How the COVIDSafe app could pierce your privacy — and change Australia’s privacy equation

Technical analysis picks apart app as experts warn of potential for broad-based surveillance.


Shrugging off early privacy concerns and warnings of “serious privacy implications” from security experts, the Australian federal government’s COVIDSafe app — which was released this week to help streamline the process of COVID-19 coronavirus contact tracing — has been downloaded more than 2 million times within days.

Early reports of technical problems and usage issues — iPhone apps cannot, for example, reliably broadcast Bluetooth signals while running in the background — have also raised concerns that the app may present usability issues in the long term. COVIDSafe relies on smartphones’ Bluetooth radios interacting with each other to determine who came in close contact with whom.

How the COVIDSafe app could unmask users’ identities

COVIDSafe is an evolution of Singapore’s TraceTogether, an early app-based approach to contact tracing that rapidly became a global exemplar and has been open-sourced to encourage wide use.

It collects a limited information set including a name (or pseudonym), age range, postal code and phone number — all of which are being stored on an Amazon Web Services (AWS) installation and will not, the government has promised, be made available to federal social-welfare, tax-collection, national-security, or other authorities.

To bolster public confidence, the government has announced plans to release its source code for open scrutiny — but some developers have already been poring over the app in other ways.

One team of four developers — led by cryptographer Vanessa Teague of the University of Melbourne School of Computing and Information Systems — used reverse-engineering techniques to learn as much as possible about how the app handles personal data.

The app’s architecture, their ongoing analysis has concluded, “seems approximately similar to the Singaporean TraceTogether architecture, but there are some important differences that users should understand when they are deciding whether to install the app.”

COVIDSafe’s “basic operation” is the sharing of encrypted UniqueIDs with other users, and recording encrypted UniqueIDs received from other users. If a user is infected with COVID-19, they can upload the list of other users’ encrypted IDs to help authorities quickly trigger widespread testing of potential close contacts.

Users’ UniqueIDs are designed to regenerate every two hours, but if the phone is offline it will continue using the same ID — a flaw that the team says “has serious privacy implications that are not adequately addressed” in the app’s attendant Privacy Impact Assessment (PIA).

The longer a UniqueID is retained, the team warned in recommending a much shorter refresh period, the more opportunities there are for cross-matching them with internet of things (IoT) devices and other Bluetooth beacons to track a person’s movements.

“The difference between 15 minutes’ and two hours’ worth of tracking opportunities is substantial,” they concluded. “We understand that legislation will attempt to make [tracking] illegal, but making it technically difficult would have been a lot more effective. How many IoT devices in how many Australians’ homes already violate Australian privacy law?”
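The tracking risk described above can be made concrete with a small simulation. The following is an added example written for this article, not COVIDSafe’s or TraceTogether’s code: a phone broadcasting a temporary ID that rotates on a schedule but can only switch while online, a handful of fixed Bluetooth sniffers (shops, IoT devices) logging what they hear, and a tracker that links sightings by ID. The ID derivation, the sniffer locations, the two-hour walk and the offline window are all constructed for illustration; the real app’s IDs are issued by the server and encrypted, which the simulation does not model.

```python
"""Constructed simulation of passive Bluetooth tracking of a contact-tracing
app user.  Added example for this article; not COVIDSafe or TraceTogether code.

Model: the phone advertises a temporary ID that the app rotates every
`rotation_s` seconds, but it can only switch IDs while online (the page's
point about offline phones keeping the same ID).  Fixed Bluetooth sniffers
log every ID they hear, and a tracker links sightings that share an ID.
The longer one ID stays in use, the longer the path the tracker can follow.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Sighting:
    t: int        # seconds since the walk began
    where: str    # hypothetical sniffer location
    ident: str    # temporary ID heard


def temp_id(secret: bytes, epoch: int) -> str:
    """Hypothetical opaque per-epoch token.  The real app's IDs are issued by
    the server and encrypted; all that matters here is that tokens from
    different epochs cannot be linked by content."""
    return hashlib.sha256(secret + epoch.to_bytes(4, "big")).hexdigest()[:8]


def generate_sightings(path: Sequence[tuple[int, str]], rotation_s: int,
                       offline_windows: Iterable[tuple[int, int]] = (),
                       secret: bytes = b"constructed-user-secret") -> list[Sighting]:
    """Return what sniffers along `path` [(t, location), ...] would log.

    The phone moves to a new ID when the rotation epoch changes, but only if
    it is online at that moment; during an offline window it keeps the ID it
    already had, the behaviour flagged in the analysis above.
    """
    windows = list(offline_windows)
    sightings: list[Sighting] = []
    current_epoch = None
    current_id = None
    for t, where in path:
        epoch = t // rotation_s
        online = not any(start <= t < end for start, end in windows)
        if current_id is None or (online and epoch != current_epoch):
            current_epoch = epoch
            current_id = temp_id(secret, epoch)
        sightings.append(Sighting(t, where, current_id))
    return sightings


def link_trajectories(sightings: Iterable[Sighting]) -> list[list[Sighting]]:
    """What a passive tracker can reconstruct with no key material at all:
    group sightings by the ID heard.  Each group is one followable track."""
    by_id: dict[str, list[Sighting]] = {}
    for s in sorted(sightings, key=lambda s: s.t):
        by_id.setdefault(s.ident, []).append(s)
    return list(by_id.values())


def longest_tracked_span(sightings: Iterable[Sighting]) -> tuple[int, int]:
    """(seconds, distinct locations) of the longest track a single ID exposes."""
    best = (0, 0)
    for track in link_trajectories(sightings):
        span = track[-1].t - track[0].t
        places = len({s.where for s in track})
        best = max(best, (span, places))
    return best


# Constructed two-hour walk: one sniffer sighting every 10 minutes at a new place.
PLACES = ["home", "bus_stop", "train", "cafe", "office_lobby", "lift",
          "desk", "canteen", "pharmacy", "park", "supermarket", "gym"]
WALK = [(i * 600, place) for i, place in enumerate(PLACES)]


def compare_rotation_policies() -> dict[str, tuple[int, int]]:
    """Tracking exposure of the same walk under three scenarios."""
    return {
        "2h rotation": longest_tracked_span(generate_sightings(WALK, 2 * 3600)),
        "15min rotation": longest_tracked_span(generate_sightings(WALK, 15 * 60)),
        "15min rotation, offline": longest_tracked_span(
            generate_sightings(WALK, 15 * 60, offline_windows=[(1000, 6100)])),
    }


if __name__ == "__main__":
    for scenario, (seconds, places) in compare_rotation_policies().items():
        print(f"{scenario:25s} tracker follows user for {seconds // 60:3d} min "
              f"across {places:2d} locations")
```

With a two-hour rotation the tracker links the entire 110-minute walk across all twelve locations from a single ID; with a 15-minute rotation the longest linkable segment is ten minutes and two locations. The third scenario shows why the offline behaviour matters on its own: even under the shorter rotation, a phone that loses connectivity for most of the walk exposes almost the whole path again, so shortening the nominal interval does not help unless the phone can also rotate IDs without contacting the server.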

White-hat hacker Marc Rogers, who currently serves as executive director of cyber security strategy at identity-management firm Okta, agreed that this approach — paired with a design that seems to transmit information about each user’s phone in plaintext — could leave Australians exposed to tracking and exploitation.

“Given the extended length between rotations,” he said, “it would be easy to track app users for long periods of time. … Taken together, these two flaws offer enough information for any commercial Bluetooth tracking tool, or even a free Bluetooth tracking app, to track a COVIDSafe user. This is a big problem from a privacy perspective.”

The app’s use of a central server to manage and store UniqueIDs has also been flagged, with Rogers calling it “a point of vulnerability and potential privacy risk.”

Cyber criminals and fraudsters have already entered the fray

In the meantime, acceptance of the COVIDSafe app will likely grow as early results suggest that the apps may well be providing the benefits that experts hope for. But they’re also providing new occasions for exploitation by cyber criminals and fraudsters — who, true to form, jumped on the opportunities posed by release of the app.

One hoax SMS, for example, claimed the app was being used to track when users went more than 20km from their home address.

The government urges COVIDSafe adoption as the Apple-Google tracing system comes into view

The 2 million downloads recorded this week suggest that roughly 12 per cent of Australia’s nearly 17 million mobile users have at least loaded the app, which was launched over the weekend as part of the next stage of the country’s coronavirus response.

The government has previously said it is targeting an adoption rate of 40 per cent to produce strong results from the app, which uses Bluetooth technologies to record incidents of close contact with other app users.

The COVIDSafe app will soon gain heavyweight competition from a joint effort by Apple and Google, which has seen the mobile-device giants collaborating on a standard for contact tracing, called Privacy-Preserving Contact Tracing, that will be released within weeks.

Aligning the interests of the Australian government app with those of the Apple-Google project may be important to avoid confusing consumers with duplicated efforts. Yet despite privacy and technical concerns, the Australian government is throwing its weight behind the COVIDSafe app for now, with Prime Minister Scott Morrison warning that widespread use of the app will be essential to relaxing social-distancing restrictions in the future.

Reframing the national privacy conversation, and the dangers of ‘mission creep’

Reception of the app in Australia, where COVID-19 deaths and infections have remained relatively low thanks to aggressive social-isolation measures, was tainted soon after its announcement despite assurances from health minister Greg Hunt that the country “has been able to work to ensure that [the negative experiences of Singapore’s app] are not an issue in Australia.”

Australians have a long and ambivalent relationship with digital privacy — being both voracious consumers of privacy-violating social-media services like Facebook and Instagram, and culturally sensitised to government efforts to increase its surveillance of their movements or associations.

Fully 77 per cent of respondents to a recent Australian survey said they often or occasionally worry about the security of their data — yet despite nearly one in five reporting having a social-media account compromised, half said they don’t know and haven’t bothered to find out how to protect themselves online.

Controversy has dogged legislation such as that requiring telecommunications companies to archive metadata about users’ mobile communications, which drew both strong support and strong opposition when it was introduced several years ago.

Years later, the metadata is regularly made available to authorities — putatively for law enforcement, but also by dozens of agencies that were never intended to have access to the information — and the federal government recently moved to extend this so that data about Australians can be provided to law-enforcement authorities in other countries. “Australia’s track record on privacy has shown many agencies will seek to access such data for their own purposes,” another analysis of the COVIDSafe app warns.

A recent joint statement by more than 300 global experts, dated 19 April 2020, warned that “mission creep” could “result in systems which would allow unprecedented surveillance of society at large.”

Copyright © 2020 IDG Communications, Inc.
