The federal government has launched its much-anticipated contact tracing app to help state and territory health professionals identify individuals who have come into contact with coronavirus.
It comes after weeks of speculation about the app, which has been built by the Digital Transformation Agency and health department using code from Singapore’s TraceTogether app.
However, despite public assurances from numerous ministers, the government is yet to release any part of the source code for independent analysis.
How it works
COVIDSafe use Bluetooth to make a series of ‘digital handshakes' in order to identify when two people with the app come one-and-a-half metres of one another for 15 minutes or more.
It does this by logging an “encrypted reference code” for each individual also running the app that you come into close contact with, as well as the “date, time and proximity of the contact”.
The code is generated from a users’ name (or pseudonym), age range, mobile number and postcode - information that is required when a user downloads the app.
The data is “securely encrypted and stored” on a users’ phone for a rolling period of 21 days before being deleted.
No physical location data is collected by the app on either Android or iOS. The permission structure of Android devices requires all apps that use Bluetooth to gain location permission.
If a user is diagnosed with the virus, they can consent to upload the data on those they have come into close contact to the National COVIDSafe Data Store.
As reported by the ABC on Friday, multinational cloud provider Amazon Web Services was handed the deal to host the app’s data, raising questions over access by US authorities.
Morrison and government services minister Stuart Robert have since denied this data would be available, with new laws to be introduced to restrict access to state and territory health professionals.
Those laws are expected to be introduced later this month, though Hunt has issued a determination under the Biosecurity Act to restrict data access to health professionals in the interim.
Any other access or use, including by law enforcement agencies, will be a criminal offence.
The determination also makes it illegal to coerce someone into downloading COVIDSafe, meaning that it is not required as a pre-condition for employment or entry to premises.
Despite suggestions on Thursday that the app would address iOS Bluetooth problems with TraceTogether, COVIDSafe will require still users to keep the app running in order to log contacts.
However, Hunt said the iOS app would work when an iPhone is locked or other app's are running, which is an improvement on TraceTogether.
On Android devices, the COVIDSafe "works best when it is open and running", but will also work "without [a user] having to open or check COVIDSafe".
A “small ripple in the device image on your app’s home page” will let iOS users know the app is working, while Android devices will show a sticky notification in the notifications panel.
iOS users will be notified if COVIDSage hasn’t been working for at least 24 hours
Flanked with representatives from Australian Medical Association, the Australian College of Nursing and the Australian Nursing and Midwifery Association, Hunt called on Australians to download the app.
The government wants at least 40 percent of the population to download the app in order to have the best chance to reducing the spread of coronavirus.
“We are now calling on all Australians to download the COVIDSafe app to help protect you, your family and your community from further spread of COVID-19,” he said in a statement.
“This will be necessary if we are to start easing some of the difficult social restrictions we have had to put in place.
“It will be one of the critical tools we will use to help protect the health of the community by quickly alerting people who may be at risk of having contact with COVID-19.”
While privacy concerns will no doubt dog the app's take-up due in part to mixed messaging by the government, the independent privacy impact assessment goes some way to eleviate fears.
The assessment, conducted by law firm Maddocks, has largely given the app - and the government's privacy by design approach - the tick of approval.
“We are satisfied the Australian Government has considered the range of privacy risks associated with the app and has already taken steps to mitigate some of these risks,” it said.
“The PIA makes a range of recommendations to ensure privacy issues continued to be addressed as the app is rolled out and app information is collected and used.”
However, Maddocks has made 19 recommendations to improve the app and address “potential privacy risks”, all but one of which has been fully agreed to by the health department.
One recommendation relating to the ability for users to request access to and correct information such as via an e-form was agreed to in part.
In its response to the PIA, the department said this would immediately be possible for users by deleting and reinstalling the app, though said a process would be implemented.
The majority of the PIA’s concerns centred around legislation, and arrangements with states and territories, AWS and the DTA to further minimise risks around the use and disclosure of data.
But the department said these concerns had been addressed through provisions in the Biosecurity Act, the AWS contract, and MoU arrangements with the DTA and the states and territories, and future legislation.
The department has also committed to regularly review the “operation of the app”, including “the effectiveness of privacy controls, to “minimise the rise of ‘function creep”.
The department similarly addressed concerns around the period in which data will be retained, committing to delete “all data in the national COVIDSafe data store” when the pandemic concludes.
“This will override any obligation under an Australian law to retain data for a longer period, including record-keeping obligations under the Archives Act 1983,” the department said.
It has also committed to advising all users when the Pandemic is over and prompting them to delete the App.
The government said the COVIDSafe source code would be released “subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre”.