A Bluetooth revamp touted to fix Australia's COVIDSafe app connectivity flaws

The federal government is claiming 'excellent' performance across all devices.
Written by Asha Barbaschow, Contributor

The federal government has updated COVIDSafe, Australia's COVID-19 contact tracing app, this time touting the changes will significantly improve its capability.

The app will incorporate a new Herald Bluetooth protocol, Minister for Government Services Stuart Robert said, explaining that this would offer "unparalleled app-level Bluetooth performance and contribute to better identification of potential close contacts".

A statement from Robert and Health Minister Greg Hunt said the Digital Transformation Agency (DTA) has been working with Apple and Google to incorporate the protocol into the COVIDSafe app. The statement also provided COVIDSafe Bluetooth encounter logging results, which demonstrated "excellent" status for all tests.

See also: Even with COVID-19 spread near zero, chief scientist says Australia's systems are ready  

The DTA said in May that 179 functional tests were conducted for the Apple iOS and Google Android versions of the COVIDSafe app prior to release and that requirements were met.

"All tests satisfied the baseline design requirements," the DTA said at the time. "Performance tests were also conducted against the technical requirements."

In June, however, it was revealed the DTA knew COVIDSafe had severe flaws. This was despite the app being sent out for public use on 26 April 2020. The revelation followed research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.

This time around, the app is reporting that even locked iPhone to locked iPhone logs were recording "excellent" performance.


Herald Bluetooth performance summary results as at 27 November 2020.

Image: Australian government

"The protocol provides for excellent performance of all encounter logging under all phone conditions and will continue to work on more than 96% of Apple and Android phones," the ministers' statement said. 

The code for the update will be made available via Github to "enable the tech community an opportunity to provide feedback ahead of the release to the Apple App Store and Google Play Store".

"Australia's technology capability and contact tracing systems are world-leading and we will be the first country in the world to adopt the Herald Bluetooth protocol, which has been shown to significantly improve our capability through the COVIDSafe App," Robert said.

"We are encouraging everyone interested to review the code, conduct their own testing, and provide their feedback.

"We are also making this code available to other countries so they too can benefit from Australia's world first technology implementation to help improve their digital response to managing COVID-19."

COVIDSafe was originally a rework of Singapore's TraceTogether app.

Australia's tech community, however, has taken a different view.  

"This is not 'engaging with the tech community'. The code is not inspection quality, and despite numerous CVEs and serious issues raised, nobody I know was contacted or notified of this," researcher Jim Mussared wrote on twitter.

Mussared originally said the DTA has retrofitted the existing BlueTrace-based system into Herald, saying this means that the server-side implementation hasn't changed. He later clarified the copied and modified Herald code has extra COVIDSafe-specific bits to make it work

"So the different versions have at least some level of backwards compatibility," he said.

One of the current issues with COVIDSafe is that it only identifies a handful of cases and manual contact tracing efforts have proved to be more reliable.

During Senate Estimates last month, the Department of Health revealed that despite there being a total of 27,554 confirmed cases of COVID-19 in Australia, only 17 were picked up using COVIDSafe without the use of manual contact tracing.

"When used as part of state and territory contact tracing efforts, the COVIDSafe app has proven to assist in identifying close contacts not picked up through manual tracing," the ministers' statement continued. 

"New South Wales successfully accessed the COVIDSafe app to identify 80 close contacts, including 17 contacts that weren't identified by manually contact tracing.

"In Victoria, it has been reported that 1,851 cases have said they have the App and are now using it as part of their contact tracing process."

During a hearing held in early August by the COVID-19 Select Committee, Secretary of the Department of Health Dr Brendan Murphy said that health services in Victoria were feeling "so pressured" that they decided to not use the COVIDSafe app.

It was later confirmed that DHHS had told the Department of Health on July 16 it had paused using COVIDSafe app data, citing concerns that using the app's data would contradict its requirements with privacy laws. On August 1, it recommenced using the COVIDSafe app data.

Must read: Living with COVID-19 creates a privacy dilemma for us all

With Victoria moving out of its second phase of lockdown restrictions, the state government on Monday announced businesses could now access a free QR code service to keep a record of visitors.

Similar to what has been in place in NSW for months, the Victorian QR system will rely on visitors scanning a QR code using their smartphone camera to check-in. Failing that, users will be directed to download the Service Victoria app to complete check-ins. 

"All data collected through the Victorian government QR code is securely stored, protecting customers from on selling of contact details. Data will be deleted after 28 days unless it is specifically requested by the Department of Health and Human Services for contact tracing purposes,' the government said in a statement.

Following the state government announcement, Australian cybersecurity firm Pure Security raised concerns with QR code-based information collection.

"Many QR codes are simple links to websites and documents with the express purpose of recording the details and have little focus on security," Pure Security acting head of advisory Jason Plumridge said.

"I have seen QR links that combine the submission of details along with marketing checkboxes which in my view is not appropriate.

"Businesses should be rightly concerned with the security controls around data privacy implemented by the QR providers and deserve to have assurance that only persons with a right to access that data (i.e. contact tracers) have the ability to do so."


Editorial standards