If you spot a spelling mistake, grammatical error or inaccuracy please help improve the senate submission by editing this page. Small fixes, over time, add up to huge improvements. Thank-you 💕
Select Committee on COVID-19
Terms of Reference
On 8 April 2020 the Senate established the Select Committee on COVID-19 and referred the following matters to it for inquiry and report on or before 30 June 2022:
- the Australian Government's response to the COVID-19 pandemic; and
- any related matters.
Introduction
To members of the Senate Select Committee on COVID-19. Thank you for the opportunity to participate in this Senate inquiry. Below you will find a submission related to the COVIDSafe application. We are doing seperate submissions on a per-topic basis to optimize for your reading experience.
Members from the https://covidsafe.watch/ community are available to give in-person evidence to future public (or private) hearings by video conference.
We would appreciate a confirmation of the receipt of this submission and welcomes any feedback you may have.
https://covidsafe.watch/ is an online community backed by a team of security researchers, open-source software engineers, community managers and privacy specialists that support the concept of technology based contact tracing.
- We want to see lives saved through the use of this unprecedented technology.
- It is crucial to us that privacy and security issues are addressed promptly and communicated in an inclusive and open manner.
- We believe transparency is essential to achieve both of these goals without compromising either. Compromising privacy risks people’s lives by undermining public trust in the systems built to protect them.
- This can only be achieved by direct collaboration with engineers using transparent open source platforms as done by the UK National Health Service.
It's here! The source code for the COVID-19 BETA Apps.
— NHSX (@NHSX) May 7, 2020
✅Android: https://t.co/fdCzEcND47
✅iOS: https://t.co/6JNR1PmkHE
✅Documentation: https://t.co/OFGq9lbOfg
Experts available for in-person evidence
Geoffrey Huntley
🙌 I'm Geoff, the probono open-source software engineer leading the independent analysis of covidsafe via studying the source code. Software that I maintain is inside Microsoft Visual Studio, GitHub, Atlassian Sourcetree, Amazon Drive, Halo, Slack, is heavily used by the financial services industry and has been installed by other software developers over 21 million times.
Photo licensed under Attribution 4.0 International (CC BY 4.0)
Jim Mussared
I'm a hybrid hardware and software developer, with current professional experience with open-source development and designing/developing BLE-based products for George Robotics. Formerly worked in programming/electronics education at Grok Learning, and before that at Google Australia as a tech lead in the SRE team as well as some time working with the Android team.
My Bluetooth research into contact tracing has received world wide praise. I discovered a Bluetooth security vulrunability (CVE-2020-12856) which requires governments to modify their technological approaches and programs of work.
Photo licensed under Attribution 4.0 International (CC BY 4.0)
Richard Nelson
I'm a professional software engineer of 16 years, 8 of which have been in mobile app development and leadership. I have a strong interest in infosec, and my research into the iPhone application background behaviour identified a coding error as a contributing factor preventing COVIDSafe from working effectively. I discovered a denial of service vulnerability (CVE-2020–12717) in COVIDSafe.
Photo licensed under Attribution 4.0 International (CC BY 4.0)
Contact person(s) for this submission
Technical Expert & Coordinator
Name: Geoffrey Huntley
Email: ghuntley@ghuntley.com
LinkedIn: https://www.linkedin.com/in/geoffreyhuntley
April 27th, 2020 - Initial Discovery
Geoffrey Huntley documented the possibility of the language used in the application as an issue in his COVIDSafe application dissection.
When a user taps the "upload my data" button the next screen asserts "You have tested positive for COVID-19" which may be a false assertion and cause confusion. This text needs changing.
This research featured on the front page of the technology website "Hacker News" and received wide attention from the global technology industry, including from Mike Cannon-Brookes, co-founder of Atlassian.
https://news.ycombinator.com/item?id=22986147
I believe the government, the Prime Minister and various ministers have said the code will be released. My sources also say exactly the same. They’re obviously operating with extreme urgency to get the app out. For you. [... snip ...]
Mike Cannon-Brookes' account was created on the 1st of April 2020. The above comment is his first and only comment on this [very important] technology website. Mike's comments were picked up and widely circulated in the media.
https://www.smartcompany.com.au/coronavirus/angry-mob-cannon-brookes-covidsafe-app/
Whilst Geoffrey Huntley has no evidence that the Digital Transformation Agency read the application dissection document on the 27th. Mike's comments in the media and COVIDSafe being on the front page of this technology website would have most likely resulted in one or more people within the Digital Transformation Agency monitoring the document which was continually updated for weeks.
TFW you spot a UX problem with messaging on launch day, report it and still have yet to get a response back. Today in the news? Sigh. #covidsafe pic.twitter.com/8Yn6nIvdig
— geoffrey huntley (@GeoffreyHuntley) April 30, 2020
April 28th, 2020 - Public Panic
A Melbourne woman feared she had coronavirus after confusing app message. Mother-of-two Holly Donovan from Frankston panicked when she thought the app had diagnosed her with coronavirus.
The message "You have tested positive for COVID-19" appeared when she tapped the button "has a health official asked you to upload your data?".
It is not meant to tell users they have coronavirus, but instead ask them to confirm they have tested positive.
"I got a shock and then I thought people should know about this, because some people would get really panicky and go oh god I've got it," Holly Donovan told 9News.
April 30th, 2020 - Australian Financial Review
https://www.afr.com/politics/federal/tech-community-backs-covidsafe-app-20200430-p54olb
Over 500 met on Wednesday evening by video, after multiple developers and software engineers had reverse-engineered the code base and inspected it for security, integrity and usability.
Led by Queensland open-source software engineer Geoff Huntley, a group of developers and programmers have collated the findings of about a dozen different efforts to review the code and the usability of the app
Mr Huntley told the meeting the group was ready to share their findings with the government's developers to help debug and improve its usability.
The group met up after Atlassian co-founder Mike Cannon-Brookes called on developers and software engineers to help debug the application.
Mr Huntley detailed the issues the group had identified with the app.
These included problems trying to register using Wi-Fi only; the lack of an alternative for SMS authentication – especially in remote areas with poor or no mobile service; and the need to have the app available on international platforms so people who are not on the Australian stores can access.
Also noted was the need to be able to register international phone numbers for visitors who are using international SIM cards.
The app uses bluetooth wireless signals to recognise another COVIDSafe app. There have also been issues of conflicts with other bluetooth applications, such as diabetes apps.
There has also been confusion with a user exploring the app and getting a screen that says "you have tested positive". The screen came up after the user pressed the button used to upload data, after a person has been diagnosed with the virus.
May 4th, 2020 - The Australian
Mr Huntley also points out that anyone checking out all the areas of the app will easily end up on a page with the first line of text: "You have tested positive for COVID-19."
"It has caused public panic and it can still cause public panic," he said.
But he says multiple attempts to contact government agencies to report issues went unacknowledged until he was interviewed in media on Monday morning.
May 4th, 2020 - Software Update Released
COVIDSafe v1.0.15 was released which removed the text from the application. Time to resolution was 10 days.
May 5th, 2020 - The Advocate
https://www.theadvocate.com.au/story/6745024/govt-under-pressure-over-app-bugs-and-flaws/?cs=12
Computer experts have voiced concern that, more than a week after the app was launched, the government was yet to issue a software update or address problems people have encountered in downloading and using the app.
In addition to well-known problems in making the app work effectively on Apple iPhones, users have also encountered issues downloading the app, registering for use and obtaining technical support.
Software engineer Geoffrey Huntley said one of the potentially most alarming yet easily rectified problems was that the app displayed the message "You have tested positive for COVID-19" when users pressed the 'Upload my information' button at the bottom of the main page.
The issue came to public attention within days of the app's launch when a Melbourne woman described her panic after coming across the message.
Mr Huntley said it would be simple to change the wording on the app to fix the problem and was concerned that an update was yet to be rolled out.
He said there were a number of problems with user experience that were yet to be addressed, including blocked access to the app for people with offshore iTunes accounts, the necessity of having an Australian mobile number and the requirement that users have access to SMS in order to register.
Mr Huntley said there was "no customer support" addressing these or other issues raised by users and those attempting to download the app and register for its use.
"The government keeps talking about the number of downloads. That should not be the success metric. The metric should be how it is working," he said.
Closing Remarks and Recommendations
In Geoffrey Huntley's and Richard Nelson's professional opinion 10 days is unacceptable time to resolution as the fix involved removing a single line of text from the application and releasing a new version of the application.
Releasing a new version of the application should have been done immediately after seeing reports that mother-of-two Holly Donovan from Frankston panicked when she thought the app had diagnosed her with coronavirus.
New versions of mobile applications can be automatically released to the Google and Apple stores without human interaction. This is industry best practice - also known as continuous integration/continuous delivery. Geoffrey Huntley has taught these methods as lectures at Microsoft and as in-person training to companies within Australia.
@GeoffreyHuntley talking about fastlane tools and automatic builds with cake. @xamarinhq #xamarin #sydmobile pic.twitter.com/Fr4dXmOpXf
— XAM Consulting (@XAMConsulting) November 8, 2016
For those waiting for the recording of our Fastlane Tools Guest Lecture, @GeoffreyHuntley was kind enough to redo it, and it is posted now.
— Xamarin University (@XamarinU) November 22, 2016
Watched @GeoffreyHuntley's XamU presentation on fastlane. Super keen to implement some of this, especially match. https://t.co/KLMSaXVEYk
— Kent Boogaart (@kent_boogaart) June 17, 2017
@GeoffreyHuntley giving an impromptu brown bag on #FastLane while in town! #InsideReadify pic.twitter.com/oEaVgC095c
— Benjamin Tam 💙 (@BenjaminTam) March 16, 2017
This educational material has been available, free of charge since 2016 and can be obtained at:
- https://github.com/ghuntley/appstore-automation-with-fastlane
- https://www.youtube.com/watch?v=mF0QonkbuqU
- https://fastlane.tools/
Appendix - Timeline
| Day | Date | Notes |
|---|---|---|
| 0 | 26/04/2020 | COVIDSafe app launched |
| 1 | 27/04/2020 | First long-term tracking issues reported to privacy@health.gov.au, ASD, Maddocks (author of the PIA). First reports of the app interacting poorly with other Bluetooth devices (e.g. Continuous Glucose Monitors). |
| 2 | 28/04/2020 | First four issues described in a single document that was distributed widely to the relevant teams (both through official and unofficial channels). |
| 4 | 30/04/2020 | First contact with Singapore OpenTrace team. TempID caching issue fixed same-day. The Singapore team confirms that iPhones in the background are “not expected to work”. ASD confirmed that they will “follow this up”. No further contact. The Cybersecurity CRC confirmed that they have forwarded this doc but are extremely dismissive of the findings. No further contact. Maddocks replied and promised to forward the doc. No further contact. |
| 8 | 04/05/2020 | First contact with DTA. v1.0.15 & v1.0.16 (Android) released containing only updates to graphics and animations and some minor text changes. The only issue fixed is the confusing wording raised by Geoff. risky.biz publishes a high-level summary of the known issues at this stage. |
| 9 | 05/05/2020 | v1.1 (iPhone) released. DTA confirms that they were first aware of the issues on 30/04/2020, but our contact still had not read the document. Full details of CVE-2020-12586 shared with the ASD/ACSC and DTA |
| 10 | 06/05/2020 | DTA CEO questioned by the Select Senate Committee on COVID-19. Topics include the iPhone background behavior and engagement with the tech community. Richard Nelson discovered the remote iPhone crash, reported to DTA. |
| 12 | 8/05/2020 | Source code of v1.0.16 (Android) and v1.1 (iPhone) released, confirming that there are no differences in the Bluetooth implementation to the upstream Singapore codebase. |
| 13 | 9/05/2020 | Same issues discovered in the ABTraceTogether app used by Alberta, Canada. Emailed, and Skype meeting arranged within 24 hours. |
| 17 | 13/05/2020 | DTA confirms that there will be a release tomorrow to fix the iPhone crash but it will fix none of the outstanding privacy issues. |
| 18 | 14/05/2020 | v1.0.17 (Android) and v1.2 (iPhone) released. Contrary to advice from the day before, fixes the first two privacy issues (along with the remote iPhone crash). DTA asked (via SMS to Jim Mussared) for availability to discuss fixes for CVE-2020-12586 in the next couple of days. Jim offered that they can call any time, but then they never followed through on arranging a time. No further contact received from the DTA, all follow-up emails ignored. (Edit: update after this doc was published, see below) |
| 19 | 15/05/2020 | Source code of v1.0.17 (Android) and v1.2 (iPhone) released. |
| 20 | 16/05/2020 | Source code of Alberta, Canada’s ABTraceTogether released. None of the issues raised on 09/05/2020 have been fixed. |
| 21 | 17/05/2020 | v1.3 (iPhone) released. |
| 22 | 18/05/2020 | Source code of v1.3 (iPhone) released. iPhone crash fixed in Singapore OpenTrace. |
| 23 | 19/05/2020 | Full details of CVE-2020-12586 shared with the Singapore & Alberta teams (and other affected countries). |
| 26 | 22/05/2020 | iPhone TempID expiry issue raised with DTA (and Singapore & Alberta). |
| 29 | 25/05/2020 | The The COVIDSafe App - 4 week update document was released publicly. 26 minutes later, update from the DTA with a planned release date for “the remaining Bluetooth issues”. |
| 30 | 26/05/2020 | v1.4 (iPhone) released and available to download, source code partially available same day but unable to compile as source code is missing. v1.0.18 (Android) source code released but Android application but not available to download from the app store. |
| 32 | 28/05/2020 | Submisisons for the Australian Senate Select Committee on COVID-19 close. |
Appendix - Google Android Changelog
| Version | Date | Comments |
|---|---|---|
| v1.0.11 | 2020-04-26 | Initial Release. Implementation in serious breach of privacy policy. Contained text that caused public panic - "You have COVID19" |
| v1.0.15 | 2020-05-04 | Brand new coat of paint and did not resolve privacy breach. Accidentally added 20 second pause to the launch screen. |
| v1.0.16 | 2020-05-04 | Removed 20 second pause from the launch screen. |
| v1.0.17 | 2020-05-14 | Partially resolves privacy breaches. |
| v1.0.18 | 2020-05-27 | Source code released but application not available for download from the app store. Analysis pending. |
Appendix - Apple iPhone Changelog
| Version | Date | Comments |
|---|---|---|
| v1.0 | 2020-04-26 | Initial Release. |
| v1.1 | 2020-05-05 | Debug view removed, updated design and removed com.googleusercontent URLScheme. |
| v1.2 | 2020-05-14 | Largely fixed background behaviour. Implemented the fix for CVE-2020-12717. |
| v1.3 | 2020-05-14 | Removed daily notifications to remind users to keep app in foreground. |
| v1.4 | 2020-05-26 | Application released, source code was partially published but unable to compile as files are missing. Analysis pending. |
