Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

2.44 million Aussies have registered for COVIDSafe

Another 9 million needed before the government would reach its 40% quota.

Since the Australian government's coronavirus contact tracing app COVIDSafe went live on Sunday night, 2.44 million people have downloaded and registered to participate.

During the lead up to the app's release, Prime Minister Scott Morrison said there was a need for around 40% of Australia's population to use the app for the initiative to work.

The Australian Bureau of Statistics estimates the current population to be around 25.67 million.

Hosted by Amazon Web Services out of its Sydney region, the app is a rework of Singapore's TraceTogether. Its source code is due out within a fortnight.

Through the use of Bluetooth, the app records "digital handshakes" for each minute that two phones using the app are in contact.

When a user tests positive for coronavirus, they are asked to upload the handshakes to a centralised National COVIDSafe Data Store, where they are then accessed by contact tracers to notify people who are determined to be at risk.

The handshakes contain: the unique IDs of each user in contact -- said to be an "encrypted version of the user's mobile phone number"; the Bluetooth signal strength, used to determine distance; and a timestamp. Handshakes are stored on mobile devices and deleted 21 days after being created.

Read more: COVIDSafe privacy report calls on state health bodies to comply with Privacy Act

Responsibility for the implementation and operation of the app lies with the federal Department of Health, along with the Digital Transformation Agency, but app information is passed only to state agency-based contact tracers.

Discussing a handful of the security and privacy concerns not addressed in the Department of Health's Privacy Assessment, researchers from the University of Melbourne, Dr Chris Culnane, Eleanor McMurtry, Robert Merkel, and associate professor Vanessa Teague, said the government and AWS, and anybody who has access to the server, can recognise all of a user's encrypted IDs if they are heard on Bluetooth devices, recognise them on a user's phone if it's in their possession, and learn a user's contacts if that user tests positive.

The researchers explained that TraceTogether's whitepaper recommends "the issuance of daily batches of TempIDs," which are their equivalent of UniqueIDs.

"These are recommended to change every 15 minutes. So, based on TraceTogether's whitepaper, we believe that the app downloads a day's worth of TempIDs (presumably 96 of them) and uses a new one every 15 minutes," they wrote.

"The Australian app instead downloads a new UniqueID only every two hours. It has no batch capacity, so if it cannot reconnect to the Internet within two hours it simply keeps using the same UniqueID. This has serious privacy implications that are not adequately addressed in the PIA."

The researchers said this greatly increases the opportunities for third-party tracking because a given user advertises the same UniqueID for much longer.

"The difference between 15 minutes' and 2 hours' worth of tracking opportunities is substantial," they said.
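To make the researchers' point concrete, the following added example (not code from COVIDSafe, TraceTogether or the University of Melbourne team) models how long one broadcast identifier stays linkable under the two rotation schemes described above: a daily batch of 96 TempIDs rotated every 15 minutes, versus a single UniqueID refreshed from the server every two hours with no local batch. The schedulers are simplifications of the behaviour as the article summarises it, and the six-hour connectivity gap is a constructed input; the only figures taken from the text are 96, 15 minutes and two hours.

```python
"""Compare identifier linkability windows under two rotation schemes.

Added illustration, not COVIDSafe or TraceTogether code.  Both schedulers
are simplified models of the behaviour described in the article, and the
connectivity pattern below is constructed for the example.
"""
from typing import Callable, List, Tuple

HOUR = 60           # all times are in minutes
DAY = 24 * HOUR

# (identifier, first minute it was broadcast, end minute exclusive)
Segment = Tuple[str, int, int]


def _segments(trace: List[str]) -> List[Segment]:
    """Collapse a per-minute identifier trace into contiguous segments."""
    segments: List[Segment] = []
    for minute, ident in enumerate(trace):
        if segments and segments[-1][0] == ident:
            name, start, _ = segments[-1]
            segments[-1] = (name, start, minute + 1)
        else:
            segments.append((ident, minute, minute + 1))
    return segments


def batched_tempids(online: Callable[[int], bool], duration: int = DAY,
                    batch_size: int = 96, rotation: int = 15) -> List[Segment]:
    """Scheme A (TraceTogether whitepaper, as the researchers summarise it):
    fetch a day's batch of TempIDs when online, then rotate every `rotation`
    minutes from the local batch.  Connectivity is only needed to refill."""
    batch: List[str] = []
    issued = 0
    current = "none"          # placeholder until the first batch arrives
    trace: List[str] = []
    for t in range(duration):
        if not batch and online(t):
            batch = [f"temp-{issued + i}" for i in range(batch_size)]
            issued += batch_size
        if t % rotation == 0 and batch:
            current = batch.pop(0)
        trace.append(current)
    return _segments(trace)


def single_uniqueid(online: Callable[[int], bool], duration: int = DAY,
                    refresh: int = 2 * HOUR) -> List[Segment]:
    """Scheme B (COVIDSafe, as described): ask the server for one new
    UniqueID every `refresh` minutes.  With no local batch, an offline
    device simply keeps advertising the identifier it already holds."""
    issued = 0
    current = "none"
    trace: List[str] = []
    for t in range(duration):
        if t % refresh == 0 and online(t):
            current = f"uid-{issued}"
            issued += 1
        trace.append(current)
    return _segments(trace)


def longest_exposure(segments: List[Segment]) -> int:
    """Longest stretch (minutes) during which one identifier was broadcast,
    i.e. the window over which a passive Bluetooth observer can link sightings."""
    return max(end - start for _, start, end in segments)


def constructed_outage(t: int) -> bool:
    """Constructed connectivity pattern: online all day except a six-hour
    gap from 08:00 to 14:00 (a phone out of Wi-Fi range with no mobile data)."""
    return not (8 * HOUR <= t < 14 * HOUR)


if __name__ == "__main__":
    a = batched_tempids(constructed_outage)
    b = single_uniqueid(constructed_outage)
    print(f"daily batch, 15-min rotation  : {len(a)} ids, longest window {longest_exposure(a)} min")
    print(f"2-hour server refresh, no batch: {len(b)} ids, longest window {longest_exposure(b)} min")
```

With the constructed outage, the batched scheme still rotates every 15 minutes because the identifiers are already on the device, while the refresh-on-demand scheme broadcasts the identifier fetched at 06:00 unchanged until 14:00. Even with perfect connectivity the second scheme's window is two hours, which is the gap the researchers are describing.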

See also: Contact tracing apps unsafe if Bluetooth vulnerabilities not fixed

On the issue of tracking, despite assurances from the government that the app would not be used to track if people are breaking social distancing rules or engaging in otherwise illegal activity, the researchers said concerns could have been easily avoided if all the information being transmitted had been encrypted.

"It is not true that all the data shared and stored by COVIDSafe is encrypted. It shares the phone's exact model in plaintext with other users, who store it alongside the corresponding Unique ID," they explained.

In addition, when a person tests positive for COVID-19, they upload all the UniqueIDs they have heard over the days they may have been infectious. COVIDSafe does not give them the option of deleting or omitting some IDs before upload, the researchers detailed.

"This means that users consent to an all-or-nothing communication to the authorities about their contacts," they added.

There is also no legislation safeguarding the app as yet, with the government saying the directives under the Biosecurity Act would ensure the data stays within Australia.

Touching on individuals who have been sending text messages that say a user has had their movements traced and that they have been caught engaging in illegal activity, Minister for Health Greg Hunt said the Australian Federal Police are investigating.

"The use of telecommunications for a hoax is illegal, this case has already been referred to the federal police for investigation and that investigation has begun and anyone who is found responsible will be charged with a significant criminal offence," he said.

"This is deeply un-Australian, at a moment when Australians are coming together … to have a few people, or might just be one person, who are doing something contrary to the public health messages -- this isn't a game, this is about life and death, this is about saving lives and protecting lives, whoever it is.

"They should be afraid of the law because they are conducting a hoax which is about a very serious public health matter."

Addressing the Select Committee on COVID-19 on Tuesday, Treasury Secretary Dr Steven Kennedy discussed the dispersion of funds from the government's AU$320 billion coronavirus response.

He touted the stability of the systems in place at both the Australian Taxation Office (ATO) and Services Australia, despite only around 3% being paid so far.

"From my perspective, and this is of no benefit to those people [in dire circumstances] … these moneys are running out remarkably quickly and they're running out quickly because we've got a high quality ATO and ATO system, and a very capable social security system that's managing to make, for example, already the AU$750 payments faster, I think, than it has made those types of payments at any period in the past," he said.

"We've not seen a shock hit this fast. In any period. And making literally billions of dollars of payments within four weeks of their announcement -- which I appreciate is of no comfort to the broader community that's been hit by these shutdowns -- I would actually regard it as a rapid payment of money and I really can't see what the alternative would be."

With around AU$10 billion already being paid, Kennedy said the ATO has begun paying the cash flow payments a week earlier than the April 28 timeline it was given.

"From my perspective, those parts of the public service have done exceptionally well," he said.

At the time of writing, the World Health Organization reported that there have been nearly 2.9 million confirmed cases, with over 198,000 fatalities as a result of the virus. Australia has reported around 6,700 cases and 84 deaths.

More than 521,000 tests have been conducted across Australia.