COVIDSafe was sold as Australia’s ticket out of lockdown. But almost three months since its late April launch, its impact remains unclear. Victoria has accessed data from the coronavirus app almost 400 times. Yet health authorities have not identified any potential COVID-19 exposure that manual contact tracing missed.
In New South Wales, officials extracted app data 23 times. In one case, they contacted a person whose details were unavailable during manual tracing.
COVIDSafe’s ability to reliably transmit and collect encrypted Bluetooth codes from other apps remains under scrutiny.
Meanwhile, another option has emerged.
In May, Google and Apple launched an exposure notification API built into their devices’ operating systems. This framework allows health authorities to create apps with fewer bugs and workarounds.
Germany, Ireland, and other European nations have already launched COVID-19 exposure notification apps using the Google-Apple system.
Centralised vs. Decentralised Models
COVIDSafe and Google-Apple-based apps both use Bluetooth to log random codes from nearby devices.
Ireland’s COVID Tracker app and Germany’s Corona-Warn-App take a different approach to the next step. If someone tests positive, they can choose to share their recent random codes with the exposure notification system. Each app then checks its stored codes against those flagged as infected. If there’s a match, the user receives a warning and can decide to contact a doctor.
This process runs entirely on the user’s device.
COVIDSafe works differently. When someone tests positive, health authorities may ask them to upload their data to a central database. Local health teams then sort codes into close contacts (within 1.5 metres for 15 minutes or more) to track possible exposures.
Ireland and Germany’s apps function mainly as warning systems and provide far less data to authorities.
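The two data flows described above, as a simplified model. This is an added example, not code from COVIDSafe, the Google-Apple API, or any of the apps named; the class and function names, the per-encounter codes, and the sample encounters are constructed for illustration. It shows what each model reveals to the health authority after one user tests positive.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Phone:
    owner: str
    sent: list = field(default_factory=list)   # random codes this phone broadcast
    heard: list = field(default_factory=list)  # (code, metres, minutes) logged nearby

    def broadcast(self):
        code = secrets.token_hex(8)            # fresh random code per encounter
        self.sent.append(code)
        return code

def meet(a, b, metres, minutes):
    """Two phones in Bluetooth range log each other's random code."""
    b.heard.append((a.broadcast(), metres, minutes))
    a.heard.append((b.broadcast(), metres, minutes))

def decentralised_check(phone, flagged):
    """On the handset: plain match against flagged codes (no risk scoring modelled)."""
    return any(code in flagged for code, _, _ in phone.heard)

def centralised_trace(uploaded, registry):
    """At the health authority: resolve codes to people, keep close contacts only."""
    return sorted({registry[c] for c, metres, minutes in uploaded
                   if metres <= 1.5 and minutes >= 15})

def simulate():
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    meet(alice, bob, 1.0, 20)    # close contact
    meet(alice, carol, 4.0, 5)   # brief, distant
    meet(bob, dave, 1.0, 30)     # dave never met alice
    others = (bob, carol, dave)
    # Alice tests positive.
    # Decentralised: she opts to share her own codes; the server learns only these.
    flagged = set(alice.sent)
    warned = sorted(p.owner for p in others if decentralised_check(p, flagged))
    # Centralised: she uploads what she heard; the server maps codes to sign-ups
    # (assumed registry, reflecting that COVIDSafe collects details at signup).
    registry = {c: p.owner for p in (alice, *others) for c in p.sent}
    close = centralised_trace(alice.heard, registry)
    return {"warned_on_device": warned, "server_sees": flagged, "close_contacts": close}

if __name__ == "__main__":
    print(simulate())
```

In the decentralised flow the server holds only random codes and never learns who was warned; in the centralised flow it ends up with the identities of the positive user's close contacts.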
Security expert Vanessa Teague, CEO of Thinking Cybersecurity, believes Australia should adopt the Google-Apple API.
“It has a huge privacy advantage,” she said.
While direct comparisons are lacking, she suggested apps built with the Google-Apple framework likely perform better. This is because Bluetooth detection is built into the devices’ operating systems.
“By ‘work,’ I mean that when two people are near each other, the likelihood of exchanging the required pings is probably much higher,” she explained.
Are Google-Apple Apps Successful?
Germany launched its app in mid-June. By July 23, the Corona-Warn-App had 16.2 million downloads in a country of 80 million.
Ireland’s Health Service reported 1.4 million downloads of its app since July 7. Ninety-one users received exposure alerts.
Australia’s COVIDSafe has been downloaded more than six million times. However, there is little public data on how much it contributes to pandemic control.
Germany faced similar transparency issues. By July 20, 660 people who tested positive had the chance to warn others via the app. Robert Koch Institute President Professor Lothar H. Wieler admitted they could not confirm how many were warned due to the app’s decentralised design.
Stephen Farrell, a computer security researcher at Trinity College Dublin, raised doubts about Bluetooth’s accuracy in gauging distance.
“It faces the same challenges in reliably detecting proximity,” he said. “Phones in pockets, handbags, different positions … walking, cycling.”
Farrell argued that measuring the real impact of these apps will be difficult.
“We need to know how many cases the app caught that manual tracing missed,” he said. “And of those, how many were false or true positives? I suspect we’ll never know.”
Privacy Concerns
COVIDSafe’s centralised data model has raised privacy concerns since its launch.
Europe faces similar issues. Experts worry that Google-Apple-based apps could enable location tracking on Android devices. Bluetooth’s link to location permissions on Android fuels this fear, as some apps unrelated to contact tracing use Bluetooth beacons to track users in places like shopping centres.
Teague explained, “If you refuse to let Google track your location, you can’t use Bluetooth scanning.”
COVIDSafe and Google-Apple apps both request location permission on Android, though they insist they don’t log location data.
Google stated, “We do not collect user information, location data, or details about other nearby devices.”
Professor Alexandra Dmitrienko, head of Secure Software Systems Research at the University of Würzburg, still criticised the requirement.
“Users who avoid location services are forced to choose: enable them or lose access to their public health app,” she said.
She also warned about the growing power of Google and Apple in public health.
“As a security and privacy expert, I see that we are handing too much control to two American companies,” she said.
Could Australia Switch?
To adopt the Google-Apple API, COVIDSafe would need a fundamental redesign. The API limits governments to requesting, not requiring, personal details like phone numbers. COVIDSafe demands these details at signup. Ireland’s app, by contrast, only asks for optional metrics.
Minister for Government Services Stuart Robert said the government remains open to improvements.
“We will continue working with Google and Apple to see if they can remove barriers to a sovereign app that keeps health professionals central,” he said.
For now, no app seems to be the pandemic “silver bullet” many hoped for.
Professor Dmitrienko believes it’s still too early to judge.
“[The] general opinion is that this technique cannot really replace the manual contact tracing, but it can be complementary,” she said.
But then, there’s the price tag.
By some estimates, COVIDSafe has cost around $2.75 million in contractors’ fees.
The Irish app cost €850,000 ($1.4 million).
Article courtesy: www.abc.net.au