Wednesday, May 13, 2020

Thoughts on the COVIDSafe app

This post has been created to enable me to collect and collate information about the COVIDSafe app which I feel is interesting and may interest others.

When people ask me what do I think about the COVIDSafe app, which usually means in terms of whether they should install it or not, I don't have a clear answer.

In an ideal world where nothing goes wrong you could install anything. But the world isn't ideal and things do go wrong.

Personally I will hold off installing the app. At this stage that's not a big issue because whilst the COVIDSafe app may be available for download and installation, the data cannot get to those who would need to use it to assist with tracking. That part for whatever reason is not yet complete so the whole system is not complete.

For Apple iPhone users the app at this point is of limited value. If the COVIDSafe app is not active and the screen unlocked, the app doesn't work as it should. Apple needs to update their operating system and that's going to happen, but probably only when Apple and Google launch their own contact tracing apps.

I also have a concern on the design of the app which means the large collection of data on Australians will be occurring and to me that is a concern. That COVIDSafe app also collects data that isn't really required and may even be a risk for some people.

The COVIDSafe app is designed to store data centrally on Amazon servers (reportedly costing around three quarters of a million dollars). The data is stored in Australia, but Amazon is an overseas country and as such answers to an overseas country, the United States. Hackers also have no concern for borders. Keep in mind up to 10% of people working in organisations that have access to the data may not be as law abiding as the rest of us. In the 911 bombings Homeland Security found 3% of people were too dangerous to let on planes and up to 10% in total needed to be stopped before being let onto planes. To have access to data that links people to other people at such a detailed level stored online can only be a concern. Thinking it through the design of the COVIDSafe app could have been completely decentralised. All the data gathered could have been encrypted and held on the mobile phone and accessed if and when required by contract tracers. There would be no reason to register any data to use the app. The fact the government has chosen not to go that way means they have reasons for not doing that, that we don't know about.

Data registered with the app is your mobile number, an age range and your postcode. None of this data is necessary if the data was stored locally. In addition, from what I've read, the app stores in the logs for the app the type of phone a person connects to. By inspecting the logs it may be possible to infer who a person's been with, or that they weren't where they say they were. This I've read could be a concern for people in abusive relationships. By collecting any data that's not strictly necessary increases any potential issue significantly. In one article it stated the date, time, distance and duration of time with the contact.

If encryption does work, with an app that stores data locally, when a person's mobile phone connects to a nearby phone, the only data that need be collected could be the mobile number. That mobile number along with any other data such as length of connection, could then be encrypted and stored on the mobile phone. Contract tracers could then use the list of phone numbers to follow up those who had potentially been exposed. All data encrypted and stored locally on the mobile phone. Nothing collected that wasn't necessary and much less exposure.

Today I also say a last minute change in the legislation and this is a reminder we are talking about legislation that can be changed in future and that doesn't mean it won't change.

https://www.9news.com.au/national/virus-app-bill-introduced-to-parliament/7ad5d23f-8b19-4554-a1e5-edb78329dd12

The change was "People could refuse to allow others into their home if they didn't have the app" and that means having or not having the app has started to potentially impose restrictions on people. Earlier it's been mentioned "Under the proposed privacy laws, business owners can't ban or refuse to serve people if they don't have the app", but that begs the question, what about other organisation that aren't business owners such as schools or other government entities. Is it possible we won't be allowed to drive on public roads if we don't have the app installed? Once the government starts including one rule that imposes a restriction or reduces the rights of a person it potentially opens up the ability to impose further restrictions or reducing people's rights. To me this is very concerning.

One piece of information I thought I'd mention is the app uses an ID to store on another person's phone. The ID is stored encrypted. The ID is generated and refreshed after two hours. The problem is if the person isn't connected to the internet the ID does not get refreshed. Some articles have reported two hours is a long time and could be used to track people. If you think about it most trips you take to get somewhere will be less than two hours so with access to the data it may be possible to track people in some form. What this also tells me is the app is communicating with a government run server/service and this can be monitoring our use and in fact the communities use of the app pretty much in real time. My mind starts to wonder what other information can be recorded and collected when a device is using the internet on an ongoing basis such as the IP address. All this metadata is outside that collected by the app and may not be covered by the legislation.

The following are some articles I found interesting and thought others might as well.

https://www.news.com.au/technology/gadgets/mobile-phones/covidsafe-app-data-yet-to-be-used-bluetooth-fix-reliant-on-apple-google/news-story/748f12bdf35179705b6d4e86c2da34db

https://www.theage.com.au/politics/federal/us-access-of-covidsafe-data-not-conceivable-but-legal-advice-not-released-20200506-p54qff.html

https://www.abc.net.au/news/2020-05-02/coronavirus-app-currently-not-fully-operational/12208924

https://www.pcworld.idg.com.au/article/678801/covidsafe-explained-everything-need-know-about-australian-government-coronavirus-app/

https://techsafety.org.au/resources/resources-women/covid-19-tracker-app-advice-for-survivors/

https://www.smartcompany.com.au/coronavirus/covidsafe-tracking-app-secure/

https://www.ag.gov.au/RightsAndProtections/Privacy/Pages/COVIDSafelegislation.aspx


Issues with other apps

I thought I'd raise one issue that may be a concern for some people. I read the COVIDSafe app may interfere with other apps people may run such as a medical monitoring app. If this is possible it may be wise to use the COVIDSafe app on a separate mobile device.

I'll continue to update this post with information I find relating to the COVIDSafe app.

As a final comment keep in mind tha COVIDSafe app gives you one thing you can't get any other way. If the app is working then if someone who has the app is in your vicinity and is later shown to have been infected, your contact details will be available to the health department and they'll be able to contact you. That is a very good benefit as it lets you know you've been exposed and then you can take precautions to protect yourself, your family and others.

Kelvin Eldridge
www.Mapz.com.au/coronavirusvictoria/

Update: 14/05/2020
https://newsroom.unsw.edu.au/news/business-law/some-improvements-required-covidsafe-bill-parliament

Update: 16/05/2020
Using a Bluetooth scanner app on an Samsung S7 I wanted to see if I could see two Apple iPhones. Without COVIDSafe installed the scanner app did not locate either of the iPhones. Once the COVIDSafe app was installed on each of the iPhones the scanner could detect both of the iPhones and determine one was an iPhone 6S and one was an iPhone 7. Once the iPhone's screened locked and the COVIDSafe app went into the background the scanner could no longer see the iPhones. This leans towards confirming issues with Apple iPhones when the COVIDSafe app is not currently running on the screen.

Update: 21/05/2020
If you haven't updated the COVIDSafe app (perhaps you have automatic updates turned off) it's a good idea to update the app. Found the following information which contains information on updates.
https://www.dta.gov.au/news/next-release-covidsafe-live

Update: 24/05/2020
I've visually checked the files in an Android mobile and not currently found any information that is clear text that would give me information as to what mobile phones are around me. This isn't to say there isn't, but if people are using basic tools in the mobile phone to check folders and files, they may not easily find any information.

Update: 18/06/2020
The following news article shows how the government mislead us as to how effective the COVIDSafe app really was on iPhones when it was released. I still doubt how effective it is on iPhones. If you read the articles you'll see they mention keeping one iPhone unlocked to get moderate performance if the other iPhone is locked. The reality is most people walk around with their mobile phones locked. I doubt COVIDSafe on the iPhone in normal use is effective at all.
However, having said that, what I'd suggest is when you enter an area where's there's other people, open the COVIDSafe app on your iPhone and don't let your iPhone lock. That way you improve the chances of other mobile phones being detected.

Update: 30/06/2020
The following article shows the COVIDSafe app has hardly been used.
Through my own testing and watching downloads it makes sense the COVIDSafe app isn't getting useful results. First with downloads I can't be sure but based on early numbers of downloads I'd suspect about two thirds are iPhones. I tested an iPhone 7, iPhone 6s and Samsung Galaxy A20 recently and the iPhone 7 was not able to be detected using a Bluetooth scanner if the iPhone was left and locked the screen. In addition I recently visited the Apple store in Doncaster and did a Bluetooth scan. Only one iPhone visible. Not one additional person to alert as a contact in Victoria shows something is seriously wrong and the app is simply not performing. Try it yourself. Download a Bluetooth scanner app and see how many phones around you, you can detect.

What the app needs is visible feedback it is working. Right now you have no idea if it's working or not. Give me a count of the number of devices found around me and how many have been in contact for the required time. If I walk into a restaurant and there's no phone detected that lets me know the app isn't helping me in any way. Currently the blind assumption it's working doesn't cut it for me.

For example if I walk into a restaurant I'd like to think the owner or staff have a phone recording those in the restaurant, including me, so if someone in the restaurant is infected I'd get notified. Right now I can't be sure the app is doing anything useful and the lack of results for contact tracing is confirming it probably isn't doing anything useful.

Update: 9 July 2020
I can't help feeling the COVIDSafe app has been a waste of time and money. The real issue is many Apple users are given a false sense of security when using the app and that is a worry if it encourages them to undertake risky activity because they feel safer. This is an example of where the government has not kept us informed. Apple iPhone users could use a spare Android mobile phone to keep them safer if they knew this was a problem.
Apple users should assume the COVIDSafe app does not work until they are given a clear guarantee from the government it does work. The media has picked up that Scott Morrison mentioned the COVIDSafe app once in the last fortnight yet prior to that, it was key to keeping Australians safe. This is a clear indication the government knows more than they are letting people know.
Based on my very rough estimate of downloads stats I'd estimate around two thirds of the roughly six millions downloads have been Apple users. Potentially that means up to 4 million people with an app that doesn't work as promoted. Leaving just two million Android users with a working app. That's going to be under 20% of phone users and far less than is needed for the COVIDSafe app to be useful.

Update: 10 July 2020
The following shares a business and their team's experience with the COVIDSafe app where one team member tested positive. Given that all team members have the COVIDSafe app and spend time together, no one else was notified as a close contact by the Health Department. This is a further indication the COVIDSafe app is not working as we've been told. The one question I would have is, "what type of phones do they have?"

Update: 14/07/2020
Another article showing people in high-risk situations not getting alerts.

Update: 3 August 2020
COVIDSafe app finds two cases.

Update: 10 August 2020
Today the COVIDSafe was promoted for the recent success of finding 544 contacts with two being positive. The trouble is this is exactly the same news that came out a week ago. If you weren't following the news you'd think the COVIDSafe app was finding more contacts. With over 7 million people downloading the app and hundreds of cases in Victoria a day, it's hard to imagine why the COVIDSafe app is not finding more contacts.

Update:22 October 2020
I thought this article had some good information on numbers detected by the COVIDSafe app.
Locks like there's been 14 close contacts but no cases found in NSW and no cases anywhere else.. With current estimates of COVIDSafe costing close to $6 million, that's lot of money for very little return.

The real irony is the COVIDSafe app could be useful. The worst feature is it offers no feedback it's actually doing anything. However it could easily be used when people go to restaurant or business. That way people don't have to provide their contact details. With visible feedback that would enable people to see they've at least connected with someone such as the owner of the business or a senior staff member. No need to collecting anyone's data.

Update 5 November 2020
COVIDSafe app has been of no material benefit according to the SA Police Chief.

Update 5 November 2020
It does look like using mobile phones and Bluetooth for contact tracing isn't cutting the mustard. In a study the Google-Apple API approach was shown their approach did not work on public transport. So it looks like it's not only Australia's COVIDSafe is less than useful.





 


No comments:

Post a Comment