ScoMo’s virus app a virus itself

Via Crikey’s Bernard Keane:

How many Australians have to download the Morrison government’s surveillance app for it to be effective in helping health authorities trace contacts of people who have tested positive for COVID-19?

At least 40% of the population, says Scott Morrison.

Not 40%, say bureaucrats from the Department of Health. In fact, they hadn’t suggested a target at all, they told a Senate committee hearing yesterday. The 40% figure seems to be an invention with no public health basis, despite the prime minister’s certainty. On current download rates, the app is unlikely to reach Morrison’s benchmark any time soon.

Some in the media have accommodated this by shifting the goalposts and pretending Morrison meant phone users, or even adult phone users.

It certainly can’t mean iPhone users since the app doesn’t work properly on those devices, as bureaucrats admitted yesterday — contradicting Government Services Minister Stuart Robert, who declared it was fine on iOS devices.

The Senate committee also heard that phones of different generations may have trouble exchanging information, especially if the app is only running in the background. Meantime, state and territory governments have yet to finalise arrangements to actually start using the data collected by the app.

As cybersecurity experts get time with the app to see how it works, more in-depth analyses are emerging that have exposed potentially serious flaws that could be easily exploited.

Software engineer Jim Mussared, who says he supports the app and its goal of saving lives, released a detailed account of several significant problems he had discovered in the app and which he advised to the Department of Health and security agencies several days ago.

One issue, which the Australian app has inherited from its source code, the OpenTrace app, means the app will broadcast the same ID, rather than regularly changing that ID, to certain devices, enabling the app to serve as a de facto tracking device.

Another problem, introduced in the Australian version of the app, also generates identifying information about the phone on an indefinite basis, again enabling the app to be used as a tracking device if a receiver has the right software.

The problems mean that it is trivially easy for someone to write an app, or construct a receiving device, that can track the movement of a particular phone over an extended period. This isn’t an issue about government surveillance (that can be done perfectly easily with mobile phone metadata and a warrant) but about abuse by malicious actors.

About the author
David Llewellyn-Smith is Chief Strategist at the MB Fund and MB Super. David is the founding publisher and editor of MacroBusiness and was the founding publisher and global economy editor of The Diplomat, the Asia Pacific’s leading geo-politics and economics portal. He is also a former gold trader and economic commentator at The Sydney Morning Herald, The Age, the ABC and Business Spectator. He is the co-author of The Great Crash of 2008 with Ross Garnaut and was the editor of the second Garnaut Climate Change Review.