As there’s no Moonee Valley Council meeting this week (cancelled with no clear explanation) I thought it might be worth writing about Australia’s COVID-19 tracing app.
The federal government will today launch its version of the tracing app used in Singapore to facilitate contact tracing for future cases of COVID-19. It’s called COVIDSafe.
By way of disclaimer, I am not a tech or digital expert and I understand the technical engineering behind the app is complex.
I am simplifying things somewhat here and I apologise for any frustration this may cause tech experts.
From various media reports, the app appears to work in the following way:
- When a person installs the app, they register their name, phone number, postcode and age range;
- This information is encrypted – this presumably creates public and private keys (see below);
- When two people with the app installed come within 1.5 metres of one another for 15 minutes or more, the app exchanges the encrypted data;
- Exchanged encrypted data will be stored on the phones for a rolling period of 21 days, and then deleted;
- In the event of a positive COVID-19 diagnosis, and with the consent of the phone owner, this data will be uploaded to the government who will then be able to decrypt it using the public and private keys mentioned above;
- The government will then use the data to notify people who have come in contact with the person;
- All the data on the government’s server will be deleted at the end of the pandemic.
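The lifecycle described in the list above, as a constructed model added here (not COVIDSafe's code or design): a server-side registry holds each registrant's key, phones log only encrypted identifiers, entries roll off after 21 days, nothing leaves the phone without consent, and only the registry can turn an uploaded log back into names. The cipher is a toy HMAC-based keystream chosen so the example runs on the standard library alone.

```python
import hashlib, hmac, os

RETENTION_DAYS = 21          # rolling retention window on the phone
CLOSE_CONTACT_MINUTES = 15   # minimum duration for a logged contact

def _xor_stream(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode XORed with data (illustration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def toy_encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def toy_decrypt(key, ciphertext):
    return _xor_stream(key, ciphertext[:16], ciphertext[16:])

class Registry:
    """Government side: the only place the per-registrant keys exist.
    Whoever controls this table can read every uploaded contact log."""
    def __init__(self):
        self.keys = {}
    def register(self, details):
        key, uid = os.urandom(32), os.urandom(4).hex()   # uid: opaque label exchanged by phones
        self.keys[uid] = key
        return uid, toy_encrypt(key, details.encode())
    def trace(self, uploaded_log):
        """Decrypt an uploaded log into the people to notify."""
        return [toy_decrypt(self.keys[uid], blob).decode() for _, uid, blob in uploaded_log]

class Phone:
    def __init__(self, registry, details):
        self.uid, self.blob = registry.register(details)
        self.log = []                        # (day, uid, encrypted details) per close contact
    def encounter(self, other, day, minutes):
        """Both phones record the other's encrypted identifier for a close contact."""
        if minutes >= CLOSE_CONTACT_MINUTES:
            self.log.append((day, other.uid, other.blob))
            other.log.append((day, self.uid, self.blob))
    def prune(self, today):
        """Drop entries older than the rolling 21-day window."""
        self.log = [e for e in self.log if e[0] > today - RETENTION_DAYS]
    def upload(self, consent):
        """Only with consent; the phone holds no key and cannot decrypt the log itself."""
        return list(self.log) if consent else None
```

Because the phones never hold a key, the registry's key table is the single point whose custody decides who can read the logs, which is the question the rest of the post turns on.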
This might sound straightforward, but technology is, of course, more complex and often loses something in the explanations offered by government ministers (à la George Brandis’ addresses on envelopes as an explanation for metadata).
One of the key complexities with the tracing app is the ‘public and private keys’ related to the encryption process.
The complexity of encryption
Encryption involves public and private keys, and the use of these to ‘sign’ information to protect it. The process is something like this. In this example, the plaintext is your name, phone number, postcode and age.
Public keys are used to sign the information to be exchanged. Public and private keys are used to decrypt information.
What’s not clear from any of the government material or reporting is how the government manages the private keys.
Presumably, when a person downloads the app and registers their details, they create a private key. This will then be stored on the server for the government’s later use to decrypt any data related to this person – as a patient or contact.
As with most digital tools, the central concern about the app is the privacy controls around the management of the data, that is, how it is stored and who can access it, which in this case extends to the private keys.
How will the government manage encrypted data?
To recap, when someone downloads the app and registers, their details are encrypted with a newly created private key which is unique to that individual.
While public keys are involved in the exchange of information, for the service to be able to decrypt your data once it has been logged by another person’s phone and uploaded, the private decryption key must also be known. So the private key must be stored and managed somewhere.
The Government has said the database keys will be managed through Amazon Web Services’ (AWS) Key Management Service (KMS). But we don’t know at what point this information is uploaded to AWS. We can only presume the private keys of all registrants are stored there.
Concerns have been heightened because a contract for the data storage was awarded to US retail and technology giant Amazon who owns Amazon Web Services (AWS).
Amazon is one of the protected certified cloud services in Australia. There are other Australian owned services that, it’s thought, were not invited to tender for the contract.
There is concern that Amazon’s involvement may result in the Australian data being accessible under a 2018 US law that allows information held by US-registered data companies to be accessed by US law enforcement no matter where in the world that information is held.
The Australian Government has said the US law would not apply to the tracing app data.
Confusingly, this law is referred to as the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), but it is very different from what we’re used to referring to as ‘the cloud’, which is servers, and the software and databases stored on those servers, that are accessed over the Internet and located in data centres across the world.
So the key privacy concerns are connected to the storage of and access to personal data, by the government using AWS’ technology services.
After it is accessed, because of a positive test, where is it stored?
If two people with the app are in contact for more than 15 minutes at a distance of less than 1.5m, the app logs the encrypted data of that contact. Public keys are involved in the exchange of information between phones.
The encrypted information is stored in the app on those phones. It doesn’t get uploaded onto a server unless you test positive.
If one person then tests positive to COVID-19, they would be asked to make their encrypted contact log available to the Government.
The Government will store the logged data in the Amazon cloud, what Minister Stuart Roberts describes as “highly secured servers.”
“Uploaded contact information will be stored in Australia in highly secure servers,” Mr Roberts said.
The Government says the data will be uploaded to the onshore Amazon server, and it will be a crime to move the data offshore. But the AWS technology will be used to store and manage the data.
Decrypting the identifiers requires the private keys, as explained above, and those decryption keys will be stored in the same cloud as the data, making it vulnerable.
Who has access to the unencrypted data?
Lawful access to the unencrypted data will be restricted to state health professionals only.
However, as flagged above, it’s not clear what security controls will exist to protect the decryption keys and the original personal data.
The app theoretically only exchanges data when people come within 1.5m for 15 minutes or more. This raises several questions about its effectiveness.
There are also concerns about whether Bluetooth, the communication protocol used by the app, can be reliably limited to a small distance with any accuracy. It may be that the exchanges occur over a wider range of distances, or through walls.
A former national coordinator for health information technology, Farzad Mostashari, has said: “If I am in the wide open, my Bluetooth and your Bluetooth might ping each other even if you’re much more than six feet away. You could be through the wall from me in an apartment, and it could ping that we’re having a proximity event. You could be on a different floor of the building and it could ping. You could be biking by me in the open air and it could ping.”
The app says it stores data related to the strength of the signal and this is the means through which it ‘measures’ close contacts. We’ve played around a bit with this at home and there are large margins of error, but the strength does reduce considerably between 2 and 5 metres.
There are also concerns about the reliability of Bluetooth more generally, and about how the app will operate on a phone given that whether Apple and Android phones can keep Bluetooth running in the background has not yet been clarified.
Secondly, the usefulness of the app relies on social distancing as a key variable in the transmission of COVID-19. It won’t pick up any cases transmitted via surfaces, or, theoretically, where contact has been maintained for less than 15 minutes.
Location information would be more helpful in locating these cases, but for understandable reasons, location information is not being retained as part of this app.
For those interested, here’s an alternative tech solution for a tracing app that does not involve the central storage of any personal data or decryption keys.
There are also calls for the Government to be open and transparent regarding its COVID-19 tracing software application.
More than 40 academic and industry-based experts in Australia say it is possible to offer the public both privacy and successful COVID-19 contact tracing and have called for an independent review process, open to all in the Australian and international community.
The list of signatories includes eminent and leading researchers.
So, should we download the app?
We all want to make it easy for the state governments to conduct contact tracing to suppress further spread of COVID-19.
Individual concerns about privacy, trust in technology and the reliability of Bluetooth need to be weighed against community efforts to contain COVID-19. People will reach different conclusions.
I think I probably will download the app but my name, postcode, age and phone number are already public. Many people have good reasons for being more cautious with their personal data.
I also think there is probably enough scrutiny on this that if the data is misused, the Government will lose any remaining public trust it has. However, there are a lot of very technical questions that have not yet been answered and we should keep asking questions – always!