Australia's wobbly start to COVIDSafe app transparency

The recent experience of Jim Mussared with the COVIDSafe app illustrates how Australia is still behind the pace when it comes to handling reports of cybersecurity vulnerabilities.

The government's official COVID-19 contact tracing app, which is more accurately described as an exposure notification app, is based on Singapore's TraceTogether app. It was released on April 26.

By 1:19am on April 27, Mussared had discovered multiple privacy issues in the Android version.

"The COVIDSafe app has a number of issues which may allow a malicious person to track any user for an indefinite period of time," he wrote in his detailed report.

"Don't Panic! Users are advised to be aware of these issues but in most cases might reasonably conclude that they are not significant enough to warrant not using the app."

On April 27 and 28, Mussared emailed the Department of Health, the Digital Transformation Agency (DTA) who had made the app, the Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), and the Cyber Security CRC.

He finally received a response from the DTA a week later on May 5: A single line acknowledging that they'd received his email.

It may be worth noting that this happened shortly after the media started making enquiries.

In your writer's view, this seems a long way short of best practice. Mussared agrees.

"The best practices would be a formal disclosure program and a bug bounty program, and a commitment to getting the bugs fixed," he told ZDNet.

"I've been able to confirm issues with the Singapore team within hours of finding them, and even had some fixed!"

That's not the only difference between Australia and other countries developing such an app. According to cryptographer Dr Vanessa Teague, Australia's approach lacks transparency.

"Singapore released app and server code weeks ago," Teague wrote in a Twitter thread on Friday.

"Aus & the UK released app code, and no server code, within the last 24 hours," she said, which is a problem because in both cases the server does all the crypto.

Both Singapore and the UK released whitepapers explaining their crypto and assumptions. The UK's whitepaper [PDF] is by Dr Ian Levy, technical director of the National Cyber Security Centre (NCSC).

"The UK whitepaper and app code give some opportunity to examine the crypto for bugs. In Aus we don't even know what encryption they're using (if any)," Teague wrote.

"In both cases, there are some things I disagree with, but I respect the authors for putting the details out for review."

Australia, however, has even failed to explain why it is only rotating the encrypted user IDs every two hours instead of Singapore's 15 minutes.

"We need to see the server code, and read some justification of the design decisions, so that we can identify and fix other bugs in #CovidSafeApp and have a genuine public debate about how it should change," Teague wrote.

Such scrutiny has certainly helped in the UK.

On Friday, Rob Dyke discovered that individuals using the beta version of the NHS COVID-19 iOS app are tracked by Google Analytics.

"When accessing the Privacy Policy tracking code is passed from the application to the covid19.nhs.uk website which is processed by Google Analytics. Data captured could be used to re-identify an individual," he wrote.

In DTA's defence, all this was being done in a hurry. It's also the first time a government app has gained more than five million users in just a few days, and under such intense public scrutiny.

The DTA has now published an email address where researchers "can provide feedback" about the application's source code.

In the government's defence more broadly, the ASD has acknowledged the importance of input from the research and academic communities in its response to a question [PDF] from Senate Estimates.

Question: Does ASD believe that the input of external security researchers is able to assist in improving the information security practices of the Commonwealth?

Answer: Yes.

But this attitude doesn't seem to be evenly distributed across government departments and agencies. It can be difficult to engage with the government on security conversations.

Teague and various colleagues, for example, have reported problems with online voting systems and the ease of re-identifying supposedly anonymised heath data, only to be met with denialism and grief.

Labor's Shadow Assistant Communications Minister and Shadow Assistant Cyber Security Minister, Tim Watts, pointed to the success of the NCSC's central vulnerability disclosure platform as a proposed solution. It covers all UK government entities and is operated by HackerOne.

"[This] is a pretty different philosophical approach to security than we have in Australia at the moment," Watts said during a roundtable hosted by the Australian Strategic Policy Institute International Cyber Policy Centre last week.

It's just one part of the UK-style active cyberdefence program that Labor is proposing for Australia in its recent policy discussion paper called National Cyber Resilience: Is Australia Prepared for a Computer Covid-19?.

A central government clearinghouse for vulnerability reporting seems like a no-brainer, so why isn't it happening?

Related Coverage

• Commonwealth three-step COVIDSafe plan details when Australians return to work
• Department of Health has no target for COVIDSafe uptake
• Australia's COVIDSafe contact tracing story is full of holes and we should worry
• 2.44 million Aussies have registered for COVIDSafe
• COVIDSafe legislation introduces AU$63,000 fine for data misuse