The Federal Government is celebrating after more than a million Australians downloaded the COVIDSafe app the same evening it was launched; privacy advocates
COVIDSafe was released at 6pm AEDST on Sunday, and by 10:30pm that same evening, more than a million Australians had downloaded it. That number blew away forecasts from the government, who were estimating that it would take around five days to hit the 1 million downloads milestone.
Health Minister Greg Hunt tweeted that “at 6:00am, it was 1.13 million Australians who had downloaded it… we got the first million within five hours. We had been hoping, our best hope, was we might get to 1 million in five days.”
The government requires a 40 per cent uptake, or around 10 million downloads, in order to effectively manage the spread of the coronavirus to other individuals and inform potentially infected Australians to get tested.
Technology analysts and digital rights advocates are calling for the government to make good on its announcement that the source code would be released, so researchers can study exactly what will be done with the data collected.
Mr Hunt has said that “the source code will be released within two weeks… The reason for that is there’s a constant review of the safety and security,” adding that “our first take is to make sure the security assessment is done and that there is absolute protection of privacy above all else.”
Shadow minister for Health, Chris Bowen, said “I’m prepared to take the Government in good faith that if that’s what they’re working through.” In reference to the government’s pledge to make the source code openly available, Bowen added “of course it should be released, but if they need a little bit of time to sort that through and work out how much should be released then I’m prepared to give them that.”
Prime Minister Scott Morrison has stated that the app will help get life back to normal, deeming it an essential tool to ease the restrictions in place around the world to curb the spread of COVID-19.
Minister Hunt added to this, stating “it assists in the early alert and finding of people who may have been in contact with a person who is positive with a diagnosis.”
Morrison stated overnight that privacy concerns are unfounded, reiterating that only health officials will have access to any data collected by the app. “No other government agency can use this information, no-one in the Commonwealth Government at all. And in state authorities, only the health officer can use it,” he added.
“Not the police, not the welfare people, nowhere else. Just the health officer.”
As we reported last week, however, there have been concerns from security experts about the government awarding the tender for data storage to Amazon Web Services, a foreign-owned organisation, when a number of Australian security-vetted companies weren’t allowed to bid on the tender, in an invitation-only process issued by the Department of Home Affairs.
Michelle Price, chief executive at AustCyber, said “I don’t know why they weren’t alerted to it… it’s a bit unfortunate that local providers who have worked hard and attained accreditation to provide security in the cloud to the government were not able to be a part of this.”
Price also raised concerns about the government’s decision to store decryption keys in the cloud itself, which a number of tech analysts have stated goes against cybersecurity best practice for handling sensitive data in the cloud.
“The other thing we can do as best practice is to ensure, because the data is appropriately going to be encrypted, the encryption keys are held separately to the database.”
“It’s my understanding that off the back of us and others asking the question about whether the keys will be stored in the same cloud, and pointed out that best standard is to hold them separately - that’s being actively worked on… it’s my recommendation that those keys be held in a sovereign cloud,” Price concluded.
“We will delete all data in the data store after the COVID-19 pandemic has concluded as required by the Biosecurity Determination… Contact data on your device will be automatically deleted from your device 21 days after contact occurs. It will also be deleted if you remove COVIDSafe from your device or upload your contact data to the data store,” they added.