ADVERTISEMENT

Secrecy and Glitches Mar Australia's Tracing App Rollout

Australia’s Rollout of Covid-19 Tracing App Is Marred by Secrecy and Bugs

(Bloomberg) -- In trying to persuade Australians to embrace the government’s new contact-tracing app, officials are invoking images of favorite pastimes — football and beer — with a clear underlying message: If you want things to go back to normal, install it on your phone.

“Want to go to the footy? Download the app,” Health Minister Greg Hunt tweeted earlier this month.

Prime Minister Scott Morrison dangled the memory of going to the pub and drinking with pals. “Now, if that isn’t an incentive for Australians to download COVIDSafe on a Friday, I don’t know what is,” Morrison said.

But authorities’ efforts to persuade Australians to install COVIDSafe have been met with some resistance. The nation’s tech community complained that the government was slow to fix glitches, while some members of the public have raised questions about whether the app impinges on privacy rights or makes a difference in fighting Covid-19, the disease caused by the coronavirus. Some said they felt coerced into embracing an opaque technology.

As U.S. states and cities start their own contact-tracing programs, the Australian experience — delivered with technical bugs and shifting messages from government officials to a skeptical public — may offer a glimpse of what’s to come.

Contact-tracing apps are being developed around the world as a way to fight the virus, by helping to track down those who may have been in close contact with people diagnosed with the coronavirus. Many of the apps, including COVIDSafe, use a phone’s Bluetooth technology to pull data from other app users who pass nearby. But many of the tracing programs have struggled because of lackluster adoption and worries about privacy and government surveillance.

Secrecy and Glitches Mar Australia's Tracing App Rollout

Australia has recorded slightly more than 100 deaths from Covid-19, and over 7,000 confirmed cases. The infection rate peaked in the mid-March, when 469 cases were recorded in a single day and the country grounded international flights, closing its borders. After weeks of social restrictions, the number of daily infections dropped sharply. On May 27, it was four.  

As part of its campaign to get the country moving again, the government on April 26 launched its COVIDSafe app, based on source code from Singapore’s TraceTogether program, one of the first contact-tracing apps. Eager to tamp down the impact of budget deficits and the country’s first economic recession in a generation, government officials have appealed to the public to download COVIDSafe, hoping it would usher in a quicker return to normal.

The government has rejected criticism of the app’s rollout. In an email to Bloomberg News, the agency responsible for the app, the Digital Transformation Agency, said it had received “widespread support and endorsement” from the information technology community in Australia. The government has “remained transparent throughout the rollout of the COVIDSafe app, and suggestions to the contrary are categorically false,” according to an email from an agency spokesperson. 

To address privacy concerns, the government declared that data gleaned from the app would be used only by health officials and not shared with law enforcement or other government agencies. It also passed legislation making the sharing of COVIDSafe data a crime. 

In the month or so since the program started, more than 6 million people have registered for the app — about a quarter of the population.

“Australia continues to be a world leader in testing, tracing and containing the coronavirus,” Hunt, the health minister, said in a recent statement in which he encouraged Australians to download the app.

Secrecy and Glitches Mar Australia's Tracing App Rollout

The Digital Transformation Agency has offered few details about the app’s deployment beyond updating how many people have registered. The health ministry directed all questions to the DTAwhich didn’t address questions on how many people are using the app on average each day, what the geographic spread of users is, and whether it would release the server code so cybersecurity experts can help find flaws, as they have done in Singapore and elsewhere.

“It would be much more sensible to say they did this in a hurry, and it’s not perfect.” said Vanessa Teague, a cryptographer who focuses on privacy and election security at Thinking Cybersecurity, a cybersecurity firm based in Melbourne. “But the refusal to engage with the constructive suggestions for change that are really important is just dumb.”

Problems with COVIDSafe emerged on the first day of its release.

That morning, at 1:20 a.m., Jim Mussared, a software developer in Sydney, was emailing anyone he could reach in the Australian government and tech industry, flagging what he said were implementation flaws that caused unintended privacy glitches. They included in some cases exposing the phone owner’s name and allowing for the long-term tracking of devices, even after the app was uninstalled — which raised concerns among activists against domestic violence.

“I can’t tell you how many different ways I tried to get the attention of anyone,” he said in an interview. “I spent hours writing detailed explanations of how they might fix these issues, and I don’t expect a reply. I’m shouting into the void.”

He wasn’t alone for long. Cybersecurity experts took to social media, published findings online and even went on breakfast radio to implore the government to respond to a plethora of complaints they’d sent to the Covid app website. It would take weeks before some of the bugs were addressed, according to updates from the government.

The government has moderated its public message since the start of the program. Initially, it said it wanted 40% of Australians to download the app. But after officials discovered that the operating system didn’t run on older mobile phones, they said they meant 40% of smartphone users instead. The government also softened its message about downloading the app. Morrison initially didn’t rule out the possibility that it could be mandatory; the government later passed a law making it illegal to force anyone to download the app. 

Users have also complained about problems with the app, according to cybersecurity experts and online reviews. Some uninstalled it after learning that it interfered with their health monitoring apps, particularly those for diabetes patients. Some removed it because it interfered with their car audio systems. On some phones, it drained the battery. 

“Even the Senate committee on Covid has experienced difficulties in getting straight answers from officials,” said Senator Rex Patrick, an independent lawmaker from the state of South Australia and a member of the parliamentary committee studying the government’s response to the virus outbreak.

Amazon Web Services was awarded a six-month contract for $465,000 for its cloud services, a deal that eventually prompted the government to pass legislation with extra privacy provisions that make it illegal to transfer any data from the app stored in the cloud outside of the country. But some legal scholars and others worry that AWS could be required to produce the data it stores if served with a U.S. subpoena, based on the U.S. Clarifying Lawful Overseas Use of Data Act, or CLOUD Act for short.

In an email response to Bloomberg News, AWS said the CLOUD Act doesn’t give U.S. law enforcement unfettered access to data stored in the cloud. Rather, a formal warrant “through rigorous, pre-defined legal processes” is necessary before any access could be granted according to an AWS spokesperson.  The law applies to a narrow category of circumstances, such as seeking evidence of terrorism, AWS said.

Some people who have declined to install the app out of privacy concerns point to sweeping powers granted to intelligence and law enforcement agencies over the last two decades, which they believe have come at the expense of personal liberties.  “There’s no way I’m downloading it,” lawyer Anne Greenaway said, citing privacy worries. “I don’t trust the government for a second.”

Greenaway, a solicitor who lives in Queanbeyan, about nine miles south of Canberra, the nation’s capital, was surprised that people in her town resisted lifting social restrictions but embraced the app — and shamed those who didn’t download it. “What annoys me is it’s turning people against each other. That if you don’t download it, you’re letting the side down and holding everyone back,” she said. 

David Killick, a hobby farmer who writes for the local newspaper in Hobart on the island state of Tasmania, reluctantly downloaded the app after hearing government officials say that restrictions wouldn’t be eased until more people participated.

“I think some people have the sense that the government isn’t all that trustworthy with people’s data, and that there tends to be a bit of mission creep with these things: once you give up some of your liberties, they tend to want to hang onto them forever,” he said.

“In the end I felt like there wasn’t much choice. Download the app or we were all going to be stuck at home forever.”

©2020 Bloomberg L.P.