Troy Hunt
Mon Apr 27 04:50:56 +0000 2020

I've just installed #covidsafe and want to capture my thoughts on the experience and the general principles behind the app here, especially as they relate to privacy and trust in the government. My last thread on this was 11 days ago and is still relevant:

The summary of that thread is that, in essence, I viewed the app as very low risk to privacy due to the intended design and, assuming it's effective in reducing the spread of COVID-19, it has significant potential upsides. I also suggested ways to maximise privacy and transparency.

I'll defer to health professionals on how effective the app is in managing the pandemic, but I will say this: we all have confirmation biases that draw us to people reinforcing our own views. If you don't like the app, you'll find professionals agreeing with you, and vice versa.

So let's install the app and firstly, as of just after 13:00 today, it's actually pretty highly rated at 4.4 stars from 5.9k reviews. Actually much better than a heap of apps I use!

Fired up, the app doesn't really tell us anything we don't already know, but there's a consent screen which is to be expected:

The only registration data collected is name, age range and postcode, followed by mobile phone number verification. This is all that's *explicitly* provided, so as far as "how much info does the gov have on me" goes, this is obviously nothing not already known (a tiny subset of it).

Next is the permissions requested and it's only Bluetooth and notifications. Some people have been concerned about location tracking - note that access to geolocation is *never* requested so #covidsafe will never be able to access it (this is controlled at the operating system).

And that's it - take your phone with you when you go out (so no change there!), keep the app open and don't disable Bluetooth. If you're requested by a health official, you can upload your info (inevitably if you test positive).

So that's the mechanics of it and it's dead simple. It does precisely what we were told it would but I didn't expect to learn any more from a surface glance. I'm much more interested in what's happening under the covers and this thread is awesome for that:

I'd still like to see it open-sourced so those willing are able to review it and because it sends a strong message about transparency. Apparently, it will be: "The PIA and source code will be released subject to consultation with the ASD’s ACSC"

So only basic personal info that's already known at registration, contact tracing sandboxed from other apps, no device info exchanged with other users, data only uploaded when the user elects to share it (encrypted before transmission) and the 21-day data retention implemented.

If the data ever *is* uploaded (because you test positive), what is now known? The identifiers of other devices you've interacted with which is precisely what a health professional would sit down and go through with you anyway, app or no app, except with more reliable data.

How would I personally feel if that was me? Frankly, I'd be bloody scared about the impact of the virus on my health and that of the people I've interacted with. *That's* what I'd be thinking about, not about whether there was any impact on my own privacy.

So far, Aussies are embracing #covidsafe far in excess of expectations: "We got the first million within five hours. We had been hoping, our best hope, was we might get to 1 million in five days."

The negativity I'm seeing is almost entirely based on unsubstantiated speculation and a general distrust of government as opposed to any tangible, impactful evidence. As @mcannonbrookes said, "turn the angry mob mode off"

If your position is "I don't trust gov because of [reasons]", then don't trust the gov, trust those like @matthewrdev in the tweet above who are tearing the thing apart and independently verifying what it does. Trust him and people like @GeoffreyHuntley

By any reasonable measure, #covidsafe is itself, "safe". Still, that won't stop people chiming in on this thread - on one of the world's largest social media platforms funded by profiling your usage of it and targeting ads at you - from saying it'll erode their privacy. It won't.

