[LINK] How will the coronavirus app work?

[Narelle Clark]

Their subsequent article on the legalities is more interesting...

https://www.smh.com.au/politics/federal/attorney-general-to-ban-police-from-accessing-coronavirus-app-metadata-20200422-p54m6e.html


On Thu, 23 Apr 2020 at 10:01, Bernard Robertson-Dunn <brd at iimetro.com.au> wrote:
>
> How will the coronavirus app work?
> https://www.smh.com.au/politics/federal/how-will-the-coronavirus-app-work-20200421-p54ltg.html
>
> The federal government wants you to download an app. Critics say it's a
> surefire way to get our personal data stolen. Proponents say it will
> save lives. Here's the detail.
> By Max Koslowski
> April 22, 2020
>
> The federal government wants you to download an app. The app – a tool
> you will be able to download to your smartphone soon – would speed up
> contact tracing for new coronavirus cases.
>
> Contact tracing is one of the ways some governments, including ours, are
> suppressing the spread of this virus. When someone falls ill, a special
> team quickly gathers as much information as they can from the patient,
> then calls up anyone who's had close contact with them while they were
> infectious and tells those people to isolate themselves. The government
> says contact tracing is a must-have in order for them to even consider
> relaxing lockdown laws.
>
> Hundreds of contact tracers are working in teams across Australia
> already. The app, says the government, will offer an additional
> automated version of this process. By enabling your phone to identify
> who's near you and preparing a record of who you've been near that's
> ready to go in case you ever contract COVID-19. It would save time. It
> might even save lives.
>
> But in a new world of big data, experts have serious concerns about even
> seemingly tiny bits of information being shared with the government. The
> app may well mark the start of a fresh tension between civil liberties
> and lifesaving not seen since policies made after the September 11
> terrorist attacks in 2001.
>
> So how would the coronavirus app work? Could the personal data it takes
> be stolen or misused? Will the app actually save lives?
>
> How does the app work?
>
> All smartphones have Bluetooth. We use it to connect our phones to other
> devices such as speakers, smartwatches and printers.
>
> Bluetooth can also be used to communicate wirelessly with other phones –
> and that's how the app will identify who you've been near. The phones
> will communicate with each other as you do in a call-and-response game,
> let's say, Marco, Polo. If you have downloaded the free app (by
> selecting it in the app store on your phone), your phone will send
> little signals every now and then – the "marco" – and if there's a phone
> nearby where someone has downloaded the app, it will register a "polo"
> in response.
>
> If you later contract COVID-19, all the "polos", or responses, your
> phone registered that belonged to phones that were within 1.5 metres of
> you (which is the required proximity for social distancing) for at least
> 15 minutes will be sent off to a central government database.
>
> The app is based on a similar piece of software out of Singapore, called
> TraceTogether. Australia joins Germany and Denmark in looking to push
> out a contact tracing app within the next couple of weeks.
>
> Sounds good, so what's the problem?
>
> This is where it gets a little trickier - and where some experts have
> concerns over privacy. The government has said it's taking only a very
> limited amount of personal data from app users: your name, mobile
> number, postcode and an age range. And the government has stressed what
> it's not taking: it won't actually ever keep track of where you are,
> just who you're with.
>
> To add an extra layer of security, they've made it so that when a phone
> picks up another user near it, it isn't able to know any of that
> information. How? By giving everyone an anonymous ID – so when your
> phone says "marco", it doesn't actually know who is "poloing" back.
>
> But for the app to work, the government needs to have a way to turn that
> anonymous ID into a full name and number – they need to contact trace
> somehow. Somewhere out there, there has to be a secret key that will
> unlock a secret database that turns an anonymous ID into someone's
> contact details. That's where privacy concerns come in.
>
> So is your personal data at risk?
>
> The most likely way your personal data could be misused or stolen is
> through that secret database. Richard Buckland, a professor in cyber
> security at UNSW, says that's where the real danger lies. "If you know
> the secret keys – the passwords that the government uses to set this up
> – you can work out what all the anonymous IDs would be. That's one
> little secret you need to get a hold of a database where you can access
> every 'polo' they're going to call out," he says.
>
> The federal government has given some assurances - they won't have
> access to this database, Prime Minister Scott Morrison revealed on April
> 21, and only state health officials tasked with contact tracing will be
> able to see what's inside.
>
> But there's still a lot we don't know. Earlier, the government said they
> would release the source code of the app - the backroom details showing
> how it is designed – but has now said it will keep parts of the code
> secret. And we don't know how long the app will be used – perhaps right
> up until a vaccine is distributed.
>
> So how likely is it that the secret database could be hacked? It's
> almost inevitable, Professor Buckland says. "I would assume the database
> would be compromised," he says. "Everything can be hacked. The [United
> States'] National Security Agency and Facebook are both far better
> funded than we are – and they've both been breached."
>
> Australian National University Cyber Institute chief executive Lesley
> Seebeck says similarly: "If someone is determined to get in they will
> get in – if a nation state wants to get in they will."
>
> The government has limited the amount of data that can be hacked. Data
> will only be sent to the secret database if someone tests positive for
> coronavirus, and they consent to that data being shared. That means that
> if someone successfully accessed the database, they wouldn't get a full
> list of everyone you have interacted with since downloading the app –
> but they would know what your anonymous ID is.
>
> And the limited data could be hacked. "Secret services in other
> countries could set up their own Bluetooth beacons," Professor Buckland
> explains, "they could put a Bluetooth beacon outside all Canberra
> brothels, for instance – and all of a sudden you've got the ability to
> identify someone's phone because they're constantly emitting that
> beeping Bluetooth 'marco' out of it."
>
> And while the app doesn't strictly collect location data, Professor
> Buckland says it wouldn't be hard to figure that out from the Bluetooth
> pings. There are algorithms around that can figure out whether you're on
> a crowded train, or a shopping centre, or your home, based on the
> frequency of signals emitted. The data could be used to blackmail people
> having affairs, or threaten journalists working on sensitive stories, or
> go after high-level executives thinking of working for another company.
>
> Professor Buckland makes another point about your personal data: we
> don't know for sure how a government of the future will use this new
> information.
>
> He fears governments will take this app as permission to encroach on
> civil liberties in the months and years ahead - in what is known in
> academic circles as scope creep.
>
> "With anti-terror legislation after [September 11], we started with one
> or two acts ... now there's more than 50," he says.
>
> Will the app save lives?
>
> It's impossible to say at this stage. The app will help contact tracing
> only if the people you have been in contact with also have it downloaded
> on their phones – and we don't know how many people will download it.
>
> The argument from Prime Minister Scott Morrison is that if enough people
> take up the app – he wants 40 per cent of Australians using it – then
> that will not only hasten the coronavirus contact tracing process but
> give an additional safeguard needed to reopen parts of the country.
> Deputy Chief Medical Officer Nick Coatsworth described the app not as
> essential to health outcomes but as the "icing on the cake" for an
> already "well-oiled" tracing regime.
>
> There is no data publicly available that shows how effective this will
> be, though. While some tech business leaders have been positive about
> the app, others have reservations.
>
> UNSW epidemiologist professor Mary-Louise McLaws, who sits on a World
> Health Organisation panel that advises on the preparedness, readiness
> and response to coronavirus, says, during the process of contact
> tracing, memory can fail patients distressed with a virus diagnosis.
>
> "People who are probably very upset, potentially sick and anxious, have
> to now try to recall everyone who they had any contact with – that can
> be difficult when it's trying circumstances," Professor McLaws says.
>
> The epidemiologist says there could be more use in shortening the
> timeframe for contact recording to five or 10 minutes, rather than 15.
>
> Professor Seebeck from the ANU Cyber Institute fears it may even slow
> down contact tracing teams. "What proportion of cases that we already
> know of fit within the 1.5 metre, 15-minute window? We're already told
> we shouldn't shake hands – we don't shake hands for 15 minutes," she
> says. "And [coronavirus] lingers on surfaces – that's not going to be
> captured by the app."
>
> The Cyber Institute chief executive says the app could generate a lot of
> false positives, putting extra work on contact tracing teams who now
> have to chase up more people.
>
> There's no way of knowing if the app saves lives – or, using Prime
> Minister Morrison's language, saves livelihoods – until we see it in action.
>
> Will Professor Buckland download the app?
>
> "If the situation got really bad," he says, "and this made a big
> difference, I wouldn't think twice."
>
> "But I would want to make sure there was assurance this was a temporary
> thing, that there wasn't scope creep, and that I could opt out at any time."
>
> Will Professor Seebeck? No.
>
> "Not until I have trust in the government. And they've got to work on
> it. It's up to the more powerful partner in the relationship to give
> trust, it's not for them to demand it."
>
> What about the epidemiologist, though?
>
> "I wouldn't recommend anyone download the app," Professor McLaws says.
> "We need to have wider community consultation - and have it done rapidly
> - about how long the data is held for and who holds it, and then is it
> removed completely and not used for secondary purposes."
>
> "It would be reckless to roll something out."
>
> Soon, it'll be up to you to decide.
>
> --
>
> Regards
> brd
>
> Bernard Robertson-Dunn
> Canberra Australia
> email: brd at iimetro.com.au
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link



-- 


Narelle
narellec at gmail.com