The Australian government launched its home-grown COVIDSafe contact-tracing app for the new coronavirus on 26 April. And despite the government’s history of technology failures and misuse of personal data, smartphone users have been eager to download the opt-in software on Apple’s App Store and on Google Play. But if the government is to achieve its target of 10 million downloads, there’s still a ways to go.
After downloading COVIDSafe, users with an Australian cellphone number enter their name, age range, phone number, and postcode. They receive an SMS text to complete the app’s installation. An encrypted reference code is generated based on the person’s information and is stored on the phone.
COVIDSafe uses Bluetooth to seek out other devices with the app installed. When coming into close proximity, Bluetooth initiates a series of handshakes between the devices, and the apps log each other’s encrypted reference codes.
To record the date, time, and proximity of the contact—but not the location—COVIDSafe employs Bluetooth’s calibrated Received Signal Strength Indicator (RSSI) to measure the signal’s strength between devices and estimate their approximate distance from each other. The app also estimates how much time the users spend together. The distance and duration for a close contact are specified at roughly 1.5 meters for 15 minutes or more. This information is also encrypted and stored on the phone.
To allow for a 14-day incubation period of the virus, the app retains the contact information for 21 days before deleting it on the phone. To safeguard privacy, only health officials are able to access the encrypted close contact information and the app can be turned off at any time.
Users diagnosed with the virus are asked to upload their close contact information to what the government describes as “a highly secure information storage system” located on Amazon Web Services. This enables health officials to look up people who have been diagnosed, find all the COVIDSafe users they have recently come into contact with, and advise them what to do.
Suranga Seneviratne, a lecturer on computer security at the University of Sydney, believes the app poses no major security risks as it cannot access sensitive data.
“COVIDSafe appears to adequately address widely discussed privacy concerns… such as contact lists, GPS locations, and SMS contacts.” On the other hand, he says, “It might be a good idea to open the source code so that the information security community can have a closer look.”
Some experts are not as sanguine. Katina Michael, a professor of engineering and information sciences at Arizona State University’s School for the Future of Innovation in Society, is wary of the app’s impact on battery consumption, particularly given that iPhone users are asked to keep the app open in the foreground on their phones so as to detect other devices.
“Depending on the area, a phone could be tracing every 30 seconds—and not just one but numerous devices,” says Michael. “The more you ‘poll’ other devices, the more battery energy used. What’s more, iOS 13 on new iPhones is already a battery hog.”
She also suspects unexpected problems to arise because of the app’s lack of field testing. “For instance, although Bluetooth is considered robust, materials such as metal, brick, and concrete can weaken its strength, making it at times seem more like a line-of-sight technology. This may affect proximity reading.”
COVIDSafe is by no means the first contact-tracing app to be launched. Indeed, the software is based on open-source code developed by the Singapore government for its TraceTogether app released in March.
China is using two major contact-tracing apps, dubbed “health code apps,” says Jie Huang at the University of Sydney Law School. “In terms of adoption, they have been successful,” she adds. “According to Chinese media, they cover over 900 million users.”
But the apps differ significantly when it comes to which personal information they use. China’s apps record not only location data but also combine information voluntarily provided with a user’s medical records and travel history. The apps also play the part of “immunity passports,” says Huang, and are required “to enter premises such as office buildings, supermarkets, and residential complexes.”
Elsewhere, governments around the world, especially in Europe, are rushing to introduce their own versions of the technology. In the United States, North Dakota released its Care19 app last month, which is also being used by South Dakota.
Meanwhile, Apple and Google announced on 10 April that they’re working together to provide governments with Bluetooth technology to enable contact tracing for both smartphone platforms. They released “exposure notification” APIs to certain developers on 30 April that will enable interoperability between iOS and Android devices for use on apps from public health authorities.
The two companies are also jointly working on Bluetooth beaconing contact-tracing technology to run at the operating system level [PDF]. Unlike COVIDSafe, it will emit a beacon via Bluetooth that includes a privacy-preserving identifier composed of random numbers that frequently change. Other phones nearby receive the beacon and broadcast their own beacons, which are recorded on the devices.
People diagnosed with COVID-19 can notify public officials who add the users’ identifiers to a list of confirmed cases. The positive diagnosis list is downloaded to all participating Bluetooth devices daily, and should there be a match, users are alerted.
But no matter what technology is involved, Michael at Arizona State University warns, “It’s very important that people don’t place their faith in these apps to reduce the spread of COVID-19. The mere fact that the virus can reside on surfaces and in animals demonstrates that these apps are not a silver-bullet solution.”
This story was updated on 6 May 2020.