The Australian Department of Health released the COVIDSafe app yesterday.

The concept seems great; use a technology previously used by advertisers to track you and sell ads. Now instead it can be used to save lives. I love it.

Except a lot of the Australian public does not love it. Maybe because it was promised to be open sourced, then wasn’t? Or that they promised local data would be encrypted, but it isn’t? What about when they said they wouldn’t use Singapore’s TraceTogether but then completely based the app on its code? The app still links to Singapore’s TraceTogether store page;

COVIDSafe's store page URL being Singapore's TraceTogether app

It also uses the example BLE service identifier;

BLE service identifier is the fake example in TraceTogether app
Nah we’ll just use the random example Characteristic ID, she’ll be right mate

I’m no lawyer but using GPL code without disclosing your source code is a bit of a no no I’ve heard.

It’ll work though?

Maybe the public’s issue is with the app’s implementation? iPhones famously kill background apps while most Android phones are perhaps even worse. The team behind TraceTogether did testing by leaving phones on the same desk with the app open overnight.

Chart of phones discovering each other over hours
Each dot is a connection. Many phones go hours without noticing any of the other 25 phones.

They then ran into false positives of phones in different rooms logging a 1.5 metre contact, because radio signals can pass through walls. This led to them going down a rabbit hole of measuring signal strength, attempting to calibrate to particular phone models and gauge true distance. This all goes out the window once you put your phone in your back pocket instead of your front.

Don’t worry it’s ‘encrypted’

Privacy concerns are covered by a determination that the app’s data cannot be accessed without your permission. It is a small consolation when they’ve already made it a crime to not hand over your passwords.

The randomised token used to identify other phones only changes every 2 hours instead of TraceTogether’s 15 minutes. Even worse, according to the Privacy Impact Assessment the token will only update if you have the app open and running. So you could go around for days with your phone screaming ‘hi I’m phone#456 make sure you remember me’
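To put numbers on that, here is an added sketch (not code from COVIDSafe or TraceTogether) that models how long a single token stays on air under each rotation rule. The policy names, the 48-hour scenario and the app-open windows are constructed assumptions, and "only updates while the app is open" is modelled as described above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    rotate_every_min: int   # nominal rotation interval
    needs_app_open: bool    # True: a new token is only issued while the app is open

def token_lifetimes(policy, duration_min, app_open):
    """Minutes each successive token stays on air over the simulated period.

    app_open is a list of (start, end) minute ranges during which the app is open.
    """
    def is_open(t):
        return any(start <= t < end for start, end in app_open)

    lifetimes, issued_at = [], 0
    for t in range(1, duration_min):
        due = t - issued_at >= policy.rotate_every_min
        allowed = is_open(t) or not policy.needs_app_open
        if due and allowed:
            lifetimes.append(t - issued_at)
            issued_at = t
    lifetimes.append(duration_min - issued_at)  # token still live at the end
    return lifetimes

def longest_linkable_min(policy, duration_min, app_open):
    """Longest window in which every sighting carries the same token."""
    return max(token_lifetimes(policy, duration_min, app_open))

# Constructed scenario: 48 hours, app opened for 5 minutes at install and
# again for 5 minutes on the second day (minute 1500).
DURATION_MIN = 48 * 60
APP_OPEN = [(0, 5), (1500, 1505)]
POLICIES = [
    Policy("15 min, rotates in background", 15, False),
    Policy("2 h, rotates in background", 120, False),
    Policy("2 h, rotates only while app is open", 120, True),
]

if __name__ == "__main__":
    for p in POLICIES:
        lifetimes = token_lifetimes(p, DURATION_MIN, APP_OPEN)
        print(f"{p.name}: {len(lifetimes)} tokens, "
              f"longest {max(lifetimes) / 60:.2f} h on one token")
```

In this constructed scenario the third rule leaves one token on air for 25 hours, against 15 minutes for the first.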

Meanwhile the government’s database linking these tokens to identities will be stored on Amazon’s servers. Australia seems to think keeping the data physically in Australia will keep it safe. Unaware, perhaps, that neither hackers nor all countries believe geography dictates jurisdiction. To top it off, the encryption keys for the data will be stored by Amazon as well.

Database keys will be managed through Amazon Web Services’ Key Management System (KMS)…

  • A spokesman from the Department of Home Affairs

So what’s the problem?

I doubt many people are concerned or even know about any of the above. The real problem is the lack of payoff to users. Google already tracks everywhere you go but people accept it because they get useful maps in return. What does COVIDSafe provide? Less battery life? A chance for your stalker to follow your movements down to the metre? No thanks Scott, now I have a Zoom meeting to attend…