Raising Hell: Cracking COVIDSafe: Part 2: The Boys From Boston
In which we learn about the Boston Consulting Group...
There are really only two things you need to know about the Boston Consulting Group (BCG), the makers of the COVIDSafe contact tracing app.
The first is that it belongs to that clutch of companies whose trade involves the subtle art of whispering in the ears of powerful people. As a prestigious management consulting firm, its considered opinion shapes the decisions that affect our day-to-day lives and its hand holds the pen that drafts the planning documents needed to action them.
The second thing is that since its founding in 1963, the US company has turned up everywhere governments have sought to privatise and outsource “non-core” business. Like The Borg, every so often another entity operating as part of the broader BCG corporate group breaks away and embarks on a mission to assimilate another public institution. While by no means the largest of its species, BCG today boasts outposts in 90 locations, dotting 50 different countries and probably has plans for more.
Wherever they have landed, their work is mostly banal. Sometimes however it swerves into the realm of scandal thanks to its proximity to power and the amorality of the modern corporation.
At one point in Sweden, the company found itself the target of outrage after it was contracted in to help run a hospital. Along the way it imported an approach to healthcare known as “value-based care” that made Nya Karolinska one of the most expensive hospitals in the world. The resulting scandal was enough that the company became the subject of a book published in 2019 by two investigative journalists titled: “The Consultants”. Roughly translated to English, its blurb reads:
Value-based care, BCG promises, will revolutionize all healthcare and make Karolinska a world-renowned pioneer. But after a series of revelations about huge invoice amounts and suspected conflicts of interest, the hospital ends its cooperation with the consultants. Karolinska is forced to deal with budget gaps, mass exodus of employees and patients who die in growing operating queues.
More recent investigations have turned up stories that are considerably darker. A New York Times investigation published in January described how a BCG subsidiary helped Isabel dos Santos — Africa’s richest woman who infamously “ripped off Angola” — by “[facilitating] her efforts to profit from her country’s wealth while lending their legitimacy”. A second, earlier investigation from The Times revealed how BCG had also helped Crown Prince Mohammed bin Salman of Saudi Arabia — the same man who ordered the murder of journalist Jamal Khashoggi — ingratiate himself among western powers as he did the circuit of capitals from London to Washington soon after taking the throne. From The Times article:
In February 2016, consultants for McKinsey and BCG escorted five emissaries from the Saudi royal court to make the rounds of think tanks in Washington. They informed Gulf experts about Mohammed bin Salman’s grand goals to remake Saudi life while the consultants, who outnumbered the Saudis, quietly took notes.
BCG has been deeply enmeshed in laying out the economic blueprint of the country, called Vision 2030, which aims to wean Saudi Arabia from its dependency on oil revenues.
Boston Consulting Group focused on unspecified “intelligence.” In a statement, BCG said it focused in Saudi Arabia on work that could “positively contribute to economic and societal transformation” and that the company has turned down work that goes against that principle. The firm declines projects that involve military or intelligence strategy, a spokesman said.
Here in Australia, BCG’s local arm has to date been free of similar negative publicity. The company has mostly enjoyed a good reputation as business advisors who, unlike some of their competitors, don’t have tax audit issues. In many ways the company has been ever-present but never prominent. Standing in the background, their role has been to supply the ideas and technical reports that often lend technocratic legitimacy to naked political ambition.
One example is the company’s contribution to the conversation around privatising Australia Post. Early into the Abbott government, BCG was contracted to conduct a review of the postal services’ operations. When its report was delivered in July 2014, it was quickly called out by The Australia Institute in a review of its work as a transparent attempt to lay the groundwork for privatisation:
The key themes in the BCG report are clearly designed to deliver the ultimate goal of outsourcing and privatising the mail delivery business in Australia. […] While projecting straight lines out for 10 years helps to make for some alarming reading, it is the lack of evidence on which such long run projections are made that should truly alarm readers of the BCG report.
In November 2019, the company was handed another $1.9 million to write a follow-up review on Australia Post’s performance.
As far as local scandals go, the only recent incident on the horizon relates to a COVIDSafe-adjacent story involving the Australian National University (ANU).
The trouble started in July this year when an ANU alumni group invited a graduate employed by BCG onto a panel to talk about their work on the COVIDSafe contact tracing app. ANU academic Dr Priya Dev was initially asked to chair the panel, but later un-invited in circumstances that remain unclear.
When Denham Sadler later wrote up the story for InnovationAus, he explained Dr Dev had once published an article critical of the app’s development and the university had a close relationship with BCG. When Sadler followed up with ANU about whether Dr Dev’s removal constituted a breach of academic freedom, the university’s administration told Sadler: “there was no pressure applied from any parties involved.”
All of which helped explain a few things. I had previously heard about the panel while working on a story about COVIDSafe for The Saturday Paper in late June. When I had asked for a copy of the recording, I was told it was simply not available.
“Thanks for getting in touch,” an ANU spokesperson said. “Unfortunately we don’t have a recording we can pass on at this stage, but we will chase up for you and let you know if we’re able to provide one.”
I never did hear back. Sadler’s report would fill in some gaps when it explained the university had not made the video public after unnamed participants refused to give their permission.
If much about the situation seemed strange, that thought also occurred to Myriam Robin, a columnist at The Financial Review. Robin went on to wage her own Freedom of Information campaign to make the video public and was partially successful despite some push back.
When I contacted BCG to ask about the incident, I received a message giving the company’s side of the story. I have included the response in full, except to remove the name of the employee as they were not approached directly for comment and the company was speaking on their behalf:
“BCG allows employees to speak in their own capacity as alumni at university events, but when they do, they are not representing or speaking on behalf of BCG or its clients. [Dale] was invited by his former lecturer to take part in an ANU event which he understood would be an audience of current and former ANU students keen to hear about the COVIDSafe app. On this occasion, BCG was aware that Dale had been asked to speak at the event in his capacity as a former student, and was reminded to respect BCG’s obligations on client confidentiality and restrict his remarks to information that was in the public domain.
“When Dale learned the moderator was planning to ask questions about the app he knew he would not be able to answer out of respect for client confidentiality, he expressed reservations about this to his lecturer because he thought it might diminish the value of the event. Dale did not pressure anyone from ANU to remove Dr Dev from the panel, ANU staff made that decision entirely on their own. BCG was not in any way involved in the replacement of Dr Dev as the moderator of the panel. This has been confirmed by the ANU in their response to an InnovationAus article. The Freedom of Information release shows that Dr Dev herself also appeared to have concerns about whether she was the right person to moderate the panel.
“Like many companies, BCG offers graduate opportunities to universities across Australia including ANU. The InnovationAus article did not suggest there was a connection between BCG’s recruitment of graduates and the panel discussion. BCG was not in any way involved in the ANU’s decision to remove the moderator from the alumni panel and no decision of ANU would ever influence BCG to stop offering career opportunities to ANU students.”
After receiving this, I followed up with Dr Priya Dev who declined to comment except to address BCG’s contention that she “appeared to have concerns about whether she was the right person to moderate the panel.”
In a written statement, Dr Dev said:
“I never had concerns about whether I was the right person to moderate a panel discussion on the COVIDSafe app. Given that [the graduate] had expressed reservations about questions being asked by his former lecturer, I am surprised that the panel discussion on the COVIDSafe app took place as one cannot have a discussion on the app without asking questions about the app. Had the student not expressed reservations to the organiser of the event, would the organiser have still removed me as moderator from the panel? Given my discussions with the organiser — who stressed the importance of academic freedom — I find that an unlikely scenario.”
The Hired Guns
Until 2020, BCG had virtually no contact with the Digital Transformation Agency (DTA) — just a single contract worth $110,000. Across the broader machinery of government, BCG had by my count locked down 64 government contracts totaling $76 million from January 2017 until September 2020. The other agencies reliant on BCG for IT services or management advice included:
Australian Taxation Office
Department of Defence
Department of Employment
Department of Finance
Department of Health
Department of Home Affairs
Department of Infrastructure
Department of Industry
Department of Prime Minister and Cabinet
Department of Social Services
Fair Work Commission
Prior to the COVIDSafe app, Home Affairs had been the company’s most profitable partnership. There, BCG had helped to author a failed plan to privatise an immigration visa-processing platform. When that initiative proved controversial and was dumped in March this year, BCG still pocketed $43 million, roughly half the total $92 million spent on the project.
According to the DTA it was Home Affairs that first contracted in BCG to work on COVIDSafe before the project was pulled across to the agency. Around this time there had also been a key staffing change within the DTA. Dr Anthony Vlasic, the agency’s chief strategy officer, left in February 2020 to take a job as a BCG partner and associate director. Before working with the DTA, Dr Vlasic kicked off his career by spending two years as a consultant with BCG from January 2005 to April 2007.
Dr Vlasic wasn’t the only one to move through the revolving door. Back in July 2018, Randall Brugeaud was permanently appointed as the DTA’s new CEO after acting in that capacity for several weeks. Though in recent years he had worked in various government departments overseeing technology projects, Brugeaud had served as an executive for BCG between 2008 and 2010.
These appointments — and the contract for COVIDSafe — marked the start of a profitable relationship for BCG. Since the start of 2020, the company has racked up $2.3 million in government contracts from the DTA. When I asked BCG about this, the company directed any questions on procurement and contracting to the agency, saying it “fully complies with all DTA tender and procurement requirements”.
To actually do the heavy lifting on the app, BCG deployed a subsidiary: the Boston Consulting Group Digital Ventures (BCGDV). BCGDV’s website describes its activities as: “A corporate investment and incubation firm. We invent, build and invest in startups with the world's most influential companies.”
Though a marketing exercise, a Q&A published to BCG’s Medium account serves as a rare public record of officials speaking directly about the company’s work on the app. Participants in the interview were Miguel Carrasco, CEO of BCG Platinion in Asia-Pacific and the Global leader at BCG’s Center for Digital Government, and Kevin Lucas, managing director and partner at BCGDV.
Together they explained how their role was largely to rope together the host of organisations collaborating on the project. Carrasco explained its goals saying “privacy and security have been key considerations throughout the design of this product”. Lucas, meanwhile, outlined who did what on the project:
“BCG and BCGDV were involved from a relatively early stage in the development cycle. The BCG team was focused on supporting the coordination between the various government agencies involved, and particularly in supporting the Department of Health in getting ready for the product launch by helping train various state and territory health teams. The BCGDV team was closer to the product development efforts, creating the user journey flows and designs and providing product management to support a number of technology partners, notably [Amazon Web Services] and Shine Solutions.”
Today BCGDV’s contract with the DTA has ended, but it remains unclear how the company’s performance was assessed or how the effectiveness of the app has been determined.
One simple measure would be to look at the number of active users but to date no reliable user figures have been released. Both the company and the DTA prefer to rely on the total number of downloads — 7.1 million — as a mark of success. This figure — “total downloads” — is, however, misleading as those who download the app may not actually use it. While it is technically possible to generate the number of active users by measuring how often a phone checks in with the central server, the agency has so far refused to release the information on grounds it “may endanger public safety”.
If the lack of reliable user information marked one problem with judging the company’s performance, there was also the raft of exploits, errors and limitations that shipped with the app’s release.
Of all those that have been discovered to date, one of the more significant was a vulnerability that allowed someone with a little Bluetooth know-how to take control of a person’s phone. The issue was discovered through a partnership between Jim Mussared, a member of the open source community, and ANU academic Dr Alwen Tiu. Since Bluetooth technology worked by allowing two devices to silently “pair”, they found they could trick a phone into thinking another device was a keyboard and then give it commands. The flaw was so serious they registered it with The MITRE Corporation, a non-profit cybersecurity research organisation, and logged it on the public Critical Vulnerabilities and Exposure database where it was given a severity rating of 9.8 out of ten. Since then Google has taken steps to remove the vulnerability on Android phones.
“It’s also worth noting that this vulnerability primarily allowed permanent tracking of the device, even after COVIDSafe was uninstalled,” Mussared said. “In my mind that’s far more serious than the keyboard thing.”
Alone, this would be enough to raise serious questions about the developer’s work. It was also hard to square with the company’s representation of how it had approached the build.
When I asked BCG about this, the company directed all questions on the app’s performance to the DTA.
When the DTA were asked about the performance of the app, the agency’s hiring practices, how performance on the contract was assessed and the agency’s view on BCG’s work to date, the DTA said in a statement:
“The Government used relevant external expertise as appropriate, procured on an as-needs basis following standard Commonwealth Government Procurement Rules. It is important to note that contracts are developed to maximise value for money for the government, with options to allow the government to continue engagements as needed.
“All engagements undergo a value for money assessment and the most suitable qualified supplier is engaged, including for COVIDSafe.
“The COVIDSafe app continues to be improved and enhanced through iterative updates. Consistent with the Commonwealth Government Procurement Rules, the DTA will approach the market for support, development and enhancements as required to deliver on the government’s requirements.”
The agency may have been sticking to its talking points but this statement revealed more than it perhaps intended. The key phrase was “iterative updates” — something often repeated in the public communications about the app. It was one of those buzzwords that suggested insight but had no real meaning to those outside the tech world.
Understanding it meant first getting to grips with how programmers think about what they do. When people talk about “software engineering”, the word “engineer” is more of an aspirational moniker than a literal description of the role. In this view, writing code is considered a wholly different activity to building a bridge. If a flaw in a bridge might get someone killed, an error found in an app can be patched out after release with no harm done. This basic reality is generally held up as a reason why software engineers shouldn’t be held to the same duty of care as civil engineers.
In this way COVIDSafe cannot be considered “engineered” in any sense. When government and company officials throw around terms like “iterative design process” and “sprint plan” to describe the methodology by which the app was built, it is more an exercise in marketing than science. These words show the speaker has a fluency in the language of Silicon Valley-style project management but say nothing about a meaningful commitment to best practice.
Had the reverse been true, the result for COVIDSafe may have been different. Sprint plans and iterative design processes are real things that are actually useful. Tech giant Atlassian has built its product management software to accommodate this way of working. With the right systems in place for people to report errors or security issues and an openness to critique — elements that have largely been absent from the COVIDSafe app — it can prove a good way of managing risk or limits on expertise.
What is clear, however, is that speed was the development team’s priority. Based on what is known to date, this can be forgiven. Confronted by a global pandemic, the federal government clearly wanted to be seen doing something at a time of great uncertainty. The consultants, meanwhile, were only too happy to oblige.
Whether it was the right approach to building COVIDSafe remains an open question. A medical information app that seeks out and stores a history of close contacts in an effort to contain the spread of a highly infectious illness is wholly different to an app that counts your steps. Beyond the obvious privacy considerations, an automated contact tracing system constitutes a new public service not unlike building a new bridge.
An app will not solve a pandemic, but it may go some way to helping to manage risk and educate people along the way. The long range benefit of getting it right from the start extended beyond the current pandemic to maybe helping stem the next one. It also offered a rare opportunity to build public trust in the ability of institutions to respond in a crisis. Framed this way, those who commissioned and built such a system — whatever their contractual arrangements — bore an enormous responsibility to the public they were ultimately serving — especially a public who had been unable to give any meaningful feedback on the design before it was put to work.
So, why rush?
Why no one stopped to take some time and consider their options is a question that could be added to the pile BCG were looking to handball over to the DTA and which the agency wasn’t too keen on discussing in meaningful detail. While BCG might not have been willing to talk about the performance of the app, it did however make a point to quibble over the description of the COVIDSafe app as “medical information technology”.
“The COVIDSafe app is not a piece of medical technology, it is a digital tool to support state and territory public health officials with contact tracing,” a company spokesperson said.
Whatever you want to call it, the tools a society creates and the context in which they are created reveal much about the people who made them. In this specific case, the story of COVIDSafe’s origins owes much to the interplay between the public sphere and private entities. How this precise dynamic came to be is a story about ideas — in this case, those ideas we have about the best way to run the machinery of government.
Cracking COVIDSafe is a feature series made in association with Electronic Frontiers Australia. It aims to highlight the importance of Freedom of Information as an essential tool for holding government to account while helping to teach people about the process so they can do it themselves.