6 million COVIDSafe downloads and a AU$60b JobKeeper data error

Only 4 million more until Australia reaches Scott Morrison's magic 40% target.
Written by Asha Barbaschow, Contributor

The Australian government has surpassed 6 million downloads of its COVIDSafe coronavirus contact tracing mobile application.

Despite reports last week the app was not really being used by state and territory contact tracers, a statement from Minister for Health Greg Hunt and Minister for Government Services Stuart Robert said COVIDSafe has helped public health officials automate and improve manual contact tracing of the coronavirus and that it is proving to be a valuable tool.

"In Victoria, a person who had not been identified through the normal processes, was notified as being a close contact by the app. That person is now in quarantine, protecting the community from a further potential spread of the virus," the statement said.

The statement also said since its launch, the COVIDSafe app has received widespread support and endorsement from across the Australian community.


In contrast, Australian researchers have provided a summary of the outstanding issues with COVIDSafe, four weeks since its launch, including that the "1.5 metres for 15 minutes" claim is meaningless.

"The COVIDSafe app was launched for Android and iOS on 26/04/2020, and within hours several serious privacy and functionality issues were discovered by the tech community," the team of researchers wrote. "Four weeks later, this app continues to be a privacy risk for anyone who installs it and there is no ETA on when these issues will be resolved."

Providing recommendations, the privacy update -- published by Jim Mussared and Eleanor McMurtry, with contributions from Vanessa Teague and Richard Nelson who had raised their concerns with COVIDSafe a few weeks ago -- said the risks of using the COVIDSafe app should be explained to the public.

They also said those who have major concerns about tracking should not install COVIDSafe, and that the privacy policy must be updated to more accurately reflect what the app actually does.

They said further investigation should also be undertaken to understand how these issues were not detected during testing, why industry best-practices around reporting and managing security issues were not followed, and why the fixes took such a long time to acknowledge and implement.

The researchers also requested the move to the Apple/Google Exposure Notification API be expedited while highlighting that seven main issues with the app still remained unresolved. Five previous issues were now fixed though, they said.

"The tracking issues described in this document have all been relatively easy to exploit, and it only takes one person to package them up into a malicious app for others to use," the group wrote. "Most importantly though, these privacy issues are not inherent to the functionality of the app, and should have been caught during development and review."

Such issues include the persistent, long-term tracking of devices, even after the app is uninstalled; TempID rotation still being broken on iPhones, allowing re-identification of devices and encounters not being recorded; and the TempID rotation being set to use a two-hour expiry time, which the researchers said is too long, and is far longer than Singapore's TraceTogether app which uses a 15-minute expiry time.

Other issues were that the phone model name and device name are available to any device in range, allowing for device re-identification and tracking; the source code for the server is not available, and none of the cryptography can be verified to be compliant with the privacy policy; the distance measurement as implemented by COVIDSafe does not work, making the claimed 1.5 metres for 15 minutes criterion used for contact tracing meaningless; and there have been a number of different reports of this app interacting poorly with other Bluetooth-based apps, the researchers said.

Through the use of Bluetooth, the app records "digital handshakes" for each minute that two phones using the app are in contact.

When a user tests positive for coronavirus, they are asked to upload the handshakes to a centralised National COVIDSafe Data Store, where they are then accessed by contact tracers to notify people who are determined to be at risk.

The handshakes contain: The unique IDs of each user in contact -- said to be an "encrypted version of the user's mobile phone number"; Bluetooth signal strength used to determine distance; and a timestamp. Handshakes are stored on mobile devices and deleted 21 days after being created.

Prime Minister Scott Morrison wants at least 40% of Australia's 25.67 million population to install COVIDSafe.

On Friday, it was also revealed that there was a multibillion-dollar miscalculation made by the federal government where coronavirus-related welfare was concerned.

The JobKeeper program was expected to cover 6 million workers who would receive a AU$1,500 fortnightly wage subsidy.

Morrison admitted the error was out by around half -- 3 million workers and AU$60 billion.

"When we first put together the JobKeeper plan, this was at a time of incredible uncertainty … Treasury put forward an estimate of what they thought the demand for that program would be and they thought at that time that it would be reaching out to around 6 million people," Morrison said.

"Now, it has proved that that has not been the case and the demand is not as high as Treasury estimated and along the way, the information that we were getting back from the Australian Taxation Office was indicating that that initial estimate was accurate. But as we've all seen, there was an administrative error in how that information was being tracked by the Australian Taxation Office."

Morrison said the estimate was overstated and the process with the Australian Taxation Office (ATO) to keep Treasury updated "had a flaw in it".

"We acknowledge that, I acknowledge that, and ultimately I have to take responsibility for those things," he said.

"But what it means is Australians won't have to borrow as much money. This is not money that is sitting in the bank somewhere, this AU$60 billion, that is all money that would have otherwise had to be borrowed."


Also on Friday, the Australian Digital Health Agency (ADHA), the system administrator for My Health Record, announced BreastScreen WA has become the first breast screening service in Australia to connect to the digital health record.

Women in Western Australia who have consented will have their mammogram results uploaded to their My Health Record as soon as their test is assessed by two consultant radiologists. They can also choose to receive either an SMS or a letter. 

"Regular breast screenings save lives but waiting for the results of the procedure can be challenging," a statement from Hunt said. "The fast-tracking of results will further support women and their health care providers as more care is delivered digitally."

After revealing it was the target of an unsuccessful cyberattack, ADHA CEO Bettina McMahon told the Joint Committee on Public Accounts and Audit last week there has been an increase in use of My Health Record in the past few months.

"We've seen a significant increase in the use of My Health Record by both consumers and healthcare providers, particularly over the last three months," she said.

"In relation to general practitioners, the month of March has seen the highest amount of viewing of documents yet, as well as uploads to track use."

McMahon said the ADHA also witnessed around a threefold increase in viewings of documents by general practitioners.

"Around 20,000 documents are viewed each month," she added. "That's a threefold increase since the same period last year."

According to McMahon, 95% of the public pathology labs in the country are uploading into the My Health Record, which she said was another threefold increase over the last year of tests being uploaded.

Providing further updates, Hunt's statement said 140,000 people used My Health Record in March to see their diagnostic results, which was a 76% increase over February.

"The volume of My Health Records with health information has almost doubled in the last 12 months with more than 60% of records now having data in them," he added.

There are currently 22.74 million My Health Records and 13.97 million records with information in them.

There's a total of 1.89 billion documents in the system.

31% of pathology and diagnostic imaging providers are connected and they have uploaded almost 43 million pathology reports. More than 1 million pathology and diagnostic imaging documents were uploaded in March.

