Why I have not installed COVIDSafe yet

There are a lot of IT people posting articles that ridicule anyone who had decided not to install the COVIDSafe app. Often these people cite their authority to make such a statement, making the assertion that this app is no more a risk than many apps we already have on our phones. So I thought it would be useful to consolidate some comments I have made about the app. Now my background is 23 years in cybersecurity and for the past 6 years, I have been researching eHealth applications for a yet-to-be-finished PhD. So I come to this area with a good deal of specific expertise.

Reasons to install the app

Let's start with the reasons to install the app:

1. It might assist contact tracing of corona cases
2. The government has put in place safeguards of privacy specifically for this application. By this, I mean that if your fundamental concern is that the government will spy on you with this app, I don't think this is likely at all.

Reasons not to install the app

1. There is no published evidence I can find to show that such an app can effectively assist in tracing contacts, and one has never been shown to be effective in controlling an epidemic. This is a giant experiment. Not only is there no exact application whose success has been reported but mobile apps used in population health have also proven to be very difficult to make effective at scale. Update 17 May 20: MIT Technology review article reports limited usefulness of COVID tracing app. “The technology is more or less … I wouldn’t say useless,” says Gestur Pálmason, a detective inspector with the Icelandic Police Service who is overseeing contact tracing efforts. Also, Bruce Schneier, one of the true global experts on cybersecurity, has recently published similar concerns as the ones I am raising.
2. There are very real risks that the presence of this app on peoples phones will give people (and the government) an excuse to prematurely relax social distancing, and false confidence that we can control the inevitable outbreaks that will occur once we start relaxing social distancing.
3. The government made a commitment to release the source code of the app for an independent analysis. They have not done this. Why? Well, it is probably because the app currently contains known flaws, and they wish to avoid embarrassment. They probably want to get these fixed before they release source code. In my view this is not the best approach to making this app secure - the best way has been shown by the open-source community for many years. Thousands of independent eyeballs on the code and processes to support rapid patching will lead to an increase of trust and a reduction in vulnerabilities. Instead, we have seen from the efforts of people disassembling the app that there are bugs and design flaws - not in security management yet - although there is only now starting to be security analysis looking more deeply into this area. The people doing this reverse engineering have tried to report these issues to the government but have been frustrated with the lack of a mechanism to do this. In short, this is looking more and more like the usual clusterf%^ that is federal government IT.
4. Effectively mandating (blackmailing) people to install this app, makes us more tolerant as a society of more privacy-invasive apps in the future. The government has a poor track-record on respecting privacy and freedom-of-speech in this country. We are not irrational in wanting to constrain the surveillance powers of government. The past ten years have seen domestic surveillance used without reasonable safeguards against specific groups, such as welfare recipients and journalists. Also, there has not been a transparent review of the post-9/11 security laws, as originally promised, to ensure we are not trading in personal freedom and privacy for protection against over-stated threats. The reverse is true - every year we are seeing a creeping increase in the surveillance and security powers of the government. I'm not against the government have necessary tools to enforce just laws, but we are seeing the technology capability outpace our legal protections.
5. We have to trust the government that future releases of the app will not compromise security or privacy.

An action plan for the government

So let's assume the marketing and manipulation offensive fails to convince the required quantum of people to install the app. What can the government do to convince people they really are playing an open hand on this issue? Here is my suggested action plan:

1. Release the source code and adopt effective mechanisms for people to report and track known vulnerabilities/bugs in the app. This should include a bug bounty program. Update: 9 May 2020. On Friday the source code was released. Of interest was the 'open source' license which was nothing of the sort, but that is a side concern. Of most interest will be the iOS code (for Apple) as there have been a number of suspected IoS specific defects identified by the analysis of the Android Java code. As yet not effective engagement process has been put in place by the DTA to collect and triage bugs. What we know from the last App release is that the focus was more on the look & feel issues, rather than fixing device compatibility or privacy bugs. The DTA is promising another release next week. For now, the app is effectively no usable on iPhones. Update: 17 May 2020. A new version of the App has been released but no re-release of the source code, that claims to address some of the Bluetooth DoS vulnerabilities that have been identified by independent researchers. The non-re-release of the source demonstrates that there is no commitment to continuous disclosure or open-source security evaluation.
2. Work with Apple to address compatibility issues with the iPhone - this could include moving to the Apple / Andriod model of data management.
3. Legislate the privacy and data protection for the COVIDSafe app as soon a possible. In the meantime publish the draft legislation. Update: 5 May 2020. The government has now released the draft legislation and, in general, privacy experts are giving it a positive review. link. Update: 17 May 2020. This bill has now passed into law.
4. Implement an evaluation program for COVIDSafe app, that captures and measures the effectiveness of the app in enabling tracing of cases. This should be done under the AIHW as a COAG initiative, involve public health researchers and academics, and not done secretly in the DOH. Define a review point where the app's use be evaluated by and report to the Senate Select Committee on Health on this.