The Digital Transformation Agency has finally released details of the encryption process behind its COVIDSafe contact tracing app, but no further information on the server used to store the sensitive information.
The development of COVIDSafe has been managed by the Digital Transformation Agency (DTA), with the source code of the digital contact tracing app released publicly in May.
The agency has now publicly released the app’s cryptography specifications.
The 28-page document details how it interacts with other users who have COVIDSafe on their phone, and how this data is kept encrypted on the device before being sent to the national database and distributed to the relevant state or territory health authority.
COVIDSafe performs “digital handshakes” with other devices running the app, exchanging a random unique identifier between the phones. According to the specifications, this identifier is now changed every 7.5 minutes, rather than every two hours as it was when COVIDSafe launched in April.
This change is a “significant improvement to the privacy of users”, the DTA said, and reduces the time COVIDSafe sends the same unique identifier to other users by up to 93 per cent.
“This encryption is like a padlock: anyone can use an open padlock to lock up a box of valuables, but only the trusted person with the key will be able to open it and access what’s inside,” the DTA said.
The document does not, however, detail the security of the underlying platforms or protocols surrounding COVIDSafe, such as the AWS database used to store the data of users who have contracted COVID-19. The DTA referred interested readers to the “official vendor documentation” for more information on how those systems operate.
This means that the new specifications don’t tell us anything new, cryptography expert and Thinking Cybersecurity chief executive Professor Vanessa Teague said.
“It’s better than nothing, and better late than never, but it doesn’t tell us anything we didn’t already know. In particular, it still doesn’t give us any detail about what happens on the server side, so if there are bugs or security problems there, there’s no chance for the tech community to get them fixed,” Professor Teague told InnovationAus.
“It does confirm that decryption is done on the Amazon server – not at the state contact tracers’ end as we might have hoped. So any protection against federal authorities or Amazon accessing the contact data is purely procedural, they have the keys to decrypt it.”
Authentication of the health workers who are given access to COVIDSafe data is handled by AWS’s identity management service, Cognito. After the health worker completes two-factor authentication, Cognito issues a JSON Web Signature (JWS) credential, which the browser stores as a cookie.
In the document, the DTA said it could have used full ECIES (Elliptic Curve Integrated Encryption Scheme) encryption for each encounter between users to “assure anonymity”, meaning every encounter would involve a unique identifier, but this would have come with a number of downsides.
“Asymmetric cryptography is computationally expensive by design. Testing conducted by the Australian government indicates full ECIES or device-to-device handshakes would significantly reduce battery life, impact performance and push the limits placed on background services by Android and iOS, potentially resulting in encounters being dropped or users choosing to use COVIDSafe,” the DTA said.
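The “padlock” model described above, and the point Professor Teague makes about the decryption keys sitting on the server, can be seen concretely in an ECIES-style construction: the phone encrypts an encounter record to the server’s public key, and only the holder of the matching private key can open it. The Go program below is an added illustration written for this article; it is not COVIDSafe’s code and does not reproduce the scheme in the DTA’s specification. It assumes X25519 key agreement, a simple SHA-256 key derivation (a stand-in for the KDF a real ECIES deployment would use) and AES-256-GCM, and the “encounter record” payload is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Wire layout of an encrypted record (assumed for this example):
//   ephemeral public key (32 bytes) || GCM nonce (12 bytes) || ciphertext+tag
const (
	ephPubLen = 32
	nonceLen  = 12
)

// GenerateServerKey creates the long-term "padlock" key pair. The public half
// is shipped to every phone; the private half lives only on the server.
func GenerateServerKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey is a deliberately simple KDF (assumption for this example):
// SHA-256 over the shared secret and both public keys binds the AES key to
// this particular exchange. A production ECIES profile would use HKDF or similar.
func deriveKey(shared, ephPub, serverPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(serverPub)
	return h.Sum(nil) // 32 bytes -> AES-256
}

// Encrypt is what the phone does: a fresh ephemeral key per record, ECDH with
// the server's public key, then authenticated encryption of the payload.
func Encrypt(serverPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	ephPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := ephPriv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	ephPub := ephPriv.PublicKey().Bytes()
	block, err := aes.NewCipher(deriveKey(shared, ephPub, serverPub.Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The ephemeral public key is bound in as associated data so it cannot be swapped.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return append(append(ephPub, nonce...), ct...), nil
}

// Decrypt is what only the server can do: recompute the shared secret with its
// private key and verify the GCM tag. A wrong key or a modified byte fails.
func Decrypt(serverPriv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < ephPubLen+nonceLen {
		return nil, errors.New("record too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:ephPubLen])
	if err != nil {
		return nil, err
	}
	shared, err := serverPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared, msg[:ephPubLen], serverPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := msg[ephPubLen : ephPubLen+nonceLen]
	return gcm.Open(nil, nonce, msg[ephPubLen+nonceLen:], msg[:ephPubLen])
}

func main() {
	serverPriv, _ := GenerateServerKey()
	record := []byte("constructed sample: tempID=ab12 rssi=-70 t=1590000000") // constructed sample data
	sealed, _ := Encrypt(serverPriv.PublicKey(), record)
	opened, err := Decrypt(serverPriv, sealed)
	fmt.Printf("server decrypts: %q (err=%v)\n", opened, err)
	otherPriv, _ := GenerateServerKey()
	_, err = Decrypt(otherPriv, sealed)
	fmt.Printf("other key fails: %v\n", err != nil)
}
```

The takeaway matches the article: anyone with the public key can lock a record, but the party holding `serverPriv` decides who reads it, so the protection is only as strong as the custody of that private key.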
COVIDSafe has again been in the spotlight this week after Prime Minister Scott Morrison called on the Victorian government to improve its contact tracing efforts.
This led to a number of federal Labor members pointing to the apparent failures of the federal government’s COVIDSafe, which is yet to identify a new close contact in Victoria.