back to article Australian contact-tracing app sent no data to contact-tracers for at least ten days after hurried launch

Australia’s “COVIDSafe” contact-tracing app was rushed to market in the knowledge it would perform poorly on some devices and without agreements in place to let actual contact-tracers use the data it collects. As a result, no collected data has been used in at least 10 days since its launch. Meanwhile, security researchers have …

  1. Winkypop Silver badge
    Facepalm

    You know they are bullshitting you when they say:

    "Legal advice has been sought regarding the impact of the USA’s CLOUD Act on data collected by COVIDSafe, as it is stored in AWS. Officials would not release that advice and said they believe it is “not conceivable” the data could be accessed by US authorities, emphasised that security had been considered from every angle and opined that US courts would not likely look favourably upon a request to access data gathered by the app."

    1. JassMan

      Re: You know they are bullshitting you when they say:

      They had better be publishin the source code pretty soon as well. The original code they copied is published under GPL V3. Not even governments are allowed to break contracts.

      1. john.jones.name
        Mushroom

        its done now and not in a good way... they break the GPL

        https://www.theregister.co.uk/2020/05/09/coronavirus_tracing_app_source_code/

        see comments

    2. Pascal Monett Silver badge

      Officials need to re-read the Cloud Act.

      Basically put, nobody's data is safe from US scrutiny if it is stored on a server that is controlled by a company that has a presence in the USA. And no judge is going to go against that.

      Excerpt from the article :

      "First, the Act amended U.S. law to authorize U.S. law enforcement to unilaterally demand access to data stored outside the U.S."

      It's a demand, not a request.

      1. Drew Scriver Silver badge

        In this case the US is already authorized to demand access.

        Assume for a moment that this law were not in place yet. Would it really be wise to build an application around a solution that may sooner or later give other countries access to the data?

  2. Anonymous Coward
    Anonymous Coward

    Putting the Cart before the Horse

    I recently read that the UK was planning a similar tracing app. They completed the Legal Agreements, Data Privacy Provisions, and published the Source Code before the sign off to go live. Seems like the Australian Government have not thought this through. I will not be downloading this App until the Source Code is Published and the Data Privacy Provisions are legislated as the Minister has proven that he cannot be trusted after the RoboDebt scandal.

    1. BebopWeBop Silver badge

      Re: Putting the Cart before the Horse

      Don't believe everything you read about the UK!

    2. Cuddles Silver badge

      Re: Putting the Cart before the Horse

      You can read about the UK's app right here on El Reg - https://www.theregister.co.uk/2020/05/05/uk_coronavirus_app/

      In summary, it's full of security holes, is not in any way anonymised (despite lies from those involved claiming otherwise), and is run by the usual old boys' network of Tory associates including some of those involved with Cambridge Analytica and the Leave campaign. But probably most importantly of all, it is fundamentally incapable of actually functioning on both iOS and Android because neither OS actually allows bluetooth to be used the way the app needs.

      It's certainly possible the UK government has been more competent than the Australian one here, but only in the sense that they've been better at generating kickbacks for their mates.

      1. Andrew Dancy

        Some facts

        I'm not impressed with Kieran's article and it's causing a lot of confusion and concern (as many other sites are just copy/pasting the information without checking). I know I'll get downvoted for this but here's some facts to clear up a lot of the wilfull mis-information doing the rounds.

        1. No, the app was not developed by Cambridge Analytica or Dominic Cummings or Marc Warner or anyone like that. People who jumped on that bandwagon mis-understood a different NHS contract. The app has been developed by Pivotal (part of VMWare) along with NHSX's in-house team.

        2. No you don't need the app running in the foreground. The iOS app uses some clever techniques to allow it to run just enough in the background to be able to continue functioning. The Android app has some nifty code to allow it to parse the iOS bluetooth beacon format to maintain cross-app compatibility

        3. The app does not track your location. The Android app only asks for location services because for some insane reason Google decided that Bluetooth permission is tied to Location (e.g you have to ask for the latter in order to get the former). The iOS app does not ask for location permissions and the Android app does not actually use location data.

        4. The app appears to be well written and uses good security practice (strong crypto, certificate pinning, UK hosted API endpoints, etc). There have been some false tweets about the crypto not being secure but that's based on a mis-understanding of how APK was decompiled.

        Disclaimer - I'm not involved in any way with the app, I'm director of a company which spent a lot of time yesterday pulling the app apart to see how it actually ticks.

        1. Cederic Silver badge

          Re: Some facts

          along with NHSX's in-house team

          We appear to be doomed.

        2. mark4155

          Re: Some facts

          Well said! You are destined for better things. Keep safe and Toodle Pip old bean.

        3. John Brown (no body) Silver badge

          Re: Some facts

          That's good to know, but you may be overlooking one major flaw. According to The BBC, "In a related development, Health Secretary Matt Hancock has announced that Baroness Dido Harding will head up the wider test, track and trace programme."

          So, we can pretty much guarantee that the data will be leaked en masse, probably twice over.

  3. redpawn Silver badge

    We have a betterr plan

    The virus will miraculously disappear. No need for contact tracing apps here.

    1. Someone Else Silver badge

      Re: We have a betterr plan

      If, by "we" you mean tRump and his suck-up-ophants....

  4. The Central Scrutinizer

    <smug mode>I absolutely bloody knew something like this would happen, given the government's shitty record on just about anything IT related.<end smug mode>

    I will absolutely never download their knocked up over the weekend crap, despite Scotty's pleas.

    I fear that a lot of the lemmings rushing to download it have no idea of the implications for their privacy and security.

    1. Tom 7 Silver badge

      Spare phone

      I wont load it on my phone but I will dig out a spare phone , clean it thoroughly and then run it on that.

      That way it may save lives (mine FFS) and with luck bankrupt the buggers hoping to make money off my info,

    2. John Brown (no body) Silver badge

      "I fear that a lot of the lemmings rushing to download it have no idea of the implications for their privacy and security."

      So, no different to every other app they download which massively breaches and/or slurps their personal data security. The vast majority don't read Ts&Cs and grant any and all permissions asked for.

  5. JassMan
    Trollface

    @The Central Scrutinizer

    You can't be as smug as TouchPhone users. We can't even run the stupid app until the SourceCode is published. Hopefully we can roll in the Sinpore fixes before compiling and packaging.

    1. The Central Scrutinizer

      Re: @The Central Scrutinizer

      Rots o' ruck.

  6. cb7

    Apparently the UK NHS app is using the same centralised approach that, apart from the privacy concerns, relies on iPhone users bringing the app to the foreground periodically to ensure it keeps Bluetooth on.

    https://www.theguardian.com/world/2020/may/06/critical-mass-of-android-users-needed-for-success-of-nhs-coronavirus-contact-tracing-app

    Though this article seems to suggest the Aussies are working with Apple to address this.

    But this also shows we don't have a unified approach across the whole globe.

    1. John Jennings Bronze badge

      I am sure Australia will get as far as the UK does in 'working with apple'

      https://9to5mac.com/2020/05/06/uk-nhs-contact-tracing-app/

      or the french

      https://9to5mac.com/2020/05/05/france-issues-misleading-statement/

      IE not very far

  7. Anonymous Coward
    Anonymous Coward

    Australia 2.0

    The new Penal Colony.

    1. The Central Scrutinizer

      Re: Australia 2.0

      You clearly missed the 2.1 update, dude.

  8. Anonymous Coward
    Anonymous Coward

    It also highlighted that Australia Government doesn't have control over National Data Soverienty

    There's some political noise about security of the data which made people aware of the US Cloud Act.

    COVIDSafe uses AWS cloud technology which means it automatically comes under the US Cloud Act. To get around this problem they has placed in special biosecurity provisions. Interesting, what about all the rest of data belong to the Australian government and businesses?

    The US Cloud Act means that the US Federal Government can get access to any data stored on any US Cloud provider in any country.

    1. Someone Else Silver badge

      Re: It also highlighted that Australia Government doesn't have control over National Data Soverienty

      All your Slurp are belong to us!

    2. John Brown (no body) Silver badge

      Re: It also highlighted that Australia Government doesn't have control over National Data Soverienty

      The US Cloud Act means that the US Federal Government can get access to any data stored on any "US Cloud provider in any country."

      Well, yes and no. It depends on whether said US company is prepared to break local laws regarding locally stored or exporting of locally stored data. It could end up with Amazon execs suddenly finding they can no longer travel to countries which used to have Amazon bitbarns for fear of arrest. But probably not.

      1. eldakka Silver badge

        Re: It also highlighted that Australia Government doesn't have control over National Data Soverienty

        It could end up with Amazon execs suddenly finding they can no longer travel to countries which used to have Amazon bitbarns for fear of arrest.

        By not complying with the Could Act, they could find themselves in jail in the US, therefore the question becomes "jail in the US or not being able to travel to certain foreign countries"

  9. Doctor Syntax Silver badge

    The first of the bullet points brought to mind the saying that to fail to plan is to plan to fail. That was misleading. The rest made it clear that they'd knowingly planned to fail.

    The only possible explanation for this is the politicians syllogism: something must be done, this is something therefore it must be done.

    1. Drew Scriver Silver badge

      Efficiency...

      "rushed to market in the knowledge it would perform poorly on some devices and without agreements in place"

      If nothing else they're efficient and skipped the step of failing to plan.

      They went straight to "planning to fail"...

  10. Magani
    Black Helicopters

    Vulnerabilities? What vulnerabilities?

    So walking around, keeping 1.5m from everyone, with your Bluetooth on is safe? A quick delve into your favourite search engine will show you that it isn't. Googleing for 'bluetooth android vulnerability 2020' brought up a mere 1 million+ hits (I didn't worry about iPhones; they've got their own CovidSafe problems).

    While you're here, can someone explain how this works?

    1. According to their blurb, When the app recognises another user, it notes the date, time, distance and duration of the contact and the other user’s reference code. AFAIK, BT works through walls. I was unaware that viruses could travel through them though. Anyone for a host of false positives?

    2. I found the statement by our PM to be rather disingenuous when he stated early on that the data would be held in Oz, hence giving all true blue Aussies a warm fuzzy feeling. He failed (at that time) to state that it was with AWS, a decidedly US company. As has been stated earlier, the US TLAgencies can grab anything they want without much hindrance from a company with US roots. Our beloved pollies also stated that not even a court order could get the data released to our gummint, but as a member of Five Eyes, Shirley they can get it (CLOUD Act), and hand it back to Peter Dutton, MP (Minister for keeping us safe from overseas nasties) without having to bother with any legalities.

    Of course they'd never stoop to such things would they?.

    1. MachDiamond Silver badge

      Re: Vulnerabilities? What vulnerabilities?

      "AFAIK, BT works through walls. I was unaware that viruses could travel through them though. Anyone for a host of false positives?"

      I can just see a phone of an employee pushed under the counter as they are not supposed to have their phones with them while working. Let's say the person works at a petrol station with a service window to the outside. Everybody that walks up gets tagged by the employee's phone under the counter with no regards to the wall and glass between them. I'm sure with some thought I could come up with more examples.

      None of this tracing stuff would work on me. I leave off wi-fi, BT, GPS and data when I'm not actively using them. It gives me very good battery life and I'm not leaving as big of a bread crumb trail. Sometimes I even switch the phone off and I've verified it really is off when I think it's off. At least it's not transmitting anything the spectrum analyzer will pick up. Maybe there is a receiver on that can wake the phone up, but I've seen no evidence of that.

  11. batfink Silver badge

    Ah it's nice to see Agile at work

    So, something rushed out, badly thought through, not working and full of bugs and vulnerabilities? Surely that can't be Agile at work?

    1. EnviableOne Silver badge

      Re: Ah it's nice to see Agile at work

      TBF the intent of Agile, and the way it has been implemented in most places are two very different things.

      1. Dagg

        Re: Ah it's nice to see Agile at work

        I have never seen agile implemented any other way... The bosses and BA's just love it as it just means they don't need to actually do any work. Just throw a half arsed idea over the wall and issue the command 'build'!

  12. Someone Else Silver badge
    Big Brother

    And this surprises you how, exactly?

    Let's see now...a "contact tracing app" that doesn't actually trace contacts, no apparent activity to set it up to actually perform its alleged purpose, no concern for privacy issues, a belief that it is “not conceivable” the data could be accessed by US authorities, known bugs that go unfixed -- or not even acknowledged, abject failure on the most popular platform...but lots of pressure from The Authorities to download and turn it on anyway.

    Surprising? No. Remember, Australia is a 5-Eyes country.

  13. Will Godfrey Silver badge
    Unhappy

    Can't be explained by incompetence

    I don't believe any degree of incompetence could achieve a clusterfuck of such proportions. Therefore it must be malice.

    1. Version 1.0 Silver badge
      Unhappy

      Re: Can't be explained by incompetence

      Think about writing code to run in an environment where you have more than fifty different phone manufacturers hardware configurations and every user has their own unique set of applications installed and running ... OK, so "Hello Swirled" but be easy to do (oh shite, there's a bug there too) but writing a complex app to track all those different Bluetooth devices and getting to work securely straight out of the box in a short time is impossible. Essentially they have just demonstrated this.

  14. Woza
    Joke

    not conceivable?

    You keep using these words... I do not think they mean what you think they mean.

    Is Vizzini working in the Australian Public Service now?

    Data accessed by the US? Inconceivable!

  15. petef

    BlueFrag

    Android 8 and 9 are vulnerable to BlueFrag. That can steal personal data without the owner clicking anything. Android 10 is also affected but it only crashes Bluetooth, no data is stolen.

    This is not directly related to the NHS app or Google's alternative but it spreads over the same channel. The only mitigation for BlueFrag on unpatched phones is to keep Bluetooth disabled.

    The dodgy Android code was fixed in the Android security patch of Feb 2020. You can find out your patch level in settings, somewhere near the bottom usually.

    My phone, a Moto G5S, is less than two years old but is only at an Aug 2019 security level. The Motorola web site confirms that is the latest. It seems that security updates end 24 months after the launch of a handset. So I leave Bluetooth off. I might consider short sessions in private.

    https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020