COVIDSafe app scepticism

The digital rights watch have their own perspective on QR codes:

If one was concerned about the risks associated with the COVIDSafe App, privacy and security of QR codes leave the app for dead (for the wrong reasons).

To sum up, our options are:

• a Federal Government app that doesn’t work at all well, but is partially open-sourced;
• a multitude of private sector QR codes and;
• QR code functionality that’s added to various closed-source State government apps.

The NSW government implementation is now compulsory in that State. I’ve noticed that, when I inadvertently scanned an old private-sector QR code, the app just said that it’s invalid. Presumably, the app will detect a code that’s been tampered with (or “hacked”). I’d say that the government apps are less of a concern.

As far as I can tell, this QR code represents the literal text “to open email app” - and will not work on my phone (not do what we were intending it to do anyway) - and I would hope it would not work on any phone.

But thanks for searching.

You are however mixing in two different things.

1. What the QR code represents?
2. What is processing the QR code?

Looking at the second item, the QR code can be processed by

a) a web browser, or
b) an app

A web browser is in some ways safer - because an app can be doing absolutely anything on your phone - and a web browser is more flexible (will work on any platform that has a working web browser, and in theory doesn’t even need a camera).

Looking at the first item, the QR code can represent

a) a URL on a third party web site
b) a URL on a government web site
c) text that is formatted specifically for use by an app that knows how to process it

The third case is unlikely to be in use much if at all because too many people won’t have the app installed, if there is more than one such app then they are likely to be mutually incompatible, …

In all cases (in the context of this discussion) the QR code represents an identification of the premises (whether by name, code/number, street address, GPS coordinates, …).

If the QR code is a URL then the id of the premises would usually be hiding in the URL query string (the part after the question mark). If an app has to process such a URL then it will presumably discard the hostname (or at least validate it) and extract the useful information from the query string.

When your web browser or the app submits the id of the premises, it will send along with it your name and phone number (potentially pre-entered and stored if using an app, so more convenient, so a classic security-convenience tradeoff) and the time and date at which submission is occurring is also recorded.

That is indeed what my QR code scanner says is in the image.
What is does with the content depends on what you set to happen. My scanner has lots of settings depending on what it sees the content as. A URL, an email address, a text string, phone number, contact name. It can automatically take a default action after scanning, or ask me, or do nothing and just display the decoded contents.

(On my phone there’s no choice but) for that QR code it offered to use a search engine to search the web for that text, which for contact tracing is completely useless.

I have my doubts that “automatic” is ever a good idea - pretty much as explained by the DRW blog item linked above.

As I said:

Different strokes for different States.

I guess we’ll just have to agree to disagree on that. Though I suppose an evil government app could be calling in the black helicopters.

It’s just sad that the Federal government dropped the ball.

I don’t think that using the NSW government app is compulsory. Using electronic check-in is what is compulsory. https://www.nsw.gov.au/covid-19/being-covid-safe/check-in

If you don’t have the app, you’ll be given the option to install the app, or to check in using an online form.

They do make it appear that the app is compulsory. It is hard to see that there is an option besides installing the app but if you keep scrolling around, you will find the option for a conventional web form to fill in and submit.

Checking in and leaving your contact details using an electronic system is now mandatory at some types of businesses and events in NSW.

Electronic systems include things like QR codes, but if you don’t have a smartphone the business should also be able to take your details another way, such as recording them on a computer or tablet device.

A business might in theory say that they are uninterested in anyone except those that have the app installed and use it to check in - but that is the choice of the business. It is not being mandated by the NSW government.

It is doubtful that a business will care whether you use the government app (on a NSW government QR code) or you use your web browser (on a NSW government QR code). The end result is very similar - except that the latter avoids running mystery, unaudited government code on your phone. The end result for your name, phone number and location at a specified time being stored in the government’s database is the same.

Either way, it is a surveillance state that needs to end as soon as possible.

Both the ABC and IT News have reported directly. The ABC has said,

image1536×499 168 KB

While IT News has a similar understanding.

“Customer Service Minister Victor Dominello on Wednesday said that select businesses that had not introduced any system for digital registration by this date would face a penalty.

In situations where customers don’t have a smartphone or there is an outage, businesses will be able to manually record contact details and the time of entry on a device using Excel, for example.”

There may be a discrepancy between a quoted spoke saying “businesses are required to provide alternatives” and the web site (text quoted above) which says “business should also be able to take your details another way” (my emphasis in both cases)

Is it a “must” or a “should”? Might need to find the actual text of some Health Order.

The IT News quote is likewise not clarifying what is mandatory (“will be able”), while also muddying the waters talking about a fallback situation when there’s an outage.

I think the bottom line is: business must record in electronic form (NSW Health doesn’t want reams of paper to work with in the event that contact tracing becomes necessary for that venue, and NSW Health doesn’t want shared surfaces like pens and papers to be vectors of transmission) - the business is free to choose what electronic form.

The few venues where I have paid attention … if you don’t have your own device, the venue is providing a device (accessing the same web site that you would) and you verbally provide your details and a staff member enters your details.

Which is a perfectly adequate solution. Also my experience of several in Qld.

IT News were quoting the responsible NSW Minister for Services. Politicians are what they are.

From the current directions of the Minister:

Screenshot 2021-01-15 000952812×1136 253 KB

Screenshot 2021-01-15 000926799×587 120 KB

It says the person supplying the details may provide the details directly to the occupier of the premises AND the occupier of the premises is to electronically register the details within 12 hours.

The compulsion/mandate is for the occupier to record the details.

Nov 2020 info but may have been missed with all the outbreaks and other news.

ASIO have been capturing COVID App data “incidentally” and the Inspector General advises that they don’t believe the data has been used, decrypted etc but they are going to check later.

"Summary of findings to date
Based on the work described above the acting Inspector-General is satisfied that the intelligence agencies within IGIS jurisdiction which have the capability to incidentally collect a least some types of COVID app data:

-Are aware of their responsibilities under Part VIIIA of the Privacy Act and are taking active steps to minimise the risk that they may collect COVID app data.

-Have appropriate policies and procedures in place to respond to any incidental collection of COVID app data that they become aware of.

-Are taking steps to ensure any COVID app data is not accessed, used or disclosed.

-Are taking steps to ensure any COVID app data is deleted as soon as practicable.

-Have not decrypted any COVID app data.

-Are applying the usual security measures in place in intelligence agencies such that a ‘spill’ of any data, including COVID app data, is unlikely."

In the report pdf linked above you can read how all this was checked and overseen from April 2020 but in the response “Next Steps” part of the report it then says they will incorporate checking in future to ensure compliance which largely puts a lie to the April onward “we’ve been checking” stance. They also say no one has made complaints…I wouldn’t whistleblow if I had info because the way the Federal Govt treats whistleblowers you would end up in Jail and prosecuted in Secret Courts (in that order).

Only in “unexpected circumstances”. It is arguable that such circumstances can’t be the norm, and nor could they be simply the choice of the occupier or the person. This is intended to cover the situation that you have a working electronic system but something breaks and it temporarily ceases to work.

My reading of it is completely different.

Limiting the discussion to a hospitality venue, which may be the most common situation and certainly what I was thinking of:

The legal obligation is on the person.

The person must, in normal circumstances, report the details directly to Service NSW. We just officially became a surveillance state.

Note subclause (2). It does not obligate the occupier to record anything but instead obligates the occupier to obligate the person to provide details.

There is no obligation at the current time to use the Service NSW app - but see later.

There is no obligation on the occupier to provide any alternatives if, for example, the person does not have a suitable device. The obligation remains on the person to report details to Service NSW. If you choose not to do that then it is noone else’s problem but your own - except that the occupier must then deny you entry (and with the previously noted exception in the event of “unexpected circumstances”).

The NSW government could force everyone to use the Service NSW app simply by withdrawing the option to use the web i.e. the “webform” option.

I would like to correct the above. While it is not in general incorrect, in the specific case of Service NSW check-in URLs, the id of the premises is hiding in the URL fragment id (the part after the hash sign).

Probably not that big a deal because there is basically no reason to run the COVIDSafe app. Just deinstall it. Problem solved.

Perhaps more of a concern is: We don’t even know what data we are talking about. What is the data that is stored encrypted on the user’s phone with barely legal consent? Is any data stored unencrypted? Who can decrypt the encrypted data? The user? The Health Department? ASIO? AFP? other police forces?

In any legitimate investigation the authorities would be able to get most if not all of the PII that is uploaded as part of registration (e.g. name, age, postal code and phone number), I would suppose.

It is the contact information that might be of interest i.e. did terrorism suspect A come into contact with terrorism suspect B? (where “contact” is as defined by Bluetooth communication, with all the limitations therein)

More interesting would be the same report in respect of the Service NSW app / web site (and equivalent apps / web sites for other states).

In Tasmania the event organisers or business is legally obliged to collect COVID contact tracing information…

If a patron/guest/customer refuses to provide such information, the business/event organisers have the right to refuse entry/deny service.

No problem there for me. The app would not install in the first place on my phone(s), and the same for any member of my family that had phones and tried it.
Of course, maybe we are just backward hillbillies who fail to buy new phones every two years.

We took our grandkids to Cape Tribulation in FNQ when they stayed with us for the school holidays last year.

Not included in the Tripadvisor review I did regarding our “experience” was the COVIDSAFE “precautions” where we had “lunch”.

At the counter was a container with assorted pens and a visitor sheet that virtually nobody had filled in.

The persons there were reminiscent of the ones we had in FNQ back in the hippy area around 1970.

In case anyone is interested, I have posted the link to the Tripadvisor review I posted.

Whilst I had not looked at it since, I see that they actually replied, promising to do better?

I suspect that this was always inevitable.

There is no indication of where the fakes directed anyone unfortunate enough to scan them, but as QR codes are inherently untrustworthy I suggest not even trying.