Does Australia’s COVIDSafe App Steal Your Private Data?

28 April, 2020

Data privacy is becoming an ongoing threat to our internal sense of security, and an issue many have woken up to following the Facebook and Cambridge Analytica Data Scandal. In light of Coronavirus, the Australian Government has released an app called COVIDSafe, which aims to reduce community transmissions of COVID-19. With the release of this app and over 2 million downloads in under 48 hours, there’s a growing concern around the privacy of your data. After all, this is a government app that is used for tracking purposes. However, what sort of tracking is the app responsible for?

My Approach to Analysing COVIDSafe

My approach was twofold. I started by reading the privacy policy of the app. While I’m not a lawyer (and this therefore isn’t legal advice), the privacy policy is very easy to read, which in my experience is a positive indicator. I also downloaded the Android app (from the Google Play Store), decompiled it which provided the code, and analysed said code. This code has been written in accordance with industry standards, which is also a positive indicator as it seems they’re not trying to inadvertently “hide” anything. While I would have been eager to do the same for the iOS app (from the Apple App Store), Apple is far more protective of their apps and devices in the interest of privacy and intellectual property. This restricted me to the Android app. Therefore, I am indeed making the assumption in the below blog post that the Android and iOS versions of the COVIDSafe app use the same approach in how they treat data.

Tracking of Location Data

When people hear tracking, they think about location data and the privacy of it. This was my concern too. After all, if the app tracks location data, it is able to keep a record of your movements which would feel very “big brother” (certainly not appropriate when we’re already scared to leave home). The other concern I’ve heard people mention is that the COVIDSafe app is simply an entry point to the device through which the Australian Government will continue to track our location post Coronavirus. None of this sounds particularly appealing.

From the perspective of both the privacy policy and the app’s code, COVIDSafe is unable to track your location. On a mobile device, location is first captured by the GPS hardware, which supplies the device’s latitude, longitude, and elevation above sea level to the operating system. The operating system stores this and makes it available to mobile apps that request it. However, there are two barriers reassuring us that COVIDSafe doesn’t use location data:

  1. We are never asked by the device if we want to allow the app to use our location. Before any device will permit location data to be used by a mobile app, we first need to grant that permission. The app can’t get access to the data without this approval.
  2. There is no reference to your location in the app’s code, and therefore it can never be sent to the Australian Government (more on this later when we analyse who can access COVIDSafe data).

Therefore, you should have no concern about your location data being captured by the Australian Government. Ok then, how does the app work? And what data is being tracked?

How Does COVIDSafe Work?

COVIDSafe works by tracking those you come in close contact with every day without using location (GPS) data. It does this by using your mobile device’s Bluetooth signal to “ping” other devices in your vicinity. Therefore, people need to be fairly close to you.

Bluetooth technology does not produce a strong radio signal. It’s strong enough for two phones to detect each other when you’re both going through self checkout at the local supermarket, but not strong enough to propagate through a wall. In other words, according to medical professionals, you need to be close enough that the virus has a chance of spreading between you.

When your mobile phone and that of someone else with the COVIDSafe app come within range of each other, they exchange a message so that both devices are aware of each other’s close proximity. The record your device keeps is an encrypted identifier that contains no personally identifiable information, and which person it belongs to is known by nobody except the Australian Government. Then, if you or someone you’ve come in contact with contracts Coronavirus, health professionals will ask you to share your COVIDSafe data with them. You then have the option within the app to upload this data to them. Those health professionals will receive the identifiers of all people you’ve come in contact with and use them to contact potentially vulnerable individuals (those you’ve been in contact with). This is possible because the Australian Government keeps a record of which person corresponds to each identifier (captured when you first register in the mobile app).

This helps you to become aware of your contact with an infected individual, such that you can take necessary precautions thereafter.

What Data is COVIDSafe Tracking?

When we think of the data COVIDSafe is tracking, it is best to break this down into the information stored on your device, and that stored by the Australian Government in their servers.

  • Device: Each device stores your information entered on registration, as well as the encrypted identifier of each device it has come in contact with. It doesn’t store any information about the people you’ve been in contact with, only the encrypted identifiers of those individuals.
  • Australian Government: The Australian Government stores the data you enter on registration (name, age range, mobile phone) and a device identifier. This identifier is used to find your details if they need to contact you about a potential exposure to the virus.

Therefore, if you’re really concerned about your privacy, you could always reap the benefits of the app while registering under a fake name. That said, I wouldn’t doubt that the Australian Government already knows who owns each mobile phone number, so this seems counterproductive.

Who Can Access COVIDSafe Data?

The record of devices you’ve been in contact with stays on your device until it is shared, and each record is deleted after 21 days. Should you or someone you’ve been in contact with elect to share the data from their app, the privacy policy states that it can be accessed by health professionals only. Therefore, your data is very secure and is not available to people other than those who need to have access to it. It is ultimately in the interest of aiding the Australian public.
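As an added illustration (my own model, not the app’s code and not taken from the decompiled source), the following Python captures the data flow described in the two sections above: a server-side register mapping identifiers to registration details, devices that log only opaque identifiers and timestamps (no location), deletion after 21 days, and export only with the user’s consent. The random token stands in for the app’s encrypted identifier, and all names and numbers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

RETENTION = timedelta(days=21)  # on-device contact records are deleted after 21 days


@dataclass
class Registry:
    """Hypothetical government-side register: identifier -> registration details."""
    people: dict = field(default_factory=dict)

    def register(self, name, age_range, mobile):
        ident = secrets.token_hex(16)  # opaque stand-in for the encrypted identifier
        self.people[ident] = {"name": name, "age_range": age_range, "mobile": mobile}
        return ident

    def resolve(self, idents):
        # Only the register can turn identifiers back into people.
        return [self.people[i] for i in idents if i in self.people]


@dataclass
class Device:
    """Hypothetical handset: stores identifiers and times seen, never location."""
    ident: str
    encounters: list = field(default_factory=list)  # (other_ident, seen_at)

    def ping(self, other, now):
        # Bluetooth contact: both devices record each other's identifier.
        self.encounters.append((other.ident, now))
        other.encounters.append((self.ident, now))

    def prune(self, now):
        self.encounters = [(i, t) for i, t in self.encounters if now - t < RETENTION]

    def export(self, consent, now):
        # Nothing leaves the device unless the user elects to share it.
        if not consent:
            return None
        self.prune(now)
        return sorted({i for i, _ in self.encounters})


def demo():
    reg = Registry()
    t0 = datetime(2020, 4, 28)
    alice = Device(reg.register("Alice", "30-39", "+61400000001"))  # constructed
    bob = Device(reg.register("Bob", "40-49", "+61400000002"))
    carol = Device(reg.register("Carol", "20-29", "+61400000003"))
    alice.ping(carol, t0)                      # contact older than 21 days by upload time
    alice.ping(bob, t0 + timedelta(days=25))   # recent contact
    now = t0 + timedelta(days=26)
    shared = alice.export(consent=True, now=now)
    return [p["name"] for p in reg.resolve(shared)]  # returns ["Bob"]
```

Carol’s identifier has aged out before the upload, so the register can only resolve Bob; without consent the export returns nothing at all.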

In summary, using the COVIDSafe app is incredibly helpful to the Australian public in reducing the spread of COVID-19. I strongly encourage you to join those who have downloaded the app and registered if you haven’t already.
