The controversial Australian government contact tracing application based on the Singapore version has finally been released for Australians. Understandably, a lot of people are concerned about their privacy and whether or not the government messed this up.
I had a spare phone lying around, so I installed the application for the lols. I decided to see if I could find anything nefarious with the app or if it drains my battery like Singaporeans reported their app did.
I am talking about the Android version in this article, presumably the Apple version is also the same, albeit when we speak about permissions, iOS offers its own set of permissions that developers can request.
Firstly, I commend the Australian government to an app which doesn’t look terrible. Usually, government built apps look terrible and work terribly, probably because it’s not a from-scratch application and based on Singapore’s app TraceTogether.
This is not going to be a technical deep-dive on the application or decompiling it and discussing lines of code. If you’re looking for the decompiled source, the community has already started doing that here. Although, the Australian government says the code will be made open source, who knows if or when that will be happening.
It appears on the surface the app is quite unremarkable. Like the Singapore version, it encrypts your data locally on your device and only through a request can you allow your data to be decrypted. Right now as the app currently stands, it seems safe. However, I have valid concerns which you should also have.
Does CovidSafe Drain My Battery?
From what I could see running it for a few hours, no. While I did not go out and try and get it to make a “trace handshake” with anyone else, it appears the app doesn’t use that much battery. In the few hours I used it, I saw a few percent drop which is nothing compared to Spotify, Pokemon Go or YouTube.
The application also appears to work fine in the background on Android as well. You get a notification telling you the app is active in the background and that’s it. There is no need to run the app and have it the only one open meaning you can interact and use other apps and features on your phone.
While the app only appears to access Bluetooth right now and uses it to determine the vicinity you are in relation to other app users, the app asks for the
ACCESS_FINE_LOCATION permission on Android. If you read up on this permission here in the Android documentation, pay close attention to what it provides.
Allows the API to determine as precise a location as possible from the available location providers, including the Global Positioning System (GPS) as well as WiFi and mobile cell data.
Without fearmongering, I want to point out that the application at the time of writing this only ever uses Bluetooth. The ability to use GPS or anything else for location does not appear to be in the current application.
In theory, there is nothing stopping the Australian government from making an update which allows them to also track your location via GPS. This permission gives the app the ability to track GPS data if it wanted too, but I want to stress again, the app does NOT currently do this.
Concerns About Privacy
The CovidSafe application as far as I can see is safe. It does everything that the government said it would and it also appears to not be sending anything off in secret to the government or tracking your movements. However, I implore you the reader to be sceptical for a few reasons.
The first reason relates to the government’s mandatory data retention legislation. Law enforcement agencies are being given browser history of people under investigation, despite the fact the legislation specifically excluding it.
Given the LNP passed such legislation in 2015 and ever since there have been numerous reports and instances of metadata being incorrectly given to agencies, people and agencies getting access to data that they shouldn’t and overall confusion around how the scheme and subsequent legislation works.
Since the introduction of this legislation, there has also been significant scope creep where more and more agencies and bodies are able to access metadata. (from Greyhound Racing Victoria to Consumer Affairs and various local councils). If you think only law enforcement and national security agencies can access your metadata, think again.
A very real scenario
The second and most important reason relates to the controversial encryption weakening legislation that was passed in 2018. Given everything that has happened since then, it’s easy to forget this legislation passed and still exists.
If you think that the concerns around privacy and data are invalid, looking no further than law enforcement agencies asking for added capabilities to be added into the application. A request which the Morrison government knocked back, but the fact they even asked in the first place should concern you.
Here is where things get muddy and it’s a concern that not even the government can reassure citizens on. The encryption weakening legislation passed in 2018 could in theory, allow the government to add in a backdoor or added features to the application in a stealth update and nobody would be allowed to say anything.
All of the legal provisions are there to allow the Morrison government to enable this application (with a few lines of added code) to become something that can track your location through GPS given the permission to do so has already been granted.
Legally speaking (I am not a lawyer) the interpretation of all of this is the promised safeguards for the CovidSafe app would NOT override the backdoor encryption legislation or any other established legislation if they were to ever conflict with one another. As such, the reassurances and promises that protections are in place for CovidSafe are nothing more than empty words.
While I do not doubt that this app could be incredibly effective in helping trace COVID-19 infections and spread, there are just too many unknowns for me to consider installing this app. At the end of the day, make the decision that feels right to you and do not let this post or anyone else’s opinion do anything more than inform you and allow you to make your own decisions.