The Government has now solved all the issues with the app.
“Don’t you worry about that.” “We’re from the Government, we’re here to help you”
I haven’t. Need to install a Kotlin compiler first.
That is not strictly necessary, as I understand it. The app does want internet access every 2 hours but if it doesn’t get that then it keeps going with the existing id until it does get internet access.
So if you can live with that privacy implication (more tracking by parties other than the government - because the government can track you 24x7 with this app anyway) and you do at least go home each day and give the phone access to the internet via your home WiFi (or some other WiFi) then it should work OK.
So the phone never needs to connect to the mobile phone network and you should be able to get by with no SIM in the phone at all.
Unfortunately the government’s flawed registration process does apparently mean that you need a (valid, working) SIM during registration (contradicting my previous paragraph). I am unclear on whether you would need balance on your SIM to do registration but many pre-paid providers would require a small amount up front anyway.
That’s not what is being claimed. Maybe you were taking the ■■■■.
The headline says that the government has now solved all the privacy concerns with the app.
The article shows that even that is not true though - because the legislation is not actually passed.
Once the legislation is passed, then the remaining privacy concerns would be legitimate concerns that they don’t plan to address, or plan to address only if and when they migrate to the Apple-Google framework in some future version of the app.
It is comforting to me that the government is getting the best medical advice. I am not quite so sure that the Deputy CMO is the right expert to speak on issues of IT and privacy.
How many of our too many ministers speak about that which they know about? Knowledge or competence in their realm has rarely if ever been a pre-requisite; power and seniority always have been. The ministerial mouthpieces are those most able to politically spin, defend, deflect, and sell the agenda of the day. The Deputy CMO probably has a better grasp on IT and privacy than Malcolm Turnbull when he was Minister for Communications or George Brandis, AG, explaining meta-data and the legal implications thereof. The DCMO might not be the ‘right expert’ but still could be the best in government!
This can be two different devices and not necessarily the same device… not unless this has changed since I tested it on a non-SIM Android tablet using another smartphone (with an Australian number) to get the code for verification. This code can then be entered into the other non-SIM device.
It also appears that a WiFi connection would be needed as a minimum should one be COVID-19 positive and asked to upload data.
This negates the need for mobile internet access.
Yes, I wondered about that.
Even better then for @SueW.
First (?) vulnerability (CVE) formally reported. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=2020-12717
This was reported under the usual “responsible disclosure” regime i.e. report it to the “manufacturer”, keep it secret for a time, give them time to fix it, disclose when the problem has been fixed / the time limit expires.
Allegedly this problem has been fixed but the published source has not been updated (as of late yesterday) which does rather defeat the purpose of having public source. 
The person who reported it is apparently happy with the responsiveness of the Australian government - 8 days between “report” and “fix”. My opinion: could do better - but at least they were contactable and at least they did something.
Because of the way responsible disclosure works, the above CVE is a little vague about what the actual bug is (that is normal).
However it has been published elsewhere on the internet that the bug is that if you advertise a manufacturer id of length 1 then you will crash the app on all iPhones within reception range - and the app will keep on crashing even if the user restarts it as long as you are running your malicious code. So in a crowded public area this would be a somewhat effective denial-of-service attack.
This is not in the worst category of bugs - since there is no unintended information disclosure or other compromise of the target device - and since the phone itself does not crash.
With thanks to Randall Munroe:
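The post above describes the reported crash only in outline: a Bluetooth LE advertisement whose manufacturer-specific field is too short to hold the two-byte company identifier takes the app down. The following is an added illustration written for this page, not the COVIDSafe source and not a reproduction of CVE-2020-12717; it assumes the failure is an unchecked read of the 2-byte company ID from a 1-byte field (my reading of the thread, not confirmed by the page) and shows a minimal parser for the BLE advertising-data format with the fragile read beside a bounds-checked one. The sample advertisements are constructed here.

```python
"""Toy BLE advertising-data (AD structure) parser.

Illustrative code added to this page, not the COVIDSafe app's code. It shows
the class of bug the thread describes: trusting that a manufacturer-specific
field always holds a 2-byte company identifier. Company ID 0x004C is used only
because it is a well-known value for a constructed sample advert.
"""
import struct

AD_TYPE_FLAGS = 0x01
AD_TYPE_MANUFACTURER_SPECIFIC = 0xFF

# Constructed sample adverts (not captured traffic).
# Each AD structure is: length byte (covers type + data), type byte, data.
GOOD_ADVERT = (
    b"\x02\x01\x06"                  # Flags, 1 data byte
    + b"\x05\xff\x4c\x00\x01\x02"    # Manufacturer data: ID 0x004C + 2 bytes
)
MALFORMED_ADVERT = (
    b"\x02\x01\x06"                  # Flags
    + b"\x02\xff\x01"                # Manufacturer data carrying only 1 byte
)


def parse_ad_structures(payload: bytes):
    """Split a raw advertising payload into (ad_type, data) tuples.

    Length-byte and buffer-end checks keep the walk inside the payload; a zero
    length byte is treated as the early-termination padding the spec allows.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        ad_type = payload[i + 1]
        structures.append((ad_type, payload[i + 2:end]))
        i = end
    return structures


def company_id_unchecked(data: bytes) -> int:
    """Fragile pattern: assumes at least 2 bytes are present.

    On a 1-byte field struct raises here; in a native app the equivalent
    unchecked read is an out-of-bounds access, i.e. a crash.
    """
    return struct.unpack_from("<H", data, 0)[0]


def company_id_checked(data: bytes):
    """Hardened pattern: refuse any field shorter than the 2-byte company ID."""
    if len(data) < 2:
        return None
    return int.from_bytes(data[:2], "little")


def scan_company_ids(payload: bytes, checked: bool = True):
    """Return the company IDs of all manufacturer-specific fields in an advert."""
    ids = []
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER_SPECIFIC:
            continue
        cid = company_id_checked(data) if checked else company_id_unchecked(data)
        if cid is not None:
            ids.append(cid)
    return ids


def unchecked_parser_crashes(payload: bytes) -> bool:
    """True if the unchecked scan blows up on this advert (the DoS condition)."""
    try:
        scan_company_ids(payload, checked=False)
    except struct.error:
        return True
    return False


if __name__ == "__main__":
    print("good advert, checked:", scan_company_ids(GOOD_ADVERT))
    print("malformed advert, checked:", scan_company_ids(MALFORMED_ADVERT))
    print("malformed advert crashes unchecked parser:",
          unchecked_parser_crashes(MALFORMED_ADVERT))
```

The point of the checked variant is that a scanner listening to every phone in range has no control over what it receives, so every length field in an advertisement is attacker-controlled input and must be validated before it is used as an offset or size; the hardened scan simply skips the malformed field and keeps listening.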
Really interesting article in the Protonmail Blog.
Thanks for sharing Sue, that’s a very informative article
is obvious when stated clearly (as Postulative has done), and raises the questions:
with respect to 1. why are we still seeing bulletins “Did you fly on this plane?” when surely the airline has a passenger list (names, contact details).
For people using Go card, Oyster card etc on a particular train, bus, ferry at a particular time - if that is a “place + time frame” that needs contact tracing because someone infectious was there.
With everywhere doing cashless transactions to avoid handling notes & coins surely the retailers and financial institutions can provide details of who made a payment (and even who used a loyalty card) in a “place + time frame” that needs contact tracing because someone infectious was there.
Yes, there would be useful data, however could be significant privacy implications. While such information would be accessible to the organisations, the same organisations may not be able to share the information with health authorities/government as it would breach their privacy policies and potentially privacy legislation. There could be drawn out legal action by some affected parties should a voluntary release/share occur, to prevent its release.
Maybe the only way would be either to write legislation to compel an organisation to share such data (which would set privacy back decades and would possibly be subject to legal challenge) or through a court order (would a court be able to grant such orders for any data requested by the government?).
I can’t speak to their credentials on the IT front but privacy in public health departments is taken very seriously.
If anyone is worried about this app I hope they don’t use Facebook (aka WhatsApp, IG etc) or I guess Zoom for that matter!
Pretty sure no one swipes when they get off; what about the health workers that are likely just travelling for free (at least in my state in off-peak times retirees also don’t get charged afaik). There’s no way to tell how long they ultimately were on said vehicle. For trains (bendy buses) were they even in proximity?
Read in another forum that since the last update (1.2) backgrounding has been improved in iOS. No idea if it’s true.
The version on iOS is now only asking users to ensure the COVIDSafe app is active. There is no request to ensure it is open and on top.
privacy implications versus public health measures during a pandemic - that is what we are talking about when it comes down to tracking possible contacts of confirmed infection case
Okay to use an app but not okay to use a flight passenger list?
That’s an amazing response considering it went through the whole release and acceptance cycle, regression testing, limited release, full release hahahaha yeah I know … More likely two teams, one hacking together a quick fix with testing to the extent of ‘does it compile’ … the other team busy coming up with spin about how it wasn’t a serious issue … And that’s my optimistic view …
I think we would both punt on the same team being bigger and better paid
Bear in mind that this is someone telling them exactly which line of code is broken.
I think the 8 days would have been determined by a pre-existing release cycle i.e. bug not serious enough to warrant fixing out-of-cycle.
The published source code has now been updated for this vulnerability.
It seems the model that the government is adopting is that bugfixes are made, the updated app version is released and then some days later the published source code is updated. So the government isn’t really embracing what transparency means and isn’t really embracing what lack of trust means - but I would guess that you can hold off letting your phone update the app until such time as the new source is available.
If use of the app is voluntary - the decision being at the sole discretion of the phone owner/user - and the purpose of the app is exclusively contact tracing then that establishes at least two ways in which the app differs from a flight passenger list.
This is a massive can of worms but maybe better suited to a different topic.