COVIDSafe overhaul fails to stem criticism


Denham Sadler
Senior Reporter

The government’s decision to completely overhaul the protocol underpinning COVIDSafe in an effort to improve functionality of the contact tracing app has done little to stem the ongoing calls from local tech experts for it to adopt the model offered by Google and Apple instead.

Government Services Minister Stuart Robert and Health Minister Greg Hunt announced on Monday that the government would adopt the new Herald bluetooth protocol, developed by VMware’s open source project.

According to the government, this new protocol would improve the functionality of COVIDSafe, particularly between locked iPhones, leading to “unparalleled app-level Bluetooth performance”.

The government has now released the code for the COVIDSafe update with the Herald protocol and will soon roll out the update.

COVIDSafe uses a smartphone’s bluetooth to record close contacts between users. If a user later tests positive for COVID-19, they can give permission for their contact record to be sent to the central server, operated by the government on AWS servers, where they are filtered and then passed on to state and territory health authorities.

The app has been criticised for performance issues on Apple devices particularly, a lack of transparency around how the server operates and for the government declining to adopt the framework for digital contact tracing offered by Apple and Google.

COVIDSafe is still yet to pick up a new close contact anywhere in Australia except for New South Wales, where it has detected 17 close contacts. Despite being touted by the government as akin to putting on “sunscreen”, the app has largely faded from the spotlight in recent months.

More than seven million Australians have downloaded COVIDSafe, but the government has continually declined to reveal how many active users of the app there are.

COVIDSafe was developed by the Digital Transformation Agency (DTA), with the help of a number of contractors, including Boston Consulting Group and Shine Solutions, who have now been paid nearly $10 million for work on the app.

One of these contractors, Canberra tech firm Delv, recently received a $3.7 million pay rise, which could be explained by the upcoming Herald update.

Despite claiming upon the launch of COVIDSafe in April that the app was working effectively across all devices, whether locked or unlocked, testing data released under a Freedom of Information request revealed that performance between two locked iPhones was rated as “poor”, meaning that only 25 per cent or less of contacts between users were accurately recorded.

The most recent testing, before Herald has been implemented, recorded “moderate” success between locked iPhones, with 25 to 50 per cent of contacts effectively recorded.

According to new testing released by the DTA based on the new bluetooth protocol, all settings and device types reached an “excellent” rating, with a more than 80 per cent success rate.

The developers of Herald have acknowledged the ongoing issue of bluetooth use in the background on Apple devices and outlined a number of “workarounds” they have employed to fix it. These include using nearby Android devices as “calling cards”, with these users acting as “notice boards” and exchanging their close contacts with nearby iPhone users.

The DTA said users just need to have COVIDSafe running, either in the background or foreground, on an unlocked or locked device, for it to work effectively now, but did not say whether its testing data is based on the “calling cards” method used by Herald.

“Using the new protocol, the COVIDSafe app will only need to be running, either in the background or the foreground. It does not need to be open in the foreground or the phone to be unlocked to work. Herald implements a number of improvements that together provide better Bluetooth communication between handsets and better contact detection,” a DTA spokesperson told InnovationAus.

But the local developer community, which has been scrutinising COVIDSafe since it was launched, is unconvinced that the change will fix any of the issues the app is facing, and continues to push for the framework provided by Google and Apple to be adopted instead, which overcomes the bluetooth issues entirely and has been used around the world.

Thinking Cybersecurity chief executive Professor Vanessa Teague said it appeared the DTA had already overcome COVIDSafe’s performance issues on iPhones, and the update is more like tinkering at the edges.

“This new framework looks like a bunch of really good people probably doing a good job of the app-to-app bluetooth connection. But it’s not clear to me this is the problem we still have. I can’t see that it’s going to make it any worse, but it’s not clear to me that it solves a problem we have,” Professor Teague told InnovationAus.

“I really don’t see a good reason for adopting a new thing that is the minimum change model, that changes very little about the architecture or structure of COVIDSafe in the hope the tail works better.

“The obvious thing to try is the decentralised model that many other countries have been using successfully for months. The obvious alternative is still the Google-Apple API, which is tried and tested, and has been running for months in many other countries.”

It’s hard to tell what if anything is going wrong with the current version of COVIDSafe as the government has opted to not publicly release the source code for the server, which is responsible for sifting through the contacts between users and passing the relevant ones onto state and territory health authorities, Professor Teague said.

“We don’t know if something is going badly wrong on the server side because we can’t see the server side,” she said.

“What we really need to understand is what, if anything, is still going wrong on the server side and whether the Herald way of doing things is going to fix that. But we still don’t have the server code, so we can’t tell what’s going wrong or whether this new thing will help fix it,” she said.

“We have to see the server code and I’m still very unconvinced that there’s a good reason not to switch to the Google-Apple model.”

A spokesperson for Mr Robert has confirmed that the government will not be adopting the Google and Apple option.

“The Apple / Google platform puts health information in the hands of the IT companies, and would not be covered by the current privacy legislation – which received bipartisan support. It also does not allow the source of an infection to be traced which is a major factor in stopping the spread of the virus,” the spokesperson said.

The DTA has released the source code for the new COVIDSafe with the Herald protocol, which will soon be rolled out to the Apple and Android app stores.

But software developer Jim Mussared said the code that has been released is an “absolute mess”.

“It’s almost cliche for programmers to say that about other people’s code, but this is a disaster. It’s definitely not ‘ready for inspection’ quality,” Mr Mussared told InnovationAus.

It appears that the new version will not alter how the COVIDSafe server currently operates, he said.

“That is really concerning because the issues with the previous system were largely due to the app team and the server team understanding the system differently, the server is not open for inspection and the centralised system creates a huge bottleneck for tracing,” Mr Mussared said.

“This doesn’t address any of the tech community’s concerns about the server-side implementation. It’s just a better implementation of exactly what COVIDSafe already does for the BLE protocol. But we still have no idea how the actual contact tracing and data collection and, most importantly, filtering works.”

The DTA has said it has released the code before the update is rolled out in order for the tech community to give feedback on the changes.

“We are engaging as early as possible with the technology community to seek your valuable feedback on the code. We are still testing the pre-release code so in some cases it includes logging code that will be removed prior to launch,” a DTA spokesperson said.

But Mr Mussared said the government is still not consulting properly with the tech community on COVIDSafe.

“This is not engaging with the tech community. There’s still no way for the tech community to test this app locally. The licence is still unwelcoming and restrictive. They’ve made no effort to make the code easy for inspection,” he said.

The government also confirmed on Monday that a new advertising campaign focusing on the upcoming Christmas period will include a focus on installing and running COVIDSafe.

“The government is reinforcing the message not to be complacent in regards to the risks of spreading COVID-19 and how to stay safe, including having the app on your phone,” the DTA spokesperson said.
