-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathindex.html
168 lines (155 loc) · 16.2 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="description" content="">
<title>Is the COVIDSafe app safe yet?</title>
<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato:300,400,400italic" type="text/css">
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
<!-- <link rel="icon" type="image/png" href="/favicon.png" /> -->
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="//oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="//oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<div class="container">
<h1 class="display-4" style = "text-align: center">Is the <a href = "https://www.health.gov.au/resources/apps-and-tools/covidsafe-app">COVIDSafe app</a> safe yet?</h1>
<!--
<h1 class="display-2 text-danger" style = "text-align: center">
No.
</h1>
-->
<h1 class="display-4 text-warning" style = "text-align: center">
No (but improving)
</h1>
<!--
<h1 class="display-2 text-success" style = "text-align: center">
Yes!
</h1>
-->
<div class="row">
<div class="col-lg-12 col-md-12 col-sm-12">
<hr />
<h1 style = "text-align: center">Why not?</h1>
<br />
<p>Currently the COVIDSafe app <strong>meets 1/4</strong> of the conditions required for <strong>reasonable safety</strong>. These conditions however, are all achievable by the government and can allow for significantly greater confidence in the app and their own integrity. These conditions are:</p>
<h4>Code integrity</h4>
<p><strong>State:</strong> <span class = "text-success">Good</span></p>
<p>
DTA has released the source code within the promised timeframe<sup><a href = "#ref-21">[21]</a></sup>. The source code is missing some data and there are some questions around the licensing of the code, but overall this is great.
</p>
<p>
A number of developers have decompiled and analysed the source code of the Android version of the app, and have shown it to be correct in terms of data promised to be collected and no known exploits/backdoors.<sup><a href = "#ref-19">[19]</a></sup>.
</p>
<h4>Data access and retention</h4>
<p><strong>State:</strong> <span class = "text-warning">Improving</span></p>
<p><strong>Ways to improve:</strong> Once parliament sits, pass laws to match the existing Emergency Determination.</p>
<p>
An Emergency Determination<sup><a href = "#ref-6">[6]</a></sup> has been introduced by Health Minister Greg Hunt limiting how data can be collected by COVIDSafe and who can access it. However concerns have been raised<sup><a href = "#ref-7">[7]</a></sup><sup><a href = "#ref-8">[8]</a></sup> over the <strong>lack of provision for oversight and reporting</strong>. It is expected that proper laws related to privacy protection and restrictions to data will be introduced in May<sup><a href = "#ref-9">[9]</a></sup> when parliament re-sits.
</p>
<p>
Part of the Emergency Determination made states that it is illegal to <i>"cause COVID app data ... to be retained on a mobile telecommunications device for more than 21 days."</i><sup><a href = "#ref-6">[6]</a></sup>. The Determination also states that the Australian Government <i>"must cause COVID app data in the National COVIDSafe Data Store to be deleted after the COVID‑19 pandemic has concluded."</i>.
</p>
<p>
Draft legislation (the <i>Privacy Amendment (Public Health Contact Information) Bill 2020</i><sup><a href = "#ref-23">[23]</a></sup>) has been put forward to parliament, which mirrors fairly well the Emergency Determination<sup><a href = "#ref-22">[22]</a></sup>.
</p>
<h4>Independent audit</h4>
<p><strong>State:</strong> <span class = "text-warning">Average</span></p>
<p><strong>Ways to improve:</strong> Form the committee promised and release reports. Release report from the CSCRC, and any reports from the ASD.</p>
<p>
Both Health Minister Greg Hunt and Shadow Health Minister Chris Bowen have indicated that there is to be a "parliamentary oversight committee" to scrutinise the COVIDSafe app<sup><a href = "#ref-4">[4]</a></sup><sup><a href = "#ref-12">[12]</a></sup>. However, <strong>no indication has been given</strong> as to when this will be or what this committee will be scrutinising. Given parliament don't sit again until May, it's likely <strong>the horse will already have bolted</strong> at this stage.
</p>
<p>
The Department of Health has stated that they will seek "independent" advice from the Australian Signals Directorate in relation to data security<sup><a href = "#ref-13">[13]</a></sup>. No transparency has been provided on this however - the ASD has not provided any public statement, nor has any report relating to measures taken been published.
</p>
<p>
The Cyber Security Cooperative Research Centre have released a statement stating it has "no major concerns about the app". The organisations review is being handed to the government on Tuesday, however it has not been confirmed if this review will be made public. <sup><a href = "#ref-14">[14]</a></sup>.
</p>
<h4>Guaranteed sovereignty of data</h4>
<p><strong>State:</strong> <span class = "text-danger">Poor</span></p>
<p><strong>Ways to improve:</strong> Ideally move all backend to an Australian based provider. At minimum, ensure that encryption keys are stored with an Australian provider and are never used on non-soverign hardware.</p>
<p>
Concerns have been raised about the government's use of Amazon Web Services to store both the encrypted contact data from COVIDSafe, and the encryption keys used to decrypt the data<sup><a href = "#ref-15">[15]</a></sup>. The primary issue from this relates to the CLOUD Act, law introduced in the US in 2018 that allow the US government to require US based cloud providers operating in Australia (such as Amazon Web Services) to "to hand over data requested by US law enforcement authorities"<sup><a href = "#ref-16">[16]</a></sup>.
</p>
<p>
<del>Labor MP Ed Husic has raised stated he had been in formed that the Australian Signals Directorate has raised concerns around AWS and the Sydney data centre in question, and - a month earlier - the Department of Home Affairs has advised the Government to move their data out of there by September this year<sup><a href = "#ref-17">[17]</a></sup>.</del>
<br />
The Digital Transformation Agency has come out on record to ITWire, stating <i>"No COVIDSafe information will be stored in Global Switch facilities"</i><sup><a href = "#ref-18">[18]</a></sup>.
</p>
<p>
Concerns have also been raised over Australian based providers being overlooked, despite having the relevant government accreditations to host such data, such as AUCloud, Macquarie Telecom, Sliced Tech and Vault<sup><a href = "#ref-15">[15]</a></sup>.
</p>
</div>
</div>
<!--
<sup><a href = "#ref-X">[X]</a></sup>
-->
<div class="row">
<div class="col-lg-12 col-md-12 col-sm-12">
<!--
<hr />
<h3>Q&A</h3>
<h4>Don't the government already have all my data? Why should I care?</h4>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.</p>
-->
<hr />
<h4>Additional interesting data</h4>
<ul>
<li>Interesting twitter threads (about decompiling/reverse engineering)
<ul>
<li><a href = "https://twitter.com/GeoffreyHuntley/status/1254319376620072960">Geoffrey Huntley</a></li>
<li><a href = "https://twitter.com/matthewrdev/status/1254336105203200000">Matthew Robbins</a></li>
<li><a href = "https://twitter.com/jedws/status/1254683412465479685">Jed Wesley-Smith</a></li>
</ul>
</li>
<li><a href = "https://docs.google.com/document/d/17GuApb1fG3Bn0_DVgDQgrtnd_QO3foBl7NVb8vaWeKc/edit#">Google Doc discussing Dissection of COVIDSafe</a></li>
<li><a href = "https://en.wikipedia.org/wiki/COVIDSafe">Wikipedia article</a></li>
</ul>
<hr />
<h4>References</h4>
<ul>
<li><span id = "ref-1"><sup>[1]</sup> <a href = "https://www.abc.net.au/news/2018-05-31/privacy-precedent-what-can-the-government-reveal-about-us/9816700">Privacy decision sets worrying precedent for what the Government can reveal about us - ABC</a></span></li>
<li><span id = "ref-2"><sup>[2]</sup> <a href = "https://www.theguardian.com/australia-news/2020/mar/08/melbourne-professor-quits-after-health-department-pressures-her-over-data-breach">Melbourne professor quits after health department pressures her over data breach - The Guardian</a></span></li>
<li><span id = "ref-3"><sup>[3]</sup> <a href = "https://www.theguardian.com/technology/2020/feb/28/australian-government-officials-accused-of-cavalier-disregard-for-unauthorised-metadata-access">Australian government officials accused of 'cavalier disregard' for unauthorised metadata access - The Guardian</a></span></li>
<li><span id = "ref-4"><sup>[4]</sup> <a href = "https://www.itnews.com.au/news/govt-to-release-source-code-of-forthcoming-covid-trace-app-546884">Govt to release source code of forthcoming 'COVID trace' app - IT News</a></span></li>
<li><span id = "ref-5"><sup>[5]</sup> <a href = "https://www.abc.net.au/radio/programs/am/heath-minister-says-govt-will-release-covidsafe-source-code/12187634">Federal Heath minister says Govt will release COVIDSafe source code - ABC</a></span></li>
<li><span id = "ref-6"><sup>[6]</sup> <a href = "https://www.legislation.gov.au/Details/F2020L00480">Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 - Federal Register of Legislation</a></span></li>
<li><span id = "ref-7"><sup>[7]</sup> <a href = "https://www.zdnet.com/article/covidsafe-privacy-report-calls-on-state-health-bodies-to-comply-with-privacy-act/">COVIDSafe privacy report calls on state health bodies to comply with Privacy Act - ZDNet</a></span></li>
<li><span id = "ref-8"><sup>[8]</sup> <a href = "https://www.lawcouncil.asn.au/media/media-releases/tracing-app-has-been-released-but-privacy-concerns-still-exist">Tracing app has been released but privacy concerns still exist - Law Council of Australia</a></span></li>
<li><span id = "ref-9"><sup>[9]</sup> <a href = "https://www.innovationaus.com/covidsafe-code-to-be-released-within-two-weeks/">COVIDSafe code to be released within two weeks - Innovation Aus</a></span></li>
<li><span id = "ref-10"><sup>[10]</sup> <a href = "https://www.afr.com/technology/five-eyes-fears-rise-over-aussie-encryption-laws-20190221-h1bj6f">Five Eyes fears rise over Aussie encryption laws - AFR</a></span></li>
<li><span id = "ref-11"><sup>[11]</sup> <a href = "https://junkee.com/encryption-bill-labor-vote/185652">Labor Spent This Week Criticising The Encryption Bill. Then They Voted For It Anyway. - Junkee</a></span></li>
<li><span id = "ref-12"><sup>[12]</sup> <a href = "https://www.smh.com.au/politics/federal/former-top-public-servant-i-won-t-download-the-coronavirus-app-20200427-p54nn9.html">Former top public servant: I won't download the coronavirus app - SMH</a></span></li>
<li><span id = "ref-13"><sup>[13]</sup> <a href = "https://www.health.gov.au/sites/default/files/documents/2020/04/covidsafe-application-privacy-impact-assessment-agency-response.pdf">Privacy Impact Assessment (PDF) - Department of Health</a></span></li>
<li><span id = "ref-14"><sup>[14]</sup> <a href = "https://www.smh.com.au/politics/federal/nothing-particularly-disturbing-coronavirus-app-safe-review-finds-20200420-p54lea.html">'Nothing particularly disturbing': Coronavirus app safe, review finds - SMH</a></span></li>
<li><span id = "ref-15"><sup>[15]</sup> <a href = "https://www.abc.net.au/news/2020-04-24/amazon-to-provide-cloud-services-for-coronavirus-tracing-app/12176682">Australia's coronavirus tracing app's data storage contract goes offshore to Amazon - ABC</a></span></li>
<li><span id = "ref-16"><sup>[16]</sup> <a href = "https://www.itnews.com.au/news/australia-us-negotiate-cloud-act-data-swap-pact-532005">Australia, US negotiate CLOUD Act data swap pact - IT News</a></span></li>
<li><span id = "ref-17"><sup>[17]</sup> <a href = "https://www.itwire.com/government-tech-policy/covidsafe-app-aws-using-chinese-owned-data-centre-in-sydney,-says-husic.html">COVIDSafe app: AWS using Chinese-owned data centre in Sydney, says Husic - IT Wire</a></span></li>
<li><span id = "ref-18"><sup>[18]</sup> <a href = "https://www.itwire.com/government-tech-policy/dta-says-aws-will-not-store-covidsafe-data-at-chinese-owned-data-centre.html">DTA says AWS will not store COVIDSafe data at Chinese-owned data centre - IT Wire</a></span></li>
<li><span id = "ref-19"><sup>[19]</sup> <a href = "https://docs.google.com/document/d/17GuApb1fG3Bn0_DVgDQgrtnd_QO3foBl7NVb8vaWeKc/edit#">Google Doc, contributed to by many developers - Geoffrey Huntley</a></span></li>
<li><span id = "ref-20"><sup>[20]</sup> <a href = "https://www.smartcompany.com.au/coronavirus/angry-mob-cannon-brookes-covidsafe-app/">‘Turn the angry-mob mode off’: Cannon-Brookes calls on divided tech industry to back government’s COVIDSafe app - SmartCompany</a></span></li>
<li><span id = "ref-21"><sup>[21]</sup> <a href = "https://www.dta.gov.au/news/dta-publicly-releases-covidsafe-application-source-code">DTA publicly releases COVIDSafe application source code - DTA</a></span></li>
<li><span id = "ref-22"><sup>[22]</sup> <a href = "https://www.theguardian.com/australia-news/2020/may/04/government-releases-draft-legislation-for-covidsafe-tracing-app-to-allay-privacy-concerns">Government releases draft legislation for Covidsafe tracing app to allay privacy concerns - The Guardian</a></span></li>
<li><span id = "ref-23"><sup>[23]</sup> <a href = "https://www.ag.gov.au/RightsAndProtections/Privacy/Pages/COVIDSafelegislation.aspx">COVIDSafe draft legislation - Attorney-General's Department</a></span></li>
<!--
<li><span id = "ref-X"><sup>[X]</sup> <a href = "LINK">TITLE</a></span></li>
<li><span id = "ref-X"><sup>[X]</sup> <a href = "LINK">TITLE</a></span></li>
-->
</ul>
<p>
<br/><small>Created by <a href = "https://github.com/whiteydude">Andrew White</a>, an Australian nerd who is concerned with the carte blanche approach to privacy that seems commonplace.</small>
</p>
<p>
<small>Are there mistakes, or could there be improvements? Corrections and design changes are welcome. <a href = "https://github.com/WhiteyDude/iscovidsafesafe.com/pulls">Pull requests</a> are preferred, or just <a href = "https://github.com/WhiteyDude/iscovidsafesafe.com/issues">open an issue</a> if you're not technical!</small>
</p>
<p class="timestamp"><small>Page updated 16:33 30/04/2020</small></p>
</div>
</div>
</div>
</body>
</html>