Australia's contact-tracing app regulation avoids 'woolly' principles in comparable cyber-laws, say lawyers

Australia has released its promised COVID-19 contact-tracing app.

Dubbed COVIDSafe, the smartphone app follows the now-established practice of asking people to register their name, age range, phone number, and postcode, and create a unique identifier. That identifier is shared with other users of the app when they come into close contact with each other.

If a user subsequently tests positive to COVID-19, they have the option to notify health authorities. Other users who have had close contact with an infected person are then contacted by health authorities. Close contact data is stored, encrypted, on devices for 21 days, but some data is stored off-device for health authorities to access.

Only health workers can access the off-device data and even then only after initial opt-in and a second request for permission after a positive test.

The app, available for Android and iOS, uses some code from Singapore's TraceTogther app and uses Amazon Web Services to store registration information, encrypted user IDs, and contact data.

While source code of the app has not been released, a privacy impact assessment [PDF] drawn up by lawyers recommends it be made available. The Department of Health's response [PDF] concurs, saying it "will be released subject to consultation with the Australian Signals Directorate's Australian Cyber Security Centre".

No timeframe for that consultation is offered, nor is there a guarantee the Cyber Security Centre will agree to the release of the source code.

Privacy

The app's use of AWS has quickly raised eyebrows given the cloud giant is subject to the United States' Patriot Act and could be compelled to surrender COVIDSafe data despite it being stored on Australian soil. The app's legal underpinnings, however, appear reasonably sound.

A newsletter from law firm Gilbert & Tobin analysed the legal instrument that underpins the app – a new ministerial determination made under section 477 (1) the Bioescurity Act – and offered the following commentary:

• "To the Government's credit, it avoids the formula of broad discretions and 'woolly' principles which have characterised much of the telco data security legislation of the last few years."
• "You cannot – to use medieval plague language – be treated as a 'leper' because you have decided not to download the app." Not using the app therefore cannot be grounds to refuse a contract, refuse entry to premises, or refusal to provide or receive goods or services
• The determination includes what the firm calls a "keep out Home Affairs signpost" that means any investigation into the app's use can only concern the determination, not possible breaches of other laws.

Security

Without the source code, it's impossible to make a full assessment of the software. However the app's Android .APK file, as is the case with all such files, can be just-about-decompiled.

The Register is yet to find an authoritative post-de-compilation analysis, but some efforts have been made and offer cautiously optimistic assessments of the app.

Data is stored locally in a SQLite database using the RoomDatabase API.

This places collected data inside the apps internal storage, a secure part of your phone strictly private to #covidsafe. pic.twitter.com/u8y8mo8WUu

— Matthew Robbins (@matthewrdev) April 26, 2020

The data upload is authenticated by a One Time Pin request that is sent your mobile phone.

This is important as all data upload is through user consent only.

— Matthew Robbins (@matthewrdev) April 26, 2020

So I'm generally fine with the app. The two minor things that concern me are:
- device-id is sent to API
- the API could give you the same "temp" id over and over again which might allow tracking; a better solution would be for the client to generate the ID

— xssfox (@xssfox) April 26, 2020

Bad Apples

Another criticism leveled at the app is that it must be in active use to perform usefully on Apple devices. As Australia's national mobile phone fleet is dominated by the iPhone – with over 50 percent market share – the app may not collect a lot of useful data.

That's not stopped a million registrations for the app, according to health minister Greg Hunt.

As at 10:30 PM 1 million Australians have now downloaded and registered for the #CovidSafeapp - please join us and help protect ourselves, our families, each other but above all else our nurses and doctors

— Greg Hunt (@GregHuntMP) April 26, 2020

At the time of writing, the COVIDSafe Google Play page counts 100,000+ installs. The next milestone that Google reports is 500,000 and Apple's app store doesn't enumerate usage, making an assessment of actual installs hard to determine.

However the app is well regarded: Android users give it 4.6/5, and iOS users rate it a 4.3. ®