With the government’s progress in battling with COVID-19 there has been talk of a release of a national app that will help to track contact with other people to help get the nation to a stage where we can get the economy moving again as quickly as possible.
It works like this.
The app is installed on as many phones as possible. The app then uses the phone’s Bluetooth transmitter like a beacon to ping other phones. Because Bluetooth is a short-range radio signal, it is good for finding other devices within a 3 to 10 meter radius.
When the app finds another device using the app, both devices then record that contact in a table held in each app. This repeats over time and the information may be retained for up to 3 weeks.
Let’s assume that someone using the app displays COVID-19 symptoms and is tested at a clinic and is confirmed as positive. Normally they would then have to trace their movements and think back over the last 2 weeks or more to remember who they were in contact with.
Assuming the infected individual can remember who they were in contact with and knew how to get in touch, each individual would need to be contacted and advised to get tested.
This is where the app, based on Singapore’s TraceTogether, would step in.
When a positive case needs to be notified, the push of a button will almost instantly advise all devices that were in close proximity to the infected user’s device over the previous 2 or 3 weeks.
Done. Simple right?
There are some people piping up with concerns over privacy, which is a question everyone should be asking. But dismissing the app out of hand in this current climate, because you don’t know the details, is simply irresponsible (I am looking at you, Barnaby Joyce and other technophobe pollies).
Honestly, if you are worried about apps on your phone tracking you and gathering data points, you need to be putting Google, Facebook, Apple, Microsoft, Amazon, Tencent, Waze, Instagram, Twitter, TikTok and a whole raft of other apps under the microscope.
Having a problem with what private information your phone is giving up now is really closing the gate well after the horse has bolted 10 years ago. If we are going to give up data points it might as well be for the good of the community, not the good of a corporation.
Railing against an app that falls vastly short of the level of information gathering the rest of the market has been doing for years could be seen as a desperate grab for airtime, one that could have a real impact on Australian communities.
What Barnaby and his ilk fail to grasp is that privacy and security are not a yes/no option. It is a matter of weighing up the benefit versus the risk and finding a point at which you are OK with going ahead.
I am often asked if I think an app is OK or not and here is a chance for us to really break down an appropriate list of features that will do the job without compromising privacy and security.
I am OK with:
- Bluetooth proximity tracking – this is all you need to scan for nearby devices.
- Anonymised contacts with other devices that warrant tracking – No need to track names or even real device MAC addresses. A generated signature within the app is all that is needed.
- Secured Encrypted Cloud backups – best offered as an option that people can opt in to. This will only be used to store the scans recorded by the device.
- Background use with minimal battery impact – An app that drains battery life will quickly get the boot, and having to open the app while out and about is counterproductive. This app is intended to keep track of people you may have been in contact with so you don’t have to rely on your own memory if you are diagnosed as positive.
- Shutdown of App and support systems once the event is declared over – This is vitally important. Active apps and databases are at risk of exploitation, so leaving code and data available longer than needed unnecessarily exposes them to attacks or unauthorised access.
- Opening up the source code and subsequent version updates for examination by the community will give experts a chance to check code for bugs and potential security issues.
- Push notifications – in case users need to be contacted.
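
One way the anonymised "generated signature" and the 3-week retention described above could work, as an added example that is not code from the government app or from TraceTogether. The 15-minute rotation interval, the class and method names, and the model in which a positive user's identifiers are shared and matched locally on each phone are assumptions of this example.

```python
import hashlib
import hmac
import os

ROTATE_SECS = 15 * 60           # assumed rotation interval for the broadcast ID
RETAIN_SECS = 21 * 24 * 3600    # "up to 3 weeks" retention from the article


class Device:
    """Hypothetical app state: a random secret and a local contact table."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # no name, number or MAC address
        self.contacts = []                      # (seen_at, ephemeral_id) pairs

    def ephemeral_id(self, now):
        """Identifier broadcast over Bluetooth; changes every ROTATE_SECS."""
        epoch = int(now // ROTATE_SECS).to_bytes(8, "big")
        return hmac.new(self.secret, epoch, hashlib.sha256).digest()[:16]

    def record(self, other_id, now):
        """Store a sighting, then drop anything past the retention window."""
        self.contacts.append((now, other_id))
        self.prune(now)

    def prune(self, now):
        self.contacts = [(t, i) for t, i in self.contacts if now - t <= RETAIN_SECS]

    def ids_for_window(self, now):
        """IDs this device broadcast in the window (shared after a positive test)."""
        start = max(int((now - RETAIN_SECS) // ROTATE_SECS), 0)
        end = int(now // ROTATE_SECS)
        return {self.ephemeral_id(e * ROTATE_SECS) for e in range(start, end + 1)}

    def exposed(self, reported_ids, now):
        """Local match: is any reported ID still in our contact table?"""
        self.prune(now)
        return any(i in reported_ids for _, i in self.contacts)


def demo():
    """Constructed scenario: alice meets bob on day 1 and carol on day 30."""
    day = 24 * 3600
    alice, bob, carol = Device(), Device(), Device()
    bob.record(alice.ephemeral_id(1 * day), 1 * day)
    carol.record(alice.ephemeral_id(30 * day), 30 * day)
    # Alice tests positive on day 31; the day-1 contact is outside the window.
    reported = alice.ids_for_window(31 * day)
    return bob.exposed(reported, 31 * day), carol.exposed(reported, 31 * day)
```

Because the broadcast identifier rotates and is derived from a random secret, a passive listener cannot link two sightings of the same phone across rotation periods, and nothing in the contact table names a person.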
I am NOT OK with:
- GPS geolocation. There is no need to track where people are as that does not relate to proximity to others and potential infection. You do not get infected by being close to a point on a map, you get infected by being close to a person.
- Selling/sharing of any user information to any third parties (including law enforcement and any govt departments not related to health). This is just a straight up violation of trust. The Government will have a hard time selling any tech project based on past experience and needs to really step up in doing all the right things. Slipping up on a project like this will be a major blow to this and future governments’ credibility and trustworthiness.
- Having to run the app in the foreground – This is just madness. Needing to run an app to allow it to send and record the results of a scan via Bluetooth is simply poor app design and makes the app cumbersome to use which will result in very poor performance.
- Needing to enter in any personal information – the app can run fine without any personal user data apart from a number to send SMS alerts to in case push notifications are not available.
- Mandatory participation – There is no world that I can imagine that any government should have the authority to demand any app is installed and used on a private citizen’s own device. Period.
- Apps requesting access to microphone, camera, GPS, accelerometer etc. You will only need the following:
  - Bluetooth – For scanning for devices nearby.
  - Storage – For recording the scan results on the phone.
  - WiFi/Cellular Data – For uploading of encrypted data to secure online backups and for reporting infection.