent messaging was reflected in statements from government ministers and public servants.

On the day of the launch of the app, the Government Services Minister Stuart Robert declared:

“To be effective, users should have the app running in the background when they are coming into contact with others. Your phone does not need to be unlocked for the app to work.”

Yet later, the head of the Digital Transformation Agency Randall Brugeaud hedged:

“The quality of the Bluetooth connectivity for phones that have the app installed, running in the foreground is very good. It progressively deteriorates and the quality of the connection is not as good as you get to a point where the phone is locked and the app is running in the background.”

This has only been compounded when these statements about how the app worked were tested against the real-world performance of the app by the Australian tech community – with mixed results.

Today, the actual effectiveness of the app on iPhones in background mode remains obscure.

It certainly isn’t catching all potential contacts between locked iPhones or between iPhones where the app is operating in the background.

These performance issues have real consequences.

The most obvious is its impact on the public messaging required from the government.

Public health messaging shouldn’t require citizens to follow GitHub forks to know what to do if they want to use the app the right way.

If the app requires users to take actions in order to use the app effectively, government messaging needs to make this clear.

It’s not just users who need to understand this either – these technical limitations may well have implications for employers.

Mobile Device Management policies – including the policies of the Department of Parliamentary Services – frequently require the automatic locking of devices. Those managing these systems need to understand the impact of these policies on the operation of the app.

Public Health officials need to understand this too in order to be able to judge the tracing capability available to them through this app for managing further outbreaks.

Epidemiologists studying the transmission dynamics of COVID19 have sought to model the effects that app-based contact tracing could have in helping to contain the epidemic in a country.

Oxford University epidemiologists have found that around half of COVID19 transmission occurred before individuals were symptomatic and looked at how a contact tracing app could help reduce this form of onward transmission.

Their modelling tested the impact of a contact tracing app based on a range of take up assumptions and concluded that if 80% of smart phone users or 56% of the population used the app, it could effectively contain the epidemic in a country.

Lower take up rates for the app could still assist in reducing infection and death rates as well as the prospects of subsequent lock downs.

Importantly however, underpinning each of these scenarios in the Oxford University modelling was an assumption that:

“80% of modelled contacts are registered by the app, either for technical reasons, or due to some contacts involving people not carrying their phones.”

We’ve seen a series of take up targets for the COVIDSafe app floated by the government in recent weeks, ranging from 40% of the Australian population, to 40% of mobile phone users, to ‘at least a third of Australians’.

We haven’t, however, been told what proportion of potential contacts between apps the government is expecting the current configuration of the app to register.

This figure has big consequences.

As Dr Adam Dunn, a biomedical informatics expert at the University of Sydney, explained to the ABC, if 70% of Australians downloaded the app and the app registered all potential contacts, up to half of all contacts could be caught by the app.

In contrast, if 40% of the population downloaded the app, but only half of the potential digital handshakes between downloaded apps were completed, then only 4% of all contacts – less than 1 in 20 contacts – would be caught by the app.

This is why the effectiveness of the app the government has designed in registering contacts matters.

We should be clear: the reduced effectiveness of the COVIDSafe app on iOS devices is the result of design decisions taken by the government – specifically its decision not to wait for the new Apple-Google API for contact tracing.

The Prime Minister’s decision to move away from his original rejection of the need to use the Apple-Google API for this app in mid-April is welcome, but it’s now important that the government prioritises incorporating the Google/Apple API/OS integration as soon as possible to maximise the number of potential contacts caught.

Once this new version is released, we’ll need a new public information campaign to encourage people to update their app to catch the 10–20% of users who don’t regularly update their apps.

This app could play an important role in helping us move beyond current coronavirus restrictions – so it’s important that the government gets its implementation right.

Cyber Security

Finally, I want to make a few comments on this bill from the perspective of my Cybersecurity portfolio.

The provisions of this bill, and the government’s overall approach to this app highlight an ongoing philosophical problem in the government’s approach to security.

For this government, security seems to be founded on secrecy and obscurity.

They won’t be accountable to the Parliament about the cyber security posture of Commonwealth entities because they believe talking about security posture is a security risk – as though adversaries rely on Senate Estimates for vulnerability scanning.

They respond to good faith reports of security issues by threatening the employment of academic researchers and seeking to make independent security research a crime.

They gag security researchers with views that scare them from speaking at government security conferences.

They instinctively over-classify, creating needless obstacles to cyber security threat intel sharing and genuine engagement with private sector stakeholders.

Security doesn’t work this way.

Transparency doesn’t create security threats, it reveals them.

Security vulnerabilities continue to exist whether you talk about them or not.

Accountability doesn’t undermine security, it strengthens it by identifying problems and creating incentives to fix them.

The broader technology and security communities aren’t a threat to be managed, they’re an opportunity to be engaged.

While the process the government has pursued in the development and release of this app has offered more transparency than is usual from this government in this space, it is still falling short of that seen in peer nations.

I want to thank Vanessa Teague for her diligent work compiling the following international comparisons of government transparency and accountability in contact tracing app development and bringing them to public attention.

It wasn’t until two weeks after its public launch that the government released the source code of the iOS and Android versions of the app.

In comparison, both the UK and Singapore released the source code for their apps either before their launch or at the time of the launch.

The Australian government has stated that it will not be releasing the source code for the National COVIDSafe server supporting the app.

In contrast Singapore has released the source code for both the app and the server.

Both Singapore and the UK released white papers explaining the security and encryption decisions made in the implementation of the app.

The UK has indeed published a detailed paper from the technical director of the National Cyber Security Centre.

We haven’t seen anywhere near the same security transparency from the Australian bodies who have reviewed the app.

We’re told that it received the thumbs up, but there isn’t anything detailed for external researchers to engage with to validate this.

We don’t know for example why the COVIDSafe design team chose to rotate handset encrypted IDs every 2 hours instead of every 15 mins.

Or why they chose to obtain only a single new tempID from a central server at a time (contrary to the recommendation in the TraceTogether whitepaper that daily batches are downloaded), leaving handsets without a new ID if they are outside internet coverage.

Finally, there is no public Vulnerability Disclosure Process for this app.

Members of the Australian tech community, public interest technologists, have donated countless hours to analysing the code of the COVIDSafe app looking for bugs and vulnerabilities.

And they found issues – with both the security and the performance of the app.

While on the whole, most researchers believed that the bugs/vulns they found would not have dissuaded them from downloading the app given the potential public benefits, it would be better for these unintended privacy issues to be remedied.

As one researcher, Jim Mussared, put it:

“Don’t Panic!! Users are advised to be aware of these issues but in most cases might reasonably conclude that they are not significant enough to warrant not using the app. I still have the app installed (Android) and will continue to do so.”

“I support the COVIDSafe application and want to see lives saved, but at the same time it’s very important to me that these privacy issues are addressed.”

But when Jim disclosed security issues via the public facing email address for the app (as well as the emails of DTA, ASD, ACSC and the Cyber Security CRC) he received no response for 8 days.

It was only when the issue attracted media attention that he received a one line acknowledgement email.

An update to the app released the day he received a response did not address the issue he raised.

At a minimum, a functioning vulnerability disclosure process should set expectations for how the organisation will engage with reports and subsequently respond.

An email address that operates as a blackhole is not a vulnerability disclosure process.

The best technology companies in the world do this, the US military does this and the UK government has a government wide vulnerability disclosure platform operated by HackerOne – Australia should follow suit.

We shouldn’t exaggerate their impact – vulnerability disclosure processes and their extension – bug bounty programs – are supplements to good security practice, not replacements for it.

But we’ve already seen the value that an extra set of eyes can offer to improving the security and performance of this app and the government should avail itself of this.

The government should listen to these voices.

Tim Watts MP

Shadow Assistant Minister for Cybersecurity and Communications. Labor Member for Gellibrand. Authorised: Tim Watts, 97 Geelong Rd, #Footscray.