Cybersecurity and privacy experts have lined up to voice concerns about the federal government’s proposed coronavirus tracing app.
Slated to be released in a few weeks, an Australian contact-tracing smartphone app based on Singapore’s TraceTogether app has been the subject of heated debate over its mode of operations and conditions surrounding its launch.
The government’s messaging has been uncertain and shaped by backlash. An initial suggestion that use of the new app would be mandatory was walked back after Coalition MPs refused to download the app and after government services minister Stuart Robert suggested that new laws might coincide with its release.
On Monday, the government confirmed that using the app would not be mandatory, and that the app would not track people’s locations, nor would the data be made available to law enforcement.
App’s purpose is to track
Associate Professor Clive Harfield from the Institute for Cyber Investigations & Forensics at the University of the Sunshine Coast said that these claims belie the app’s purpose — even if locations are not recorded.
“Assertions that these apps do not provide live tracking data disguise the whole point of these apps, which is to trace – and so track – contacts between people and thereby identify individuals who may have been infected with the virus but are not yet presenting symptoms,” he said.
“The purpose of contact tracing is to track the movements of individuals (albeit historically rather than in real-time) and identify where they have been, who they have been with, and where they might have spread the contagion.”
Professor Harfield said that the core vulnerabilities of any app still apply to this one: vulnerabilities that enable hacking or unintended uses of the app, and aggregation of the data it collects with other data sources, particularly those routinely gathered and shared in relation to the use of mobile devices.
“Once gathered and collated, any data is vulnerable to unauthorised access through information sharing between entities or agencies who (mistakenly) believe they are authorised to share such information, or to unauthorised access through hacking,” he said.
“Digitised records forming part of the My Health Record database are to be retained long after the patient is dead: how long is the contact tracking data going to be retained, storage and retention being significant data management/cybercrime vulnerabilities?”
App’s basic functions revealed
The basic details of how the app works have now been released. A government database will record the identities of all users who install the app and assign each of them a permanent, private ID in that database. These private IDs are used to generate public IDs that are periodically regenerated.
A phone with the app installed broadcasts the user’s current public ID over Bluetooth and logs every other user’s public ID it can detect, together with a Received Signal Strength Indicator (RSSI) reading for each.
This record of all nearby public user IDs, along with the measured signal strength and the time of each encounter, is stored on each user’s phone. If one of those users is diagnosed with Covid-19, they give the authorities the full list of logged public IDs and associated metadata, and the government uses cryptographic keys to unlock the private IDs of any proximate people in that list and sends them alerts.
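The scheme described above, as an added example that is not code from the app or from the government: a server seals each user’s permanent private ID and a validity window into a rotating public ID, phones log the public IDs they hear with RSSI and time, and on diagnosis the server unlocks the uploaded log to decide whom to alert. The sealing uses an HMAC-based encrypt-then-MAC stand-in rather than whatever cipher the real app uses; all user IDs, time windows and signal values are constructed.

```python
import hashlib, hmac, os, struct

SERVER_KEY = os.urandom(32)  # constructed: held only by the health authority, never on phones
PAYLOAD = struct.Struct(">III")  # private user_id, window start, window expiry (epoch seconds)

def _pad(key: bytes, nonce: bytes) -> bytes:
    # HMAC-SHA256 as a PRF: a per-nonce pad for the 12-byte payload (stand-in for a real cipher)
    return hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()[:PAYLOAD.size]

def make_temp_id(key: bytes, user_id: int, start: int, expiry: int) -> bytes:
    """Server side: seal (user_id, validity window) into an opaque, rotating public ID."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(PAYLOAD.pack(user_id, start, expiry), _pad(key, nonce)))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag  # 44 random-looking bytes; unlinkable across rotations without the key

def open_temp_id(key: bytes, temp_id: bytes):
    """Server side: verify the tag, then recover (user_id, start, expiry); None if forged."""
    nonce, ct, tag = temp_id[:16], temp_id[16:16 + PAYLOAD.size], temp_id[16 + PAYLOAD.size:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    return PAYLOAD.unpack(bytes(c ^ k for c, k in zip(ct, _pad(key, nonce))))

def resolve_contacts(key: bytes, log: list, rssi_threshold: int = -70) -> set:
    """Server side: map an uploaded log of (temp_id, rssi_dbm, seen_at) entries to private IDs to alert."""
    contacts = set()
    for temp_id, rssi, seen_at in log:
        opened = open_temp_id(key, temp_id)
        if opened is None:
            continue  # corrupted or forged entry
        user_id, start, expiry = opened
        # Drop IDs seen outside their validity window (replay) and weak, distant signals.
        if start <= seen_at <= expiry and rssi >= rssi_threshold:
            contacts.add(user_id)
    return contacts

def demo() -> set:
    # Constructed scenario: user 7 is diagnosed and uploads the log their phone kept.
    id9_a = make_temp_id(SERVER_KEY, 9, 1000, 1900)  # user 9, one 15-minute rotation
    id9_b = make_temp_id(SERVER_KEY, 9, 1900, 2800)  # user 9, next rotation
    id4 = make_temp_id(SERVER_KEY, 4, 1000, 1900)
    phone7_log = [
        (id9_a, -55, 1200),                                # close, in window: alert user 9
        (id4, -85, 1300),                                  # too weak a signal: ignored
        (id9_b, -50, 5000),                                # replayed after expiry: ignored
        (id9_a[:-1] + bytes([id9_a[-1] ^ 1]), -50, 1200),  # tampered tag: rejected
    ]
    return resolve_contacts(SERVER_KEY, phone7_log)
```

Because only the server holds SERVER_KEY, a phone (or anyone sniffing Bluetooth) sees only unlinkable 44-byte values; the privacy concerns raised below turn on who else gains access to that key and the central database.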
But serious questions remain about the app’s operation and implications for its use.
Professor Richard Buckland, Professor of Cybersecurity at UNSW Sydney, and Director of the SECedu Australian Cybersecurity Education Network said that what is known about the app’s operation and the extent of its data collection presented a range of circumstances that may facilitate significant breaches of privacy:
- The exposure of other people’s IDs reveals much data about their movements that would otherwise be private, such as non-compliance with social distancing of passers-by, other movement restrictions, or any other activities that would otherwise be unknown to authorities
- Data breaches or sharing of the central database with other state actors would allow them to easily identify people from their app’s beacon signal by adding Bluetooth sensors to other means of surveillance, such as allowing tracking by drones, or a new means of personal identification within existing camera surveillance systems
- If data were shared with enforcement agencies, or if such agencies had the power to compel users to hand over logs, they could be used to force reporters to identify sources, identify whistleblowers, identify people attending a protest or politicians leaking to media, people in witness protection or in hiding from abusive partners, etc.
Professor Buckland recommended that safeguards around its operation should be enacted. Firstly, an explicit legal prohibition that all data can only be used for Covid-19 contact tracing and not subsequently rolled back by ministerial regulation — Australia’s track record on privacy has shown many agencies will seek to access such data for their own purposes.
Secondly, a ‘genuine opt-in’ should be put in place — meaning people cannot be discriminated against for opting out, data cannot be demanded by enforcement agencies, and people opting out are guaranteed to have their data securely destroyed.
Finally, a time limit and guarantee of secure deletion should accompany the app’s roll-out to ensure the app and all associated data will be securely deleted within a specified timeframe or upon satisfaction of Covid-related epidemiological goals.
A survey by the University of Melbourne published yesterday found that 73 percent of Australian respondents would use such an app, if given guarantees that it had a six-month expiry date.
Doubts over efficacy
Professor Buckland said there is debate amongst health experts about the extent to which a technological solution such as an app can contribute to a meaningful world intervention.
“It is important to understand the data about the costs and the benefits before embarking on an intrusive solution. To what extent do people contract the virus from being near anonymous others versus contact with those they know or from touching contaminated surfaces?” he said.
A recent University of Oxford simulation on the use of a contact tracing app to control an epidemic found that 80 percent of smartphone users, or 56 percent of the population, would need to use such an app for it to be effective.
Associate Professor Frank den Hartog from the School of Information Systems and Technology Management at UNSW Canberra said that the app’s role in lifting social distancing restrictions also relies on the agility of institutions to act on the data.
“The level that the uptake needs to be to make it possible to lift restrictions mostly depends on how effectively the institutions react given the data. This is hard to predict. The app itself only generates data,” he said.
Professor den Hartog said that many questions about the app cannot be answered unless the service specifications and code of the app are released for evaluation.
“Actually, the service specifications should have been published a long time ago, followed by an open expert consultation for feedback to the service specification and an assessment of the 60+ apps that already exist worldwide. Then choose a promising candidate, take it from there, publish the code, and ask for another open expert consultation,” he said.
“Part of that consultation would be a privacy and a security assessment, the outcome of which would be more broadly accepted by the public than an assessment by the government or parliament itself. Having said that, I think Australians should be prepared to accept some trade-off between privacy and public health here — but that does not preclude a thorough minimisation of privacy risks to a bare minimum.”