Australia's contact-tracing app regulation avoids 'woolly' principles in comparable cyber-laws, say lawyers

COVIDSafe application lands for Android, iOS – sans source code

Australia has released its promised COVID-19 contact-tracing app.

Dubbed COVIDSafe, the smartphone app follows the now-established practice of asking people to register their name, age range, phone number, and postcode, and create a unique identifier. That identifier is shared with other users of the app when they come into close contact with each other.

If a user subsequently tests positive to COVID-19, they have the option to notify health authorities. Other users who have had close contact with an infected person are then contacted by health authorities. Close contact data is stored, encrypted, on devices for 21 days, but some data is stored off-device for health authorities to access.

Only health workers can access the off-device data and even then only after initial opt-in and a second request for permission after a positive test.

The app, available for Android and iOS, uses some code from Singapore's TraceTogther app and uses Amazon Web Services to store registration information, encrypted user IDs, and contact data.

While source code of the app has not been released, a privacy impact assessment [PDF] drawn up by lawyers recommends it be made available. The Department of Health's response [PDF] concurs, saying it "will be released subject to consultation with the Australian Signals Directorate's Australian Cyber Security Centre".

No timeframe for that consultation is offered, nor is there a guarantee the Cyber Security Centre will agree to the release of the source code.


The app's use of AWS has quickly raised eyebrows given the cloud giant is subject to the United States' Patriot Act and could be compelled to surrender COVIDSafe data despite it being stored on Australian soil. The app's legal underpinnings, however, appear reasonably sound.

A newsletter from law firm Gilbert & Tobin analysed the legal instrument that underpins the app – a new ministerial determination made under section 477 (1) the Bioescurity Act – and offered the following commentary:

  • "To the Government's credit, it avoids the formula of broad discretions and 'woolly' principles which have characterised much of the telco data security legislation of the last few years."
  • "You cannot – to use medieval plague language – be treated as a 'leper' because you have decided not to download the app." Not using the app therefore cannot be grounds to refuse a contract, refuse entry to premises, or refusal to provide or receive goods or services
  • The determination includes what the firm calls a "keep out Home Affairs signpost" that means any investigation into the app's use can only concern the determination, not possible breaches of other laws.


Without the source code, it's impossible to make a full assessment of the software. However the app's Android .APK file, as is the case with all such files, can be just-about-decompiled.

The Register is yet to find an authoritative post-de-compilation analysis, but some efforts have been made and offer cautiously optimistic assessments of the app.

Bad Apples

Another criticism leveled at the app is that it must be in active use to perform usefully on Apple devices. As Australia's national mobile phone fleet is dominated by the iPhone – with over 50 percent market share – the app may not collect a lot of useful data.

That's not stopped a million registrations for the app, according to health minister Greg Hunt.

At the time of writing, the COVIDSafe Google Play page counts 100,000+ installs. The next milestone that Google reports is 500,000 and Apple's app store doesn't enumerate usage, making an assessment of actual installs hard to determine.

However the app is well regarded: Android users give it 4.6/5, and iOS users rate it a 4.3. ®

Narrower topics

Other stories you might like

  • GPL legal battle: Vizio told by judge it will have to answer breach-of-contract claims
    Fine-print crucially deemed contractual agreement as well as copyright license in smartTV source-code case

    The Software Freedom Conservancy (SFC) has won a significant legal victory in its ongoing effort to force Vizio to publish the source code of its SmartCast TV software, which is said to contain GPLv2 and LGPLv2.1 copyleft-licensed components.

    SFC sued Vizio, claiming it was in breach of contract by failing to obey the terms of the GPLv2 and LGPLv2.1 licenses that require source code to be made public when certain conditions are met, and sought declaratory relief on behalf of Vizio TV owners. SFC wanted its breach-of-contract arguments to be heard by the Orange County Superior Court in California, though Vizio kicked the matter up to the district court level in central California where it hoped to avoid the contract issue and defend its corner using just federal copyright law.

    On Friday, Federal District Judge Josephine Staton sided with SFC and granted its motion to send its lawsuit back to superior court. To do so, Judge Staton had to decide whether or not the federal Copyright Act preempted the SFC's breach-of-contract allegations; in the end, she decided it didn't.

    Continue reading
  • US brings first-of-its-kind criminal charges of Bitcoin-based sanctions-busting
    Citizen allegedly moved $10m-plus in BTC into banned nation

    US prosecutors have accused an American citizen of illegally funneling more than $10 million in Bitcoin into an economically sanctioned country.

    It's said the resulting criminal charges of sanctions busting through the use of cryptocurrency are the first of their kind to be brought in the US.

    Under the United States' International Emergency Economic Powers Act (IEEA), it is illegal for a citizen or institution within the US to transfer funds, directly or indirectly, to a sanctioned country, such as Iran, Cuba, North Korea, or Russia. If there is evidence the IEEA was willfully violated, a criminal case should follow. If an individual or financial exchange was unwittingly involved in evading sanctions, they may be subject to civil action. 

    Continue reading
  • Meta hires network chip guru from Intel: What does this mean for future silicon?
    Why be a customer when you can develop your own custom semiconductors

    Analysis Here's something that should raise eyebrows in the datacenter world: Facebook parent company Meta has hired a veteran networking chip engineer from Intel to lead silicon design efforts in the internet giant's infrastructure hardware engineering group.

    Jon Dama started as director of silicon in May for Meta's infrastructure hardware group, a role that has him "responsible for several design teams innovating the datacenter for scale," according to his LinkedIn profile. In a blurb, Dama indicated that a team is already in place at Meta, and he hopes to "scale the next several doublings of data processing" with them.

    Though we couldn't confirm it, we think it's likely that Dama is reporting to Alexis Bjorlin, Meta's vice president of infrastructure hardware who previously worked with Dama when she was general manager of Intel's Connectivity group before serving a two-year stint at Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022