Just Play Ball

It’s on a cold, dreary Friday night when you really start to miss the footy.

At this stage of the pandemic, our desire to return to life as we knew it has well and truly taken hold. In fact, things are so far from normal that, as of now, four million Australians have found trust in the Australian Government’s COVIDSafe app. And, to some degree, I don’t blame them.

For one thing, it is tempting to imagine we can stop a global pandemic in its tracks simply by downloading an app. It appeals to our slacktivist tendencies to feel like we’re taking part in something significant, to do the right thing and defeat an “evil” that has claimed lives. But it is naive to project the COVIDSafe app as anything more than this, and to do so requires us to ignore several underlying flaws in this process, solely for the sake of ‘playing ball’.

Playing the ball

The art of playing ball (or ‘playing the ball’, if you must) is taking what is thrown at you and making something of it, whether that’s diving to catch a poorly-thrown ball or improvising when you’re an essential worker and much-needed personal protective equipment isn’t made available to you.

The response of most, if not all governments to this pandemic has been reactive and imperfect—from the Victorian Premier Daniel Andrews declaring a state-wide lockdown in March only to back down the following day, to the debacle over the docking of the Ruby Princess. Grimly, miscommunications and poor decisions are to be expected from our contemporary politics, perhaps amplified by the changing nature of a pandemic. Now, the ball’s been thrown our way.

The app is not the (main) problem

The COVIDSafe app, on the face of it, is admittedly less dangerous than I was originally concerned it would be. The vast majority of the app’s workings are, according to early findings, taken from the Singapore Government’s ‘OpenTrace’ implementation. This source code is hosted on GitHub if you’re curious to see what this looks like. For one thing, I have more faith in the Australian Government when it opts not to design its own app framework. On Android devices, the app itself does not track your location, uses modern network standards including HTTPS, and the data it collects is not accessible to other applications.

On Apple devices, you’ll need to keep your phone unlocked. And the app has to be open. And, for it to work as designed, you’ll need to do this for 15 minutes. “So it’s not perfect,” you might be thinking, “but it works. What’s all the fuss about?”

Fortunately, we have the Government Services Minister, Stuart Robert. COVIDSafe will only record the Bluetooth interactions it has, to quote Robert directly, “if your app has been within 15 minutes duration of someone, within 1.5 metres proximity.” This is false; the app stores all Bluetooth interactions it has with other COVIDSafe devices, no matter the distance nor how long they occured. As per the government’s privacy impact statement, if a user tests positive to COVID-19 and consents, the last 21 days of this data is uploaded to the app’s servers.

There’s also the issue of the data contained on the app itself, including the contents of Bluetooth connections, not being encrypted. These ‘digital handshakes’, as the government insists they are referred to as, involve the unique ID number of both devices being broadcast. These unique identifiers are derived from your phone number, generated by the servers and updated regularly as long as a network connection is retained.

What would be to occur if someone with access to the server also had access to your unique ID? Again, the privacy impact statement outlines this: your identity, in this case your full name and phone number, could be “reasonably ascertained”.

What is(n’t) in writing?

There are several more concerning elements of this process, which for me outweigh any of the app’s failings. For one thing, aside from a single determination that can be appealed at any time, no legislation has been enacted by the federal parliament. This is immediately concerning; many of the protections the government has conceded, such as blocking law enforcement from accessing the app's metadata, are not covered by this determination, and so are utterly worthless until any legislation takes effect.

To chuck a bone to the ‘everyone spies on you already’ crowd: law enforcement agencies in Australia have other means to access your metadata, and in South Australia this has already been used to track Coronavirus patients. If you’re happy to give your consent to this app, consider what you haven't given your consent to. You don’t fix a problem by conjuring up a different, slightly smaller problem.

On Saturday, it was revealed that while the COVIDSafe app is available to download, state and territory health officials cannot yet access the data it captures. Would the last 7 days of data be able to accessed once this is resolved? Like many things about the app, both before and since its release, we don't know. If the app is being used as a bargaining chip by the Prime Minister, and if more states choose to slowly ease lockdown restrictions, is it sensible to risk luring Australians into a false sense of security if the operations of COVIDSafe are not yet finalised?

And returning to the subject of legislation, let’s consider where our data is going. Specifically, the servers—the National COVIDSafe Data Store—which is held on Australian servers owned by Amazon Web Services. Amazon, being an American company, is subject to American law, including the Patriot Act which, if invoked, can compel US companies to hand over data no matter where it is physically stored. Amazon has previously described this as “a red herring” when mounting an argument less convincing than a child blaming the dog for bringing muddy boots into the house.

The end will come

Look, I want to go outside as much as you do. I want to hold hands with my partner and lose my voice at a packed concert. On a cold Friday night, I want to freeze in the stands of the MCG or AAMI Park, and stagger joyfully through Kings Domain after we win on the siren. And we will, soon.

But no app will get us there faster. No matter how hard the Prime Minister will try to blackmail us. No matter how many times people on Facebook try to conflate giving Facebook your personal information (to sell you ads while you browse ad infinitum) with trusting a government app that’s not protected by specific legislation (from the same government that blames a lack of website capacity on a ‘cyber-attack’, no less).

No app, even if it reaches the unthinkable 40% adoption rate, can stop this pandemic. Because COVID-19 is not a technocratic enemy but a viral disease. It requires science to develop a vaccine, adequate testing for all, and a functional and well-resourced healthcare system to care for the vulnerable. To win, we require a community that is willing to act as one.

The footy, the concerts, the good times will wait for us. The end will come.

Photo by Napendra Singh on Unsplash