Aussie Contact-Tracing App: Details Slowly EmergeAustralia Opting for a Centralized Model for Its Effort to Help Combat COVID-19
Australia's COVID-19 contact-tracing app may be released by the end of the month.
The details of the project have trickled out as the Australian government has sought to get in front of privacy concerns, which center around the types of data the government would be collecting and security measures in place. Getting the public's support is critical because the government has said use by 40 percent of the population is needed for it to be an effective public health tool (see: COVID-19 Pandemic Puts Privacy at Crossroads).
Australia has expansive national security laws, which have raised questions about whether the data inputted into a contact-tracing system could be appropriated for other uses. But the government says it plans to introduce new laws next month that would likely restrict the use of contact-tracing data by police.
Prime Minister Scott Morrison said on Thursday that the data collected by the app will only be accessible by state and territory health officials. "It's [the app] got one job," Morrison said at a press conference in Canberra. "It's for a time-limited period. It has the specific job of helping public health officials help you."
Data from the app will be encrypted and go into a "national data store" that will be off-limits to the broader Commonwealth Government, Morrison says.
No code is available yet, and while one government minister said the source code would be released, the government has since been more circumspect. The government also intends to release a privacy impact assessment of the app.
The app will be somewhat based on Singapore's TraceTogether project. Rather than collecting GPS data from phones and matching those infected with coronavirus to those they have been near, the app functions as a proximity-based detector (see: Australia Considers How to Approach Pandemic Contact Tracing).
Like TraceTogether, Australia's app will use the short-range Bluetooth wireless protocol to detect whether two people have come in close contact with one another. It's believed the sensitivity will be set to around 1.5 meters, and the two people will have to have been around one another for 15 minutes or more.
Upon registration, the app will require name, age range, post code and phone number. If two people come in close contact, the app will record each person's name and phone number, according to an ABC interview with Government Services Minister Stuart Robert. That data will be stored in an encrypted format on the device, and the contact record will only be stored for the last 21 days.
"It's got one job. It's for a time-limited period. It has the specific job of helping public health officials help you."
—Scott Morrison, Prime Minister, Australia
But many other details have yet to be revealed. For example, it's unclear if people who contract the new coronavirus will voluntarily submit their details to the national data store.
Controversy Over Centralized Model
Computer security experts have advocated that contact-tracing apps don't use a centralized server to keep track of who has been in contact with each other. Centralized servers pose risks, they argue. The encrypted contact data sent to the server could be recovered if the central server uses weak or broken encryption, writes Vanessa Teague, a cryptologist and former associate professor in the School of Computing and Information Systems at the University of Melbourne.
Even if the tracing app only records proximity-based contact, who a person has been in contact with could be just as sensitive as where the contact actually took place.
There are also questions about other parties that may be involved in the project. Singapore's app, for example, uses Google's Firebase cloud, which means Google has visibility into the data, Teague writes.
The ABC revealed on Thursday that the Australian government has offered the data storage contract for the app to Amazon. The government says that it plans to use Amazon Web Services' Key Management System, or KMS, for the management of encryption keys. AWS uses hardware security modules to store the encryption keys.
Amazon would also have access to those encryption keys, says Patrick Townsend, CEO of the data security consultancy Townsend Security in Olympia, Washington.
"Amazon Web Services KMS is a multi-tenant key service, and access to individual keys is a shared responsibility," Townsend says. "Amazon would say that they have strong protective procedures in place. I don't doubt that, but it is still a shared service."
The choice of Amazon raised eyebrows as to why an Australian company wasn't selected. It has also raised legal questions because of the Clarifying Lawful Overseas Use of Data Act, also known as the Cloud Act, which was passed by the U.S. Congress in March 2018. The Cloud Act allows U.S. law enforcement to access electronic data held by a service provider in its jurisdiction even if that data is actually outside the U.S.
The Apple Problem
Other technical barriers to successful app-based contact tracing remain as well. Apple bans iOS apps that aren't actively being used to collect data, such as location, via sensors such as Bluetooth. This means that unless someone has a contact-tracing app in the foreground, it won't be able to do its job.
Reuters reports that Germany is in talks with Apple to relax its restrictions for its own contact-tracing app, and France has pursued that path as well. But so far, no agreement has been reached. It's unclear what Australia's strategy is around this issue.