COVIDSafe: It’s a matter of trust

Several days ago, the Australian Government’s ‘COVIDSafe’ contact-tracing app was released.

Two main questions arise: will it work, and is it trustworthy? The Government has stated that at least 40% of the population will need to use it for it to be effective, and Oxford experts suggest that number is 60% [1], so these questions are closely linked.

“One reason why people might choose not to install the app is a deficit of trust,” said Alex Jago, Secretary of Pirate Party Australia. “Unfortunately, the Government has a long history of trading away privacy and information security. Asking people to self-surveil on top of that is a step too far for many.”

Examples of how the Government has consistently acted against privacy are plentiful [2]. Metadata retention (2015) and the “Assistance and Access” Act (2018) are simply two of the more objectionable.

“In the past fortnight, there were some particularly farcical moments when several MPs announced they would not be using the app, citing privacy concerns,” continued Alex. “Given past voting records, we can only hope this represents a permanent change of heart.”

We also note the transparency issues surrounding the app’s code. “It’s ironic that the Minister for Health’s Declaration makes it a crime to decrypt the app’s data, yet the app itself is not obfuscated and trivially easy to decompile in defiance of the government’s reticence to open source the code,” said Party President Miles Whiticker. “A further irony is that the OpenTrace code (which the CovidSafe app is based on) is under the copyleft General Public License, which places an obligation on the government to release the code which white hat hackers have already obtained. The Pirate Party supports principled civil disobedience in defence of free and open software.”

While the app’s source code has not yet been published, the decompilation of the Android version of the app [3] does not seem to reveal anything unexpected. There are several implementation issues, but these are not insurmountable. Less transparency is available for the iOS version, which at present only works properly when actively used; this is of course a major impediment to effectiveness.

With the app itself subject to effective scrutiny, focus then shifts to what happens on the server. As the back-end is hosted by Amazon, a US company, the Government must assure the public that only Australian laws will apply to it. Additionally, there are questions to be raised about contact-tracing data that might simply get backed up like anything else. Some concerns have been addressed by Minister Hunt’s regulation on April 25th determining the use of, and protections for, the contact-tracing data. [4]

“This regulation is good for the length of the declared pandemic, but once it ends then all the provisions of laws like data retention come back into play,” said Brandon Selic, lawyer and Party Councillor. “The Government needs to pass legislation to maintain privacy protections before they expire with the declared emergency. In particular, they must ensure that any personal data collected will be securely deleted once the declared pandemic ends.”

“However, for the Government to do that they would have to vote on the legislation from the floor of Parliament,” continued Brandon. “And we’ve no indication as to when Federal Parliament will next be sitting.”

During the Spanish flu pandemic, some thought the crisis under control early in the autumn of 1919, with state governments lifting some restrictions. But it came to life again and carried off many Australians with it. [5]

A temporary suspension of our social freedoms may be a necessary measure in dealing with the threat in the short term, but it is no less vital that our liberties are restored in a timely fashion once the crisis subsides.

Contact tracing is an incredibly powerful tool against infectious disease, but it is not the only one and not a replacement for self-isolation. The Pirate Party recommends that everyone makes their own informed decision on whether or not to use the app.

Coronavirus tracing app: can we trust it? Maybe. But that doesn't really matter. With metadata retention, the #AABill and more, trust is already lost.

 

Further Reading:

https://digitalrightswatch.org.au/2020/04/24/covid-19-trace-app/
https://www.tech.gov.sg/media/technews/six-things-about-opentrace

[1] https://www.spatialsource.com.au/latest-news/covid-tracing-app-plagued-by-privacy-efficacy-concerns
[2] https://digitalrightswatch.org.au/timeline-natsecleg/
[3] https://github.com/vteague/contactTracing
[4] https://www.legislation.gov.au/Details/F2020L00480
[5] https://theconversation.com/how-australias-response-to-the-spanish-flu-of-1919-sounds-warnings-on-dealing-with-coronavirus-134017