Deployment of Australia’s coronavirus contact-tracing app spoiled by bugs, privacy concerns

To help track and contain the spread of the Wuhan coronavirus (COVID-19), Australia deployed COVIDSafe, an app designed to help speed up contact tracing. However, the adoption of the app has been hampered by bugs, as well as concerns on whether it infringes on users’ privacy rights.

Launched on April 26, the COVIDSafe app was developed based on source code from Singapore’s TraceTogether app. The latter was one of the first contact-tracing apps produced in the current pandemic. Government officials have appealed to the public to download the app in an effort to minimize the impact of budget deficits and the country’s first economic recession in a generation. (Related: Coronavirus to cause Australia’s unemployment to soar to 10 percent by June.)

In trying to persuade Australians to embrace COVIDSafe, authorities have invoked images of some of their favorite pastimes, such as soccer and beer. Earlier this month, Health Minister Greg Hunt tweeted that anyone wanting to play or watch soccer should download the app.

Meanwhile, Australian Prime Minister Scott Morrison invoked the memory of going to the pub and having a drink with friends. “Now, if that isn’t an incentive for Australians to download COVIDSafe on a Friday, I don’t know what is,” said Morrison.

Efforts to promote COVIDSafe have been met with some resistance

The government’s efforts to persuade Australians to download and install COVIDSafe have not been smooth. Complaints have emerged from the country’s tech community, saying that the government was slow to fix any bugs that have popped up.

These bugs include an exploit that leaves the app vulnerable to a denial-of-service attack that can let attackers crash the application if they’re within Bluetooth range.

Concerns have also been raised about whether the app infringes on privacy rights, especially considering that users are required to provide essential information to use it.

When using COVIDSafe for the first time, users are required to enter their name, age range, postcode and phone number. This data is supposedly stored encrypted on a government server, before being passed on to state and territory health authorities in the event that someone the user has been in contact with tests positive for the coronavirus.

To do this, the app uses Bluetooth to record anyone who gets close to a user if they also have the app, with both instances of the app exchanging anonymized IDs. These IDs are supposedly cycled every two hours, stored encrypted only on the phones and deleted after 21 days. Those who test positive for the coronavirus also get a unique code from a health official that, when used in the app, gives consent to upload the list of anonymized IDs it has stored for the past 21 days for contact tracing.

Government has tried to assure the security of users data

In light of the feedback, the Australian government rejected criticism of the app’s rollout. The agency responsible for the app, the Digital Transformation Agency, said in an email to Bloomberg that it had received “widespread support and endorsement” from the country’s information technology community. In the email, an agency spokesman stated that the government has “remained transparent throughout the rollout of the COVIDSafe app, and suggestions to the contrary are categorically false.”

Meanwhile, Morrison has said that while the federal government will hold on to the data collected by the app, access to it will be limited only to state health officials in charge of contact-tracing.

This is echoed by a direction from the health minister that states that only health authorities or those maintaining the app can get access to the information. Parliament also passed legislation this month that backs this up, making it a crime to share any COVIDSafe data.

Sources include:

Bloomberg.com

Medium.com

TheGuardian.com

Legislation.gov.au

AG.gov.au ^[PDF]