3rd Party Risk Management , Endpoint Security , Governance & Risk Management

Aussie Contact-Tracing App: Details Slowly Emerge

Australia Opting for a Centralized Model for Its Effort to Help Combat COVID-19
Aussie Contact-Tracing App: Details Slowly Emerge
Australia is close to launching a contact-tracing app and has an informational health app, pictured above.

Australia’s COVID-19 contact-tracing app may be released by the end of the month.

See Also: On Demand | 2024 Report Findings: Security & Productivity in the Age of AI

The details of the project have trickled out as the Australian government has sought to get in front of privacy concerns, which center around the types of data the government would be collecting and security measures in place. Getting the public’s support is critical because the government has said use by 40 percent of the population is needed for it to be an effective public health tool (see: COVID-19 Pandemic Puts Privacy at Crossroads).

Australia has expansive national security laws, which have raised questions about whether the data inputted into a contact-tracing system could be appropriated for other uses. But the government says it plans to introduce new laws next month that would likely restrict the use of contact-tracing data by police.

Prime Minister Scott Morrison said on Thursday that the data collected by the app will only be accessible by state and territory health officials. “It's [the app] got one job,” Morrison said at a press conference in Canberra. “It's for a time-limited period. It has the specific job of helping public health officials help you.”

Data from the app will be encrypted and go into a “national data store” that will be off-limits to the broader Commonwealth Government, Morrison says.

No code is available yet, and while one government minister said the source code would be released, the government has since been more circumspect. The government also intends to release a privacy impact assessment of the app.

Proximity-Based Protector

The app will be somewhat based on Singapore’s TraceTogether project. Rather than collecting GPS data from phones and matching those infected with coronavirus to those they have been near, the app functions as a proximity-based detector (see: Australia Considers How to Approach Pandemic Contact Tracing).

Like TraceTogether, Australia’s app will use the short-range Bluetooth wireless protocol to detect whether two people have come in close contact with one another. It’s believed the sensitivity will be set to around 1.5 meters, and the two people will have to have been around one another for 15 minutes or more.

Upon registration, the app will require name, age range, post code and phone number. If two people come in close contact, the app will record each person’s name and phone number, according to an ABC interview with Government Services Minister Stuart Robert. That data will be stored in an encrypted format on the device, and the contact record will only be stored for the last 21 days.

"It's got one job. It's for a time-limited period. It has the specific job of helping public health officials help you."
—Scott Morrison, Prime Minister, Australia

But many other details have yet to be revealed. For example, it’s unclear if people who contract the new coronavirus will voluntarily submit their details to the national data store.

Controversy Over Centralized Model

Computer security experts have advocated that contact-tracing apps don’t use a centralized server to keep track of who has been in contact with each other. Centralized servers pose risks, they argue. The encrypted contact data sent to the server could be recovered if the central server uses weak or broken encryption, writes Vanessa Teague, a cryptologist and former associate professor in the School of Computing and Information Systems at the University of Melbourne.

Even if the tracing app only records proximity-based contact, who a person has been in contact with could be just as sensitive as where the contact actually took place.

There are also questions about other parties that may be involved in the project. Singapore’s app, for example, uses Google’s Firebase cloud, which means Google has visibility into the data, Teague writes.

The ABC revealed on Thursday that the Australian government has offered the data storage contract for the app to Amazon. The government says that it plans to use Amazon Web Services' Key Management System, or KMS, for the management of encryption keys. AWS uses hardware security modules to store the encryption keys.

Amazon would also have access to those encryption keys, says Patrick Townsend, CEO of the data security consultancy Townsend Security in Olympia, Washington.

“Amazon Web Services KMS is a multi-tenant key service, and access to individual keys is a shared responsibility,” Townsend says. “Amazon would say that they have strong protective procedures in place. I don't doubt that, but it is still a shared service."

Townsend wrote a blog post about the differences between KMS and AWS CloudHSM, which is a dedicated hardware security module for which Amazon lacks administrative access.

The choice of Amazon raised eyebrows as to why an Australian company wasn’t selected. It has also raised legal questions because of the Clarifying Lawful Overseas Use of Data Act, also known as the Cloud Act, which was passed by the U.S. Congress in March 2018. The Cloud Act allows U.S. law enforcement to access electronic data held by a service provider in its jurisdiction even if that data is actually outside the U.S.

The Apple Problem

Other technical barriers to successful app-based contact tracing remain as well. Apple bans iOS apps that aren’t actively being used to collect data, such as location, via sensors such as Bluetooth. This means that unless someone has a contact-tracing app in the foreground, it won’t be able to do its job.

Reuters reports that Germany is in talks with Apple to relax its restrictions for its own contact-tracing app, and France has pursued that path as well. But so far, no agreement has been reached. It’s unclear what Australia’s strategy is around this issue.

Meanwhile, Apple and Google continue to work on their own platform for contact tracing that emphasizes privacy.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.