The Australian Government recently launched the COVIDSafe app as part of its measures to contain the spread of COVID-19. The app is intended to assist health authorities with ‘contact tracing’ – tracking the spread of an infection from person to person, with a view to quickly containing it, by identifying who an infected person has been in contact with while contagious. Despite not being mandatory, the app has already been voluntarily downloaded by millions of Australians – so what are the key things to know about it?
COVIDSafe – an overview
The COVIDSafe app (the app) effectively automates some of the process for gathering information about the exposure of those in the community to individuals who have tested positive for COVID-19. It uses Bluetooth technology (via communication devices) to support official ‘contact tracing’, a common method used by health authorities to find and notify people who have been in contact with those who have confirmed cases of diseases.
It’s been promoted by the Government as a critical tool to slow the spread of COVID-19 through identifying those who have been in contact with an infected person so that targeted testing can take place and hopefully reduce the spread of the illness.
What it does
The app uses Bluetooth technology to identify contact between communication devices with COVIDSafe installed. When there’s contact between two devices, it exchanges an encrypted package of data including the contact’s unique ID, as well as the date and time of this ‘Digital Handshake’.
The app stores this encrypted data on the device for 21 days. If a user tests positive for COVID-19, and consents, all Digital Handshakes stored on their device will be uploaded to the National COVIDSafe Data Store, which will then be accessed by State and Territory health authorities to help them find individuals with an ‘exposure risk’.
One of the key criticisms from cybersecurity and privacy experts in particular has been that the scope of the Digital Handshake may not be as limited as was initially proposed by the Government and may result in more data being collected than is necessary. Prior to the roll out of the app, it was suggested that the contact log data stored on the phone would be restricted to that of other users within a ‘close contact’ range (i.e. 1.5 metres).
However, in practice many cyber and privacy experts claim that the app collects data from all devices within Bluetooth range (potentially over 10 metres) for a short period of time. That potential capability, coupled with security vulnerabilities associated with requiring Bluetooth to be enabled on a device for the app to operate, has been the subject of much debate within cyber security circles.
What will the data be used for?
If a user tests positive for COVID-19, and provides their consent, the information captured by the app, including the user’s registration information (i.e. the user’s name, age, postcode and mobile number) and contact log (i.e. the information collected from Digital Handshakes such as the contact’s unique ID along with the date and time of the contact), is uploaded to the National COVIDSafe Data Store. That information is then used by State and Territory authorities to support their usual contact tracing processes, by speeding up the process of gathering information about close contacts.
Affected people – or their parent or guardian – will then be contacted and advised that they may have been exposed to COVID-19, and may then be offered advice on next steps, including what to look out for, when, how and where to get tested, and what to do to protect friends and family from exposure.
Will my information be safe?
There have been significant privacy concerns raised about the operation of the app by privacy and data protection advocates and scholars. Some technical issues have also hampered the roll out, such as some problems with the app not working on older model phones (if you have an iPhone you need iOS 10.0 or later) and the fact that it appears that the iPhone version of the app may work best only when the phone is unlocked. Additionally, as already noted, for the app to operate, Bluetooth needs to be enabled on a device, which cyber experts have argued impacts on battery life and increases device security risk exposure.
In May 2020, amendments to the Privacy Act 1988 (Cth) (Privacy Act) were passed which specifically address the handling of ‘Public Health Contact Information’ including information handling associated with the COVIDSafe app. In particular, under the legislation, it is an offence to upload COVIDSafe app data without consent; to collect, use or disclose it for a purpose unrelated to contact tracing; or to retain or disclose the app data from the National COVIDSafe Data Store outside of Australia (except in limited circumstances by State or Territory authorities where disclosure is required for contact tracing).
The Government has assured users that it will control access, ensuring that the data is only made available to permitted authorities in the relevant State or Territory. Under the legislation, each Digital Handshake will be deleted from a user’s mobile device 21 days after it was created, and there are provisions in the legislation setting out when the COVIDSafe app data in the National COVIDSafe Data Store will be deleted (generally, when the Federal Health Minister determines it is no longer necessary or effective for prevention or control of COVID-19) – hopefully this will be sooner rather than later!
In addition, one of the key measures in protecting the data has been the design of the system, supported by the legislation, to ensure that the federal government is not able to access the unencrypted data – with access to that data instead restricted to the relevant State or Territory health authorities.
Part of the intention behind this appears to have been to address concerns raised that the data may be vulnerable to ‘function creep’ if accessed at a federal level – where it could potentially be combined with other federal data sets or used for other government purposes. This design methodology has provided some comfort in terms of avoiding the risk of the centralised use of a huge data store – however, it is important to note that neither South Australia nor Western Australia have specific privacy legislation that would apply to the information handling by State health authorities.
Accordingly, the amending legislation imposes the Commonwealth rules and privacy protections in the Privacy Act on all State and Territory health authorities in relation to their handling of the COVIDSafe app data.
Should I download the app?
Because downloading the app is not mandatory, and there are anti-coercion provisions in the legislation to prohibit others (e.g. employers and landlords) from requiring individuals to install it, this is a decision that remains up to each user. It certainly has been enthusiastically promoted by the Government as a key component of its response to the pandemic in Australia; however, figures on its successful operation are so far too low to assess its performance and impact.
At the end of the day, COVIDSafe certainly can’t take the place of all the precautionary measures you are likely taking on a daily basis to prevent yourself from coming into contact with the virus in the first instance, but downloading it may well help alleviate some stress for users – and provide valuable assistance to contact tracers, whose job has no doubt been made more challenging as more and more restrictions are lifted.
Time will tell whether the Government’s privacy protection measures will be effective and prevent misuse, unauthorised access or ‘function creep’ in relation to the COVIDSafe app data in the longer term. It’s clear that many privacy advocates and cybersecurity experts will be closely monitoring the app’s operation and performance, ready to hold the Government to account if those measures fall short.
The rigorous public debate around the COVIDSafe app has certainly demonstrated that when a government measure relies so heavily on user adoption rates, and effective operation, to be successful, a high level of attention to building community trust by addressing privacy concerns goes a long way.
Stay safe and well!
1300 774 788
Suite 17, 116-120 Melbourne St, Nth Adelaide, SA 5006