This morning I asked a number of questions of the Foreign Minister about the COVIDSafe App, its performance so far and necessary improvements.
Disturbingly, she claimed not to know how many times a COVIDSafe App user had tested positive with COVID19 and their tracing data uploaded. “We do not have access to that information nor should we.”
This afternoon I spoke on the governments COVIDSafe App and why I won’t be downloading it. I understand this Government feels the need to get this app in wide use and is prepared to write good data protection rules to achieve that.
I would ask the Government to show it really cares about the privacy of everyday Australians by revisiting the wider issue of Government use of private data.
Transcript
Senator Roberts.
Thank you Madam Acting Deputy President. As a servant to the people of Queensland and Australia I have pleasure in saying that One Nation will be supporting this bill. That doesn’t mean that I will be downloading the app as I’ll explain.
But firstly, I would like to compliment the attorney general for the work that went into this bill. When Minister Hunt’s regulations came out to accompany that app launch, my office had a number of reservations about the level of security provided on the data.
This bill is needed to clear up those issues and it has done so. I will mention these in passing for the benefit of our constituents. Then I’ll move on to the security risk that the app itself still represents. I did have a concern that the government was giving bad players an opportunity to access data on the server without detection.
So there are two aspects to this Madam Acting Deputy President, there’s the app itself and then there’s the uploading of data to the server and the storing of that data and the use of that data. So I did have a concern that the government was giving bad players an opportunity to access data on the server without detection.
The decision to ask the Office of the National Data Commissioner, the commissioner, to overview data storage and access is a wise choice that addresses this concern. We are pleased with that. I was also worried about Amazon having access to both the client file, which is needed, to identify app users and the data file for COVID positive users.
This in effect gave Amazon access to significant personal information of app users. So let me explain a bit more. The separation now of the key file and the data access, the data file itself, under the supervision of the commissioner is the best way of making sure Amazon and the government keep each other honest, well done.
So in other words, we’ve got the government storing the data, we’ve got Amazon storing the data and the government having the keys. Both are needed. It can’t be separate. There is one reason not one party can have control. There is one issue here to do with the cryptography on the unique user IDs.
The open-source app that the COVID-safe app took as a starting point only requires 32 bit encryption. I would have hoped the app developers have taken that up to 128 bit and we’d ask the commissioner to consider that. Now let me turn to a number of security issues in the app itself that need to be addressed.
My office has put out a detailed sheet on this, so let me quickly mention them here and move on. The user ID can stick in the phone case causing a phone to broadcast multiple different user IDs over extended periods of time, which increases the chances of a phone being tracked.
Secondly, the COVID-safe app overrides phone security settings to use the same handshake address for a phone over the life of the app instead of changing every few minutes. This is a major security issue in the app. Thirdly, the COVID-safe app stores the make and model of the other phones it has matched within plain text where it can be easily read.
This approach is not necessary since this data could easily be trapped when the app is registered instead of storing it in the phone. Fourthly, if someone has named their phone such as, in my case Malcolm’s iPhone under some circumstances, this real name is what the other phone stores, app users who have named their phone with their real name may be exposing themselves to danger.
This results from the app using different ways of broadcasting data to maximise the chance of a match. This tells us that the developers have taken a deliberate decision to compromise safety to achieve the most number of matches. Fifth, data stored to the cloud is not deleted.
If a cloud service is used to backup or sync a phone, the COVID-safe app contact blog gets backed up to the cloud. This can be viewed by anyone with a sign in without the phone user’s knowledge. So I acknowledge that this bill makes the behaviour illegal, but not storing some of the data in plain English would have been a far better choice.
Sixth, an app running in the background will not match with another app running in the background on an iPhone. The app does not meet the government’s, number seven the app does not meet the government’s own standard for app accessibility.
WCAG 2.0 A. It fails accessibility tests on font size and field width and people with a disability the first people that need to get this app. So that was sloppy. Eight errors that were detected early in the release of the app have still not been fixed. Registration fails over WiFi, which is used in poor reception areas.
Bluetooth conflicts with external devices. Power management on an iPhone interferes with the app. 3% of older phones cannot use the app an alert message advising users that they have tested positive for COVID was being accidentally triggered. This was fixed by deleting the message.
So currently the app can’t be used to alert users when they actually do test positive. I must however compliment the government for the sudden concern about security. Where was the concern about people’s privacy in this government’s capture and use of the metadata of every Australian?
This government is storing texts, telephone call details, social media posts, websites visited and website comments for every Australian. At Senate estimates, we discovered that in 2019 there were 297,000 accesses of the metadata records of everyday Australians by 22 different government agencies.
How many of these accesses were accompanied by a warrant? Madam Acting Deputy President? None. Not one warrant. Now I understand this government feels the need to get this app in wide use and is prepared to write good data protection rules to achieve that.
So I’d ask the government to show it really cares about the privacy of everyday Australians by revisiting the wider issue of government use of private private data. Because the government’s track record on security is poor.
So as I’ve explained Madam Acting Deputy President, the shortfalls initially in our assessment of the app were to do with the data storage and access of that. That has now been resolved or will be resolved once this bill, Privacy Bill passes. However, the reverse is the case for the app.
We were originally happy with the app. We now see a number of flaws in it. So that leaves security issues in regard to people being able to track the phone owner, the phone user and that is not acceptable. I also wanna make a comment about the blackmail that’s being used by the government to push this app.
Minister Hunt said, “you wanna go to the 40?” “Download the app.” We’ve just heard here Senator Bragg saying, “this is that ticket to freedom.” No it’s not. There are far more effective tickets to freedom.
The Australian people have already shown a highly responsible approach to managing this COVID virus and we need to extend that. We need to stop the blackmail stop the control that is pushed over us. We need to get back to the freedoms that are inherent and being everyday Australians.
That is part of our birthright, part of our citizenry that we have, are entitled to rights and freedom. When we have permission from something to do something from a government that is not a freedom, that is the reverse because there is being withheld until the permission is granted.
So we need to rely upon the trustworthiness and the competence and a sense of responsibility of everyday Australians right around the country. So Madam Acting Deputy President, let me summarise by saying that this bill is necessary, and that is why One Nation will be supporting it. It is welcome.
Secondly, the app is not up to scratch and that’s why I won’t be downloading it. And thirdly, we need to get back to freedom properly.