Researchers in Australia have identified a bug that caused that country’s contact tracing app to malfunction, it was announced Monday.
Governments around the world have introduced contact tracing apps to track the spread of the coronavirus. But, as in Australia, so far it’s unclear how much of a benefit these systems are having. Critics complain about risks to privacy and centralization of sensitive data, and note that intrusive technologies rarely work as expected.
COVIDSafe, Australia’s contact tracing app, was rolled out in April. But its latest version has not been working properly due to a bug, Richard Nelson, a software engineer, announced.
The bug causes iPhones that are locked to stop creating a new temporary ID, which is a key feature of Bluetooth-based contact tracing. This method uses the Bluetooth signal of other phones to identify with whom you’ve been in close contact. If the owner of a phone you’ve come into contact with contracts COVID-19, you will be alerted because your temporary IDs were communicated to each other via Bluetooth when you were close.
To protect user privacy, these temporary IDs regularly change. Without the ability to create a new temporary ID, though, a person’s phone will recognize and log other devices around it, but cannot be recognized by other devices, rendering it effectively invisible.
“The bug has a material impact on the number of encounters logged, particularly at an event, say, where people will tend to not have their devices out and in use, for example at a concert or movie theater,” Nelson told CoinDesk. “This is exactly the type of scenario where you’d want the application to be working in an optimal manner.”
In the report, Nelson laid out a scenario in which a woman named Alice packed her bag, put her iPhone in it, and went out for the day to a football (soccer) game. “With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted,” he wrote.
Contact tracing is the process by which countries and health departments track with whom an infected person has come into contact so they can let those people know they should quarantine. Apps have been proposed and implemented around the world to aid in this process. The results have been mixed at best.
For example, the state of Utah launched an app called HealthyTogether in an effort to help the state reopen from lockdown. As of late May, the only features available in the app were a symptom checker and testing center map, despite assurances there would also be tools to help human contact tracers, and a maps function that would allow users to determine which areas were at high or low risk in their communities, according to reporting by BuzzFeed News.
Today, the New York Attorney General is calling on tech giants Google and Apple to crack down on shady contact tracing apps in their app stores that aren’t transparent about how they’re using or storing user data.
“As businesses open back up and Americans venture outdoors, technology can be an invaluable tool in helping us battle the coronavirus,” said Attorney General Letitia James in the announcement. “But some companies may seek to take advantage of consumers and use personal information to advertise, mine data and unethically profit off this pandemic.”
Meanwhile, Norway has suspended its contact tracing app after its own data protection agency said it was too invasive when it came to user privacy.
Back in Australia, nearly one month after the COVIDSafe app launched, the Guardian reported the app was barely used, and only one person had been reported to have been identified as positive for COVID-19 using data from it.
Ironically, an effort to better protect users' privacy is what caused this bug in the first place, according to one cryptographer.
“The Australian government had recently overhauled the cryptographic protocol for their app, adding encryption to the payload in a way which, when it worked, mostly improved users' privacy,” said Vanessa Teague, a cryptographer with a focus on privacy and election security, and an associate professor at Australian National University.
She has also been researching the app. “Unfortunately, because they seem to have rushed it out without adequate testing or peer review, they seem to have completely broken its operation on iPhones in background mode.”
Steve Wilson, the managing director of Lockstep Group, a consulting firm that focuses on digital identity and privacy, saw the report and said the app has been terribly disappointing in terms of software quality.
“There are some surprising bugs, indicative of poor software processes,” said Wilson. “The app is turning out to be both pretty impotent and innocuous.”
Wilson said he was sad because he’s sympathetic to contact tracing technology as a general proposition, and the app is well intentioned, if a bit clumsy. Wilson said some of the privacy criticisms are overblown when you compare it to the very real impact of the virus, and especially if you don’t consider the government an adversary in the privacy-safety trade-off the world is currently navigating.
“COVIDSafe is nowhere near the worst thing a government has ever done to privacy,” said Wilson.
In a statement to CoinDesk, the Data Transformation Agency (DTA) for Australia said it continues to welcome feedback on COVIDSafe from the developer community, with previous feedback having helped it to improve the app.
“The DTA will continue to release updates to the COVIDSafe app to deliver a range of performance, security and accessibility improvements as required,” said a spokesperson for the DTA. “The Australian community can have confidence the app is working securely and effectively.”
Nelson said he had reported the issue to the DTA.
“I’m sure they’ll fix it in a timely manner so, hopefully, going forward the issue is resolved,” said Nelson.