Australia’s “COVIDSafe” contact-tracing app was rushed to market in the knowledge it would perform poorly on some devices and without agreements in place to let actual contact-tracers use the data it collects. As a result, no collected data has been used in at least 10 days since its launch.
Meanwhile, security researchers have alleged the app has serious flaws – one of which can broadcast the names of devices running the app – and one has criticised Australia’s government for not offering a formal method to point out such problems.
News that data is not yet flowing emerged yesterday at a hearing of Australia’s COVID-19 select committee at which officials from Australia’s Digital Transformation Agency, Attorney-General’s Department and Department of Health gave testimony. The transcript [PDF] of the meeting reveals:
- Agreements between Australia’s Federal and State governments to share COVIDSafe data are not yet in place. As States run health services and employ contact-tracers, this means no data gathered by the federally-administered app has been shared in the 10 days since its launch. Officials said they expect those arrangements will be in place “certainly this week”. Officials "are taking the extra steps of making sure we consult with privacy agencies" to ensure the data flows properly. Officials added that the backend of the app is working perfectly so data should flow once agreements are ironed out. State governments, meanwhile, have said their contact-tracing teams are yet to be trained to use data produced by the app.
- Anticipated problems with iPhones have materialised, as “quality of the Bluetooth connectivity for phones that have the app installed running in the foreground is very good, and it progressively deteriorates and the quality of the connection is not as good as you get to a point where the phone is locked and the app is running in the background.”
- Australia is “aware of the performance issues as the app moves further into the background and are working with Apple and Google on the improvements that they're making to Bluetooth, and we will be one of the first adopters of that improved Bluetooth connectivity.”
- Officials said the app was developed despite its creators and government knowing in advance it would be imperfect. “Our option was to wait until every feature was running perfectly and deliver a solution in six or 12 months time” the Committee was told.
- Legal advice has been sought regarding the impact of the USA’s CLOUD Act on data collected by COVIDSafe, as it is stored in AWS. Officials would not release that advice and said they believe it is “not conceivable” the data could be accessed by US authorities, emphasised that security had been considered from every angle and opined that US courts would not likely look favorably upon a request to access data gathered by the app.
- Government agencies have “limited” capacity to engage with developers who share opinions on the app, but “are engaging with the tech community on general issues that they may be identifying and we're working through those in a methodical way. We have a backlog, as you would expect, of issues. We prioritise those and we deliver improvements on an iterative basis.”
- A partial release of the app's source code is planned for late this week or early next week.
Serious flaws, no bug bounty, no evidence of engagement
Security researchers, meanwhile, continue to find problems with the app.
Geoffrey Huntley, a security researcher who with colleagues and acquaintances has decompiled the app’s Android .APK and observed the iOS app running with a debugger, told The Register he has found a flaw in the app’s use of unique identifiers that retains one value instead of making a change every two hours. He also said the app’s Bluetooth implementation makes it possible to read device names with a Bluetooth beacon.
Huntley also labelled the lack of a bug bounty program for the app “unusual” and said only personal relationships with government staff afforded him a channel through which to report his findings – after mailing government agencies' public email addresses with details of bugs and not receiving replies for a week.
Australia’s app uses some of Singapore’s open source contact-tracing code. Huntley said he found flaws in Singapore’s code, reported them to developers there and saw changes made on the same day. He said he has since informed Australian authorities of the same problem and seen it left in place in an app update that he said has changed nothing of substance. His research and opinions are detailed in this Tweet and subsequent thread.
Issue 1 (which is a privacy breach) in @jim_mussared's research was confirmed by the Singapore team. It was fixed same day. It has not been fixed in the Australian app. Nb. I also disclosed see above tweets about being ignored. pic.twitter.com/wtGsy8Ki5R — geoffrey huntley (@GeoffreyHuntley) May 6, 2020
Huntley has called upon those responsible for the app to implement formal customer service and developer community engagement tools, as he feels the app is a worthy weapon in Australia’s coronavirus response. However he has withdrawn his personal support for the app until the privacy issues he has identified are addressed.
Australia’s government, meanwhile, continues to tie increased adoption of the app to future lightening of social distancing regulations. Over five million Australians have downloaded the app at the time of writing; however, with iPhones the majority of the national phone fleet, COVIDSafe’s efficacy is currently questionable. ®