Questions remain about the effectiveness of Australia’s COVIDSafe contact tracing app

The COVIDSafe app has been labelled a "dud" by Labor. Source: AAP

More than 5 million Australians have downloaded the government’s COVIDSafe app, yet serious questions still remain about privacy and the app’s effectiveness. Here’s what we know, and what we don’t.

The Australian government's COVIDSafe contact tracing app has been available for close to two weeks now, and has been downloaded by more than 5 million Australians.

However, serious questions remain about the app's effectiveness, and experts continue to raise privacy concerns, applicable in rare but specific circumstances.

The government has promoted COVIDSafe as a key part of Australia's recovery from coronavirus shutdown, saying that the app will help health authorities to quickly contact anyone who may have been exposed to an active case of COVID-19.

The app uses Bluetooth technology to record a handshake with any other app users nearby, and this data can be uploaded to a central server if a user tests positive for the virus.

While the application's source code has yet to be made public as promised, since the app's release the Australian tech community has reverse-engineered and scrutinised much of its functionality, identifying a number of flaws along the way.

We've previously covered some of the concerns experts have raised, as well as detail on how the COVIDSafe app is intended to work. Close to two weeks later, here are some of the key questions that remain.

Does the COVIDSafe app work on iPhones?

When the COVIDSafe app was first released, questions were raised about whether the app works as intended on iPhones, which are not designed to allow the continuous use of Bluetooth by apps running in the background.

On Wednesday, authorities acknowledged that there are some problems with the app's functionality on iPhones, but avoided providing details on the issue.

"What we can say is the quality of the Bluetooth connectivity for phones that have the app installed running in the foreground is very good, and it progressively deteriorates," Randall Brugeaud, the head of the Digital Transformation Agency which is developing the app, told a Senate committee.

"The quality of the connection is not as good as you get to a point where the phone is locked and the app is running in the background."

As for whether it's possible to fix the problem, Brugeaud said that Australia will be "one of the first adopters" of new contact-tracing technology set to be released by Apple and Google.

This in turn raises some new questions -- while the full details of Apple and Google's new framework have yet to be released, the tech giants have been focused on providing a decentralised solution to contact tracing which does not store personal information on a central server like COVIDSafe does.

Experts have suggested that updating Australia's app to work with Apple and Google's framework is therefore not just a small update, but a potentially "huge and fundamental rewrite" of the app. The Digital Transformation Agency did not answer a question from The Feed about whether this will be the case.

Are people having other problems getting the app to work?

IPhone issues aside, the government has also admitted that state and territory health departments have yet to actually receive or use any data from the app, as agreements on access to the data are still in the works. A Department of Health spokesperson told a Senate committee on Wednesday that those agreements were "very close" to completion.

Additionally, some users have left app store reviews detailing problems registering for the app after downloading it. In some cases, this issue can be fixed by temporarily disconnecting from WiFi.

None of these issues are reasons not to install the app, and all can be improved on with time. Still, it's worth noting that while 5 million people have downloaded and registered with the app, it remains unclear how many of those 5 million apps are actually functioning as intended.

How many Australians need to download COVIDSafe in order for the app to be effective?

There is no clear answer to the question of exactly how many Australians need to download the COVIDSafe app in order for it to be effective.

The government has previously suggested that at least 40 per cent of Australians need to have the app installed for it to work. However, it's not entirely clear where this figure came from.

Department of Health spokesperson Caroline Edwards told Wednesday's Senate Committee that she was also unsure where the 40 per cent uptake figure came from, and that the department had not set targets for the number of people it needed to download the app.

Instead, Edwards said that while ideally she would like all of Australia's 16.4 million smartphones to have the app, "we're counting as we go".

"We need a critical mass -- I think five million is a massively good start, but the more the better," she said.

It's true that the more users of the app there are, the more effective it will be. The app is intended to complement rather than replace traditional contact tracing, where health authorities interview a person who has tested positive to the virus in order to work out who they have recently come into contact with. If the app is able to identify any contacts health officials have missed, this is helpful.

However, as the app can only record close contact with other users of the app, its usefulness is limited if not enough people download it. A recent study by Oxford University suggested that approximately 60 per cent of the population would need to install a contact-tracing app in order to stop the pandemic's spread, though "lower numbers of app users will also have a positive effect".

Five million downloads is close to 20 per cent of the Australian population, or 30 per cent of Australia's 16.4 million smartphones. This may well have a positive effect, but it should also not give Australians false hope right now -- it will still be necessary to adhere to social distancing guidelines and other measures while transitioning out of COVID-19 lockdown.

Have privacy and security concerns been addressed?

Over the past week, Australia's tech community has been reverse-engineering the COVIDSafe app in order to document any bugs or privacy issues in the code. Quite a few problems have been identified since the app's release, and while they range in severity, experts say they have struggled to get the government to acknowledge and fix even very simple issues.

We'll get into a bit of detail on what those privacy issues are, and what they mean for you, in a moment. For now, here's why experts are concerned about the government's slow response to those issues, even when they're small.

Geoffrey Huntley is one of the software engineers who has been examining the COVIDSafe app for flaws since its release. Together with a group of other developers on social media, he has been documenting his findings in a publicly accessible document, and attempting to alert the government to any problems identified.

Huntley told The Feed he first reached out to government departments on April 27, one day after the COVIDSafe app was released. He contacted both the Digital Transformation Agency and the Department of Health multiple times via multiple email addresses, but said he did not receive any acknowledgement until May 5th.

And while the government released an updated version of the app on May 6th, it did not address most of the problems the tech community had been flagging publicly for over a week -- including problems that could be fixed with just one or two lines of code according to the developers that found them.

"There are no major bug fixes, it's just a new fresh coat of paint," is how Huntley described the latest app update.

That left him to believe that there could be two possible scenarios from his point of view: either the government is simply not receiving or monitoring reports about problems with COVIDSafe, or "someone somewhere knowingly deprioritised privacy work, and instead focused on doing a new paint job for the application".

Huntley has called for the government to provide a way for security and privacy researchers to responsibly disclose problems with COVIDSafe so they can be fixed quickly.

He's not alone in calling for this. Software developer Jim Mussared has also discovered and documented a range of issues in the COVIDSafe app, and has attempted to raise these with the government.

"The response from the government has been exceptionally slow, and they still have not put anything in place to try and work with the community to address these sort of issues," Mussared told The Feed.

"We're nine days into this, and I still don't have a way to reliably report issues as they come up."

By way of comparison, Mussared pointed out that when he and other developers contacted the Singaporean team developing the app that Australia's COVIDSafe is based on, it took less than an hour for the issue to be acknowledged, and less than a day for the team to start on a fix.

Privacy expert and ANU Associate Professor Vanessa Teague, who has also been closely monitoring problems with the app, told The Feed that it is "critically important for [the government] to engage with the tech community and get the bugs fixed".

"Nobody expects that something built under such severe time pressure will be perfect, but we do expect that something millions of Australians are depending upon will be quickly patched when bugs are identified. They need to fix it, now," she said.

The Digital Transformation Agency told The Feed that "there is a rigorous process in place to update the app to ensure new features perform as expected and meet security requirements", and said that the government "will continue to welcome feedback on the app" via the "report an issue" function or support@covidsafe.gov.au.

However, the DTA did not answer specific questions about when it became aware of the issues flagged in documents sent to it by Huntley and other developers, why developers reporting issues did not receive a response from the agency until May 5, why these issues were not addressed in the May 6 app update, or when the issues in question would be resolved.

Should Australians be worried about the app's privacy issues?

As for whether the privacy issues experts have uncovered should worry you, that really depends on your individual circumstances.

We've explained some of the potential privacy issues raised by the app previously, and the issues that remain today are largely similar. They include things like the app broadcasting information like the model of your phone, as well as the types of information the app sends to a central government server.

While this information may seem innocuous, it can be used to discover or reveal other information that may matter more to you. And while the government has introduced legislation that would make misuse of COVIDSafe data punishable by up to five years in prison, Australia's tech community is pointing out that the government could simply make many of these abuses of data impossible by making changes to the app.

For instance, one of the bugs identified by Mussared is a mistake that means the anonymous code the app broadcasts from an individual's phone is not refreshed every two hours as intended. That makes it possible, in theory, for someone to identify when a specific phone moves between different locations.

"This might not be a big problem, for most people," Mussared said. "But it's particularly concerning for people who really need to know that they are not having their location tracked -- that people can't see that they left one place and then arrived at another place."

For many Australians, this is likely not concerning at all -- realistically, most people have no reason to fear that anyone will go to the effort of working out which unique code matches their phone, let alone use that code to track their movements. That's why, in Mussared's document, he begins by advising readers "Don't Panic!!", adding that "users are advised to be aware of these issues but in most cases might reasonably conclude that they are not significant enough to warrant not using the app".

It's also true, though, that for some Australians these issues will be concerning, which is why Mussared, Huntley, Teague and so many other developers and researchers are dedicating their time to examining this app.

"I think you're right, a lot of people would not be terribly concerned about this," Mussared told The Feed. "But the point is that this is not about everybody. This is about the people for whom this is extremely concerning. And we need to fix it for them."

Vanessa Teague expressed a similar view, telling The Feed that even as a privacy expert, she can't give Australians advice on whether or not to install the app, because it depends too much on their personal circumstances.

"My position is that different people have different privacy needs, and hence need clear and accurate information when they're deciding whether or not to run it," she said.

"There are privacy implications -- for most people, they're probably not a big deal, but for some people they are. In particular, there's a risk that very precise information about who's been near you could be leaked or abused."

"For example, if you're an Australian journalist meeting a source face-to-face, you would need to assess the risk of the data being abused by the Australian government. If you're a foreign pro-democracy activist living in Australia, you might care about the risk that your home government cracks into the Australian database or the phones of you or your friends."

So, should I install COVIDSafe?

Ultimately, then, the decision about whether to install COVIDSafe remains a personal one at this time. If the privacy issues that have been identified don't worry you, you may feel perfectly comfortable installing the app.

Importantly, experts stress that questions about whether the app works well on iPhones should not dissuade you from installing the app -- while we don't know how well the app runs in the background, any time that it spends running can potentially assist in contact tracing.

At the end of the day, though, whether or not to install the app is your decision, and your decision only. Neither the government nor your employer can force you to do so, and you're within your rights to wait if you want to see some questions answered before you hit download.


People in Australia must stay at least 1.5 metres away from others. Check your state's restrictions on gathering limits.

Testing for coronavirus is now widely available across Australia. If you are experiencing cold or flu symptoms, arrange a test by calling your doctor or contact the Coronavirus Health Information Hotline on 1800 020 080.
The federal government's coronavirus tracing app COVIDSafe is available for download from your phone's app store.

SBS is committed to informing Australia's diverse communities about the latest COVID-19 developments. News and information is available in 63 languages at sbs.com.au/coronavirus