Is The COVIDSafe app created by Australian Government safe to use ?
Let’s understand if this even makes sense, considering would an app even help or work against Coronavirus (COVID-19) ?
The app is designed to record when people are near to each other using bluetooth and gps, so that if anyone gets COVID19 the ability to contact, test and isolate people that have been near someone with COVID19 can be very quick. Considering each day someone has COVID19 increases the chance they will infect more people with COVID19 then the speed to respond and isolate can reduce the number of people infected. Also each person that avoids being infected “breaks the chain” and stops COVID19 infecting people that they contact. So COVIDSafe is quick response tool, almost like a triple-zero call to fire fighters to put out a fire quickly, because if the firefighters act quickly you can put the fire out. Alternatively if you don’t get the information to act quickly enough the fire is too large and is unstoppable. The difference in locating and tracking people is alot harder then fires and hence the reason for the app.
What’s it in it for you?
The better we all are at preventing to spread COVID19 by responding to possible infections, social distancing and isolation, the faster we can reduce / remove any lockdown restrictions. So potentially it could mean all businesses and schools resume normal operation except the 10% of the population in lockdown that are possibly infected as determined by the COVIDSafe app.
The reverse also applies in that if we get lazy, contact someone outside our household, stop performing social distancing, slow response to infections then the lockdown restrictions may increase and last longer.
What about privacy of using COVIDSafe ?
According to the current documentation COVIDSafe only captures name, mobile number, postcode, select your age range and people nearby using Bluetooth. This information is mostly public so the ability for this information to be misused is unlikely. In the wrong hands such data is not valuable unless you are a person of interest such as a politician, celebrity, CEO or so forth. Also many people provide this level of information publicly through Facebook and other applications so for some this may already be an acceptable amount of information for sharing. For others they may feel less comfortable however considering the Government already has your name, address, age and phone number the only extra information would be other people that you have been near (which they could possible get through bank or phone records). However the sharing of the people you have been near (within the past 21days) is optional, and only when requested by the government on the bases you are suspected to have COVID19.
This is the minimum information to make COVIDSafe effective however does require sharing some information that may or may not (accidentally or maliciously) end up in the wrong hands. That said even in the wrong hands this information has limited impact as the GPS coordinates could be used to identify home address but it does not have exact age. It is more likely an attacker would use other public information such as the day everyone says Happy Birthday on Facebook or a phishing / smishing for an attack.
Furthermore the bluetooth contact tracing (https://en.wikipedia.org/wiki/BlueTrace) is only stored on the device so nobody can access and uses random IDs for each person that are frequently regenerated. This means not only can the government not access the data, but anyone who access the data on the mobile wouldn’t be able to determine who any of the people are.
Therefore it would be difficult and unlikely that this data would be used for an attack as they would probably be able to gain the same information through easier methods.
Finally for those still concerned about the privacy, they should consider using a Fake name as it reduces this risk and also provides a method to determine anyone who has or uses this information.
What about the security of using COVIDSafe ?
Android and iOS enforce a range of security for the apps installed so they should provide a level of security generally for the app except for the permissions required
As you can see for the list COVIDSafe requires the use of Bluetooth which has in the past had vulnerabilities allowing complete control over a phone, so using a patched and up-to-date mobile is important to ensure these past issues have been fixed on your phone.
The stored bluetooth information for each contact is theoretically only accessible on request, however an update to the app could quickly change that.
COVIDSafe also required network access and GPS access so we will do some testing over the next couple of days to understand it’s network usage and GPS storage.
What are the alternatives?
The Coronavirus (COVID-19) has already caused a huge number of deaths and massive impacts to Country Economies so the options are clear.
- Get a separate mobile, mobile number and use a fake name, age and postcode for the use of the COVID19 app.
- Stay isolated at home as if you don’t contact people, you don’t need to track it.
- Risk the entire country being in lockdown for many more months due to COVID19 outbreaks. (Similar to Canada and USA where people are ignoring advise)
Using COVIDSafe makes sense and we should use, at least while we are in this COVID19 pandemic as it can be uninstalled after. However while most people are isolating at home, the immediate requirement for the app can wait a week or two while further testing and investigation is performed to confirm / fix up the bugs.