The design of Australia's COVIDSafe contact tracing application creates opportunities for unintended monitoring, according to a group of four security professionals who unpacked its APK file.
Written by independent security researcher Chris Culnane; University of Melbourne tutor, cryptography researcher and master's student Eleanor McMurtry; developer Robert Merkel; and Vanessa Teague, associate professor at the Australian National University and CEO of Thinking Security, and posted on GitHub, the analysis notes three concerns about the design choices.
The first concern is the decision to rotate the UniqueIDs – the identifier the application shares with other users – only once every two hours, and to have a device receive a new UniqueID only while the application is running. The four researchers say this lets the government tell whether users are running the application.
“This means that someone who chooses to download the application, but prefers to deactivate it at certain times of the day, informs the Data Store of this choice,” they write.
The authors also suggest that persisting with a UniqueID for two hours “greatly increases the possibility of third-party monitoring.”
“The difference between 15 minutes and 2 hours of follow-up opportunities is substantial. For example, suppose the person has a home tracking device such as a Google Home Mini or Amazon Alexa, or even an inexpensive Bluetooth-enabled IoT device, which records the person's unique identifier at home before going out. Then consider that if the person goes to a mall or other public space, each device that cooperates with their home device can share information about where they went.”
The analysis also notes that “it is not true that all of the data shared and stored by COVIDSafe is encrypted. It shares the exact model of the phone in clear text with other users, who store it with the corresponding unique identifier.”
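The linking risk the authors describe depends only on how long one UniqueID stays in force relative to how far a person moves between observers. The following Python model, added here as an illustration and not taken from the researchers' analysis or the COVIDSafe code, uses a constructed itinerary of Bluetooth-logging devices and shows how many separate observers a single pseudonym ties together at 15-minute, 2-hour and (per the eight-hour cases the analysis mentions) 8-hour rotation intervals. The itinerary, device names and the assumption that the app runs continuously are all constructed for the example.

```python
"""Constructed model of how the UniqueID rotation interval bounds cross-device linking.

Assumption: the app is running the whole time, so UniqueIDs rotate on schedule and
every observer on the route logs the pseudonym in force at that minute.
"""
from collections import defaultdict

# Constructed itinerary: (minute of day, observer device). Each observer is a
# Bluetooth-equipped device that records the UniqueIDs it sees, as in the quote above.
ITINERARY = [
    (0, "home-smart-speaker"),
    (45, "train-carriage-beacon"),
    (90, "cafe-pos-terminal"),
    (150, "mall-entrance-beacon"),
    (210, "supermarket-beacon"),
    (300, "home-smart-speaker"),
]

HOME_OBSERVER = "home-smart-speaker"


def unique_id_at(minute, rotation_minutes):
    """Pseudonym index in force at a given minute (rotation boundaries at multiples of the interval)."""
    return f"uid-{minute // rotation_minutes}"


def observed_sightings(itinerary, rotation_minutes):
    """What a pool of cooperating observers collectively logs: (observer, minute, UniqueID)."""
    return [(observer, minute, unique_id_at(minute, rotation_minutes)) for minute, observer in itinerary]


def link_by_identifier(sightings):
    """Group sightings that share a UniqueID. This is everything the observer pool can
    correlate without breaking the pseudonym itself: a shorter rotation means
    fewer sightings per group."""
    groups = defaultdict(list)
    for observer, minute, uid in sightings:
        groups[uid].append((minute, observer))
    return dict(groups)


def longest_linked_chain(itinerary, rotation_minutes):
    """Largest number of distinct observers tied together by one UniqueID."""
    groups = link_by_identifier(observed_sightings(itinerary, rotation_minutes))
    return max(len({observer for _, observer in chain}) for chain in groups.values())


def home_linked_to_public(itinerary, rotation_minutes, home=HOME_OBSERVER):
    """True if some UniqueID logged by the home device was also logged in a public place,
    i.e. the home device's record can be matched to an outing."""
    groups = link_by_identifier(observed_sightings(itinerary, rotation_minutes))
    for chain in groups.values():
        observers = {observer for _, observer in chain}
        if home in observers and observers - {home}:
            return True
    return False


if __name__ == "__main__":
    for rotation in (15, 120, 480):
        print(
            f"rotation={rotation:>3} min: "
            f"max observers linked by one ID={longest_linked_chain(ITINERARY, rotation)}, "
            f"home record linkable to an outing={home_linked_to_public(ITINERARY, rotation)}"
        )
```

With the constructed route, a 15-minute rotation leaves every stop under a different pseudonym, so the home device's record cannot be matched to any public sighting; at two hours the home, train and cafe observers share one ID, and at eight hours the whole day collapses into a single pseudonym.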
It is worrying because:
The authors are also concerned that the application shares all UniqueIDs when users choose to report a positive COVID-19 test.
“COVIDSafe does not give them the opportunity to delete or omit certain identifiers before downloading,” they write. “This means that users consent to an all-or-nothing communication to the authorities regarding their contacts. We do not see why it was necessary. If they want to help defeat COVID-19 by letting strangers on a train or supermarket know they may be at risk, they must also share with the government a detailed picture of their day's close contact with family and friends, unless they remembered to stop the application at these times.”
The analysis also highlights some cases of unique IDs lasting up to eight hours, for unknown reasons.
The authors conclude that the application is not an immediate danger to users. But they say it presents “serious privacy concerns if we view the central authority as an adversary”.
None of this seems to bother Australians, who have downloaded it more than two million times in 48 hours, far exceeding adoption expectations.
Atlassian co-founder Mike Cannon-Brookes may have helped, suggesting it's time to “turn off angry mob mode”. He also offered the following advice: