The researchers behind a new report used by the federal government to tout COVIDSafe as “the most secure” contact tracing app in the world say that a decentralised model would be better for both privacy and security.
Despite the report being used to claim COVIDSafe is secure and privacy-preserving, researchers from the University of Adelaide, CSIRO’s Data61 and the University of London found that while the Australian app is among the most secure of the centralised models from around the world, decentralised models would always be better for privacy.
COVIDSafe uses a centralised framework for digital contact tracing, with data on the close contacts of a confirmed COVID-19 case sent to a central server and then transferred to state and territory health authorities.
The decentralised model, pushed by Google and Apple in their own framework, keeps all data on the user's device; users are then notified through the app if they have been in close contact with a confirmed case.
The centralised model has been adopted by several governments as it keeps manual contact tracers directly involved with the process and allows them to directly contact people, while the decentralised model provides far better privacy protections as no data leaves the device using the app.
The researchers analysed the security and privacy of 34 digital contact tracing apps from around the world, mostly based on a centralised model.
The report assessed the apps on the design paradigms and privacy protections provided, on a static analysis to discover potential vulnerabilities, on data flows to identify potential vulnerabilities, and on the robustness of privacy protection approaches.
The report details a range of privacy issues and security vulnerabilities, with COVIDSafe at the time assessed as being “at risk” of linkage-server attacks, linkage-user attacks and relay attacks.
The researchers concluded that COVIDSafe is among the better of the centralised apps in terms of privacy, but that the decentralised versions are better in this regard.
The research was undertaken before a number of countries around the world opted to build decentralised contact tracing apps.
The UK government had previously been set to launch a centralised app similar to COVIDSafe, but recently ditched this version and is now building an entirely new decentralised version using Google and Apple’s framework.
The paper was soon picked up and presented as having found COVIDSafe to be “among the safest in the world”.
The University of Adelaide’s press release claimed the research found that COVIDSafe was “among the safest in the world”. The press release, issued on 1 July, was then picked up and copied nearly word-for-word in an Australian Financial Review piece the next day, carrying a headline stating “COVIDSafe app best of class for privacy, says study”.
In response to this article, one of the researchers behind the COVID-19 contact tracing app report, University of Adelaide School of Computer Science lecturer Dr Jason Xue, said the story should be re-titled as “contact tracing apps to be vulnerable” instead.
By the next week, Government Services Minister Stuart Robert had picked up on the report, referencing it at his National Press Club address on Tuesday and in subsequent interviews.
While the university press release and AFR piece referenced the app as “among the safest”, Mr Robert took it even further, saying the research found that COVIDSafe was “the most secure of all 34 tracing apps”.
“The tech community has worked with us and we have now completed seven updates to the app, including addressing over 30 potential bugs and areas for improvement raised by the tech industry,” Mr Robert said.
“Consequently, the University of Adelaide has rated the Australian COVIDSafe app the safest globally, after comparing it to 34 similar apps. My conversations with peer digital ministers around the world echo this sentiment,” he said.
But no-one seems to have read the research report by the University of Adelaide academics, which actually finds that COVIDSafe is vulnerable to a range of attacks and privacy faults.
University of Adelaide School of Computer Science associate professor Damith Ranasinghe, one of the authors of the report, said that decentralised models for digital contact tracing are generally more privacy preserving.
“Generally we found that the decentralised models tend to provide better privacy than centralised ones. The decentralised solutions tend to be better than centralised, purely from a privacy point of view,” Professor Ranasinghe told InnovationAus.
“No solution you’re going to develop is going to be perfect, even the decentralised solutions have their issues. It’s really going to be a balance between privacy and the current medical systems running in a country, and the societal norms,” he said.
“It’s complex to determine the best solution, but from a researcher point-of-view the decentralised option tends to provide better privacy.”
They did find that COVIDSafe performed well in terms of privacy compared to other centralised apps, Professor Ranasinghe said.
“We looked at the kinds of security provisions the app provides, and COVIDSafe comes out on top in terms of that for a centralised version. Then in terms of privacy, it also comes out on top,” he said.
Dr Xue said the study also wasn’t meant to look at whether any of the apps were actually effective in assisting with contact tracing.
“Nothing is perfect, even decentralised apps have privacy issues. COVIDSafe is a centralised version and is one of the safest in the world. There’s no such thing as a 100 per cent secure and privacy-preserving system in the world,” Dr Xue said.
“The effectiveness of the app versus the security and privacy of the app is beyond our study. We never studied the effectiveness of the app.”
Cryptography expert Dr Vanessa Teague said the research had been misrepresented by the media and politicians.
“When you read the paper, it’s a decent, reasonably careful analysis of security and privacy properties of some selected contact tracing apps,” Dr Teague told InnovationAus.
But the research has been used to present COVIDSafe as safe and secure, when the centralised model it is based on isn’t as privacy-preserving as a decentralised one, Dr Teague said.
“This puts the authors in a terrible position, because what they are represented to have said directly contradicts what they’ve actually written in their paper,” she said.
“The second sad thing is that a lot of journalists have just picked up the press release without taking even a cursory glance at the paper or asking the authors what they really intended to say.”