Application Security , COVID-19 , Governance & Risk Management
Australia Passes Privacy Law for Contact-Tracing App
Jail Time Possible for Those Who Misuse Data; Employers Can't Require UsageAustralia’s Parliament passed a law on Thursday to deal with a range of sticky legal and privacy concerns arising from its quickly developed contact-tracing app, COVIDSafe. But that’s just one set of problems with the app, which has fundamental functional problems and security bugs as well.
See Also: Live Webinar | A Practical Guide To Achieving Continuous Software Supply Chain GRC
The law was needed because COVIDSafe collects personal information that’s stored in a central database and is accessible to local health authorities. The data includes names, age ranges, phone numbers, post codes and phone models.
While COVIDSafe is a proximity detector that does not record precise GPS coordinates, it does record anyone who has been within Bluetooth range for 21 days. That means logs from someone’s phone could reveal their social graph for the past three weeks.
Mobile-phone based contact-tracing apps are intended to automate what is otherwise a human-intensive process of tracking down everyone a COVID-19 patient has been near. But there’s no clear evidence yet if these new apps can act as a replacement for human-centered investigations (see: Australia Releases 'COVIDSafe' Contact-Tracing App).
The country’s Digital Transformation Agency released COVIDSafe on April 26. So far, more than five million people have downloaded it to their devices.
But as in many other countries that have moved to use technology during the COVID-19 pandemic, legal and technological issues emerged, raising questions as to whether Australia perhaps released the app too quickly (see: Digital Contact-Tracing Apps: Hype or Helpful?).
Misuse Equals Jail Time
The law, which amends the Privacy Act 1988, addresses some of the most pressing concerns about COVIDSafe and how its data is used.
Improperly disclosing data is punishable by up to five years in prison. It’s also an offense to upload data from the app without consent. And crucially, employers cannot make use of the app a requirement for returning to work.
But experts note gaps. For example, there’s no hard limit on how long the Australian government can store data in the National COVIDSafe Data Store, a centralized repository set up on Amazon Web Services.
Also, the law fails to prohibit employers from loading the app onto work-issued phones that are then distributed to employees, write two academics with the University of New South Wales.
There are also concerns about whether U.S. law enforcement could get access to the data. Australia awarded the contract to Amazon Web Services to store the data and use its development tools. Because Amazon is a U.S. company, U.S law enforcement would conceivably have access to the data under the Cloud Act, a law that puts data stored overseas by a U.S. company subject to a warrant.
On Thursday, the Law Council of Australia welcomed the new law but indicated the Cloud Act issue remained an outstanding concern. It says it is looking forward to "the government reaching an executive agreement with the U.S. to minimize the potential for data to be accessible under warrant or subpoena via the U.S. Cloud Act.”
Transparency Concerns
The source code for the iOS and Android versions of the app has been released. But the government has not released the back-end code. This code is responsible for issuing temporary encrypted IDs, called “UniqueIDs,” to other devices running COVIDSafe. UniqueIDs are voluntarily uploaded to the data store by someone who tests positive for COVID-19. Health authorities can then decrypt those IDs and contact those who have been in contact with an infected person.
Vanessa Teague, a Melbourne-based cryptologist and CEO of Thinking Cybersecurity, says important encryption operations are done on the server side. She and other researchers published an in-depth post about why release of that code is important.
“We need to see the server code and read some justification of the design decisions, so that we can identify and fix other bugs in #CovidSafeApp and have a genuine public debate about how it should change,” she tweeted.
Other quirks and bugs have been found in the app. For example, while the UniqueIDs are encrypted when transferred to another phone, the app also sends the device name, which may have been set by a user as their own name. It isn’t encrypted.
"That means if you are walking down the street with a Bluetooth equivalent of Wireshark, you can just capture this identifier,” says Geoffrey Huntley, one of a group of independent researchers who’ve closely scrutinized the app.
Also, researchers discovered a denial-of-service bug in the iOS version, writes Richard Nelson, another developer who’s been looking at COVIDSafe. The bug, which was fixed in an update released on Thursday, could have allowed an attacker within Bluetooth range to crash COVIDSafe, preventing the recording of contacts until the app is restarted. He published a video showing the exploit.
Another independent researcher, Jim Mussared, is keeping track of ongoing privacy and security issues in a Google document.
Pivot to Decentralized?
Legal and privacy issues aside, one the largest hurdles Australia faces is how COVIDSafe functions on Android and Apple iOS. The short answer is in some cases, not very well.
Apple and Google have limits on how apps that are not actively being used can tap into Bluetooth. This means that devices running the app might not beacon effectively, essentially undermining its purpose.
Russell Brugeaud, CEO of the Digital Transformation Agency, testified before a Senate Select Committee on May 6 that the Bluetooth signal “progressively deteriorates” if phones are locked and the app is in the background.
Bruguead said, however, that the government is "working with Apple and Google on the improvements that they're making to Bluetooth, and we will be one of the first adopters of that improved Bluetooth connectivity.”
Apple and Google are working on APIs that would improve compatibility with contact tracing. Their improvements, which are dubbed Exposure Notification, will eventually be baked into their operating systems.
But their ideas are firmly based on a decentralized model, where users don’t have to share personal information. It remains unclear if Australia plans to scrap its centralized model in order to take advantage of improved Bluetooth connectivity (see: Contact-Tracing App Privacy: Apple, Google Refuse to Budge).
Katharine Kemp, a senior lecturer at the Faculty of Law at the University of New South Wales in Sydney, says she would be surprised if the government abandoned COVIDSafe and moved to the Apple-Google solution.
“The Australian government clearly has a strong preference for a relatively centralized approach, with the government gathering and decrypting the contact information of those who test positive for COVID-19,” she says.
Other countries, including Germany and Ireland, have changed their plans and will use a decentralized model, which doesn’t aggregate personal information in one location, in an attempt to help ensure privacy.