It’s alright, It’s ok? Or should we look the other way? Navigating the FUD and Stayin’ Alive with COVIDSafe

Arun Raghu
Hive Intelligence
Apr 28, 2020
The COVIDSafe App has attracted significant attention — both good and bad — in the last two weeks

On Sunday evening, April 26th, the Australian Government officially released its COVID-19 contact-tracing smartphone app (known as ‘COVIDSafe’) for download from the Apple App Store and Google Play.

Given the flurry of debate that has dominated public discourse about the app over the last two weeks, it’s likely that many Australians are getting lost in the noise being generated about it, and/or are stuck in ‘analysis paralysis’ over whether or not to install it.

Whether using the app is appropriate from a security and public policy perspective is unlikely ever to reach anything approaching broad consensus. However, given the rapidly evolving nature of the pandemic and the Government’s stated ambition to have at least 40 percent of the population — roughly 10 million people — using the app for it to be sufficiently effective, it’s important that people feel comfortable making a decision sooner rather than later[1].

And, with little else in the news at the moment outside of COVID-19, it’s likely that many of the security and privacy concerns around the app are being amplified even more than they normally would be, just as has been the case with Zoom and the security concerns expressed around its use.

So, let’s take a look at the debate a bit more closely and try to put some of the common arguments and threads of discussion in perspective.

A screenshot from COVIDSafe

The basics

Many readers will already know the basics regarding the app. While this article isn’t intended as a detailed technical analysis of its inner workings, in brief:

  • Once a user downloads and installs the app, they are asked to provide their full name, postcode, mobile number and the age range they fall within. The user’s phone number is then verified, after which the user’s registration information is stored encrypted in a central database.
  • A temporary unique ID is generated for each user, which is stored on their phone and updated every two hours. The app uses Bluetooth to identify any other phones in the vicinity with the app installed that are also sending out a corresponding Bluetooth signal. When a signal is detected, that information (including each user’s unique ID) is recorded as a ‘digital handshake’ and stored on each user’s phone in an encrypted file for a period of 21 days.
  • Beyond this, the app does not collect any location information about users and their movements.
  • If a user uninstalls the app, all digital handshakes recorded on their phone are deleted. However, if they have come into contact with someone using the app, their ID will still be captured on that other user’s phone for 21 days.
  • When a user of the app tests positive, that user can consent to all details of the digital handshakes recorded on their phone over the previous 21 days being uploaded to the central database. The unique IDs captured in the handshakes are used to identify the registration information (already in the database) of users who came into contact with the person who tested positive. Currently only handshakes that represent a contact risk — that is, 15 minutes of contact within 1.5 metres — will be flagged[2]. This information is decrypted and provided to health officials for contact tracing efforts[3].
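To make the data flow above concrete, here is a small Python model of the handshake, retention and contact-risk steps just described. It is an added illustration for this article, not code from the COVIDSafe app, the Digital Transformation Agency or TraceTogether, and it simplifies the real design: the server is assumed to issue random opaque temporary IDs and keep the mapping back to registrations (the real app’s derivation and encryption of IDs is not modelled), distance is supplied directly in the constructed sample data rather than inferred from Bluetooth signal strength, and the 15-minute threshold is treated as cumulative per contact. The names alice, bob, carol, dave and eve, the postcodes and the phone numbers are constructed.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

TEMP_ID_LIFETIME = timedelta(hours=2)   # temp ID rotates every two hours
RETENTION = timedelta(days=21)          # handshakes are kept on the phone for 21 days
CONTACT_DISTANCE_M = 1.5                # contact-risk thresholds from the article
CONTACT_MINUTES = 15


class Server:
    """Central database: registrations plus the temp-ID mapping (assumed design)."""

    def __init__(self):
        self.registrations = {}   # user_id -> registration details
        self.temp_ids = {}        # temp_id -> user_id

    def register(self, user_id, name, postcode, mobile, age_range):
        self.registrations[user_id] = dict(
            name=name, postcode=postcode, mobile=mobile, age_range=age_range)

    def issue_temp_id(self, user_id):
        tid = secrets.token_hex(8)   # opaque random token; an assumption, not the real scheme
        self.temp_ids[tid] = user_id
        return tid

    def resolve_contacts(self, handshakes):
        """Map uploaded handshakes back to registrations and apply the
        15 minutes / 1.5 metres filter (cumulative per contact: an assumption)."""
        minutes = defaultdict(float)
        for hs in handshakes:
            if hs["distance_m"] <= CONTACT_DISTANCE_M:
                minutes[self.temp_ids[hs["other_temp_id"]]] += hs["duration_min"]
        return {u: self.registrations[u]
                for u, m in minutes.items() if m >= CONTACT_MINUTES}


class Phone:
    def __init__(self, user_id, server, now):
        self.user_id, self.server = user_id, server
        self.handshakes = []      # encrypted at rest on the real device
        self.temp_id, self.temp_id_since = server.issue_temp_id(user_id), now

    def tick(self, now):
        """Housekeeping: rotate the temp ID and purge handshakes past 21 days."""
        if now - self.temp_id_since >= TEMP_ID_LIFETIME:
            self.temp_id = self.server.issue_temp_id(self.user_id)
            self.temp_id_since = now
        self.handshakes = [h for h in self.handshakes if now - h["when"] < RETENTION]

    def uninstall(self):
        self.handshakes.clear()   # the local log goes; copies on other phones remain

    def upload_on_positive_test(self, now):
        self.tick(now)            # only the last 21 days ever leave the phone
        return self.server.resolve_contacts(self.handshakes)


def handshake(a, b, when, duration_min, distance_m):
    """Digital handshake: each phone logs the other's *current* temp ID."""
    a.tick(when)
    b.tick(when)
    for me, other in ((a, b), (b, a)):
        me.handshakes.append(dict(other_temp_id=other.temp_id, when=when,
                                  duration_min=duration_min, distance_m=distance_m))


def demo():
    """Constructed scenario: Alice tests positive 26 days after registering."""
    start = datetime(2020, 4, 1, 9, 0)

    def day(n, h=0):
        return start + timedelta(days=n, hours=h)

    srv = Server()
    people = [("alice", "2000"), ("bob", "2000"), ("carol", "2010"),
              ("dave", "3000"), ("eve", "4000")]          # constructed sample data
    for i, (uid, postcode) in enumerate(people):
        srv.register(uid, uid.title(), postcode, f"04000000{i:02d}", "30-39")
    alice, bob, carol, dave, eve = (Phone(uid, srv, start) for uid, _ in people)
    first_id = alice.temp_id

    handshake(alice, dave, start, duration_min=30, distance_m=1.0)   # will age out
    handshake(alice, carol, day(19), 5, 1.0)                          # too brief
    handshake(alice, carol, day(19, 3), 30, 4.0)                      # too far
    handshake(alice, eve, day(24), 20, 1.0)
    eve.uninstall()                                                   # Eve removes the app
    handshake(alice, bob, day(25), 20, 1.2)                           # genuine contact

    flagged = alice.upload_on_positive_test(day(26))
    return dict(flagged=sorted(flagged), rotated=alice.temp_id != first_id,
                eve_local_log=len(eve.handshakes),
                bob_postcode=flagged["bob"]["postcode"])


if __name__ == "__main__":
    print(demo())
```

Running demo() shows three things the basics imply: a contact is flagged only when both the 1.5 metre and the 15 minute conditions are met; a handshake older than 21 days is purged and never leaves the phone; and Eve’s uninstall empties her own log but not the copy of her ID on Alice’s phone, so she is still identified when Alice tests positive. The model also makes plain what the central database can correlate once an upload happens, which is the crux of the privacy debate that follows.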

The design of COVIDSafe has been led by the Digital Transformation Agency, and is understood to be based on Singapore’s version of the app, known as TraceTogether.

The concerns

Some of the concerns being expressed around potential security and privacy risks to people’s data from the COVIDSafe app are probably quite fair. It is, however, difficult to precisely quantify the level of that risk at this point in time, given that:

  • While the government has committed to releasing the source code for the application, this will not occur for another 14 days, and in the meantime, Australians are being encouraged to download the app and start using it;
  • The security and privacy risk to the community arguably increases in proportion to take-up, and therefore to the number of Australians who have their data captured by the app, and at this stage we aren’t clear what that take-up will be.

Unsurprisingly, the Government has pointed to the potential public health benefits of the app as the key reason Australians should download it. But countering this is the following:

  • The degree to which the community chooses to use the application will take some time to become clear, but reaching a 40% usage rate appears extremely ambitious given that Singapore only achieved a take-up rate of around 20%, and — broadly speaking — trust in government there is likely significantly higher than it is here. So, quantifying the actual public health benefit that will accrue from use of the app is difficult, and there are no clear cases of international success with contact tracing apps that we can refer to;
  • There are probably a number of theoretical security risks whose magnitude we cannot precisely quantify at this time — for example, the potential for digital handshakes to be manipulated through false Bluetooth beacons that attempt to mimic a legitimate installation of the COVIDSafe app;
  • Rightly or wrongly, the current Government does not have the most enviable perceived track record when it comes to technology initiatives that have security and privacy implications. These difficulties have spanned the My Health Record episode (in which over 2 million Australians opted out of having an e-health record), the controversy surrounding the introduction of the Assistance and Access Bill of 2018[4] concerning encrypted communications, the Census drama of 2016, and the mandatory metadata retention laws introduced in 2014. Together, these episodes have undoubtedly created a degree of cynicism about the Government’s perceived regard for, and ability to safeguard, the security and privacy of Australians — particularly where it is storing information about people’s interactions in a centralised database;
  • Google and Apple are partnering together on a contact tracing solution that will be natively built into their smartphone operating systems, and which relies on a decentralised model for storing user data until such time as someone reports a positive test. This would allay some of the privacy and security concerns associated with the Government’s centralised database approach. Some people may also feel both companies have a better track record in advocating for user privacy and security, but that is a rabbit hole in and of itself…

In addition, some of the messaging that has been put forward in support of the COVIDSafe app has probably served to hinder rather than help the Government’s cause. For example, in mid-April, the Deputy Chief Medical Officer hinted at the possibility of considering requiring mandatory use of the app if voluntary take up proved insufficient. While the Prime Minister backed down from these remarks the following day, it immediately put privacy and security advocates on alert. Similarly, having the Minister for Government Services make public assurances around the privacy and security of the app, while likely well-intentioned, probably didn’t help the situation when only a matter of days earlier he had incorrectly attributed crashes of the MyGov website to a denial of service attack, rather than to the demand for Centrelink payments caused by the government’s closure of a number of businesses in response to the pandemic.

The upside

The upside is clear: if the app works, it will aid contact tracing efforts significantly, slow the spread of the virus and save lives. It may also help with easing current restrictions on social and economic activity. The Government has committed to putting in place a range of measures to protect the privacy and security of Australians as an added incentive to encourage users to download the app. These include:

  • The source code for the application will be released in the next two weeks to enable more detailed independent analysis. Ideally this would have happened sooner, but it is better than not at all;
  • Interim mechanisms have been introduced under the emergency declaration provisions of the Biosecurity Act 2015 to ensure the data collected by the app is not at risk of ‘scope creep’ — that is, the data cannot be used for purposes other than those related to contact tracing. These will soon be replaced by strict legislative provisions to formalise these protections;
  • Only State and Territory Health Officials will have access to the data;
  • The Government, through the Department of Health, has commissioned a comprehensive Privacy Impact Assessment of the COVIDSafe app, has agreed either in whole or part to the recommendations made in it, and taken steps to implement them.

The bottom line

There are undoubtedly security and privacy risks associated with COVIDSafe that are not negligible. However, when we are discussing the security and privacy issues associated with any new technology, system or application, it’s important to try to bring a degree of rationalism to the table. This becomes particularly challenging when there is a strong societal dimension involved, as is clearly the case with COVID-19. It becomes even more difficult in the current environment where COVID-related news dominates the media, meaning that discussion of security and privacy concerns is prone to being disproportionately amplified[5].

In an ideal world, we’d seek to eliminate the security and privacy risks associated with the Government’s contact-tracing app. Realistically, however, we are faced with competing constraints — just like we are in any typical cyber risk assessment exercise. In this case, the rapidly evolving nature of the pandemic means there isn’t the luxury of a lot of time to eliminate those risks. And so, as a matter of practicality, the focus needs to shift from one of risk elimination to one of risk mitigation. In this context, the Government has done a reasonable job of trying to facilitate this through its introduction of regulatory protections and committing to release the app’s source code.

There is of course the risk that a security breach involving data extracted from the app and stored centrally could occur, causing embarrassment and potential harm to the Government and millions of Australians. However, it’s important to acknowledge that those in the security industry do tend to look at things with a degree of paranoia and purism that colours our view and probably over-amplifies the magnitude of those risks — or at least causes some neglect of the factors that may offset them, such as the potential health-protecting and life-saving benefits that the enhanced contact tracing measures of the app may be able to facilitate.

Further, these are obviously extraordinary times. That means we simply don’t have the luxury of being able to expect or demand perfection in the circumstances. There’s also probably merit in suggestions that much of the data we would be sharing with the Government in using this app is no more sensitive than the data we share about ourselves online on different platforms day-to-day.

Given these considerations, and while it is certainly highly advisable for each person to make a decision they are comfortable with rather than blindly following the pack, there is nothing per se in the circumstances that is concerning enough to suggest that, as a blanket rule, people should not download the app.

What could be done better

While initial uptake of the app has been encouraging, it is likely that a good proportion of the end users who have downloaded it to date belong to the section of the population that holds fairly strong views in favour of the public benefits the app can bring, views which may have overridden their concerns about the government’s track record in the security and privacy space.

Ultimately, this widespread concern about the Government’s track record may have more impact in the coming days as people who are ‘on the fence’ about installing the app decide one way or the other, particularly when Google and Apple are developing their own solution and are in many respects competing for the trust of those same end users. It remains to be seen whether these factors will ultimately curtail the ability to achieve the desired 40% benchmark for overall use of COVIDSafe across the community. There are, however, some measures the Government could introduce to enhance the level of trust in the community and help the situation:

  • Introducing transparent and regular reporting mechanisms covering whenever COVIDSafe data is accessed, and by whom, would be a good start;
  • While the Government has assured that the data will only be accessed by State and Territory health officials, ensuring independent oversight is in place to guarantee this will be critical;
  • Additionally, independent assurance of the app, and endorsements from parties with sufficient security and privacy expertise, will be crucial. Releasing the source code in 14 days may help with this, but by that stage most Australians are likely to have already made up their mind one way or the other.

Addendum

As a point of interest, in a survey we ran internally of our own staff, just under half of those who participated indicated they would download and use the app — but would be doing so in spite of their relative lack of trust in government. This is particularly interesting in a security company, where people will naturally look at these sorts of issues through a particular lens that has a natural bias towards privacy and security concerns.

Despite this, and while there were clear indications from some that they would not download the app, the majority of those who participated in the survey indicated they would do so, or would at least seriously consider doing so. Interestingly, while the option was available in the survey, no one indicated they would download and install the app because of their trust in the Government in this space. This is probably reflective of the broader community as well, and indicates our leaders have some way to go to re-establish trust in the community when it comes to their approach to privacy and security related issues.

Arun is a Principal Security Advisor at Hivint / Trustwave.

These are not the official views of Hivint / Trustwave.

— — — — —

[1] As of Monday evening 27 April, 2 million Australians had downloaded the app.

[2] Note that given current social distancing restrictions, it is likely that for many people there will not currently be many handshakes that equate to a contact risk. If and when these restrictions are relaxed, it’s likely more handshakes would fall into the contact risk category.

[3] A good breakdown of how the app is understood to work is provided in the Department of Health’s Privacy Impact Assessment, available at https://www.health.gov.au/resources/publications/covidsafe-application-privacy-impact-assessment

[4] Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

[5] We’ve seen this unfold already in recent times with the massive publicity given to security concerns around the use of Zoom during the pandemic.
