With the Australian Government releasing the COVIDSafe contact tracing app on Sunday (26th April 2020), here’s some information about how it came to be, how it works, and ongoing privacy/data concerns.

The federal government released the (currently voluntary) contact tracing app yesterday and there have been more than 1 million downloads in the first 12 hours.

The app was built by the Digital Transformation Agency (an agency within the Social Services Portfolio that aims to improve government digital services) and the Health Department, using code from Singapore’s ‘TraceTogether’ app, which has been modified and added to for Australian conditions.

Users downloading and installing COVIDSafe are asked to provide a name (an alias will suffice), age range, mobile number and postcode, which are used to generate a unique, encrypted reference code for their mobile phone.

The app uses Bluetooth to identify when your mobile phone comes within 1.5m of another mobile phone for 15 minutes or more. It logs the other mobile phone’s unique reference code and stores it on your own phone for a rolling period of 21 days. After 21 days, the data is deleted.

Although no physical location data is collected by the phone, either on Android or iOS, there is a small caveat: Android devices require that all apps using Bluetooth also ask for location permission.

If a user is diagnosed with COVID-19, the user can consent to upload the data from their phone to the National COVIDSafe Data Store. From here it will be analysed for contact tracing information. The Australian Government has promised that laws will be introduced to limit data access only to state and territory health professionals.

Some data access and privacy issues still remain:

  1. Data storage and access:
    • Amazon Web Services (AWS), a US-based company, was given the contract to store the data on its servers. Apparently there were concerns voiced by the Digital Transformation Agency about the contract to AWS, although they have since refuted the claims.
    • Issuing the contract to AWS may mean that Australian data is obtainable by the US Government under a 2018 law granting access to data held by US-registered data companies, wherever in the world that data is held.
    • Scott Morrison and Stuart Robert (government services minister) have denied this possibility, stating that there will be new laws introduced (expected later this month) to restrict access only to state and territory health professionals. Any other use will be a criminal offence.
    • In the interim, Greg Hunt has issued a determination under the Biosecurity Act restricting data to health professionals.
  2. Privacy concerns:
    • An independent privacy impact assessment, conducted by the legal firm Maddocks, has largely given the app a tick of approval. All but one of Maddocks’ recommendations have been fully agreed to by the health department – with this recommendation (the ability for users to access/correct information via an electronic form) agreed to in part and slated for a future version of the app.
  3. The app’s source code:
    • Despite promises to release the source code of the app to allow detailed analysis of what the app does, this hasn’t happened yet. Although apparently it’s in the works…