https://www.intothebloodstream.com.au/2020/04/covidsafe.html
> The first iteration of Australia's contact tracing app seems to stack up, but privacy concerns relating to future changes to the app, as well as limitations on government data-use remain, with good reasons. I hope this summary of what we know so far and some analysis from different sources assists in making a free and informed choice. A free, informed, and evidence-based choice is obviously of paramount importance in deciding whether or not to grant serious powers of surveillance to our government. Trade-offs of personal privacy for the greater good can only be exchanged in good faith if we know exactly what, and how much, we're giving up.
>
> People are right not to automatically trust governments. Refusing to adopt in-principle faith in the powers that be is central to healthy democracy, and the integrity of those in authority should never be taken for granted. As Noam Chomsky said "Any form of authority & domination has a burden of proof to bear to demonstrate it's legitimate." This is especially true in Australia, of a government who are infamously duplicitous and dangerous, and whose liberal use and misuse of data is well documented. In this case, though, at least in its initial form, Australia's CovidSafe contact tracing app seems to meet this burden of proof. That is, at least this first version of the app does. But it remains to be seen if government use of our volunteered data will be adequately constrained to meet similar standards of integrity.
>
> Context and the government's claims.
>
> On the 26th of April, Health Minister Greg Hunt launched Australia's contact tracing app, CovidSafe. The app is based off source code from a similar app used by the Singapore government. Whether or not we agree such an app should be launched before attempting sharper lockdown measures, the app is here now, so let's look at it on its merits. Let's look at what the Coalition has alleged the contact tracing app can and will do. This includes in their public statements and in the determination (a placeholder for legislation) published by Greg Hunt under the Biosecurity Act, the evocation of which has allowed such drastic social distancing measures to come into force without the passage of laws. The government claims the following:
>
> 1. The app will work by bluetooth and won't track your location.
> 2. At registration, the user provides their name, phone number and postcode, and selects their age range; this generates an encrypted code, an anonymised bluetooth ID. Greg Hunt has stated that you may provide a pseudonym or other inaccurate information if you wish, but that it would assist more if it was accurate.
> 3. If you come within range of someone else who also has the app installed, your two devices will 'ping' off one another, exchanging the information contained in their encrypted IDs by bluetooth.
> 4. This data will be secured locally only, on your phone's internal storage, for 21 days, after which it will be erased.
> 5. If you are found to have contracted Coronavirus, you may then consent to upload your data to a government server provided by Amazon Web Services.
> 6. The government can then decode the anonymised IDs and call all those you had close contact with to advise them to self-isolate and get tested.
>
> So does CovidSafe live up to this?
>
> CovidSafe Mark I: Decoded.
>
> Despite earlier assurances, the source code for Australia's app is yet to be released, but Australian app developers and privacy experts have already decompiled and analysed the code making up this first version. The general mood from those privacy-savvy coders was that the app, at least as it currently stands, effectively does what it sets out to and nothing more. But they still see some minor issues with it. Let's compare their findings with the above summary of the government's claims; they found that:
>
> 1. The app does work by bluetooth and cannot track your location. The app will ask for permission to access your location; it's understood that this is a quirk of Android: to grant bluetooth permissions one must grant location permissions. But the app is not capable of tracking your spatial location data. Worryingly though, software engineer Geoffrey Huntley writes that it would be "Potentially possible for GPS functionality to be shipped in a software update later down the track as users have already consented to fine grain location access (a requirement for bluetooth LE scanning)".
> 2. The app creates an anonymised bluetooth ID for each user. These encryptions are recycled and replaced every 2 hours for added security. Vanessa Teague of Thinking Cybersecurity points out that this is a downgrade from recycling IDs every 15 minutes in the case of Singapore's app.
> 3. Despite poor reporting claiming otherwise, the app will exchange its "bluetooth handshakes" with anyone using the app who is within bluetooth range, not just those who come within 1.5 metres for 15 minutes. This 1.5 metre, 15 minute classification is referred to as "close contact" by the Department of Health. This is an important distinction. The government may have hoped we mistakenly assumed that only our "close contact" encounters would be recorded; this doesn't seem to be true, and this greatly expands the volume of data being documented. The distance involved in each bluetooth handshake is gauged by the recorded bluetooth signal strength once decrypted and may vary with environmental factors (impeding objects, bluetooth quality, etc.), making it approximate. Another piece of information recorded to assist with this is the exact model details of each phone; these are exchanged in each bluetooth handshake too. It's understood this will be used to account for differing signal strengths between phones when calculating distance. This information is not encrypted.
> 4. This data is held locally on your phone's internal storage. The app design ensures this. Other apps cannot access this database unless your phone is jailbroken or "rooted".
> 5. The app requires additional consent, once you are confirmed to have contracted Coronavirus, to upload your data to the government server. Only then can it be accessed by anyone else.
> 6. Contact tracing would then be carried out as the government outlined.
>
> Matthew Robbins, a mobile app development expert, summed up his own analysis of the app's code and design in a tweet, in which he said "From what I can see, everything in the #covidsafe app is above board, very transparent and follows industry standard." Paul Haskell-Dowland, from Edith Cowan University's Computing and Security department, concluded "that the data that is being captured is suitably anonymised, suitably protected and access to it is reasonably restricted...the opportunity for misuse is incredibly small." Mahmoud Elkhodr from QC University Queensland drew similar conclusions.
>
> But this is all based on the current version of the app. Some have suggested the government could shoehorn in changes as it pleases in future updates. Could it even coerce the creators of the app to sneak in changes? So far tech-heads are satisfied with the integrity of the software, but what happens to our data when we do consent to uploading it to government servers? We need legislation to entrench strict limitations on government data use.
>
> The legality of government data use.
>
> The current determination relating to CovidSafe, pending legislation in May, asserts that data can only be used for contact tracing purposes and that alone. Well, let's wait and see if this constraint survives in the same form in the government's bill next month. Even if it does, though, Australia's Digital Rights Watch have made clear they're concerned that Australia's recent encryption laws could allow intelligence agencies or law enforcement access to the data. In a recent statement they said: "They [the government] can also issue a directive to create or modify features [of a software]. It is an offence for anyone receiving such an order to even reveal its existence, or to fail to comply with it. The developers of the contact tracing app may have already received such a directive, and implemented a mechanism to give data to law enforcement or other agencies. They would risk imprisonment if they answered any questions about a directive, or alluded to its existence." Perhaps the government could legislate an exemption in its encryption laws for CovidSafe, which would bar access to the data for anyone except contact tracing personnel. We don't want to see this surveillance architecture being used for Orwellian law enforcement.
>
> Digital Rights Watch also raises concerns about Australia's mandatory data retention laws. In this case though, according to the current determination under the Biosecurity Act, and assuming it translates into law this May: "The Commonwealth must cause COVID app data in the National CovidSafe Data Store to be deleted after the COVID-19 pandemic has concluded...Note: The requirements in this section will override any obligation under an Australian law to retain data for a longer period." It seems that this, if enshrined in legislation, would legally guarantee the deletion of CovidSafe data post-pandemic.
>
> More broadly, Amazon Web Services will be providing the secure server on which the government will store and access this CovidSafe data. Besides the obvious issue that we have outsourced this service to an American company of questionable conduct, it'll be interesting to see what the upcoming senate inquiry reveals about the robustness of this data storage system. We should seek assurances that this server is protected from third-party hackers as well as private use by Amazon itself. The government's determination that the data remain in Australia must make its way into law and be strictly enforced. In general a body overseeing the implementation and use of this app could ensure the CovidSafe infrastructure is not abused. So far, though, the Law Council of Australia say they've seen "no provision for oversight and reporting on its use".
>
> There's also speculation that Australia needs to become recognised as a 'qualifying foreign government' under America's CLOUD Act, to exclude our data from US access. Under current arrangements it's unclear if the US could access our data under these laws because Amazon is an American company. Despite assurances from the Coalition that the US laws couldn't be enacted to access our data due to it belonging to the Australian commonwealth and not Amazon, this is still contested.
>
> Final thoughts: government scrutiny vs tech-giant free pass
>
> It's critical that we scrutinise any attempt by our government to expand its already invasive and authoritarian surveillance. But why aren't we applying this same level of scrutiny to the private tech sector, whose data-mining, behaviour-programming, and behaviour-predicting industry constitutes one of the biggest markets in the world? It's appropriate that CovidSafe has received so much analysis and attention in Australia, but how often do we sign away and monetise our information and activity to tech giants who consistently evade paying any tax in this country with zero hesitation? What our government may do with additional data is a concern, yes, but what tech companies already do with far richer stores of our data is sickening, and we should care.
>
> As Shoshana Zuboff, author of Surveillance Capitalism, explains, Facebook and Google send the data we provide through a network chain of businesses. In the case of the photos we upload, Zuboff says buyers and users of our data "use information from our faces...to train models for facial recognition, those models are then sold to military operations, some of them in China, and those Chinese operations do many things, including imprisoning the Uighurs, a subset of the Muslim population in China, in what is rightly regarded as an open-air prison." We need to apply scrutiny and checks to constrain both public and private tyrannies.
>
> Anyway, I hope all of this has helped provide the information and context needed to make an independent choice.

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:[email protected]  aim://kimholburn  skype://kholburn
PGP Public Key on request

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
