How does it work?
The app operates by using your device’s Bluetooth functionality to identify nearby devices that also have the app installed. The app records the anonymised ID of that other user and uploads that information into a database which is only accessibly by state and territory public health officials. Importantly, the app does not operate to pair your device with any other device; it simply operates as a radar which identifies other devices with the app. So there is no risk that other uses of the app will have access to your device or data on your device.
Is it secure?
Whilst the source code for the app has still not been released, it has been decompiled by various developers. It has been identified from a technical perspective that there are some security deficiencies in the app which ought to be resolved. These deficiencies make the app insecure and therefore more vulnerable to a malicious attack should someone wish to gain access to the app on your device.
However, consider the consequences if this occurred. The app only collects your name, phone number, postcode and an age group. This kind of basic information is hardly powerful and could not be used to steal your identity or do any real damage. It is likely you share far greater personal information with Google, Facebook or other social media platforms or online sellers.
What about my privacy?
As is pointed out in the advertisement campaign, the government is subject to legal restrictions regarding the collection, use, disclosure and storage of personal information. These obligations are contained in the Privacy Act. The government cannot disclose your personal information overseas unless you give express consent, which does not appear to be included in the app itself. The use of Amazon Web Services to store the data in the cloud should not be of concern: AWS is perhaps the most secure cloud storage provider and given the government’s legal obligations, it is likely that the data will be stored in the servers located and accessible only in Australia.
Further, if a data breach occurs, the government has obligations under the notifiable data breach regime to immediately take steps to remedy the breach (if possible), and if not, to alert affected individuals. Again though, given the type of information that is inputted into the app, it is difficult to see how any real harm could come to individuals if there was an unfortunate data breach.
Additionally, on Monday the Attorney-General released an exposure draft of a bill which seeks to amend the Privacy Act by inserting a jail term of up to 5 years for the collection, use or disclosure of data from the app for any purpose other than contact tracing of COVID-19 by anyone other than a state or territory health authority or behalf of an authority.