Raising Hell: Cracking COVIDSafe: Part 1: Sunscreen

In which we learn the price of transparency...

The press conference was one of those held towards the front-end of 2020, somewhere in April, during that period when time lost all meaning and days bled into weeks. Prime Minister Scott Morrison was speaking to the news cameras once more, using the moment to lay out his vision of the future. His message was simple, if optimistic and bordering on delusional: the virus was now a fact of life and, in order to not damage the economy, the Australian people would have to learn to live with it.

Then he got to the point.

“That’s why the protections we put in place for a COVIDSafe Australia are so important,” Morrison said.

It took a keen ear to process what the former ad man did in that moment. In an effort to “solve” the pandemic, the government had built themselves an app. Ripped from Singapore, the code was given a brush and rolled out to the Australian public in a matter of weeks. The stated goal of the project was to automate the process of contact-tracing — an often tedious feat of detective work that relied upon health officials combing back through a person’s life to work out where they had been and who they had contact with — and instead have it sorted by technological wizardry.

In naming its app, the Australian government had christened it “COVIDSafe”, encapsulating the Prime Minister’s vision for a better world. At this press conference, in this particular moment, he worked hard to sell the idea with the deliberate choreography of an Apple product launch. Throughout the address, he repeated the phrase, using it to refer both to the app and to his vision of a better tomorrow in what appeared to be a conscious effort to reinforce the connection between the two in the minds of his audience. All that was missing was a ™ symbol.

“This is an important protection for a COVIDSafe Australia,” Morrison said. “I would liken it to the fact that if you want to go outside when the sun’s shining, you gotta put sunscreen on. This is the same thing.

“Australians want to return to community sport. You want to return to a more liberated economy and society. It’s important that we get increased numbers of downloads when it comes to the COVIDSafe app. This is the ticket to ensuring that we can ease restrictions and Australians can go back to the lifestyle and the things they can do and this is important.”

What happened next was just as extraordinary for a public health announcement. In May, the government conceded to public demands for transparency about the app’s creation by announcing it would release the source code to the public.

Even then the Coalition government couldn’t let go of its basic instinct for maximum secrecy — a detail Morrison immediately spun as a strength. When asked how many people were using the app, the Prime Minister said he couldn’t possibly offer a number. All the information had been locked away on a government black box somewhere. If only select officials within the government were allowed to know, the public weren’t, either. Anti-transparency was a feature, not a bug.

Today the COVIDSafe app has fallen from the headlines and its existence is slowly fading from the public’s collective memory. Where the app is remembered, it is mostly spoken about as a botched public health project.

I have, in part, contributed to this. I first wrote about the COVIDSafe app in the week leading up to its release. I was not the only one and certainly not the most prolific on the subject. Unlike others who chased the tech side of the story, I was mostly interested in the legal and social aspects of the project. As I called around to hear what people had to say on the privacy aspects of the story, I was stunned at how “the app” offered a clear window into the systems for data collection and sharing between state and federal government agencies.

Some months later, I wrote up an autopsy on what went wrong with the app. While putting that together I met people in the open source tech community — people with no particular political axe to grind — who had worked concurrently and without pay to take apart the app, find its flaws and reconstruct how it was made. Once the hive-mind of the internet got its hooks into the code, it found a piece of medical software that had been built poorly, rushed out the door and didn’t do what it was supposed to. At first these people worked as curious hobbyists, but over time they began to link up and the issues they found through their various collaborations grew in severity. The more they learned, the more they found themselves asking a pretty simple question: how could anyone screw up this bad?

That’s a question I remain interested in. Today, COVIDSafe tends to be talked about as a tech story: flawed code in another failed government tech project. For me, the subject remains attractive for wholly different reasons. What matters is not the app, but the machine that made it. If we think about the app as the combined result of the social, political, economic and legal forces behind its creation, the story takes on new dimensions — and raises a lot more questions. Who were the key players in this? Who made what decisions? When? And what did they actually do to earn the money they were paid?

This feature series evolved out of my attempts to answer these questions through Freedom of Information. The idea has been to treat the process of gathering this material as a story in itself. Ordinarily, journalism works by delivering a report as a neat, finished product where all the messy leg-work has been squared away. Using Raising Hell as a platform to publish means I can show how I got into and through the mess, and still tell the story of COVIDSafe.

Getting Started

The project was always going to be a fishing exercise, but the first step was to begin with the obvious: the Digital Transformation Agency (DTA). The DTA is a branch of the Australian government formed in 2016 and burdened with all the hopes of a bureaucracy that desperately wants to build IT systems that actually work. When it came to COVIDSafe, development was initially left in the hands of the Department of Home Affairs, but passed to a team of twelve at the DTA a short time later. Their job involved coordinating between Home Affairs, the Department of Health, the Office of Prime Minister and Cabinet, a host of intelligence agencies and a fleet of private contractors — not that the agency was particularly open about any of this until months had passed since all the important decisions had been made.

Even as the earliest reports were being written about the app, the DTA’s media people refused to clearly explain who was responsible for leading development. All they would say at the time was they were handling media requests. It took a Senate Select Committee on Covid-19 to get concrete answers when Senator Rex Patrick asked point blank on 28 April 2020 who, exactly, had responsibility for what. The agency officials took the question on notice. When the answer came back on 6 May 2020, the response finally offered some clarity with a clear breakdown of the contracting arrangements:

The list also included a fourth company: Amazon Web Services. The trillion-dollar US company that has made a fortune helping run the railway track of the internet became the obvious focus for much of the media. Almost immediately, people began to point out the security risks associated with relying on their services.

For me, it was these lesser-known names that were of interest as they made for good targets. A quick Google search told how Ionize was a private company of white hat hackers who were brought in to test the app for security flaws. Another explained the Boston Consulting Group (BCG) was a US-based consultancy that had a long association with the Department of Home Affairs.

That wasn’t all. In its answer, the DTA explained that Atlassian — the $57 billion tech company — had been involved in the early stages of development. Atlassian had worked on an earlier information app with another company, Shine — also listed above — and had helped Home Affairs prototype COVIDSafe. Though the company has never spoken about what its involvement actually entailed, its co-founder Mike Cannon-Brookes had been vocal in advocating that people should download the app. In a post to Hacker News, Cannon-Brookes advised the tech community: “When asked by non technical people ‘Should I install this app? Is my data / privacy safe? Is it true it doesn’t track my location?’ - say ‘Yes’ and help them understand.”

Knowing who had worked on the app was one thing, but the next step was to find out what they had actually done during development. To that end, I filed three separate Freedom of Information (FOI) applications to learn more: one to Home Affairs asking for any documents relating to Atlassian’s involvement and another two to the DTA in separate applications. Those sent to the DTA asked for copies of the penetration testing report delivered by Ionize, which documented how the company tried to break into the app, and another seven bundles of documents relating to BCG, including reports, emails and information about the procurement process.

I did all this knowing it was guesswork, especially as I didn’t suspect any government agency of wrongdoing. In my past experience with FOIs, the process is made easier if I have someone who can quietly tell me exactly where to look and what to ask for. This was not the case this time around. At any rate, I sent the applications to the emails listed under the FOI section on the websites of the DTA and Home Affairs, and then immediately forgot about them.

A few weeks later, on 21 July 2020, word came back from the DTA on the application that concerned BCG. They said they could absolutely get me those documents, but it was going to set me back $753.13. The letter included a standard table that divided up the cost and was far less helpful than it might appear:

Breaking down the calculation, the DTA was apparently looking to charge me for 36 hours of decision-making time across seven batches of documents. To keep the application moving, I would have to lay down a deposit of $188.28 before they would even think about what documents to hand over, and I had 30 days to pay up or the application would time out and it would all stop there.

The letter contained no explanation of how the charge had been put together. When I asked for more clarity, DTA officials said they thought the majority of time would be spent on one line-item only — the request I made for internal emails, briefs and similar documents sent between the DTA and BCG. This seemed weird. That $750 was a lot of money — roughly a week’s rent for an apartment in Barry Street, North Sydney according to RealEstate.com. In weighing up whether to pay up or walk away, I asked myself a deceptively simple question: who were the Boston Consulting Group anyway?



  • Cracking COVIDSafe is a feature series made in association with Electronic Frontiers Australia. It aims to highlight the importance of Freedom of Information as an essential tool for holding government to account while helping to teach people about the process so they can do it themselves.

  • The journalism published by Raising Hell will always be free and open to the public, but feature series like these are only made possible by the generous subscribers who pay to support my work. Your money goes towards helping me pay my bills and covering the cost of FOI applications, books and other research materials. If you like what you see, share, retweet or tell a friend. Every little bit helps.