Despite privacy concerns, the federal government’s COVIDSafe app has been downloaded over two million times since its release just days ago.
The app has been developed to trace people who may have been exposed to someone who has tested positive to the virus, with the data then being shared with the Australian Department of Health.
The app’s popularity comes amid mounting concerns over privacy and data breaches coming from both the public and private sectors. But Sean Duca (pictured), vice president and regional chief security officer for Asia-Pacific & Japan at Palo Alto Networks, says people should feel a “level of comfort” over how the government developed the app.
“The Government has undertaken a thorough review of the app through security agencies like the Australian Cyber Security Centre and the Cyber CRC, as well as consulting with other agencies such as the Privacy Commissioner and the Human Rights Commissioner,” Duca said.
“It is important to remember the overall goal when downloading the COVIDSafe application – the Government wants to prevent the next COVID-19 death and mitigate any ‘second wave’ that might occur when social distancing measures are relaxed. This should give Australians a level of comfort.”
While downloading the app is voluntary, Duca says smartphone users should still practice safe cyber security measures to ensure their data is private and protected if they do decide to use COVIDSafe.
“… citizens should only download the application from official channels on the Apple App Store or Google Play Store, and ensure any additional information requests via phone or email are firmly authenticated before sharing any private information,” he said.
“Information required to set up the app is a phone number, name, age range and postcode. And this application certainly has better security than some other apps on the market – such as gaming apps that many Australians already have on their phone.”
Additionally, Duca says the information collected and stored by the app is encrypted and can only be accessed by state and territory health departments.
“The information is encrypted, and that encrypted identifier is stored securely on your phone. Not even the user can access it. The contact information stored in people’s mobiles is deleted on a 21-day rolling cycle. This period takes into account the COVID-19 incubation period and the time it takes to get tested,” Duca continued.
“The Government has indicated only state and territory health authorities can access the data.”
The app works by relying on Bluetooth technology to track its users through their “unique identifiers,” a code assigned through the app, which will then trace other app users who they have been in close proximity with.
“Using Bluetooth technology, the app exchanges unique identifiers with another user when they come within 1.5 metres of each other for 15 minutes or more, and then logs and encrypts this contact,” Duca explained.
“If a person with the app is tested positive to COVID-19, they would be asked to download the log and send it to a central server, where their local health authority could access and decrypt it. The Health Department would then call anyone who had been in contact with a COVID-19 case. This process will quicken the contact tracing process.”
Once someone becomes infected, health departments access the app’s data and contact the impacted individual or their caretakers for further information on who they have been in contact with.
“… our understanding is that when someone is diagnosed with COVID-19, state and territory health officials will ask them or their parent/guardian who they have been in contact with. If they have the COVIDSafe app and provide their permission, the encrypted contact information from the app will be uploaded to a highly secure information storage system,” Duca said.
State and territory health officials will then provide the exposed individuals information on the next steps including symptoms to look out for and where to get tested. The federal government has assured the public that health officials will not name the infected person throughout this process, outlined in its “Privacy Impact Assessment” (PIA).
For people who remain concerned over their privacy and data when using the COVIDSafe app, Duca says it’s important to remember the app is not a “surveillance” tool.
“It is important to note that this is not intended to be a surveillance app and the data is only saved locally to the phone. When the app recognises another user, it notes the date, time, distance and duration of the contact and the other user’s reference code. The COVIDSafe app does not collect your location,” Duca added.
“The information is encrypted, and that encrypted identifier is stored securely on your phone. Not even you, as a user, can access it. The contact information stored in people’s mobiles is deleted on a 21-day rolling cycle.”