Australia has all but abandoned the COVIDSafe app in favour of QR codes (so make sure you check in)


Shutterstock

Paul M. Garrett, The University of Melbourne and Simon J Dennis, The University of MelbourneThe COVIDSafe app was pretty popular upon its release, with around 70% of surveyed Australians saying they supported the idea. And it was a good idea at the time. Now? Not so much.

Actual uptake was never high. By May last year, only 44% of those surveyed had actually downloaded it. Plenty on social media are now saying they’ve all but abandoned COVIDSafe in favour of the QR code check-ins done via, for example, the Victorian government app or the Service NSW app.

And when Victoria’s health minister Martin Foley was asked this week whether the COVIDSafe app had been used in responding to the latest outbreak, he said:

No. Not to my knowledge, and I’m sure in such a rare event it would have been brought to my attention.

For now, it seems the benefits to Australia’s public health may be better served by other technology, such as QR code check-ins. And the public cost of maintaining the COVIDSafe app may not be in our collective interest.

Was COVIDSafe a failure?

COVIDSafe was supposed to work by using Bluetooth technology to create an anonymous registry of close contacts (other app users). If one of your close contacts self-identified as having COVID-19 through the app, government contact tracers would be alerted and notify you to get tested and isolate, before starting manual contact tracing efforts.

It’s clear COVIDSafe didn’t live up to the hype, but understanding why may be more difficult than you might think.

Australia may be a victim of its own success in keeping the outbreak at bay. Having successfully suppressed the spread of COVID-19, the benefits of using COVIDSafe may not outweigh data privacy and security concerns many people had about it.

Even in places around the world where case numbers have been relatively high, this never guaranteed that a COVIDSafe-style contact tracing app would be widely used.

For example, Germany showed similar levels of app approval to Australia, but had similarly poor uptake of their CORONA-Warn App, even when their case numbers exceeded 30,000 per day.




Read more:
70% of people surveyed said they’d download a coronavirus app. Only 44% did. Why the gap?


And a large part of why QR scanning technology works is because we are reminded to use it when we enter a shop, restaurant or school. But there are no public reminders about COVIDSafe, and no consequences to not using it (whereas some — although by no means all — venues won’t let you in unless you can show you’ve checked in via a QR code scan).

Finally, there is no incentive to use COVIDSafe without public compliance. Without widespread support, COVIDSafe fails as a technology (it only works if others are using it in your proximity) and as a socially desirable behaviour (we often act and do things so as to fit in with our peers). This “social license” is necessary for any voluntary measure to be effective, and right now COVIDSafe doesn’t have it.

QR code scan tech and Google location services

Human memories are prone to making errors, with people wrong about where they were about a third of the time. The cost of a memory error is high during a pandemic and misremembering which shopping centre you visited could have dire consequences.

This is why the QR code scan system works well. They are a reliable way to track where you have been, you’re constantly reminded to use it and you get notifications if you visited an exposure site.

There are, of course, gaps. Not all venues or places require QR codes because it is impractical, and the use of QR check-ins is not uniformly enforced.

If, like many people, you keep your phone’s location services on, that provides a back-up plan. You can easily download your location history and take a digital walk through your past week, month or year, identifying where you were down to the minute. And there are services like unforgettable.me that provide more detailed information from multiple sources, combining your location data with messages, emails, and weather forecasts.

So, does Australia still need COVIDSafe?

Well, we need some sort of help to prevent memory errors that put others at risk. Overwhelmingly, people are more concerned about the health of others than themselves. What’s important is to remind others to use these technology aids, and highlight the public benefit of using them.

For now, it seems QR code check-ins are providing more benefit than COVIDSafe.

So if you are not using COVIDSafe, rest assured you’re not the only one. But there is still technology that helps you remember where you’ve been and when. That helps keep you and your loved ones safe and well.




Read more:
By persisting with COVIDSafe, Australia risks missing out on globally trusted contact tracing


The Conversation


Paul M. Garrett, Post Doctoral Research Fellow, The University of Melbourne and Simon J Dennis, Director of Complex Human Data Hub and Professor of Psychology, The University of Melbourne

This article is republished from The Conversation under a Creative Commons license. Read the original article.

By persisting with COVIDSafe, Australia risks missing out on globally trusted contact tracing


Ritesh Chugh, CQUniversity Australia

Australia has ruled out abandoning the government’s COVIDSafe contact tracing app in favour of the rival “Gapple” model developed by Google and Apple, which is gaining widespread support around the world. Deputy Chief Medical Officer Nick Coatsworth told The Project the COVIDSafe app was “a great platform”.

In the two months since its launch, COVIDSafe has been downloaded just over 6.4 million times – well short of the government’s target of 40% of the Australian population.

Its adoption was plagued by privacy, security and backwards compatibility concerns, and further exacerbated by excessive battery consumption. And despite being described as a vital tool in the response to COVID-19, it is reportedly yet to identify a single infection that hadn’t already been tracked down by manual contact tracing.




Read more:
False positives, false negatives: it’s hard to say if the COVIDSafe app can overcome its shortcomings


It seems the app has failed to win the public’s trust. Software downloads are based on the perceptions of risk and anticipated benefits. In this scenario, the risks appear to outweigh the benefits, despite the dangers of a second coronavirus wave taking hold in our second most populous city.

COVID-19 cases in Melbourne continue to surge. But more broadly, the relatively low number of overall cases in Australia and the lack of adequate buy-in among the public make it difficult for COVIDSafe to make a meaningful contribution.

Is there another way?

Some 91% of Australians have a smartphone, whereas a rough calculation based on the 6.4 million downloads suggests only 28% have downloaded COVIDSafe.

For digital contact tracing to be effective, an uptake of around 60% of the population has been suggested – well beyond even the 40% target which COVIDSafe failed to hit.

The logic is straightforward: we need a system that 60% of people are willing and able to use. And such a system already exists.

Tech giants Apple and Google have collaboratively developed their own contact-tracing technology, dubbed the “Gapple” model.

How does Gapple work?

Gapple is not an app itself, but a framework that provides Bluetooth-based functionality by which contact tracing can work. Crucially, it has several features that lend it more privacy than COVIDSafe.

In simple terms, it allows Android and iOS (Apple) devices to communicate with one another using existing apps from health authorities, using a contact-tracing system built into the phones’ operating systems.

The system offers an opt-in exposure notification system that can alert users if they have been in close promixity to someone diagnosed with COVID-19.

Gapple’s exposure notification system.

Gapple’s decentralised exposure notification system offers more privacy and security than many other contact-tracing technologies, because:

  • it does not collect or track device location

  • data is collected on the users’ phones rather than a centralised server

  • it does not share users’ identities with other people, Apple or Google

  • health authorities do not have direct access to the data

  • users can continue to use the public health authority’s app without opting into the Gapple exposure notifications, and can turn the notification system off if they change their mind.

The system meets many of the basic principles of the American Civil Liberties Union’s criteria for technology-assisted contact tracing. And its exposure notification settings appear in recent updates of both Android and iOS devices. But without an app that uses the Gapple framework, the exposure notification system cannot be used.

COVID-19 Exposure Notification System.

Gapple going global

Global support for the Gapple model is growing. The United Kingdom, many parts of the United States, Switzerland, Latvia, Italy, Canada and Germany are abandoning their native contact-tracing technologies in favour of a model that could achieve much more widespread adoption worldwide.

The ease of communication between different devices will also make Gapple a crucial part of international contact tracing once borders are reopened in the future, and people start to travel.

In this light, it is hard to see why Australia resisted the calls to ditch COVIDSafe and adopt the Gapple model.

Can Australians use Gapple anyway?

No, they can’t, because the Gapple model requires users to download a native app from their region’s public health authority which uses the Gapple exposure notification system. Australia’s decision means that won’t be happening here any time soon.

In grappling with the dilemma between citizens’ civil rights and curbing the growth of the fatal COVID-19 virus, the Gapple model is a trade-off to encourage higher uptake of contact-tracing technologies.




Read more:
70% of people surveyed said they’d download a coronavirus app. Only 44% did. Why the gap?


Ultimately, the Gapple model will be a step forward in the world’s fight against COVID-19, because it will encourage significant numbers of people to use it.

The decision to persist with the COVIDSafe app, rather than adopting an emerging global model, could have severe repercussions for Australians. For any digital contact-tracing technology to work effectively, a large number of people must use it, and COVIDSafe has fallen short of that basic requirement.The Conversation

Ritesh Chugh, Senior Lecturer/Discipline Lead – Information Systems and Analysis, CQUniversity Australia

This article is republished from The Conversation under a Creative Commons license. Read the original article.

False positives, false negatives: it’s hard to say if the COVIDSafe app can overcome its shortcomings



Shutterstock

Dinesh Kumar, RMIT University and Pj Radcliffe, RMIT University

The Australian government’s contact-tracing app, COVIDSafe, has been touted as crucial for restarting the country’s economy and curbing COVID-19’s spread.

But until more data are collected, it’s hard to estimate how effective the app will be. Nonetheless, there are some predictable situations in which COVIDSafe’s design may mean it will struggle to fulfil its purpose.

False positives

COVIDSafe uses Bluetooth to digitally “trace” people with whom a user has come into contact, with the aim of alerting anyone who has interacted with a confirmed COVID-19 case. But this technology carries a risk of “false positives”, wherein a user may be falsely alerted despite not actually having come into contact with the virus.

This is because Bluetooth radio waves pass through walls and glass. They can only measure how physically close two people are; they can’t tell whether those people are in the same room, in different rooms, or even in different cars passing each other.

In a high-density apartment building, depending on the strength of Bluetooth signals, it’s possible COVIDSafe could falsely alert plenty of people.




Read more:
As coronavirus forces us to keep our distance, city density matters less than internal density


The Department of Health has acknowledged this complication, saying:

If this happens and one of the contacts is identified as having coronavirus, state and territory health officials will talk to the people to work out if this was a legitimate contact or not.

Nonetheless, this process may cause unnecessary distress, and could also have negative flow-on effects on the economy by keeping people home unnecessarily. False positives could also erode public trust in the app’s effectiveness.

False negatives

On the other side of the coin, COVIDSafe also has the potential for “false negatives”. Simply, it will not identify non-human-to-human transmission of the virus.

We know COVID-19 can survive on different surfaces for various periods of time. COVIDSafe would not be able to alert people exposed to the virus via a solid surface, such as a shopping trolley or elevator button, if the person who contaminated that surface had already left the scene.

COVIDSafe is also not helpful in the case of users who become infected with COVID-19 but remain asymptomatic. Such a person may never get tested and upload their contact data to the app’s central data store, but may still be able to pass the virus to those around them. More data is needed on asymptomatic transmission.




Read more:
Why do some people with coronavirus get symptoms while others don’t?


And regarding the decision to classify “close contacts” as people who have been within a 1.5m distance for 15 minutes – this may have been based on research from Japan for when people are in an open space, and the air is moving.

However, this research also showed micro-droplets remained suspended in the air for 20 minutes in enclosed spaces. Thus, the 1.5m for 15 minutes rule may be questionable for indoor settings.

Downloads vs usage

Recently, Iceland’s contact tracing app achieved the highest penetration of any such app in the world, with almost 40% of the population opting in. But Icelandic Police Service detective inspector Gestur Pálmason – who has overseen contact tracing efforts – said while it was useful in a few cases, the app “wasn’t a game-changer”.

Australia’s Prime Minister Scott Morrison has said on multiple occasions COVIDSafe requires a 40% uptake to be effective.

Since then, federal health minister Greg Hunt has said there’s “no magic figure, but every set of people that download will make it easier and help”. This was echoed more recently by Department of Health acting secretary Caroline Edwards, who told a Senate committee there was no specific uptake goal within her team.

Past modelling revealed infection could be controlled if more than 70% of the population were taking the necessary precautions. It’s unclear what science (if any) was forming the basis of Australia’s initial 40% uptake goal for COVIDSafe.

This goal is also lower than proposed figures from other experts around the world, who have suggested goals varying from 50-70%, and 80% for UK smartphone owners. But the fact is, these figures are estimates and are difficult to test for accuracy.

A survey conducted by University of Sydney researchers suggested in Sydney and Melbourne, COVIDSafe’s uptake could already be at 40% – but lower in other places.
Shutterstock



Read more:
In some places 40% of us may have downloaded COVIDSafe. Here’s why the government should share what it knows


Demographic bias

There are many other uncertainties about COVIDSafe’s effectiveness.

We lack data on whether the app is actually being downloaded by those most at risk. This may include:

We also know COVIDSafe doesn’t work properly on iPhones and some older model mobile phones. And older devices are more likely to be owned by those who are elderly, or less financially privileged.

What’s more, COVIDSafe can’t fulfil its contact tracing potential until it’s downloaded by a critical mass of people who have already contracted the virus. At this stage, the more people infected with COVID-19 that download the app, the better.

A tough nut to crack

Implementing a contact tracing app is a difficult task for our leaders and medical experts. This is because much remains unknown about the COVID-19 virus, and how people will continue to respond to rules as restrictions lift around the country.

Predictions of the disease’s spread have also shown a lot of variation.

Thus, there are many unknowns making it impossible to predict the outcome. The important thing is for people to not start taking risks just because they’ve downloaded COVIDSafe.

And while the government pushes for more downloads and reopening the economy, ongoing reviews will be crucial to improving the app’s functionality.The Conversation

Dinesh Kumar, Professor, Electrical and Biomedical Engineering, RMIT University and Pj Radcliffe, Senior Lecturer, Electrical and Computer Engineering, RMIT University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

In some places 40% of us may have downloaded COVIDSafe. Here’s why the government should share what it knows


Robert Slonim, University of Sydney

It’s 18 days since the government launched its digital contact-tracing app COVIDSafe. The latest figure we have for downloads is 5.4 million, on May 8, about 29% of smartphone users aged 14 and over.

My own mini-survey suggests that in Sydney and Melbourne the takeup could already be 40% – a figure the government has mentioned as a target – while in other places it is much lower.

Oddly, it’s information the government isn’t sharing with us.


Total number of COVIDSafe app users (millions)


Endorse COVIDSafe

The importance of downloading and using the app is growing day by day as we relax restrictions. We are able to see what has happened in countries such as South Korea that have relaxed restrictions and then experienced a second wave.

5.4 million Australians after 13 days is a promising start.

As can be seen in the above graph produced by my colleague Demetris Christodoulou and me, 5.4 million downloads represents about 28.7% of Australians with smartphones.




Read more:
Chief Medical Officer Brendan Murphy predicts more than 50% take-up of COVID tracing app


It compares favourably to the 22.4% of Singaporeans with smartphones who downloaded their app within 13 days of its launch.

But the government is only making public a single figure indicating “total” downloads. It would be far more useful if it provided disaggregated community, city and state level data, and below, I attempt to fill the breach.

Letting us know more about which communities are downloading the app would help with health, motivation and transparency.

Health

Knowledge about potentially-dramatic variations in where the app was being downloaded could help guide policy.

Hypothetically speaking, if 70% of Melbourne’s smartphone users had downloaded the app but only 20% of Adelaide’s users, this could have distinct implications for the ability to successfully trace COVID-19 outbreaks in the respective cities and for the right amount of easing of restrictions in each city.

It could also help residents of those cities make more informed decisions about their own safety, such as whether and how to shop and whether to wear a mask.

Motivation

While COVIDSafe originally generated more than 500,000 daily downloads, the number has fallen to less than 100,000, suggesting that new efforts to motivate more downloads is urgently needed.

Providing geographical details could energise downloads in three ways.

First, people often feel enormous pride when their community steps up to help others. Knowing how well the community is doing is likely to motivate more people to help.




Read more:
COVIDSafe tracking app reviewed: the government delivers on data security, but other issues remain


Second, knowing how well other communities are doing can be a powerful incentive to catch up; few people want to be in the community that isn’t doing its part.

Third, if state leaders make decisions about relaxing restrictions partly on the basis of local downloads, community members will see a direct connection between downloading the app and the freedoms that will be available to them.

Transparency

The government’s appeal to download the app is built around trust.

It has asked us to trust it by downloading the app. In return it should trust us with better information.

People in Adelaide, Alice Springs, Brisbane, Cairns, Canberra, Darwin, Geelong, the Gold Coast, Hobart, Launceston, Melbourne, Newcastle, Perth, Sydney, Townsville, Wollongong, rural communities and other places deserve access to information the government already has that could help them make better choices.

The sort of data authorities are keeping to themselves

Given the lack of transparency to date, I conducted my own online survey among 876 residents of Sydney, Melbourne and regional communities with less than 50,000 people.

My survey results, run with a sample of people using the online survey platform PureProfile, indicate the proportion of people who had downloaded the app by May 11 was 50.5% in Sydney, 44.0% in Melbourne and 36.1% in less populated communities.

Controlling for age and gender, there was no significant difference between downloads in Sydney and Melbourne. Both were significantly higher than rural communities.




Read more:
Contact tracing apps: a behavioural economist’s guide to improving uptake


Restricting the responses to people who have a mobile phone that is capable of downloading the app, the proportion of downloads increases to 53.8% in Sydney, 47.8% in Melbourne and 41.2% in less populated communities. An extra 7.2%, 6.9% and 5.7% of respondents said they would either definitely or probably download the app in the next week.

This survey evidence indicates that there are stark regional differences in the downloads, and that although the national level of downloads is about 29%, some locations such as Sydney and Melbourne may have already surpassed (or will soon supass) the 40% government stated target.

Of course the government shouldn’t rely these survey results, because it’s got the actual information. It is time it shared the detailed download information it has with us, both to reciprocate our trust and let us make more informed decisions.The Conversation

Robert Slonim, Professor of Economics, University of Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.

70% of people surveyed said they’d download a coronavirus app. Only 44% did. Why the gap?



Shutterstock

Simon J Dennis, University of Melbourne; Amy Perfors, UCLA School of Medicine; Daniel R. Little, University of Melbourne; Joshua P. White, University of Melbourne; Lewis Mitchell, University of Adelaide; Nic Geard, University of Melbourne; Paul M. Garrett, University of Melbourne, and Stephan Lewandowsky, University of Bristol

In late March, we posed a hypothetical scenario to a sample of Australians, asking if they would download a contact tracing app released by the federal government; 70% responded in favour.

But a more recent survey, following the release of COVIDSafe, revealed only 44% of respondents had downloaded it.

The Australian government’s COVIDSafe app aims to help reduce the spread of COVID-19 and let us all return to normal life. But this promise depends on how many Australians download and use the app. The minimum required uptake has been variously estimated at 40-60% of the population.

Our ongoing research, led by the Complex Human Data Hub of the University of Melbourne’s School of Psychological Sciences, surveyed the Australian public to understand their opinions and use of the COVIDSafe app, and other possible government tracking technologies.

Our research is helping us understand the conditions under which Australians will accept these technologies, and what’s holding them back.

Is there community support for COVIDSafe?

COVIDSafe uses Bluetooth to establish an anonymous contact registry of who a user has been close to, and for how long. If that user tests positive for COVID-19, they can voluntarily upload their contact registry to a central data store accessible only by state and territory health officials. Human contact tracers then alert those at risk and advise them on appropriate isolation measures.




Read more:
Explainer: what is contact tracing and how does it help limit the coronavirus spread?


Gaining broad community support for COVIDsafe requires the app’s perceived public health benefits to outweigh concerns of personal privacy, security and potential risk of harm.

As of May 7, from a sample of 536 survey participants, 44% reported having downloaded the COVIDSafe app. Promisingly, another 17% said they had not, but planned to.

We also asked all our respondents what technology they thought COVIDSafe used. Only 60% correctly responded with “Bluetooth”. Others responded with “location data” (19%), “mobile phone towers” (5%), or that they did not know (16%). This breakdown differed between people who had downloaded the app and those who had not, as shown below.

Why are people opting in?

For those who downloaded COVIDSafe, most reported doing so to monitor others’ health (28%), their own health (19%), and in the hope of returning to normal activities sooner (18%). The least motivating factor was “to help the economy” (14%).

Most people who had not downloaded the app said they were weighing the pros and cons (22%), had not had time (19%) or had technical issues (12%). A small number were waiting for legislation that stipulated how the data could be used (6%).

This may be good news for the government, as many of these reasons are relatively straightforward to address.

Of those who reported they would not download the app, privacy was the main concern (31%).




Read more:
The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change


Downloads does not equal usage

Whether those who download COVIDSafe are using it properly will largely determine its effectiveness.

Of those who had downloaded COVIDSafe, 90% said they had registered and kept Bluetooth switched on either at all times (77%) or when they left home (15%). Also, 58% said they had tried to share the app with others – helping to increase the rate of uptake.

Yet, there remains some doubt as to whether turning Bluetooth on is sufficient for the app to work productively on iPhones.
According to app developers, COVIDSafe works best on iPhones when the app is open, on the front screen (foreground), and the phone is unlocked.

But since these iPhone-related issues can be fixed (albeit potentially with some level of difficulty), it would be worthwhile for the government to invest in this.

International comparisons

Before the release of COVIDSafe, our research also tracked social support for similar apps and tracking technologies in other countries, including the UK, US, Taiwan and Germany.

We asked respondents about two hypothetical scenarios of government tracking.

The first scenario was similar to Australia’s COVIDSafe app rollout. In it, people were asked to download a voluntary government tracking app allowing them to be contacted if they had been exposed to COVID-19. In this scenario, 70% of our respondents said they would download the app.

The second scenario was less voluntary, wherein all people with a mobile phone had their location tracked. Governments would use the data to trace contacts, locate people who were violating lockdown orders and enforce restrictions with fines and arrests, if necessary. Interestingly, in this scenario even more people (79%) said they would download the app. If people could opt out, 92% indicated they would support the policy.

Importantly, these scenarios were completely hypothetical at the time, which may account for the intention-behaviour gap. That is, the gap between people’s values and attitudes, and their actual actions.

So, while 70% of people in our first survey said they would download a hypothetical government app, a later survey showed only 44% had actually downloaded COVIDSafe after its release.

This graphs shows the proportion of participants who indicated they would download a voluntary government app (in green), and who found mandatory tracking through telecommunications companies acceptable (purple) in Taiwan, Australia, UK, Germany, and the US under various situations. ‘Sunset’ refers to a sunset clause, in which governments legislate promises to stop tracking and delete the associated data within six months. ‘Local data storage’ refers to when tracking data is stored on a user’s device, rather than a central repository. This data was collected prior to the announcement of the COVIDSafe app.

Australians showed high levels of support for both scenarios, particularly in comparison to other western democracies, such as the UK and the US.

An evolving situation

Prime Minister Scott Morrison has repeatedly linked COVIDSafe’s uptake to a potential easing of lockdown restrictions. But more recently, federal defence minister Marise Payne said the app’s uptake wouldn’t be a deciding factor for when restrictions were lifted.

When asked if the government should use the app’s uptake levels to decide when restrictions should be lifted, only 51% of our survey participants responded “yes”.

Overall, our data show Australians are generally accepting of the use of government tracking technologies to combat the COVID-19 emergency. However, only time will tell how this translates to real-world uptake of the COVIDSafe app.

Detailed results of the survey data from Australia, as well as the UK, US, Spain, Switzerland, Germany, and Taiwan, are continually being reported here.The Conversation

Simon J Dennis, Director of Complex Human Data Hub and Professor of Psychology, University of Melbourne; Amy Perfors, Associate Professor, UCLA School of Medicine; Daniel R. Little, Associate Professor in Mathematical Psychology, University of Melbourne; Joshua P. White, Research Assistant – Complex Human Data Hub, Melbourne School of Psychological Sciences, University of Melbourne; Lewis Mitchell, Senior Lecturer in Applied Mathematics, University of Adelaide; Nic Geard, Senior Lecturer, School of Computing and Information Systems, University of Melbourne; Senior Research Fellow, Doherty Institute for Infection and Immunity, University of Melbourne; Paul M. Garrett, Post Doctoral Research Fellow, University of Melbourne, and Stephan Lewandowsky, Chair of Cognitive Psychology, University of Bristol

This article is republished from The Conversation under a Creative Commons license. Read the original article.

How safe is COVIDSafe? What you should know about the app’s issues, and Bluetooth-related risks



Shutterstock

James Jin Kang, Edith Cowan University and Paul Haskell-Dowland, Edith Cowan University

The Australian government’s COVIDSafe app has been up and running for almost a fortnight, with more than five million downloads.

Unfortunately, since its release many users – particularly those with iPhones – have been in the dark about how well the app works.

Digital Transformation Agency head Randall Brugeaud has now admitted the app’s effectiveness on iPhones “deteriorates and the quality of the connection is not as good” when the phone is locked, and the app is running in the background.

There has also been confusion regarding where user data is sent, how it’s stored, and who can access it.

Conflicts with other apps

Using Bluetooth, COVIDSafe collects anonymous IDs from others who are also using the app, assuming you come into range with them (and their smartphone) for a period of at least 15 minutes.

Bluetooth must be kept on at all times (or at least turned on when leaving home). But this setting is specifically advised against by the Office of the Australian Information Commissioner.

It’s likely COVIDSafe isn’t the only app that uses Bluetooth on your phone. So once you’ve enabled Bluetooth, other apps may start using it and collecting information without your knowledge.

Bluetooth is also energy-intensive, and can quickly drain phone batteries, especially if more than one app is using it. For this reason, some may be reluctant to opt in.

There have also been reports of conflicts with specialised medical devices. Diabetes Australia has received reports of users encountering problems using Bluetooth-enabled glucose monitors at the same time as the COVIDSafe app.

If this happens, the current advice from Diabetes Australia is to uninstall COVIDSafe until a solution is found.

Bluetooth can still track your location

Many apps require a Bluetooth connection and can track your location without actually using GPS.

Bluetooth “beacons” are progressively being deployed in public spaces – with one example in Melbourne supporting visually impaired shoppers. Some apps can use these to log locations you have visited or passed through. They can then transfer this information to their servers, often for marketing purposes.

To avoid apps using Bluetooth without your knowledge, you should deny Bluetooth permission for all apps in your phone’s settings, and then grant permissions individually.

If privacy is a priority, you should also read the privacy policy of all apps you download, so you know how they collect and use your information.

Issues with iPhones

The iPhone operating system (iOS), depending on the version, doesn’t allow COVIDSafe to work properly in the background. The only solution is to leave the app running in the foreground. And if your iPhone is locked, COVIDSafe may not be recording all the necessary data.

You can change your settings to stop your iPhone going into sleep mode. But this again will drain your battery more rapidly.

Brugeaud said older models of iPhones would also be less capable of picking up Bluetooth signals via the app.

It’s expected these issues will be fixed following the integration of contact tracing technology developed by Google and Apple, which Brugeaud said would be done within the next few weeks.




Read more:
The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change


Vulnerabilities to data interception

If a user tests positive for COVID-19 and consents to their data being uploaded, the information is then held by the federal government on an Amazon Web Services server in Australia.

Data from the app is stored on a user’s device and transmitted in an encrypted form to the server. Although it’s technically possible to intercept such communications, the data would still be encrypted and therefore offer little value to an attacker.

The government has said the data won’t be moved offshore or made accessible to US law enforcement. But various entities, including Australia’s Law Council, have said the privacy implications remain murky.

That said, it’s reassuring the Amazon data centre (based in Sydney) has achieved a very high level of security as verified by the Australian Cyber Security Centre.

Can the federal government access the data?

The federal government has said the app’s data will only be made available to state and territory health officials. This has been confirmed in a determination under the Biosecurity Act and is due to be implemented in law.

Federal health minister Greg Hunt said:

Not even a court order during an investigation of an alleged crime would be allowed to be used [to access the data].

Although the determination and proposed legislation clearly define the who and how of access to COVIDSafe data, past history indicates the government may not be best placed to look after our data.

It seems the government has gone to great lengths to promote the security and privacy of COVIDSafe. However, the government commissioned the development of the app, so someone will have the means to obtain the information stored within the system – the “keys” to the vault.

If the government did covertly obtain access to the data, it’s unlikely we would find out.

And while contact information stored on user devices is deleted on a 21-day rolling basis, the Department of Health has said data sent to Amazon’s server will “be destroyed at the end of the pandemic”. It’s unclear how such a date would be determined.

Ultimately, it comes down to trust – something which seems to be in short supply.




Read more:
The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy


The Conversation


James Jin Kang, Lecturer, Computig and Security, Edith Cowan University and Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change


Katharine Kemp, UNSW and Graham Greenleaf, UNSW

The Australian government will need to correct earlier misstatements and improve privacy protections to gain the trust of the millions of Australians being called on to download the COVIDSafe contact tracing app.

The draft Privacy Amendment (Public Health Contact Information) Bill 2020, or the “COVIDSafe bill”, released yesterday, is the first step towards parliamentary legislation providing privacy protections for users of the app.

The COVIDSafe bill includes some significant improvements on the protections offered by federal health minister Greg Hunt’s current determination under the Biosecurity Act, which put rules in place to encourage uptake of the app. However, the bill falls short on other substantial concerns.

Improvements incorporated in the bill

The COVIDSafe bill includes several amendments to the privacy protections originally set out in the determination, which the legislation is intended to replace.

The bill, like the determination, would make it illegal to gather or use data collected by the app for purposes other than those specified. Such an offence would be punishable by up to five years in prison.

Importantly, the bill also permits individuals to take some enforcement action on their own behalf if the privacy protections are breached, rather than relying on the government to bring criminal proceedings. It does this by making a breach of those protections an “interference with privacy” under the Privacy Act. This means users can make a complaint to the federal privacy commissioner.

The bill also improves the kind of consent needed to upload a user’s list of contacts to the central data store, if the user tests positive for COVID-19. Instead of allowing anyone with control of a mobile phone to consent, the bill requires consent from the actual registered COVIDSafe user.

The legislation will also apply to state and territory health officials to cover data accessed for contact tracing purposes, in case they misuse it.




Read more:
The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy


Not 1.5 metres, not 15 minutes

A crucial problem with the bill is it allows the government to collect much more personal data than is necessary for contact tracing.

Just before the app’s release, federal services minister Stuart Roberts said the app would only collect data of other app users within 1.5 metres, for at least 15 minutes. He also said when a user tests positive the app would allow the user to consent to the upload of only those contacts.

Neither of these statements is true.

According to the Privacy Impact Assessment of COVIDSafe, the app collects and – with consent of a user who tests positive – uploads to the central data store, data about all other users who came within Bluetooth signal range even for a minute within the preceding 21 days.

While the Department of Health more recently said it would prevent state and territory health authorities from accessing contacts other than those that meet the “risk parameters”, the bill includes no data collection or use restrictions based on the distance or duration of contact.

The government should correct its misstatements and minimise the data collected and decrypted to that which is necessary, to the extent that is technically possible.

An overly narrow definition of protected data

The privacy protections in the bill only apply to certain data. And the definition of that data does not capture critical personal data created and used in the process of COVIDSafe contact tracing.

The bill defines “COVID app data” as data collected or generated through the operation of the app which has been stored on a mobile phone or device. This would include the encrypted contacts stored on a user’s phone.

But if the user tests positive and uploads those encrypted contacts to the national data store, the decrypted records of their contacts over the last 21 days do not clearly fall within that definition. Data transformed or derived from that data by state and territory health officers would also fall outside the definition.

“COVID app data” should be re-defined to expressly include these types of data.

No source code

Ministers have said COVIDSafe’s source code, or at least the parts of it which do not pose “security issues”, would be made available within a fortnight after the app’s release. Yet, there is no sign of this.

The full source code should be made public at least a week prior to the COVIDSafe Act being enacted so experts can identify weaknesses in privacy protections.

The bill also fails to provide any guarantee of independent scientific advice on whether the app is continuing to be of practical benefit, or should be terminated.

Loopholes in the rules against coercion

The bill contains some good protections against coercing people to download or use the COVIDSafe app, but these need to be strengthened, by preventing requirements to disclose installation of the app, and discriminatory conditions. This is especially necessary given various groups, including chambers of commerce, have already proposed (illegal) plans to make participation or entry conditional on app usage.

Some behavioural economists have proposed making government payments, tax break or other financial rewards dependent on individuals using the app. The bill should make clear that no discount, payment or other financial incentive may be conditional on a person downloading or using the app.

The government must abide by its promise that use of the COVIDSafe app is voluntary. Coercion or “pseudo-voluntary” agreement should not be used to circumvent this.

‘Google knows everything about you’ doesn’t cut it

Many have argued Australians who do not yet trust the COVIDSafe app should download it anyway since Google, Facebook, Uber or Amazon already “know far more about you”. But the fact that some entities are being investigated for data practices which disadvantage consumers is not a reason to diminish the need for privacy protections.

The harms from government invasions of privacy have even more dramatic and immediate impacts on our liberty.

Parliament will debate the COVIDSafe Bill in the sitting expected to start May 12, and a Senate Committee will continue to investigate it. Many are likely to wait for improved protections in the final legislation before making the choice to opt in.




Read more:
Coronavirus contact-tracing apps: most of us won’t cooperate unless everyone does


The Conversation


Katharine Kemp, Senior Lecturer, Faculty of Law, UNSW, and Academic Lead, UNSW Grand Challenge on Trust, UNSW and Graham Greenleaf, Professor of Law and Information Systems, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy



Shutterstock

Kelsie Nabben, RMIT University and Chris Berg, RMIT University

Since its release on Sunday, experts and members of the public alike have raised privacy concerns with the federal government’s COVIDSafe mobile app.

The contact tracing app aims to stop COVID-19’s spread by “tracing” interactions between users via Bluetooth, and alerting those who may have been in proximity with a confirmed case.




Read more:
Explainer: what is contact tracing and how does it help limit the coronavirus spread?


According to a recent poll commissioned by The Guardian, out of 1054 respondents, 57% said they were “concerned about the security of personal information collected” through COVIDSafe.

In its coronavirus response, the government has a golden opportunity to build public trust. There are other ways to build a digital contact tracing system, some of which would arguably raise fewer doubts about data security than the app.

All eyes on encryption

Incorporating advanced cryptography into COVIDSafe could have given Australian citizens a mathematical guarantee of their privacy, rather than a legal one.

A team at Canada’s McGill University is working on a solution that uses “mix networks” to send cryptographically “hashed” contact tracing location data through multiple, decentralised servers. This process hides the location and time stamps of users, sharing only necessary data.

This would let the government alert those who have been near a diagnosed person, without revealing other identifiers that could be used to trace back to them.

It’s currently unclear what encryption standards COVIDSafe is using, as the app’s source code has not been publicly released, and the government has been widely criticised for this. Once the code is available, researchers will be able to review and assess how safe users’ data are.

COVIDSafe is based on Singapore’s TraceTogether mobile app. Cybersecurity experts Chris Culnane, Eleanor McMurtry, Robert Merkel and Vanessa Teague have raised concerns over the app’s encryption standards.

If COVIDSafe has similar encryption standards – which we can’t know without the source code – it would be wrong to say the app’s data are encrypted. According to the experts, COVIDSafe shares a phone’s exact model number in plaintext with other users, whose phones store this detail alongside the original user’s corresponding unique ID.

The TraceTogether contact tracing app is part of Singapore’s effort to mitigate the spread of COVID-19. But according to the ABC, less than 20% of the population has downloaded it.
Shutterstock

Tough tech techniques for privacy

US-based advocacy group The Open Technology Institute has argued in favour of a “differential privacy” method for encrypting contact tracing data. This involves injecting statistical “noise” into datasets, giving individuals plausible deniability if their data are leaked for purposes other than contact tracing.

Zero-knowledge proof is another option. In this computation technique, one party (the prover) proves to another party (the verifier) they know the value of a specific piece of information, without conveying any other information. Thus, it would “prove” necessary information such as who a user has been in proximity with, without revealing details such as their name, phone number, postcode, age, or other apps running on their phone.

Not on the cloud, but still an effective device

Some approaches to contact tracing involve specialised hardware. Simmel is a wearable pen-like contact tracing device. It’s being designed by a Singapore-based team, supported by the European Commission’s Next Generation Internet program. All data are stored in the device itself, so the user has full control of their trace history until they share it.

This provides citizens a tracing beacon they can give to health officials if diagnosed, but is otherwise not linked to them through phone data or personal identifiers.

Missed opportunity

The response to COVIDSafe has been varied. While the number of downloads has been promising since its release, iPhone users have faced a range of functionality issues. Federal police are also investigating a series of text message scams allegedly aiming to dupe users.

The federal government has not chosen a decentralised, open-source, privacy-first approach. A better response to contact tracing would have been to establish clearer user information requirements and interoperability specifications (standards allowing different technologies and data to interact).

Also, inviting the private sector to help develop solutions (backed by peer review) could have encouraged innovation and provided economic opportunities.




Read more:
COVIDSafe tracking app reviewed: the government delivers on data security, but other issues remain


How do we define privacy?

Personal information collected via COVIDSafe is governed under the Privacy Act 1988 and the Biosecurity Determination 2020.

These legal regimes reveal a gap between the public’s and the government’s conceptions of “privacy”.

You may think privacy means the government won’t share your private information. But judging by its general approach, the government thinks privacy means it will only share your information if it has authorised itself to do so.




Read more:
The new data retention law seriously invades our privacy – and it’s time we took action


Fundamentally, once you’ve told the government something, it has broad latitude to share that information using legislative exemptions and permissions built up over decades. This is why, when it comes to data security, mathematical guarantees trump legal “guarantees”.

For example, data collected by COVIDSafe may be accessible to various government departments through the recent anti-encryption legislation, the Assistance and Access Act. And you could be prosecuted for not properly self-isolating, based on your COVIDSafe data.

A right to feel secure

Moving forward, we may see more iterations of contact tracing technology in Australia and around the world.

The World Health Organisation is advocating for interoperability between contact tracing apps as part of the global virus response. And reports from Apple and Google indicate contact tracing will soon be built into your phone’s operating system.

As our government considers what to do next, it must balance privacy considerations with public health. We shouldn’t be forced to choose one over another.The Conversation

Kelsie Nabben, Researcher / PhD Candidate, RMIT Blockchain Innovation Hub, RMIT University and Chris Berg, Senior Research Fellow and Co-Director, RMIT Blockchain Innovation Hub, RMIT University

This article is republished from The Conversation under a Creative Commons license. Read the original article.