I’ve now posted a second part to this article, here.
Yesterday the Australian government released their version of the Singaporean COVID-19 tracing app. Despite previous promises, they are yet to release the source code, making it difficult to fully assess whether the app works, is secure, maintains privacy, or importantly — is effective.
While I don’t think that there is likely to be anything directly malicious in the source code, as stakeholders it is essential for us to question proposed solutions by governments to great challenges we all face, especially when our government has such a poor track record in developing software-based infrastructure projects.
Given what information is available I’m not convinced that this app will be sufficiently secure, effective, or well-designed given better frameworks available by an Apple-Google joint effort and others.
CovidSafe is based on an earlier implementation developed by the Singaporean government, using their BlueTrace protocol. The Singaporean app has suffered some barriers to its effectiveness. For example, only 1 in 6 people have used the app as of April.
Compounding the problem is that it doesn’t enable tracing of iPhone users when the app is in the background or the screen is shut off — the phone and app must be active at all times to work. This is due to a necessary security restriction within the operating system that prevents apps from tracing their users while in the background. This is a good thing, since you usually don’t want app developers to trace you, and this is a large part of why Apple and Google worked to develop the secure solutions that they’ve been building into both iOS and Android operating systems.
Tracing versus Tracking
Tracing apps work by exchanging Bluetooth messages in the background to note, securely and at least semi-anonymously, when two phones are in proximity to one another. In the case of CovidSafe, the health authority periodically issues every user a unique temporary ID; each device broadcasts this ID while recording the IDs of any other broadcasting device in close proximity. If a user receives a positive diagnosis, the health authority requests all the IDs that user's device has recorded over the past 21 days. Since those IDs belong to the people the user has been close to, and the government knows who each ID belongs to, it can alert everyone who might have contracted the disease from the diagnosed user, so they can take action before they have symptoms or a diagnosis themselves.
Using Bluetooth is a good idea. It means that the data doesn’t record where you’ve been, only who you’ve been close to, and in a way that means you don’t need to know who those people are yourself. A lot of unnecessary context can be derived from recording the GPS locations of everyone in a populace, so apps like CovidSafe avoid that overreach. We only need to know how the virus is spreading between people, not the exact locations of those people, so to maintain an extra level of security and privacy apps should try to trace the virus rather than track the people.
There are a few challenges for the CovidSafe app, though.
I’m not an expert in biological viruses, I’m an engineer and computer scientist, but I do believe that it takes much less than 15 minutes of close proximity for SARS-CoV-2 to spread between two people, and 15 minutes is the window required before CovidSafe records an encounter. We need to question why the Australian app uses a 15-minute window, and just how effective the app will be when a large majority of close-proximity interactions are missed.
Will it provide a false sense of security and, if so, what could the implications of that be?
As citizens we need to understand how effective these apps are intended to be, and over time, how effective they actually are. We need to ensure there is pressure on our government to provide an app that will at least be good at its intended purpose.
Reinventing the Wheel
One interesting decision in the implementation of this app is that the government has elected to avoid leveraging better solutions that enable contact tracing to occur without risking our data being stored by the health authorities.
France, which has also been developing its own app, has publicly stated its difficulty in negotiating with Apple to allow the app to trace users while running in the background, a problem shared by the Singaporean app that CovidSafe is based on. It’s unlikely that the Australian government has succeeded here either, and so it’s unlikely that the iPhone app, at least, will be able to provide trustworthy information to those who need it.
The reason for not wanting to use decentralised solutions is because some governments want to be able to store identifiable tracing data in a central database they have access to. The argument is that they’ll only store the tracing data of people who have been infected or in contact with someone infected and that it will only be used by health authorities. Implicitly, they are also asking for trust that the databases and cryptographic keys remain secure and will never be compromised in the future, whether by hackers or overreaching bureaucrats.
While there may be an argument for governments analysing and researching such data explicitly for public health purposes, it’s unlikely that it is worth the risk for people to give up this much privacy. There are existing ways for us to decentralise contact tracing while maintaining the privacy of every individual and without the need for governments and health authorities to maintain secure databases and cryptographic keys.
It’s a safe bet that if health authorities can derive useful information from your tracing data, then there are other insights that can also be gathered by fourth parties (assuming the health authority is a third party) that might get access to it — whether other state authorities or other actors altogether.
This was the driving motivation in Apple and Google collaborating to modify their iOS and Android operating systems to enable full privacy protection, and a framework for disease tracing apps that don’t jeopardise the security of their devices, removing the ability for benevolent or malevolent surveillance by any third party — including themselves.
Importantly, there is no compelling need to centrally store this data for access by third parties. Using cryptography (i.e. mathematics), an infected person can anonymously alert anyone they’ve recently been in close proximity to, without third-party intervention. While you might decide (or be required) to let the health authorities know if you’ve been diagnosed positive, there’s no need for governments to know who has been in close proximity to whom and when, because those individuals are already aware.
If you’re technically inclined, below is a description about how the Apple-Google implementation works (skip to 1hr 19m), which was heavily inspired by the open source DP-3T protocol. It’s a very elegant cryptographic solution:
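As an added illustration of the decentralised idea described in the last two paragraphs, the simulation below follows the general shape of DP-3T's design: each phone ratchets a daily secret key, derives short-lived ephemeral IDs from it to broadcast, and remembers the IDs it hears. A diagnosed user publishes only their own daily keys; every other phone regenerates the IDs those keys could have produced and matches them locally, so no server ever learns who met whom. This is not the DP-3T or Apple-Google reference code: the key sizes, the HMAC-SHA256 derivation, the 96 epochs per day and the `Phone` class are simplifications assumed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Set

EPHIDS_PER_DAY = 96   # one ID per 15-minute epoch; an assumption for this illustration
EPHID_LEN = 16        # bytes broadcast per epoch; also an assumption


def next_daily_key(sk: bytes) -> bytes:
    """Hash ratchet: tomorrow's key is derived from today's. Publishing the key
    for day N therefore reveals days N onward, never the days before it."""
    return hashlib.sha256(sk).digest()


def ephemeral_ids(sk: bytes, n: int = EPHIDS_PER_DAY) -> List[bytes]:
    """Derive the day's broadcast IDs from the daily key (simplified PRF, not
    the DP-3T or Apple-Google derivation). Anyone holding sk can recompute
    them; nobody can go from an ID back to sk."""
    seed = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]
            for i in range(n)]


class Phone:
    """Hypothetical device model: holds its own keys and the IDs it has heard."""

    def __init__(self, first_key: bytes = None, days: int = 3):
        sk = first_key if first_key is not None else os.urandom(32)
        self.daily_keys: List[bytes] = []
        for _ in range(days):
            self.daily_keys.append(sk)
            sk = next_daily_key(sk)
        self.observed: Set[bytes] = set()   # IDs heard over Bluetooth, nothing else

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_ids(self.daily_keys[day])[epoch]

    def hear(self, ephid: bytes) -> None:
        self.observed.add(ephid)

    def keys_for_upload(self, from_day: int) -> List[bytes]:
        """What a diagnosed user shares: their own keys for the infectious
        period. The observed set never leaves the device."""
        return self.daily_keys[from_day:]

    def check_exposure(self, published_keys: List[bytes]) -> int:
        """Run on every phone against the public key list: regenerate the IDs
        a diagnosed user would have broadcast and count local matches."""
        return sum(1 for key in published_keys
                   for eid in ephemeral_ids(key) if eid in self.observed)


def simulate() -> tuple:
    """Fixed keys so the run is reproducible; returns (bob_hits, carol_hits)."""
    alice = Phone(first_key=b"\x01" * 32)
    bob = Phone(first_key=b"\x02" * 32)
    carol = Phone(first_key=b"\x03" * 32)
    bob.hear(alice.broadcast(1, 40))      # Bob and Alice share two epochs on day 1
    bob.hear(alice.broadcast(1, 41))
    carol.hear(bob.broadcast(2, 5))       # Carol only ever meets Bob
    published = alice.keys_for_upload(1)  # Alice is diagnosed; day 1 onward is public
    return bob.check_exposure(published), carol.check_exposure(published)


if __name__ == "__main__":
    print("matches on Bob, Carol:", simulate())
```

Note what the published list contains: only Alice's daily keys. Bob learns that two IDs he heard belong to a diagnosed person without learning who; Carol learns nothing; and the party hosting the list holds neither contact graphs nor the keys of anyone who was never diagnosed, which is the point of the "no third party" argument above.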
I believe the need for contact tracing is unlikely to go away. This is not something we’ll do for a few months to battle COVID-19 and then be done with. This will become the new normal in battling the transmission of certain diseases, so we should look to get it right now before we let the genie out of the bottle. While time is a pressing constraint, there are already decentralised solutions available for the government to build on, so there’s no need to avoid usage of these at the expense of privacy and security of its citizens.
As an aside, this exercise has led me to question whether all software and web infrastructure produced by governments should be made open source for citizen review. Security through obscurity is not security at all, so there’s only trust to be gained by a government who acts in such good faith and transparency with their citizens. There’s a great upside to this also, and that’s that issues and bugs can be found much faster, and citizens themselves can elect to contribute to the development and maintenance of those projects.
For now, until this app is made open source — both front end and back end infrastructure — and there’s more expert commentary around whether the implementation will be sufficiently effective, I won’t be installing this app.
Apple and Google will be releasing updates to their operating systems in a couple more weeks. Their solution is a more elegant and useful solution than what the Australian government has used. Other governments, such as Germany, have announced their decisions to develop solutions based on these decentralised protocols. We should too.
While developing mobile apps is outside of my domain of expertise, if you’re interested to develop a decentralised, open sourced solution on top of the Apple-Google framework, please get in touch.
- In 2017 it was discovered that there was a significant data breach within Medicare where hackers were auctioning access to Medicare records. The breach was made possible due to the number of legitimate points of access made available to health care providers, and was not a hack but a feature designed into the system.
- The Australian government is not an advocate of cryptography and secure encryption implementations, and recently implemented laws to prevent tech companies from maintaining good security in favour of implementing backdoors for surveillance.