Australia has released its promised COVID-19 contact search application.
Double COVIDSafe, the smartphone app follows the now established practice of asking people to register their name, age group, phone number and postal code, and create a unique identifier. This identifier is shared with other users of the application when they come into close contact with each other.
If a user is subsequently positive for COVID-19, he has the possibility of informing the health authorities. Other users who have had close contact with an infected person are then contacted by the health authorities. Close contact data is stored, encrypted, on devices for 21 days, but some data is stored off device for health authorities.
Only health workers can access data outside the device and even in this case only after initial membership and a second authorization request after a positive test.
The application, available for Android and iOS, uses a The TraceTogther app from Singapore and uses Amazon Web Services to store registration information, encrypted user IDs, and contact information.
Although the application source code has not been released, a privacy impact assessment [PDF] drawn up by lawyers recommends its availability. The Ministry of Health reply [PDF] approves, saying that it “will be published subject to consultation with the Australian Cybersecurity Center of the Australian Signals Directorate”.
No delay is proposed for this consultation, and there is no guarantee that the Cyber Security Center will accept the publication of the source code.
The app's use of AWS quickly raised eyebrows since the cloud giant is subject to the U.S. Patriot Act and may be forced to hand over COVIDSafe data despite the fact that it is stored on Australian soil. The legal basis for the application, however, seems reasonably solid.
A bulletin from the law firm Gilbert & Tobin analyzed the legal instrument underlying the application – a new ministerial determination made under subsection 477 (1) of the Bio-security Act – and commented as follows:
- “To the credit of the government, it avoids the formula of broad discretion and” woolly “principles that have characterized much of the telecommunications data security legislation of recent years.”
- “You cannot – to use the medieval language of the plague – be treated as a” leper “because you have decided not to download the application.” Not using the application cannot therefore be a reason to refuse a contract, refuse entry to premises or refuse to provide or receive goods or services
- The determination includes what the firm calls an “information panel on internal affairs”, which means that any investigation into the use of the application can only concern the determination, and not of possible violations of other laws.
Without the source code, it is impossible to make a complete evaluation of the software. However, the application's Android .APK file, as is the case with all of these files, can be pretty much decompiled.
The register has not yet found an authoritative analysis after decompilation, but some efforts have been made and offer cautiously optimistic assessments of the application.
Data is stored locally in a SQLite database using the RoomDatabase API.
– Matthew Robbins (@matthewrdev) April 26, 2020
The data download is authenticated by a single pin request sent to your mobile phone.
This is important because all data downloads are made only with the consent of the user.
– Matthew Robbins (@matthewrdev) April 26, 2020
So I'm generally good with the app. The two little things that worry me are:
– the device-id is sent to the API
– the API could give you the same “temp” identifier again and again, which could allow tracking; a better solution would be for the client to generate the ID
– xssfox (@xssfox) April 26, 2020
Another criticism of the app is that it must be active to run efficiently on Apple devices. As Australia's national fleet of mobile phones is dominated by the iPhone – with more than 50% market share – the app may not collect a lot of useful data.
That didn't stop a million registrations for the app, according to Health Minister Greg Hunt.
At 10:30 p.m., 1 million Australians downloaded and recorded for the #CovidSafeapp – please join us and help protect us, protect our families, but especially our nurses and doctors
– Greg Hunt (@GregHuntMP) April 26, 2020
At the time of writing, the COVIDSafe Google Play Page has over 100,000 installations. The next milestone reported by Google is 500,000 and the Apple App Store does not list usage, making it difficult to assess actual installations.
However, the application is well regarded: Android users give it 4.6 / 5 and iOS users rate it's a 4.3. ®
Webcast: Build the Next Generation of Your Business in the Public Cloud