Over the last couple of weeks I’ve had a large number of people reach out to me to ask what my opinion was on the Government’s COVID-19 tracking application, and whether it was “safe”. Last night, following the release of the application named “COVIDSafe”, I installed it. Here’s my rundown.
TLDR; Generally, it appears ‘safe’. I would prefer if the application didn’t record location data, but the amount of information it appears to track, store and share is far less than what most people share every minute with organisations like Facebook, Google, Apple, Microsoft, Amazon, etc. I’ll be continuing to track research published by security researchers who reverse engineer applications like these to understand what they really do, and if that opinion changes as a by-product, you’ll find my update here.
Sunday night (27/04) the Australian Government released the COVIDSafe application for download. Within 4 1/2 hours it had been downloaded over 1 million times. Yet despite this, privacy advocates are worried about what the application actually collects. This is also combined by a generally poor history of the Government protecting the personal information of its citizens. As a result, many people are concerned about whether they should or should not install the application.
How a COVID tracking application could work….
In theory, an application like this would need a unique identifier for each device and then leverage Bluetooth Low Energy (BLE), which we all use to connect devices like smart watches, hands free headsets and wireless earphones, not to mention others, to probe the area around the device to see if other devices running the application respond. The application would keep record of the device ID’s it’s come into proximity with, and the date/time of this occurrence.
Over a period of time, the application purges older “sightings” and if the user of the application tests positive, they hit a button, and the application sends information to the mother ship (whomever is managing the database), with a list of device IDs along with the date/time they came into proximity of those devices.
The mother ship then receives the data and sends a message to the application where those device IDs exist and lets them know they should be tested. The user then contacts the respective health authority to get tested.
Sounds simples, right?
I went ahead and installed the application around 9.00pm Sunday evening to check it out, and reached out to a bunch of folk much smarter than me to see what their first impressions were….
How the COVIDSafe application actually works…
This is based on my own experiences with the application along with an evolving research paper you can find here: https://docs.google.com/document/d/17GuApb1fG3Bn0_DVgDQgrtnd_QO3foBl7NVb8vaWeKc/preview#; along with a discussion thread here: https://news.ycombinator.com/item?id=22986147. I will update this article as the research evolves, particularly if there is anything that changes my current stance on the safety and security of the application.
The general gist of the research, although still in its early days, is that the application functions to the most part like I theorised above, with a few exceptions. The application is based on the Singapore Governments own application, and several parts of the programming code reference the aforementioned application.
On top of what I suggested above, the application also records:
- your name, age and post code – although you can make this up
- the mobile telephone number of the device the application is stored on
- the location of the devices it comes into proximity of
- the strength of the signal of the other device (this helps determine, roughly, distance between devices)
Whilst I’m not really sure your name, age, postcode, and mobile number are essential in making this work, I understand the logic behind why they’ve been included. I’d rather that location data was optional, or not recorded at all. That’s probably my biggest complaint right now.
I do appreciate that the information you enter, doesn’t have to be legitimate, although I’m not sure it even needs this much information.
Is Big Brother watching…..?
In a round about way, YES. But the amount of data they are collecting is minimal in comparison to the sort of information being tracked every day by the likes of Facebook, Google, Apple, Microsoft, Amazon and others.
Honestly, at this point I see no reason to remove the application from my phone. Based on what’s known so far (by media and security researchers), the information can’t be accessed by other applications on your device and is allegedly encrypted. The amount of information collected is minimal – although it could be less. The Government has said that they will look at releasing the source code to allow security researchers to independently review the code. These are all positives.
I genuinely think the Australian (and New Zealand) Governments have done a remarkable job of handling this pandemic and are going to extreme lengths to be as open and transparent about this particular strategy; they’ve also raised the prospect of potential laws regarding the use of the data from a COVID contact tracing app.
Ultimately, you don’t go to all these lengths to try and appease the concerns of the population and then talk about releasing the source code, unless you’re ready to have your arse handed to you for lying to your people when people much smarter than you and I reverse engineer the published application, dissect the crap out of it, and confirm whether or not the released source code matches the version of the application everyone installed.
And like I said, there are much bigger corporations who track more information about us every day. I’m surprised they couldn’t just give the Government some of that data to help – although maybe that would give away too much about what they actually track!! 🤣
If you’re not fully understanding what I’m saying about Facebook, Google, etc tracking us – check out an old episode of InSecurITy.TV that my friends Charles Hensen (USA), Scott Beck (Canada) and I put together on the topic of “The Price of Free“, which goes a lot deeper into how companies who charge you nothing for a service you use every day, make money by tracking everything you do – on and off their services.
- Apple and Google partner on COVID-19 contact tracing technology
- ABC News: Australian Government’s coronavirus tracing app COVIDSafe downloaded 1 million times
- Dissection of COVIDSafe (Android)
- Discussion Thread on “Disecction of COVIDSafe (Android)”
- IT News: Govt raises prospect of new laws for COVID contact tracing app