The federal government has updated COVIDSafe, Australia’s COVID-19 contact tracing app, this time touting that the changes will significantly improve its capability.
The app will incorporate a new Herald Bluetooth protocol, Minister for Government Services Stuart Robert said, explaining that this would offer “unparalleled app-level Bluetooth performance and contribute to better identification of potential close contacts”.
A statement from Robert and Health Minister Greg Hunt said the Digital Transformation Agency (DTA) has been working with Apple and Google to incorporate the protocol into the COVIDSafe app. The statement also provided COVIDSafe Bluetooth encounter logging results, which demonstrated “excellent” status for all tests.
The DTA said in May that 179 functional tests were conducted for the Apple iOS and Google Android versions of the COVIDSafe app prior to release and that requirements were met.
“All tests satisfied the baseline design requirements,” the DTA said at the time. “Performance tests were also conducted against the technical requirements.”
In June, however, it was revealed the DTA knew COVIDSafe had severe flaws. This was despite the app being sent out for public use on 26 April 2020. The revelation followed research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.
This time around, the app is reporting that even locked iPhone to locked iPhone logs were recording “excellent” performance.
“The protocol provides for excellent performance of all encounter logging under all phone conditions and will continue to work on more than 96% of Apple and Android phones,” the ministers’ statement said.
The code for the update will be made available via GitHub to “enable the tech community an opportunity to provide feedback ahead of the release to the Apple App Store and Google Play Store”.
“Australia’s technology capability and contact tracing systems are world-leading and we will be the first country in the world to adopt the Herald Bluetooth protocol, which has been shown to significantly improve our capability through the COVIDSafe App,” Robert said.
“We are encouraging everyone interested to review the code, conduct their own testing, and provide their feedback.
“We are also making this code available to other countries so they too can benefit from Australia’s world first technology implementation to help improve their digital response to managing COVID-19.”
COVIDSafe was originally a rework of Singapore’s TraceTogether app.
Australia’s tech community, however, has taken a different view.
“This is not ‘engaging with the tech community’. The code is not inspection quality, and despite numerous CVEs and serious issues raised, nobody I know was contacted or notified of this,” researcher Jim Mussared wrote on Twitter.
“They’ve retrofitted the existing BlueTrace-based system (based originally on the Singapore codebase) into Herald … Importantly, this means that the server-side implementation hasn’t changed.”
Mussared said that despite using the same underlying payload, the old and new BLE systems are not compatible.
“Which means that everyone has to update. But auto-updating (especially on Android) has not worked well for COVIDSafe,” he added.
“The existing COVIDSafe system suffered from interactions between different revolving keys leading to tracking vulnerabilities. Adding another layer (Herald) complicates this further and adds more risk of this.”
One of the current issues with COVIDSafe is that it only identifies a handful of cases and manual contact tracing efforts have proved to be more reliable.
During Senate Estimates last month, the Department of Health revealed that despite there being a total of 27,554 confirmed cases of COVID-19 in Australia, only 17 were picked up using COVIDSafe without the use of manual contact tracing.
“When used as part of state and territory contact tracing efforts, the COVIDSafe app has proven to assist in identifying close contacts not picked up through manual tracing,” the ministers’ statement continued.
“New South Wales successfully accessed the COVIDSafe app to identify 80 close contacts, including 17 contacts that weren’t identified by manually contact tracing.
“In Victoria, it has been reported that 1,851 cases have said they have the App and are now using it as part of their contact tracing process.”
During a hearing held in early August by the COVID-19 Select Committee, Secretary of the Department of Health Dr Brendan Murphy said that health services in Victoria were feeling “so pressured” that they decided to not use the COVIDSafe app.
It was later confirmed that DHHS had told the Department of Health on July 16 it had paused using COVIDSafe app data, citing concerns that using the app’s data would contradict its requirements under privacy laws. On August 1, it recommenced using the COVIDSafe app data.
With Victoria moving out of its second phase of lockdown restrictions, the state government on Monday announced businesses could now access a free QR code service to keep a record of visitors.
Similar to what has been in place in NSW for months, the Victorian QR system will rely on visitors scanning a QR code using their smartphone camera to check-in. Failing that, users will be directed to download the Service Victoria app to complete check-ins.
“All data collected through the Victorian government QR code is securely stored, protecting customers from on-selling of contact details. Data will be deleted after 28 days unless it is specifically requested by the Department of Health and Human Services for contact tracing purposes,” the government said in a statement.
Following the state government announcement, Australian cybersecurity firm Pure Security raised concerns with QR code-based information collection.
“Many QR codes are simple links to websites and documents with the express purpose of recording the details and have little focus on security,” Pure Security acting head of advisory Jason Plumridge said.
“I have seen QR links that combine the submission of details along with marketing checkboxes which in my view is not appropriate.
“Businesses should be rightly concerned with the security controls around data privacy implemented by the QR providers and deserve to have assurance that only persons with a right to access that data (i.e. contact tracers) have the ability to do so.”