Raising Hell: Cracking COVIDSafe: App Mechanics For Beginners
In which we go under the hood of COVIDSafe with an app developer...
Before we get ahead of ourselves, I figured it would be a good idea to clearly lay out how the COVIDSafe app works and what people are saying about it. Not being able to write a single line of code, I sought out Quentin Zervaas, an independent iOS developer and early advocate on the subject to run me through it.
Quentin had been among those in the open source community who pulled apart COVIDSafe and the Apple-Google iOS Exposure Notification framework to learn how they were built. With time he was one of those who spoke out in the media about what he had found. His argument — and one worth repeating — has consistently been that it is hard to fault anyone for the idea behind an automated contact tracing app. The problem has always been about efficacy and execution.
This conversation has been edited for length and clarity.
Royce Kurmelovs: What got you interested in the COVIDSafe app?
Quentin Zervaas: I became interested when the Australian government began talking about using an adapted version of Singapore’s app. Reading about the issues faced over there, and knowing what I know about Bluetooth on iPhones, it was clear to me early on that the approach the Australian government were taking was never going to work in an effective way. I became even more interested when Apple and Google announced a partnership to develop their own platform for use in contact tracing on iOS and Android phones. This approach would have been more decentralised and addressed some of the technical issues with the proposal for the COVIDSafe contact tracing app.
In April, Apple and Google announced they were building a new set of tools for app developers specifically to detect exposures to COVID-19. This system is called Exposure Notifications — also known as “EN” — and apps were able to make use of this system from iOS 13.5 onward.
I created my own contact tracing app — purely as a proof of concept — using the documentation they published when announcing this new system. Even at that time, it was clear that launching COVIDSafe prematurely — and not using the Apple-Google platform — was going to be a huge mistake.
I tried to raise this issue in the media. My argument was that if the app doesn't work correctly, then it would erode public trust and it would be effectively useless. Speaking as an app developer who has been building apps for over ten years, it is very difficult to get users to adopt new apps. And in this case, when the core premise of the app involves tracking citizens' movements — albeit in a benign way — then that is an extremely tough sell that you must get right first time.
RK: Can you explain how the COVIDSafe contact tracing app is supposed to work for those that may not know?
QZ: If two people, let's say Royce and Quentin, are running COVIDSafe near each other, our phones each exchange a secure key to remember that fact. A secure key is a string of numbers that identifies you as a particular user.
Now, if I were to test positive for COVID-19, I would go into the app on my phone and indicate this. At this point, my phone submits the keys of those who I’ve been in contact with to the central server, allowing the contact tracers to then determine who those keys belong to. The contact tracers can then call the exposed user and conduct an interview.
In the Apple-Google framework, if I test positive, only my keys are sent to the server after I select the upload option in the app. Everybody’s app periodically retrieves the keys of every newly-infected person to see if they’ve ever been near them. So in this example, soon after I upload my keys, your phone would download them from the server and see that they match.
The Government claims that the Apple-Google framework at this point notifies the user — you, in this example — directly via a push notification that you may have been exposed. The Government’s issue with this is they want more control over the notification process, allowing their tracers to call the user instead and conduct an interview.
In actual fact, this claim is a misrepresentation. The Apple-Google framework can be configured to notify the central server that an exposure was detected, so they can then contact you directly to conduct an interview instead of telling you immediately.
RK: What did you find upon release?
QZ: I found the issues that were present in Singapore's app were also present in COVIDSafe. Worse though, the code had been modified and new issues had been introduced. I wasn’t surprised to find this, though it’s been frustrating. Today the government likes to say they’ve updated the app 14 times. Most of these updates are to fix self-inflicted wounds that should have been identified earlier. Instead of rushing the app to market, more extensive testing and field trials should have been performed.
RK: In your senate submission you point out that it basically did not work on Apple iPhones for multiple weeks after release. Can you explain more about this?
QZ: Not multiple weeks: 13 weeks. From launch until early August.
There was a critical bug on iPhones identified by a member of the public. The bug would cause the app to cease functioning correctly after a short period of time, due to having too many Bluetooth connections active. Whenever your phone detected another Bluetooth device, internally the app would remember that connection and try to keep it active indefinitely. There's a limit to the maximum number of Bluetooth connections a phone can have at once. Once this limit of 100 connections was met, your phone couldn't make any further Bluetooth connections.
This is a system-wide limit — that means it’s not limited to just COVIDSafe — so other apps and Bluetooth devices also ran into the same issue as a result of COVIDSafe. These included devices such as blood glucose monitors, smart watches, cars or other security devices.
That issue has now been fixed, but think about why it mattered before it was: imagine you went to a shopping centre at 10am, and by 10:15am, you’ve walked past 100 people who are running COVIDSafe. At this point, no further Bluetooth connections are possible, so if you stay for another two hours, that's potentially hundreds of people you've encountered that were not recorded. Too bad if you sat in the food court at lunchtime next to somebody who had COVID-19.
With adequate testing and field trials, this bug would have been identified and fixed much sooner than 13 weeks into the public release.
RK: What other bugs have you found over time?
QZ: I haven't personally been analysing the app for bugs — though there are many others doing this. Again, knowing what I know about the limitations of Bluetooth, I've been advocating instead for adoption of the Apple-Google Exposure Notification framework. This is a highly robust, specialised framework that was built to solve the problem COVIDSafe is trying to solve.
Additionally, it's built by Bluetooth and security experts at two of the biggest and most successful tech companies in the world. They are building this system to work and scale effectively for the global population, across billions of devices. Meanwhile, the Australian government is sticking to its guns over COVIDSafe.
RK: You've also said the app is a good idea, but hasn't been delivered to spec. Why?
QZ: Yes, I strongly believe in the concept of this app — what matters is that it’s built correctly.
The DTA and the Department of Health have refused to address a number of known issues, like the one that causes iPhones to not communicate while running in the background on your phone. COVIDSafe, as it is now, requires constant user intervention to be running in the foreground. This completely ignores the real-life behaviours of phone users, and also means you can't really use your phone properly for other purposes, since the app works best when it's in the foreground.
Even when critical bugs aren't present, at best, COVIDSafe can only detect about 25 to 50 percent of contacts between two locked iPhones. By comparison, the Apple-Google framework detects over 99 percent.
RK: You've developed apps. What do you make of the government's process in all this?
QZ: That they're willing to listen to the experts, as long as the expert opinion is what they want to hear. I believe they've built this app with good intentions and tried to make the best of a difficult situation, but at a certain point, their refusal to address the issues in the app shows they are not really interested in making it work effectively.
Today they celebrate the app finding 17 otherwise unknown exposures. To me, this is evidence of it greatly underperforming, given the number of COVID-19 cases in Australia is over 25,000.
For example, if everybody with COVID-19 each came in contact with ten people in the days leading up to their diagnosis, that's over 250,000 potential exposures that the app could have found. It's disingenuous to claim how well the app works when you start to understand the exponential scale of these numbers.
RK: How hard has it been over the last few months to get those with authority to listen to the things you and others in the open source community have been saying?
QZ: They're simply not interested in improving the app in a meaningful way.
The Apple-Google framework is being used by over 25 countries including the UK, Netherlands, Ireland, Denmark, US and Japan. Several of these countries have now made their apps interoperate, which means that if you travel between those countries, it will automatically detect if you've been exposed to infected people in any of those countries.
I hold out hope for COVIDSafe. Currently, it has no such cross-region functionality. There's no way any of the apps from other countries can be compatible with COVIDSafe in its current form. And that’s a problem because if we want to get back to meaningful international travel, we may eventually be forced to migrate to something that actually works.
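The connection-limit bug Quentin describes is a resource-exhaustion failure, and the shape of it is easy to see in a small simulation. The code below is an added illustration, not COVIDSafe's or anyone else's real code; `BluetoothStack`, `record_encounters` and the 300-peer crowd are constructed for this example, and the only figure taken from the interview is the 100-connection cap.

```python
# Toy model of the iPhone connection-limit bug described in the interview.
# Constructed for illustration, not COVIDSafe's real code: a phone can hold
# MAX_CONNECTIONS concurrent Bluetooth links; an app that keeps every link open
# after exchanging keys exhausts that pool and then misses every later encounter.
from dataclasses import dataclass, field

MAX_CONNECTIONS = 100  # system-wide cap quoted in the interview


@dataclass
class BluetoothStack:
    """Simulated radio: a new link succeeds only while the pool has room."""
    open_links: set = field(default_factory=set)

    def connect(self, peer_id: str) -> bool:
        if peer_id in self.open_links:
            return True
        if len(self.open_links) >= MAX_CONNECTIONS:
            return False  # pool exhausted: no app on this phone can connect
        self.open_links.add(peer_id)
        return True

    def disconnect(self, peer_id: str) -> None:
        self.open_links.discard(peer_id)


def record_encounters(peer_ids, release_after_exchange):
    """Log each peer's key; return (logged peers, links still held afterwards).

    release_after_exchange=False mimics the bug (link kept open indefinitely);
    True mimics the fix (drop the link once the key has been stored).
    """
    radio, logged = BluetoothStack(), set()
    for peer in peer_ids:
        if not radio.connect(peer):
            continue  # encounter silently missed
        logged.add(peer)  # the key exchange happens over this link
        if release_after_exchange:
            radio.disconnect(peer)
    return logged, len(radio.open_links)


if __name__ == "__main__":
    crowd = [f"peer-{i}" for i in range(300)]  # constructed: 300 passers-by
    for fixed in (False, True):
        seen, held = record_encounters(crowd, release_after_exchange=fixed)
        print(f"fixed={fixed}: logged {len(seen)}/300, links still held {held}")
```

The buggy variant stops logging at exactly 100 peers and leaves all 100 links held, which is also why unrelated devices on the same phone lost their connections; the fixed variant logs all 300 and holds none.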
Cracking COVIDSafe is a feature series made in association with Electronic Frontiers Australia. It aims to highlight the importance of Freedom of Information as an essential tool for holding government to account while helping to teach people about the process so they can do it themselves.
The journalism published by Raising Hell will always be free and open to the public, but feature series like these are only made possible by the generous subscribers who pay to support my work. Your money goes towards helping me pay my bills and covering the cost of FOI applications, books and other research materials. If you like what you see, share, retweet or tell a friend. Every little bit helps.