[LINK] How will the coronavirus app work?

Bernard Robertson-Dunn brd at iimetro.com.au
Thu Apr 23 09:59:24 AEST 2020


How will the coronavirus app work?
https://www.smh.com.au/politics/federal/how-will-the-coronavirus-app-work-20200421-p54ltg.html

The federal government wants you to download an app. Critics say it's a
surefire way to get our personal data stolen. Proponents say it will
save lives. Here's the detail.
By Max Koslowski
April 22, 2020

The federal government wants you to download an app. The app – a tool
you will be able to download to your smartphone soon – would speed up
contact tracing for new coronavirus cases.

Contact tracing is one of the ways some governments, including ours, are
suppressing the spread of this virus. When someone falls ill, a special
team quickly gathers as much information as they can from the patient,
then calls up anyone who's had close contact with them while they were
infectious and tells those people to isolate themselves. The government
says contact tracing is a must-have in order for them to even consider
relaxing lockdown laws.

Hundreds of contact tracers are working in teams across Australia
already. The app, says the government, will offer an additional
automated version of this process by enabling your phone to identify
who's near you and preparing a record of who you've been near that's
ready to go in case you ever contract COVID-19. It would save time. It
might even save lives.

But in a new world of big data, experts have serious concerns about even
seemingly tiny bits of information being shared with the government. The
app may well mark the start of a fresh tension between civil liberties
and lifesaving not seen since policies made after the September 11
terrorist attacks in 2001.

So how would the coronavirus app work? Could the personal data it takes
be stolen or misused? Will the app actually save lives?

How does the app work?

All smartphones have Bluetooth. We use it to connect our phones to other
devices such as speakers, smartwatches and printers.

Bluetooth can also be used to communicate wirelessly with other phones –
and that's how the app will identify who you've been near. The phones
will communicate with each other as you do in a call-and-response game,
let's say, Marco, Polo. If you have downloaded the free app (by
selecting it in the app store on your phone), your phone will send
little signals every now and then – the "marco" – and if there's a phone
nearby where someone has downloaded the app, it will register a "polo"
in response.

If you later contract COVID-19, all the "polos", or responses, your
phone registered that belonged to phones that were within 1.5 metres of
you (which is the required proximity for social distancing) for at least
15 minutes will be sent off to a central government database.

The app is based on a similar piece of software out of Singapore, called
TraceTogether. Australia joins Germany and Denmark in looking to push
out a contact tracing app within the next couple of weeks.

Sounds good, so what's the problem?

This is where it gets a little trickier - and where some experts have
concerns over privacy. The government has said it's taking only a very
limited amount of personal data from app users: your name, mobile
number, postcode and an age range. And the government has stressed what
it's not taking: it won't actually ever keep track of where you are,
just who you're with.

To add an extra layer of security, they've made it so that when a phone
picks up another user near it, it isn't able to know any of that
information. How? By giving everyone an anonymous ID – so when your
phone says "marco", it doesn't actually know who is "poloing" back.

But for the app to work, the government needs to have a way to turn that
anonymous ID into a full name and number – they need to contact trace
somehow. Somewhere out there, there has to be a secret key that will
unlock a secret database that turns an anonymous ID into someone's
contact details. That's where privacy concerns come in.

So is your personal data at risk?

The most likely way your personal data could be misused or stolen is
through that secret database. Richard Buckland, a professor in cyber
security at UNSW, says that's where the real danger lies. "If you know
the secret keys – the passwords that the government uses to set this up
– you can work out what all the anonymous IDs would be. That's one
little secret you need to get a hold of a database where you can access
every 'polo' they're going to call out," he says.

The federal government has given some assurances - they won't have
access to this database, Prime Minister Scott Morrison revealed on April
21, and only state health officials tasked with contact tracing will be
able to see what's inside.

But there's still a lot we don't know. Earlier, the government said they
would release the source code of the app - the backroom details showing
how it is designed – but has now said it will keep parts of the code
secret. And we don't know how long the app will be used – perhaps right
up until a vaccine is distributed.

So how likely is it that the secret database could be hacked? It's
almost inevitable, Professor Buckland says. "I would assume the database
would be compromised," he says. "Everything can be hacked. The [United
States'] National Security Agency and Facebook are both far better
funded than we are – and they've both been breached."

Australian National University Cyber Institute chief executive Lesley
Seebeck says similarly: "If someone is determined to get in they will
get in – if a nation state wants to get in they will."

The government has limited the amount of data that can be hacked. Data
will only be sent to the secret database if someone tests positive for
coronavirus, and they consent to that data being shared. That means that
if someone successfully accessed the database, they wouldn't get a full
list of everyone you have interacted with since downloading the app –
but they would know what your anonymous ID is.

And the limited data could be hacked. "Secret services in other
countries could set up their own Bluetooth beacons," Professor Buckland
explains, "they could put a Bluetooth beacon outside all Canberra
brothels, for instance – and all of a sudden you've got the ability to
identify someone's phone because they're constantly emitting that
beeping Bluetooth 'marco' out of it."

And while the app doesn't strictly collect location data, Professor
Buckland says it wouldn't be hard to figure that out from the Bluetooth
pings. There are algorithms around that can figure out whether you're on
a crowded train, or a shopping centre, or your home, based on the
frequency of signals emitted. The data could be used to blackmail people
having affairs, or threaten journalists working on sensitive stories, or
go after high-level executives thinking of working for another company.

Professor Buckland makes another point about your personal data: we
don't know for sure how a government of the future will use this new
information.

He fears governments will take this app as permission to encroach on
civil liberties in the months and years ahead - in what is known in
academic circles as scope creep.

"With anti-terror legislation after [September 11], we started with one
or two acts ... now there's more than 50," he says.

Will the app save lives?

It's impossible to say at this stage. The app will help contact tracing
only if the people you have been in contact with also have it downloaded
on their phones – and we don't know how many people will download it.

The argument from Prime Minister Scott Morrison is that if enough people
take up the app – he wants 40 per cent of Australians using it – then
that will not only hasten the coronavirus contact tracing process but
give an additional safeguard needed to reopen parts of the country.
Deputy Chief Medical Officer Nick Coatsworth described the app not as
essential to health outcomes but as the "icing on the cake" for an
already "well-oiled" tracing regime.

There is no data publicly available that shows how effective this will
be, though. While some tech business leaders have been positive about
the app, others have reservations.

UNSW epidemiologist professor Mary-Louise McLaws, who sits on a World
Health Organisation panel that advises on the preparedness, readiness
and response to coronavirus, says, during the process of contact
tracing, memory can fail patients distressed with a virus diagnosis.

"People who are probably very upset, potentially sick and anxious, have
to now try to recall everyone who they had any contact with – that can
be difficult when it's trying circumstances," Professor McLaws says.

The epidemiologist says there could be more use in shortening the
timeframe for contact recording to five or 10 minutes, rather than 15.

Professor Seebeck from the ANU Cyber Institute fears it may even slow
down contact tracing teams. "What proportion of cases that we already
know of fit within the 1.5 metre, 15-minute window? We're already told
we shouldn't shake hands – we don't shake hands for 15 minutes," she
says. "And [coronavirus] lingers on surfaces – that's not going to be
captured by the app."

The Cyber Institute chief executive says the app could generate a lot of
false positives, putting extra work on contact tracing teams who now
have to chase up more people.

There's no way of knowing if the app saves lives – or, using Prime
Minister Morrison's language, saves livelihoods – until we see it in action.

Will Professor Buckland download the app?

"If the situation got really bad," he says, "and this made a big
difference, I wouldn't think twice."

"But I would want to make sure there was assurance this was a temporary
thing, that there wasn't scope creep, and that I could opt out at any time."

Will Professor Seebeck? No.

"Not until I have trust in the government. And they've got to work on
it. It's up to the more powerful partner in the relationship to give
trust, it's not for them to demand it."

What about the epidemiologist, though?

"I wouldn't recommend anyone download the app," Professor McLaws says.
"We need to have wider community consultation - and have it done rapidly
- about how long the data is held for and who holds it, and then is it
removed completely and not used for secondary purposes."

"It would be reckless to roll something out."

Soon, it'll be up to you to decide.

-- 

Regards
brd

Bernard Robertson-Dunn
Canberra Australia
email: brd at iimetro.com.au
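
Added example, not part of the original post or the article, and not the app's actual design: a constructed Python sketch of the arrangement the article describes, where phones exchange anonymous IDs and only the holder of a server-side secret key can turn an uploaded log into contact details. The HMAC derivation, the time-window field, and all names and sample data are assumptions; only the 1.5 metre and 15 minute thresholds come from the article.

```python
import hashlib
import hmac

MAX_DISTANCE_M = 1.5      # proximity threshold quoted in the article
MIN_DURATION_S = 15 * 60  # duration threshold quoted in the article

def temp_id(server_key: bytes, user_id: str, window: int) -> str:
    """Anonymous ID a phone broadcasts in one time window (assumed HMAC scheme)."""
    msg = f"{user_id}|{window}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()[:16]

def close_contacts(encounters):
    """Keep only encounters that meet both the distance and duration thresholds."""
    return [e for e in encounters
            if e["distance_m"] <= MAX_DISTANCE_M and e["duration_s"] >= MIN_DURATION_S]

def resolve(server_key: bytes, registry: dict, encounters: list) -> dict:
    """Map uploaded anonymous IDs back to registered details; needs the server key."""
    found = {}
    for e in close_contacts(encounters):
        for user_id, details in registry.items():
            candidate = temp_id(server_key, user_id, e["window"])
            if hmac.compare_digest(candidate, e["temp_id"]):
                found[user_id] = details
    return found

# Constructed sample data: key, users and encounter log are all made up.
SERVER_KEY = b"constructed-demo-key"
REGISTRY = {
    "u1": {"name": "Constructed User A", "postcode": "0000"},
    "u2": {"name": "Constructed User B", "postcode": "0000"},
    "u3": {"name": "Constructed User C", "postcode": "0000"},
}
# Log uploaded by u1 after a positive test: what u1's phone heard from others.
UPLOADED_LOG = [
    {"temp_id": temp_id(SERVER_KEY, "u2", 100), "window": 100, "distance_m": 1.0, "duration_s": 1200},
    {"temp_id": temp_id(SERVER_KEY, "u3", 100), "window": 100, "distance_m": 1.2, "duration_s": 300},
    {"temp_id": temp_id(SERVER_KEY, "u3", 101), "window": 101, "distance_m": 4.0, "duration_s": 2000},
]

if __name__ == "__main__":
    print("with key:   ", resolve(SERVER_KEY, REGISTRY, UPLOADED_LOG))
    print("without key:", resolve(b"not-the-key", REGISTRY, UPLOADED_LOG))
```

In this sketch the uploaded log is opaque without the key, so the privacy of every participant rests on how the key and registry are held, which is the concern Professor Buckland raises.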