Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file. Penned by independent security researcher Chris Culnane, University of Melbourne tutor, cryptography researcher and masters student Eleanor McMurtry …

  1. Diogenes

    Mike Cannon-Brookes

    I might be more impressed if Atlassian paid tax in Australia.

    He willfully ignores the fact that unlike Facebook and Google, government can arrest you, link your data to health data, tax etc etc.

    Also I have heard a rumour that there may be an issue with licence of some of the underlying code which specifies source must be released

    1. Mark 65

      Re: Mike Cannon-Brookes

      Mike Cannon-Brookes Got his one big break and now somehow thinks he’s some kind of sage that we should all listen to. He’s just a politician cosying attention whore.

      1. Michael Wojcik

        Re: Mike Cannon-Brookes

        This certainly looks like standard minor-celebrity-Dunning-Kruger to me. "Oh, I'm in IT in some fashion, therefore my opinion on everything even vaguely related to it is important."

        (Of course my opinion on everything even vaguely related to IT is important, but that stands to reason.)

  2. deevee

    Maybe 2 million people use the app, but that means 20 million don't.

    Also the 2 million who did install the app probably have no idea what it really does, and think it's going to save them by knowing they walked past someone once in the street who had coronavirus, when in fact 99.9999% of the time it wouldn't have a clue if your paths have crossed with someone with the virus, and it certainly won't be notifying you about that, and the only people it's really even likely to match you with is one of your family or close friends.

    1. Precordial thump

      Speaking as a front-line health care worker who does know what the app claims to do and how it claims to do it, I'm prepared to recognise its imperfections and say to everyone in this country who can: download it. Use it.

      Australia is tantalisingly close to completely suppressing this thing. Yes, the epidemiology that the app is based on is probabilistic, but, guess what: transmission of the virus is probabilistic over a population.

      And if, $deity forbid, clusters start popping up again, then we need to put data into the hands of public health physicians quickly. Contact tracing stops small clusters becoming big ones. That is the sole function of the app.

      1. Diogenes

        Lockdowns aside

        Lockdowns aside, with the exception of my bus commute home, assuming no major changes to my habits I can easily give you a list of everybody I was closer to than 1.5m for 15 minutes or more over a 2 week period. Apart from the wife, and my students it would be a very very short list.

        1. Precordial thump

          Re: Lockdowns aside

          -a bus commute home is a very big exception

          -who have your students been near today?

          -who has your wife been near today?

          Some people (such as essential service workers) still have a normal work day's exposure to a random selection of our community even with a lockdown in force. Can you tell me who on your bus is a nurse? An ambo? The bloke who cleans the public toilet? If we could predict modes of transmission we would not have gotten into this mess in the first place. Meanwhile, we need data.

          1. Michael Wojcik

            Re: Lockdowns aside

            a bus commute home is a very big exception

            And would make for a great big pile of false positives if OP were incorrectly diagnosed as infectious.

            That's one glaring problem with contact-tracing applications. The precision of existing SARS-CoV-2 tests is poor, and given the large groups we'll need to test to make contact tracing useful and the low overall infection rate, the false-positive paradox is going to bite hard. When that's multiplied by probabilistic - and not very accurate[1] - contact tracing, the number of people who will be informed that they might have been exposed is going to go through the roof.

            That was part of Ross Anderson's argument; the other part is that many people will respond to a flood of false-positive warnings by calling emergency services and/or going to medical facilities for testing or treatment, which will increase strain on those systems. And many other people will see the flood of false positives and ignore the contact warnings, rendering the apps irrelevant. And others will abuse the system (to force closures at schools and other facilities, to harass, for "art", for the lulz).

            Personally, I doubt contact tracing will make a significant difference in controlling COVID-19.

            And those with access to the data will certainly abuse contact tracing in any way they can. If history tells us anything, it tells us that.

            [1] Because BLE is not a very good proxy for exposure to a significant number of virions. It's barely adequate as an estimation of overall distance, and completely uncorrelated to many types of barriers (walls, PPE), surface contact, air movement, etc.
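The false-positive paradox the comment above describes can be worked through numerically. The following is an added example, not code from the article, the app or any commenter; the prevalence, sensitivity, specificity, contacts-per-case and proximity-precision figures are constructed assumptions chosen to keep the arithmetic exact, not published numbers for any test or app. It computes the positive predictive value of a diagnostic test at a given prevalence, then compounds that with the precision of BLE proximity detection to estimate what fraction of exposure alerts would actually correspond to a real exposure.

```python
from fractions import Fraction


def positive_predictive_value(prevalence, sensitivity, specificity):
    """Probability that a positive test result is a true positive (Bayes).

    prevalence, sensitivity and specificity are probabilities in [0, 1].
    Fractions are used so the result is exact and reproducible.
    """
    true_positive = prevalence * sensitivity
    false_positive = (1 - prevalence) * (1 - specificity)
    return true_positive / (true_positive + false_positive)


def alert_cascade(population, prevalence, sensitivity, specificity,
                  contacts_per_case, proximity_precision):
    """Estimate how many exposure alerts a mass-testing round would trigger.

    Every positive test (true or false) causes the app to notify
    `contacts_per_case` people. For a genuinely infected case only a
    `proximity_precision` fraction of those BLE-flagged contacts were
    actually exposed; for a false-positive case none of them were.
    Returns counts plus the precision of the alerts themselves.
    """
    infected = population * prevalence
    healthy = population - infected
    true_pos = infected * sensitivity
    false_pos = healthy * (1 - specificity)

    alerts_sent = (true_pos + false_pos) * contacts_per_case
    real_exposures = true_pos * contacts_per_case * proximity_precision

    return {
        "true_positive_cases": true_pos,
        "false_positive_cases": false_pos,
        "alerts_sent": alerts_sent,
        "real_exposures_alerted": real_exposures,
        # Fraction of people alerted who were genuinely exposed.
        "alert_precision": real_exposures / alerts_sent,
    }


# Constructed assumptions (not real figures): 0.1% prevalence, 90% sensitive,
# 98% specific test; 20 flagged contacts per positive; BLE proximity is right
# half the time.
ASSUMED = dict(
    population=1_000_000,
    prevalence=Fraction(1, 1000),
    sensitivity=Fraction(9, 10),
    specificity=Fraction(49, 50),
    contacts_per_case=20,
    proximity_precision=Fraction(1, 2),
)

if __name__ == "__main__":
    ppv = positive_predictive_value(ASSUMED["prevalence"],
                                    ASSUMED["sensitivity"],
                                    ASSUMED["specificity"])
    print(f"PPV of a positive test: {float(ppv):.3%}")
    for key, value in alert_cascade(**ASSUMED).items():
        print(f"{key}: {float(value):,.4g}")
```

Under these constructed inputs only about 4.3% of positive tests are true positives, and once the proximity error is layered on, roughly 2.2% of the people alerted were actually exposed; the rest are the flood of false warnings the comment anticipates. Swapping in lower prevalence makes the precision worse still, which is the base-rate effect at work.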

      2. Jim Birch

        Personally, I'd rather stick with my privacy fetish and let the old people die.

        /s

  3. haiku

    >> Remind them how little time they think before they download dozens of free, adware crap games

    >> that are likely far worse for their data & privacy than this ever would be!

    A case of two wrongs making ME right ?

  4. Anonymous Coward

    The phone model is likely so they can identify the Android devices making garbage Bluetooth scans when the drivers aren't fully to spec and can add special handling or filter them out. E.g. some devices use a positive number for RSSI instead of negative.
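As an added illustration of the sort of per-model handling the comment above suggests (not code from the app or the commenter), here is a small sanitiser for logged BLE scan records. The device model names and RSSI readings are constructed placeholders. It first measures, per reporting model, how often a scan reports a non-negative RSSI (BLE signal strength in dBm should be negative), flips the sign for models that are consistently wrong, and then drops any reading that still falls outside a plausible dBm range so that garbage values cannot masquerade as close contacts.

```python
from collections import defaultdict

# Constructed sample scan records: (reporting phone model, raw RSSI as logged).
# Model names are placeholders, not real device identifiers.
SAMPLE_SCANS = [
    ("model-A", -62), ("model-A", -71), ("model-A", -55),
    ("model-B", 64), ("model-B", 58), ("model-B", -70),   # mostly positive
    ("model-C", -80), ("model-C", 127), ("model-C", -200),  # sporadic garbage
]

# Assumed plausible window for a BLE RSSI reading in dBm.
PLAUSIBLE_MIN_DBM = -100
PLAUSIBLE_MAX_DBM = -1


def positive_rssi_rate(scans):
    """Fraction of scans per model whose RSSI is non-negative (suspect)."""
    counts = defaultdict(lambda: [0, 0])  # model -> [suspect, total]
    for model, rssi in scans:
        counts[model][1] += 1
        if rssi >= 0:
            counts[model][0] += 1
    return {model: suspect / total for model, (suspect, total) in counts.items()}


def models_to_flip(scans, threshold=0.5):
    """Models whose readings are wrong-signed often enough to be a driver quirk
    rather than random noise; these get their sign corrected instead of dropped."""
    return {model for model, rate in positive_rssi_rate(scans).items()
            if rate >= threshold}


def sanitise(scans, flip_models):
    """Return (kept, rejected). Sign-corrected readings for quirky models are
    kept if they land in the plausible window; everything else out of range
    is rejected so it cannot be mistaken for a close, long contact."""
    kept, rejected = [], []
    for model, rssi in scans:
        if model in flip_models and rssi > 0:
            rssi = -rssi  # known wrong-sign model: negate rather than discard
        if PLAUSIBLE_MIN_DBM <= rssi <= PLAUSIBLE_MAX_DBM:
            kept.append((model, rssi))
        else:
            rejected.append((model, rssi))
    return kept, rejected


if __name__ == "__main__":
    quirky = models_to_flip(SAMPLE_SCANS)
    kept, rejected = sanitise(SAMPLE_SCANS, quirky)
    print("sign-flipped models:", sorted(quirky))
    print("kept:", kept)
    print("rejected:", rejected)
```

The threshold separates a driver that is systematically wrong (worth special-casing) from a device that occasionally emits junk (worth filtering), which is the distinction that makes collecting the model string useful for data quality even though it is also what makes the records more fingerprintable.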

  5. the Jim bloke

    The publicly acknowledged privacy concern

    is the database being hosted by Amazon.

    So the Australian government has denied itself access to all the data, but the Americans can grab whatever they feel like (something they have history of)

    Whenever a journalist asks about this, ...

    next question..

    1. TheOtherMe

      Re: The publicly acknowledged privacy concern

      Aus govt is not silly - they can get the yanks to interrogate the data and claim "it wasn't us"...

      1. andro

        Re: The publicly acknowledged privacy concern

        Actually I have worked with AWS, and their staff were not able to see my data. They do have very strict standards and good security design in house. But the best thing is, the app does not upload data until you find you have covid and allow it to upload. So 'all the data' does not mean 'everyone's data'. Far from it. But where it has value to save lives, then people can share data (or not, but if that was your intent surely you would not install the app).

  6. nematoad

    Maybe, maybe not.

    "The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities..."

    Are you sure that the consequences were unintentional?

    1. MrDamage

      Re: Maybe, maybe not.

      That they were found out was unintentional.

      1. andro

        Re: Maybe, maybe not.

        What, and phones are not trackable based on their IMEI from the tower, or from their WIFI scan data? Open up Kali Linux and run airsnort-ng and some scanning tools and watch for the known wifi networks phones are scanning for. Showing business names, hotel names, and all under their own wifi ID. This fingerprint is already there and doesn't change at all. A necessary ID that by default changes every 15 mins, bumped up to 2 hours is hardly the security concern in your phone. They probably changed it to lower processing costs of merging the data back together when someone is found to have covid and they need it.

  7. Anonymous Coward

    The question is, is it better than not having it? Cases are low (or nil) in some parts of Australia now, but corona will come back at some stage of society returning to normal. Each case prevented will save us from a whole string of many more cases after it, same as was said at the start of this. Nothing (at this point) can stop this virus 100%. Surely if this app can be 20% effective, that will save a sh*tload of lives. I would suggest anyone who is worried about people stealing their phone, hacking their way in to it, reading text logs, comparing data against someone else's phone trying to locate a meet at a 3rd party residence, has missed the point. For most people this is not a concern. For those it is, well, they shouldn't even have a phone. This app is pretty good on the scale of things. The worst offenders for tracking are those making money out of you. Facebook, Google, Apple, Advertisers, Malware authors, etc....

  8. julian.smith

    Pushing it uphill

    # of mobile phones in Australia: 17.2m

    "Goal": 10m (58%)

    Success: "40%" (6.9m)

    Actual: 2.8m (16%)

    Call me when:

    - you can be trusted

    - you get to 50%

    You know my number
