How Safe Is COVIDSafe?

It’s all about contact tracing, an important weapon in the fight against a contagious virus like COVID-19: when someone tests positive, the health authorities begin a laborious process of trying to get in touch with everyone they’ve been in close contact with while they were infectious. The sooner those people can take precautions, isolate themselves, and potentially get tested, the fewer people they will pass the virus onto.

That means you might now not catch it because someone you would otherwise have come into contact with is already at home, isolating.

One of the reasons why COVID-19 has spread so widely is that people who catch it are typically contagious before they show symptoms. Some people who catch it may never show symptoms, but still put their friends, colleagues and family at risk by potentially passing it on to them.

The COVIDSafe app helps to improve and speed up the contact tracing process by partially automating it. If you have the app installed, then your phone will have a record of every other app user you’ve come into contact with over the last 21 days. The contact tracers can use this data to begin alerting those people.

It’s the same process you’d previously have been asked to do entirely manually, except now it will likely be much more accurate. Let’s face it, could you remember everyone you’ve come into contact with over the last few weeks?

While the government has promised to release the COVIDSafe source code within the next few weeks, here’s what we know so far. Some of this is based on what the government has told us, while other information has come from the Australian tech community, who have begun reverse-engineering the Android and iPhone apps and trawling through the code.

The first thing to note is what the app does not do.

It doesn’t track your location. It uses Bluetooth to communicate with nearby devices, but doesn’t capture the location where that communication took place. While the Android app does ask for location permissions, this is due to a quirk in the Android OS Bluetooth permissions, which don’t offer a way to ask for access to the Bluetooth Low Energy API the app needs without also asking for location; those who have reviewed the decompiled source code have confirmed that the location APIs are not used, at least not in the current version of the app. The iPhone app only asks for Bluetooth access.

So what information does it collect? When you register, you have to provide a name, age range, postcode and phone number, all of which get sent to the central government server, hosted in AWS in the Sydney datacentre. But only the phone number is verified, so there's no obligation to provide your real name, age or location.

The information about which phones have been in contact with each other is not sent to the central government server unless one of the parties tests positive for COVID-19. When two phones exchange details they share their own unique pseudonymous IDs over Bluetooth, but these are initially only stored on those individual phones, with a rolling 21 day deletion period removing the oldest data once it is no longer useful for contact tracing. The unique ID that your app broadcasts is also regularly changed to reduce the risk of a malicious third party trying to track your movements.

If you test positive, you’ll be asked to use the option in the app to upload your local data to the central server. The authorities can match those stored IDs with the phone numbers provided during registration and start notifying individuals who have come into contact with you.

While the COVIDSafe app doesn’t share your location, security researchers have identified some potential risks with the app’s architecture.

One of those is the way those unique IDs that are shared between phones are generated and renewed. Since your phone with the app installed will be broadcasting this ID, it needs to be regularly refreshed to mitigate the risk of your phone being tracked by other (potentially malicious) actors. The IDs are generated on the central server, and downloaded by the app every 2 hours, but if the COVIDSafe app isn’t open or cannot connect to the internet it will keep using the same ID for potentially a much longer period, increasing the risk that a user of the app could be tracked by a third party, although it should be noted that this type of tracking will be made illegal under new legislation.

Another potential issue with the app architecture, is that it currently broadcasts the make and model of your phone in plain text along with the ID. The technical reason for this is so that the system can estimate the distance between phones that exchange details (important for contact tracing purposes given that COVID-19 cannot travel more than a short distance through the air). Different phone models transmit Bluetooth signals at different power levels. Rather than attempt to calculate this on the client (phone) side, the developers opted to capture the phone model details so that the calculation can be done server-side. In many ways this is a sensible decision, as it allows the calculation to be modified later as more data about the Bluetooth signal strength of different phone models becomes available, but it does present an additional privacy risk by exposing an additional piece of information about users.

As the security researchers note:

In the initial release of COVIDSafe there were issues with the iPhone app when running in the background. Thanks to the work of members of the Australian tech community, who devoted their own time to investigating these issues and alerting the DTA, many of these issues have now been resolved and the app should now work much more effectively when backgrounded. If you’ve already installed COVIDSafe, then you should make sure you get the latest update from your phone’s app store.

In addition, Google and Apple have both been working to introduce contact tracing capability into their core OS offering, so further improvements may be possible when that becomes available, potentially in a matter of weeks, but of course that will require users to download OS and app updates.

The bottom line is that for the app to be effective it needs a critical mass of users, with the government indicating that 40% of the Australian public is the magic threshold.

While everyone should make their own decisions about whether to install, the information collected by the app is relatively benign. For the vast majority of people, any potential risk associated with the app is hugely outweighed by the common good of helping to keep COVID-19 under control, and potentially meaning we can all get back to something close to normal life as soon as possible.

As privacy advocate Simon Harman writes: