The Federal Government has released a key part of its strategy to combat COVID-19 through the Google and Apple App stores. Over two million people keen to do their bit for society downloaded and installed the app in just 24 hours. With a target of 40 percent of the population for the app to be effective, adoption of COVIDSafe exploded like a horse from the gates.
There have been a few hiccups along the way, such as inconsistent messaging, too many voices and a lack of clear information that have hampered public opinion. There have been reports of issues when trying to register to use the app, and critics have used the initiative as a platform to muddy the waters based on unfounded claims of privacy risks. That debate seems to have abated, largely due to publication of informed opinion from experts in technology and privacy that have actually reviewed either COVIDSafe or TraceTogether, the Singaporean app it was based upon. Helping the cause is the Privacy Impact Assessment performed by Maddocks, which was released on the Department of Health’s website the day before COVIDSafe was released.
Could the government have done better? These are challenging and largely unprecedented times. Software developers spend millions in producing, marketing and releasing apps, with the only deadlines being set by the pockets of their investors. The Department of Health, along with the Australian Cyber Security Centre, have had a matter of weeks to assess the options available, make a selection and customise it based on the needs of the population. During the process they engaged with privacy experts at Maddocks lawyers to perform a Privacy Impact Assessment, a process that can take weeks in itself. Sometimes the wheels of bureaucracy take time to turn, but in this case it has proven positively nimble.
We in the cybersecurity industry would still like the government to follow through with their promise on making the source code available. At the very least, publishing the independent security review conducted by the Australian Cyber Security Centre would be a positive step. Based on what has been achieved so far, I’m confident that it won’t be long before the findings of the review are released. The good news is that, even without the source code, it is possible to reverse engineer the app and examine the decompiled code base. Software research and development group QTE.AM has spent more than 20 hours analysing COVIDSafe and have reported that it operates largely as described and that they couldn’t find any obvious security flaws.
In the face of the obstacles presented by bureaucratic red tape, tough timeframes and only having previously published three apps before COVID-19, the Department of Health seems to have pulled off a win with COVIDSafe. This rapid action, combined with the willingness of the Australian public to do their bit for society, has given us a fantastic head start in the ability to trace community transmission of COVID-19. Since the initial uptake, there have been a further 2.5 million registrations, taking the app to around 18 percent uptake across the country. Let’s just hope that COVIDSafe’s success continues and the Federal Government’s technology poster child doesn’t run out of steam.