DTA releases COVIDSafe encryption details

Denham Sadler
National Affairs Editor

The Digital Transformation Agency has finally released details of the encryption process behind its COVIDSafe contact tracing app, but no further information on the server used to store the sensitive information.

The development of COVIDSafe has been managed by the Digital Transformation Agency (DTA), with the source code of the digital contact tracing app released publicly in May.

The agency has now publicly released the app’s cryptography specifications.

The 28-page document details how it interacts with other users who have COVIDSafe on their phone, and how this data is kept encrypted on the device before being sent to the national database and distributed to the relevant state or territory health authority.

contact tracing
Padlock: COVIDSafe encryption details revealed, but nothing on the storage systems

COVIDSafe performs “digital handshakes” with other devices running the app, with a random unique identifier sent between the phones. This identifier is now changed every 7.5 minutes, the specifications outlined, rather than every two hours when COVIDSafe was launched in April.

This change is a “significant improvement to the privacy of users”, the DTA said, and reduces the time COVIDSafe sends the same unique identifier to other users by up to 93 per cent.

“This encryption is like a padlock: anyone can use an open padlock to lock up a box of valuables, but only the trusted person with the key will be able to open it and access what’s inside,” the DTA said.

The document doesn’t however detail the security of the underlying platforms or protocols surrounding COVIDSafe, such as the AWS database used to store the data of users who have contracted COVID-19. The DTA referred interested readers to the “official vendor documentation” for more information on how those systems operate.

This means that the new specifications don’t tell us anything new, cryptography expert and Thinking Cybersecurity chief executive Professor Vanessa Teague said.

“It’s better than nothing, and better late than never, but it doesn’t tell us anything we didn’t already know. In particular, it still doesn’t give us any detail about what happens on the server side, so if there are bugs or security problems there, there’s no chance for the tech community to get them fixed,” Professor Teague told InnovationAus.

“It does confirm that decryption is done on the Amazon server – not at the state contact tracers’ end as we might have hoped. So any protection against federal authorities or Amazon accessing the contact data is purely procedural, they have the keys to decrypt it.”

The authentication of health workers to give them access to COVIDSafe data is handled by AWS’s identity management system Cognito. Following the completion of two-factor authentication by the health worker, the Cognito system issues a JWS credential, which is stored by the browser as a cookie.

In the document, the DTA said it could have utilised full ECIES encryption for each encounter between users to “assure anonymity”, meaning every encounter would involve a unique identifier, but this would have come with a number of downsides.

“Asymmetric cryptography is computationally expensive by design. Testing conducted by the Australian government indicates full ECIES or device-to-device handshakes would significantly reduce battery life, impact performance and push them limits placed on background services by Android and iOS, potentially resulting in encounters being dropped or users choosing to use COVIDSafe,” the DTA said.

COVIDSafe has again been in the spotlight this week after Prime Minister Scott Morrison called on the Victorian government to improve its contact tracing efforts.

This led to a number of federal Labor members pointing to the apparent failures of the federal government’s COVIDSafe, which is yet to identify a new close contact in Victoria.

Do you know more? Contact James Riley via Email.

1 Comment
  1. Chris Drake 4 years ago

    77% of Australians rejected the COVIDSafe privacy nightmare (only 23% were bold enough to let the government track their every move.)

    If the App had been designed NOT to share our whereabouts, but to simply record locally WITHOUT SHARING this data, there would have been zero possible privacy issues, vastly improved uptake, and a significantly more useful and trusted app.

    My phone is more than capable of telling me that I was near an infection point after my phone is told all the infection points – there is no need to share my data with anyone for that.

    When will the government learn that “asking nicely” and behaving respectfully is how you earn trust and achieve co-operation. They lost 77% of their audience by behaving like a bully and treating our privacy with no respect – all of which was technically unnecessary.

Leave a Comment

Related stories