Australia's contact-tracing app regulation avoids 'woolly' principles in comparable cyber-laws, say lawyers

COVIDSafe application lands for Android, iOS – sans source code

Australia has released its promised COVID-19 contact-tracing app.

Dubbed COVIDSafe, the smartphone app follows the now-established practice of asking people to register their name, age range, phone number, and postcode, and create a unique identifier. That identifier is shared with other users of the app when they come into close contact with each other.

If a user subsequently tests positive to COVID-19, they have the option to notify health authorities. Other users who have had close contact with an infected person are then contacted by health authorities. Close contact data is stored, encrypted, on devices for 21 days, but some data is stored off-device for health authorities to access.

Only health workers can access the off-device data and even then only after initial opt-in and a second request for permission after a positive test.

The app, available for Android and iOS, uses some code from Singapore's TraceTogther app and uses Amazon Web Services to store registration information, encrypted user IDs, and contact data.

While source code of the app has not been released, a privacy impact assessment [PDF] drawn up by lawyers recommends it be made available. The Department of Health's response [PDF] concurs, saying it "will be released subject to consultation with the Australian Signals Directorate's Australian Cyber Security Centre".

No timeframe for that consultation is offered, nor is there a guarantee the Cyber Security Centre will agree to the release of the source code.


The app's use of AWS has quickly raised eyebrows given the cloud giant is subject to the United States' Patriot Act and could be compelled to surrender COVIDSafe data despite it being stored on Australian soil. The app's legal underpinnings, however, appear reasonably sound.

A newsletter from law firm Gilbert & Tobin analysed the legal instrument that underpins the app – a new ministerial determination made under section 477 (1) the Bioescurity Act – and offered the following commentary:

  • "To the Government's credit, it avoids the formula of broad discretions and 'woolly' principles which have characterised much of the telco data security legislation of the last few years."
  • "You cannot – to use medieval plague language – be treated as a 'leper' because you have decided not to download the app." Not using the app therefore cannot be grounds to refuse a contract, refuse entry to premises, or refusal to provide or receive goods or services
  • The determination includes what the firm calls a "keep out Home Affairs signpost" that means any investigation into the app's use can only concern the determination, not possible breaches of other laws.


Without the source code, it's impossible to make a full assessment of the software. However the app's Android .APK file, as is the case with all such files, can be just-about-decompiled.

The Register is yet to find an authoritative post-de-compilation analysis, but some efforts have been made and offer cautiously optimistic assessments of the app.

Bad Apples

Another criticism leveled at the app is that it must be in active use to perform usefully on Apple devices. As Australia's national mobile phone fleet is dominated by the iPhone – with over 50 percent market share – the app may not collect a lot of useful data.

That's not stopped a million registrations for the app, according to health minister Greg Hunt.

At the time of writing, the COVIDSafe Google Play page counts 100,000+ installs. The next milestone that Google reports is 500,000 and Apple's app store doesn't enumerate usage, making an assessment of actual installs hard to determine.

However the app is well regarded: Android users give it 4.6/5, and iOS users rate it a 4.3. ®

Similar topics

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021