A group of technology and privacy experts have backed the ongoing utility of a Bluetooth-based contact tracing app in Australia, but say more needs to be done to make COVIDSafe fit for that purpose.
In the wake of last week's government report into COVIDSafe, software developers Richard Nelson, Jim Mussared and Geoffrey Huntley and cryptographer Vanessa Teague have released their own assessment of the app’s operation and effectiveness.
The report offers an in-depth look at the chequered history of the app since its launch in April 2020, and calls out a number of security, privacy and functionality issues that were overlooked.
“The [government] report lacks a deep discussion of changes made throughout the app’s development which heavily impacted efficacy, and fails to disclose key information such as the number of active users,” the group said.
As reported by iTnews last week, the government report concedes COVIDSafe was “rarely” used by public health officials in the first 12 months, which it attributed to low community transmission rates and strong manual contact tracing.
While the government report discloses the number of close contacts and encounter uploads registered through the app, as well as total registrations, the number of active users remains unknown, meaning it is largely devoid of useful analysis.
The Digital Transformation Agency has previously used the underpinning legislation, the Privacy Amendment (Public Health Contact Information) Act 2020, as justification for not tracking the number of active users.
The group of IT and privacy professionals said that without knowing the number of active users, and with the DTA’s continued approach to collecting COVIDSafe efficacy data, it was “difficult to determine how well the application has been working”.
“In contrast, the UK’s NHS, which abandoned early efforts on connection based Bluetooth methods and implemented Apple and Google’s Exposure Notification framework, have published peer reviewed research on the epidemiological impact of [its application,” they said.
The group also said “almost all of the serious security bugs, privacy issues and bugs affecting COVIDSafe's efficacy could have been avoided using the Exposure Notification framework, keeping public perception high”.
While it is “commendable” that the government was able to release the app within a matter of weeks, flaws in the app led to “a sharp dive in public perception, from which it did not recover”, the group argued.
Even as issues were progressively fixed, the app did not receive the same level of marketing it had previously, leading to the “continued perception (real or not) that the application did not function well”.
“It should have been clear early on that a design using Bluetooth connections opened COVIDSafe up to a swathe of privacy, security, and functional problems, and that the DTA and its engaged partners were not well-equipped to find or solve them,” the report said.
As such, the group has repeated calls for the government to adopt the Google-Apple Exposure Notification framework, which, unlike COVIDSafe, notifies users directly when they have come into contact with some who has tested positive for Covid.
“The pandemic is unlikely to disappear soon, and it is still worth pursuing a Bluetooth-based exposure notification (EN) system that works,” the report said, adding that Exposure Notification Express could be implemented as a “first step”.
“Using the EN framework, which is a secure, privacy-based approach that is known to work, has many advantages over COVIDSafe’s approach, and the supposed downsides have been both misunderstood and overstated.
“With Australia’s relatively low case rate, it could be the ideal environment for validating the effectiveness of app-based contact tracing for containing outbreaks, as well as aiding in fast isolation of close contacts.”
The report added that using the exposure notification framework had inherent benefits for the more infectious Delta strain - which is proving a challenge for contact tracing teams - by notifying possible contacts as soon as possible after exposure.
“The advantage of such a design is that close and casual contacts can be notified as soon as a confirmed positive case is found. This removes the bottleneck of manual contact tracing, and when health officials do follow up, the cases can already be isolating,” the group said.
“In attempting to build the ‘ideal’ solution and failing to deliver, COVIDSafe has missed the opportunity to provide any value at all.”