Probably because I do IT stuff for a living, which includes IT Security, I've been asked by a few people whether I will be downloading the Australian Government's "CovidSafe" app.

This is an evolving topic, but I'd like to give a level-headed answer as of today. It might be different tomorrow.

First off, I'm not the sort of person that wants everything to return to "normal" urgently. Our planet is getting a well-deserved break from the worst ravages of humanity, and it would be great to take advantage of this time to make things better afterwards. So the argument that "just download the app already so I can go get my hair cut and play the pokies again" isn't really that compelling. I do watch on sadly at the personal impact on people's jobs, the arts scene, the cafe culture and our assumed freedom to roam. But I don't think downloading and installing an app that potentially takes away our liberties is worth it, until someone proves otherwise.

Contact tracing has been by all accounts EXCELLENT before this app. I'm still hunting for someone involved in this work actually asking for an app to fill some sort of gap in their capability, and describing what that gap might be. An actual epidemiologist says "This only complements, rather than replaces, the existing contact tracing process. All cases will still need to be interviewed. If only half the population have the app installed, then you would then expect roughly a quarter (0.5 x 0.5) of contacts to be detected by the app."

 

(Tech friends, this won't be a hyper-tech post. Go check out my Twitter if you want more details and sources).

So, there are three parts to this CovidSafe app:

  1. A terrible name. Just to make the point, the app is poorly named. Installing it won't make you safe from COVID-19. Poor marketing, but it will make some people feel warm and fuzzy, I imagine, which appears to be one of the key reasons for it being released.
  2. A phone app that you download to your Android or Apple smartphone, assuming you have one and it is recent enough for the app to install. This software may (or may not) have the source code released soon so that we can be completely sure of what it does, but preliminary analysis shows that it seems fairly benign in day-to-day operation, at least until you elect to upload what it has captured to the backend server (see 3 below). The issue is that unless you do upload what this app captures to the backend server, the data on your phone is worthless. It doesn't help you, or contact tracers, in any way.
  3. A backend server. This is the part that the government has been assuring us only the NSW Health officials have access to, as it holds the output of everybody's apps.
    One issue is that it is hosted on Amazon Web Services, a generally excellent platform in wide use. But ultimately this backend software is running on physical servers that are not under your control. They aren't under NSW state government control. They aren't under Australian federal government control. There will be some staff working for Amazon (based in the US) who have sufficient administration rights to get to that data, and they are bound by United States laws, not Australian government promises.
    We have also heard no announcement of the source code for the backend being released, but it needs to be if we are to understand the end-to-end security of the system.

So, at this point I'll install the app when:

  • Someone who works in contact tracing can clearly articulate why it is needed. Note that being blackmailed into "thinking of the hard-working health workers" doesn't count, because as above this app "only complements, rather than replaces the existing contact tracing process".
  • Parties involved release source code for all components for review by independent researchers
  • The backend is moved to physical (and virtual) servers provided by a company bound by Australian laws and paying tax in Australia

As for the "but Facebook and Google already know everything about you anyway, so why not" argument:

  • These two companies are already working together to produce an app that does the same thing, but worldwide. Given most of Australia's infection hasn't been through local community transmission but imported, wouldn't utilising that, if you are comfortable with those companies tracking you, be better anyway, rather than Australia building our own? They also do location-based app development stuff all the time, so are likely considerably more competent at it.
  • I try pretty hard to block that. You can disable much of this, and reduce or cease your use of those platforms.

But like I opened with, who knows what tomorrow will bring.

Other great sources: