Today, the Australian government released COVIDSafe, the Government’s coronavirus tracking app, based on Singapore’s TraceTogether app. The release comes complete with the Government’s predictable reassuring and cajoling and guilt-tripping. Should Australians trust them and use the app? Really? For us, there is a very simple answer: when and only when Vanessa Teague gives the all clear.
Vanessa is an expert on cryptography and, as it happens, is an ex-student and a good friend. She is very smart and is as principled a person as we have ever met. Along with many of her colleagues, Vanessa has been critical of the Government’s needless (and entirely predictable) secrecy over COVIDSafe. She has written a series of blog posts about their underlying concerns, and in particular the Government’s failure to follow up on promises and release COVIDSafe’s source code. This is Vanessa’s current stance on using the app (as of 23/04):
“In its TraceTogether form, I would be happy to run it on the train but refuse to run it in my home or office. I need to see the details of Australia’s version before I decide.”
Postscript: We had planned on writing about Vanessa a month or so ago, when she made the news. That story is highly relevant, since it involves privacy concerns, government screw-up, an arrogant and inept minister, a limp lettuce watchdog, a thuggish department secretary being matey matey with a vice chancellor, and a spineless university. Yep, same old, same old. But, given the speed of the times, we’ll probably have to leave that story be.
The Minister for Health has today made an undertaking to release the source code “within two weeks”. We’ll see. (The formal agency response on privacy (26/4) states that such release will be “subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre”.)
Vanessa and her colleagues have a new blog post (27/4). The post has been written “on a best-effort basis using decompiled code from the app, without access to server-side code or technical documentation.” Their conclusion:
Like TraceTogether, there are still serious privacy problems if we consider the central authority to be an adversary. That authority, whether Amazon, the Australian government or whoever accesses the server, can
- recognise all your encryptedIDs if they are heard on Bluetooth devices as you go,
- recognise them on your phone if it acquires it, and
- learn your contacts if you test positive.
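To make concrete what "the central authority as adversary" means, here is an added example (not code from Vanessa's post, from the Government, or from COVIDSafe) modelling a TraceTogether-style design in Go: the server seals each user's numeric ID under a key only it holds, phones broadcast the resulting encryptedIDs, and whoever holds that key can open any ID regardless of how it was collected. The field layout, the key handling, and the names Authority, Issue, Open, Identify and PassivelyLinkable are assumptions made for illustration, not the app's actual format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authority models the central server. It alone holds the key under which
// every encryptedID is minted, so it alone can open them.
type Authority struct {
	aead cipher.AEAD
}

// NewAuthority builds an authority around a 32-byte AES-256-GCM key.
func NewAuthority(key []byte) (*Authority, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Authority{aead: aead}, nil
}

// Issue mints one encryptedID for a registered user: the user's numeric ID and
// a validity window, sealed under the server key. The 12-byte field layout is a
// simplified assumption for this example.
func (a *Authority) Issue(userID, validFrom, validTo uint32) ([]byte, error) {
	plain := make([]byte, 12)
	binary.BigEndian.PutUint32(plain[0:4], userID)
	binary.BigEndian.PutUint32(plain[4:8], validFrom)
	binary.BigEndian.PutUint32(plain[8:12], validTo)
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// nonce || ciphertext || GCM tag is what the phone later broadcasts.
	return append(nonce, a.aead.Seal(nil, nonce, plain, nil)...), nil
}

// Open recovers the user behind an encryptedID. It does not matter whether the
// ID was heard over Bluetooth, read off an acquired phone, or uploaded by a
// positive case: the key decides, not the route.
func (a *Authority) Open(encID []byte) (uint32, error) {
	ns := a.aead.NonceSize()
	if len(encID) < ns {
		return 0, errors.New("encryptedID too short")
	}
	plain, err := a.aead.Open(nil, encID[:ns], encID[ns:], nil)
	if err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(plain[0:4]), nil
}

// Identify maps a batch of encryptedIDs to user IDs, skipping any the key
// cannot open. This one routine covers all three bullets quoted above.
func (a *Authority) Identify(encIDs [][]byte) []uint32 {
	var users []uint32
	for _, id := range encIDs {
		if u, err := a.Open(id); err == nil {
			users = append(users, u)
		}
	}
	return users
}

// PassivelyLinkable is all a party without the key can do: compare raw bytes.
// Fresh nonces make consecutive IDs of one user look unrelated.
func PassivelyLinkable(a, b []byte) bool {
	return bytes.Equal(a, b)
}

func main() {
	key := make([]byte, 32) // constructed server key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	auth, _ := NewAuthority(key)
	id1, _ := auth.Issue(42, 1000, 1900)
	id2, _ := auth.Issue(42, 1900, 2800)
	fmt.Println("outsider can link the two broadcasts:", PassivelyLinkable(id1, id2))
	fmt.Println("authority sees:", auth.Identify([][]byte{id1, id2}))
}
```

Run it and the outsider's comparison prints false while the authority prints [42 42]: without the key, two broadcasts from the same phone are unlinkable; with it, every ID ever heard resolves to a person. That is why custody of the server-side key (who holds it, where it lives, who can be compelled to use it) is the question the quoted analysis is really asking.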
We’re not going to bother with the nasty guilt-tripping on the COVIDSafe app, including from numerous media nitwits who should know better. This from Bernard Keane suffices.
Vanessa now has a very good Twitter thread on the seemingly contradictory safe/not-safe messages from IT folk.
UPDATE (11/5) Vanessa has a Twitter thread (08/05) on ScoMoFo’s latest round of silly buggers.
UPDATE (13/5) This will come as a great surprise, but it turns out that Greg Hunt is a dishonest piece of shit.
UPDATE (15/5) Vanessa and her colleagues have a new blog post (14/5): The missing server code, and why it matters.
UPDATE (20/5) Vanessa and her colleague Chris Culnane have a new blog post (19/5), on flaws in and corrections to the UK COVID app (and why this was possible). Vanessa also has an accompanying Twitter thread.