On COVIDSafe
The Australian government rolled out their contact tracing app, COVIDSafe through the Apple and Android app stores at 6 last evening. Understandably, there has been quite a bit of apprehension leading up to it but the it’s starting to sound like there might be a cautious uptake of the app among the general public given that 1 million people downloaded it in the last 12 hours. If the AFR’s readership (possibly right-leaning and more trusting of the current government) is a reliable metric, the consensus is that the app may eventually help ease restrictions in place.
A few things:
It’s an app with a purportedly singular purpose - contact tracing. It’ll use low energy Bluetooth to exchange a handshake between two devices that are 1.5 m apart for over 15 minutes.
The only data that’s collected are a name or pseudonym, age range and your phone number. I realize that you’ll need phone numbers to get in touch with individuals who may have spent time with a diagnosed person but having that unique identifier in the database negates any perceived benefit of using a pseudonym. An alternative would be notify people of proximity to confirmed cases through just device notifications; granted, it’ll be harder to ensure quarantine or isolation measures.
”Not even a court order can penetrate the law, not even a court order, or the investigation of an alleged crime would be allowed to use [the data]”.
There’s two levels of consent to go through registration and they’re quite detailed - it’s harder to implement something stricter without sacrificing usability and uptake.
The data store is hosted on AWS instances in ACT - assume they’ll use the same protected instances that the government already use.
The data stored on devices is held on for rolling period of 21 days much like how you can configure browsing history deletion on Google’s My Activity page.
It’s a bit unclear what permissions and privileges the ‘COVIDSafe Administrator’ will have but I assume quite a bit given they can delete registration data.
The punishments for misuse of app data are quite onerous - 5 years jail time and $63,000 in fines.
Law firm Maddocks conducted a 48 page privacy assessment and made 19 recommendations which all seem to have been accepted.
Source code will be released over the coming days.
Singapore’s version of the app, the source code for which has been leveraged for COVIDSafe, hasn’t quite seen the uptake you’d want for something like this. Approximately 20% of Singapore residents have downloaded the app and Australia wants at least 40% of the population to download it for it to be useful.
The debate over this has been lively and has no doubt contributed to the way the app has been rolled out - fingers crossed that every safeguard in place is meaningfully enforced.
Links:
AFR: 'Privacy by design' approach for COVIDSafe app
The Verge: Why Bluetooth apps are bad at discovering new cases of COVID-19
ITNews: Australia's COVID tracing app better than Singapore's: Health chief