Australia’s Rollout of Covid-19 Tracing App Is Marred by Secrecy and Bugs
Amid privacy fears, officials dangle ‘footy’ and beer in an effort to sell the
program
By Jamie Tarabay
29 May 2020, 06:45 GMT+10
In trying to persuade Australians to embrace the government’s new
contact-tracing app, officials are invoking images of favorite pastimes —
football and beer — with a clear underlying message: If you want things to go
back to normal, install it on your phone.
“Want to go to the footy? Download the app,” Health Minister Greg Hunt tweeted
earlier this month.
Prime Minister Scott Morrison dangled the memory of going to the pub and
drinking with pals. “Now, if that isn’t an incentive for Australians to
download COVIDSafe on a Friday, I don’t know what is,” Morrison said.
But authorities’ efforts to persuade Australians to install COVIDSafe have been
met with some resistance. The nation’s tech community complained that the
government was slow to fix glitches, while some members of the public have
raised questions about whether the app impinges on privacy rights or makes a
difference in fighting Covid-19, the disease caused by the coronavirus. Some
said they felt coerced into embracing an opaque technology.
As U.S. states and cities start their own contact-tracing programs, the
Australian experience — delivered with technical bugs and shifting messages
from government officials to a skeptical public — may offer a glimpse of what’s
to come.
Contact-tracing apps are being developed around the world as a way to fight the
virus, by helping to track down those who may have been in close contact with
people diagnosed with the coronavirus. Many of the apps, including COVIDSafe,
use a phone’s Bluetooth technology to pull data from other app users who pass
nearby. But many of the tracing programs have struggled because of lackluster
adoption and worries about privacy and government surveillance.
Australia to Tackle Post-Virus Labor Changes With Skills Focus Says PM Morrison
at the National Press Club
Scott Morrison
Photographer: Mark Graham/Bloomberg
Australia has recorded slightly more than 100 deaths from Covid-19, and over
7,000 confirmed cases. The infection rate peaked in the mid-March, when 469
cases were recorded in a single day and the country grounded international
flights, closing its borders. After weeks of social restrictions, the number of
daily infections dropped sharply. On May 27, it was four.
As part of its campaign to get the country moving again, the government on
April 26 launched its COVIDSafe app, based on source code from Singapore’s
TraceTogether program, one of the first contact-tracing apps. Eager to tamp
down the impact of budget deficits and the country’s first economic recession
in a generation, government officials have appealed to the public to download
COVIDSafe, hoping it would usher in a quicker return to normal.
The government has rejected criticism of the app’s rollout. In an email to
Bloomberg News, the agency responsible for the app, the Digital Transformation
Agency, said it had received “widespread support and endorsement” from the
information technology community in Australia. The government has “remained
transparent throughout the rollout of the COVIDSafe app, and suggestions to the
contrary are categorically false,” according to an email from an agency
spokesperson.
To address privacy concerns, the government declared that data gleaned from the
app would be used only by health officials and not shared with law enforcement
or other government agencies. It also passed legislation making the sharing of
COVIDSafe data a crime.
In the month or so since the program started, more than 6 million people have
registered for the app — about a quarter of the population.
“Australia continues to be a world leader in testing, tracing and containing
the coronavirus,” Hunt, the health minister, said in a recent statement in
which he encouraged Australians to download the app.
The Digital Transformation Agency has offered few details about the app’s
deployment beyond updating how many people have registered. The health ministry
directed all questions to the DTA, which didn’t address questions on how many
people are using the app on average each day, what the geographic spread of
users is, and whether it would release the server code so cybersecurity experts
can help find flaws, as they have done in Singapore and elsewhere.
“It would be much more sensible to say they did this in a hurry, and it’s not
perfect.” said Vanessa Teague, a cryptographer who focuses on privacy and
election security at Thinking Cybersecurity, a cybersecurity firm based in
Melbourne. “But the refusal to engage with the constructive suggestions for
change that are really important is just dumb.”
Problems with COVIDSafe emerged on the first day of its release.
That morning, at 1:20 a.m., Jim Mussared, a software developer in Sydney, was
emailing anyone he could reach in the Australian government and tech industry,
flagging what he said were implementation flaws that caused unintended privacy
glitches. They included in some cases exposing the phone owner’s name and
allowing for the long-term tracking of devices, even after the app was
uninstalled — which raised concerns among activists against domestic violence.
“I can’t tell you how many different ways I tried to get the attention of
anyone,” he said in an interview. “I spent hours writing detailed explanations
of how they might fix these issues, and I don’t expect a reply. I’m shouting
into the void.”
He wasn’t alone for long. Cybersecurity experts took to social media, published
findings online and even went on breakfast radio to implore the government to
respond to a plethora of complaints they’d sent to the Covid app website. It
would take weeks before some of the bugs were addressed, according to updates
from the government.
The government has moderated its public message since the start of the program.
Initially, it said it wanted 40% of Australians to download the app. But after
officials discovered that the operating system didn’t run on older mobile
phones, they said they meant 40% of smartphone users instead. The government
also softened its message about downloading the app. Morrison initially didn’t
rule out the possibility that it could be mandatory; the government later
passed a law making it illegal to force anyone to download the app.
Users have also complained about problems with the app, according to
cybersecurity experts and online reviews. Some uninstalled it after learning
that it interfered with their health monitoring apps, particularly those for
diabetes patients. Some removed it because it interfered with their car audio
systems. On some phones, it drained the battery.
“Even the Senate committee on Covid has experienced difficulties in getting
straight answers from officials,” said Senator Rex Patrick, an independent
lawmaker from the state of South Australia and a member of the parliamentary
committee studying the government’s response to the virus outbreak.
Amazon Web Services was awarded a six-month contract for $465,000 for its cloud
services, a deal that eventually prompted the government to pass legislation
with extra privacy provisions that make it illegal to transfer any data from
the app stored in the cloud outside of the country. But some legal scholars and
others worry that AWS could be required to produce the data it stores if served
with a U.S. subpoena, based on the U.S. Clarifying Lawful Overseas Use of Data
Act, or CLOUD Act for short.
In an email response to Bloomberg News, AWS said the CLOUD Act doesn’t give
U.S. law enforcement unfettered access to data stored in the cloud. Rather, a
formal warrant “through rigorous, pre-defined legal processes” is necessary
before any access could be granted according to an AWS spokesperson. The law
applies to a narrow category of circumstances, such as seeking evidence of
terrorism, AWS said.
Some people who have declined to install the app out of privacy concerns point
to sweeping powers granted to intelligence and law enforcement agencies over
the last two decades, which they believe have come at the expense of personal
liberties. “There’s no way I’m downloading it,” lawyer Anne Greenaway said,
citing privacy worries. “I don’t trust the government for a second.”
Greenaway, a solicitor who lives in Queanbeyan, about nine miles south of
Canberra, the nation’s capital, was surprised that people in her town resisted
lifting social restrictions but embraced the app — and shamed those who didn’t
download it. “What annoys me is it’s turning people against each other. That if
you don’t download it, you’re letting the side down and holding everyone back,”
she said.
David Killick, a hobby farmer who writes for the local newspaper in Hobart on
the island state of Tasmania, reluctantly downloaded the app after hearing
government officials say that restrictions wouldn’t be eased until more people
participated.
“I think some people have the sense that the government isn’t all that
trustworthy with people’s data, and that there tends to be a bit of mission
creep with these things: once you give up some of your liberties, they tend to
want to hang onto them forever,” he said.
“In the end I felt like there wasn’t much choice. Download the app or we were
all going to be stuck at home forever.”
