The COVIDSafe app was recently released by the Australian Government to shorten the process of identifying and contacting people exposed to coronavirus (COVID-19). Since its announcement, COVIDSafe has drawn a lot of opinions and comments. We have researched the technical and security details of the app and will provide below some of the key factual information you need to know, followed by a recommendation for all DB Results staff.
We thank Rallas Buttriss for his research and knowledge. Rallas is DB Results' Head of Health, and is also the pre-eminent IT security expert in the company.
How it works
COVIDSafe is an app you voluntarily download. The app collects some personal information such as your name, mobile phone number, postcode and age range, and then generates a unique encrypted code (your personal reference code). It uses Bluetooth technology to communicate with other phones within a certain proximity that are running the app at the same time.
- The app needs to be running in the background on your phone to work.
- You need to have Bluetooth on your phone on for it to work.
- You need to allow notifications for the app on your phone.
- When you come within proximity of another person with COVIDSafe running on their phone, the app will swap reference codes and note the date, time, distance and duration of the contact.
- It will not record location.
When someone is diagnosed with COVID-19, they will be asked to upload their data from their phone for use by health authorities. If your reference code is contained in the data, you will be contacted via the app, and state and territory officials will request permission to access your encrypted contact information. If you provide permission, the encrypted data is uploaded to a secure location. The unique reference codes are the only pieces of information used to contact those at risk of exposure to COVID-19. You will only be contacted through the COVIDSafe app to advise next steps; the government will not have the personal details of those you came into contact with and therefore cannot contact them by ringing them.
The data concerning the reference codes, data, time, distance and duration is stored securely on the phone. If the data has not been uploaded by the individual user within 21 days it is deleted. Therefore, a history of only 21 days’ contact data is kept on the phone. This is considered the reasonable amount of data to keep, accounting for the common 14-day symptomatic detection, testing and contact-tracing period.
Frequently Asked Questions
Will my personal data be available to government or shared with everyone I come in contact with?
- Your personal data is safely stored encrypted on your phone and is not shared with any other phones.
- If you contract COVID-19 and give the government permission to access your data, then your personal information you entered in the app will be uploaded along with the encrypted contact data.
How secure is my personal data?
- The data you have entered in the app is encrypted and therefore safer than most data you have on your phone.
Can the data be used by ‘undesirable’ entities to track me and draw relationships between the people I have contact with?
- The security design of the app means that the data resides on the individual’s phone. For a sophisticated hacker to access and then use the data, they would firstly need everyone’s phone data, and then need to be able to hack the encryption key.
- The encryption key is changed every two hours.
Will COVIDSafe use all my phone data space?
- The contact information stored in people’s mobiles is deleted on a 21-day rolling cycle. The amount of data captured is small and there is no more than 21 days’ data stored at any point in time.
Until a vaccine is found or COVID-19 is eliminated, we need to find ways of quickly identifying transmission to prevent the logarithmic spread of the virus we have seen in the past. By using technology to speed up contact tracing, solutions like COVIDSafe allow us to minimise the unknown spread of the disease and regain some normalcy.
The government has outdone itself with the security design of the COVIDSafe app:
- minimal information is passed between phones,
- all information is encrypted,
- the encrypted key is changed regularly, and
- the government can only access what you specifically give them access to.
As a result, DB Results provides our full endorsement of the COVIDSafe app. We encourage you to download it and have it running in the background of your phone when you leave your home. We recommend that you encourage your family and friends to do the same. COVIDSafe enables you to take ownership for a heightened level of exposure notification and protect the ones you love.
Watch the Australian Government's COVIDSafe App video to learn more.