Australia's COVIDSafety theatre
Delivered on 18 May 2020 by Justin Pyvis. About a 6 min read.
Australia's coronavirus tracing app, COVIDSafe - which has also become the political buzzword of choice being dribbled ad nauseam in every.single.speech - passed three milestones this week:
- Nearly 6 million people have downloaded the app.
- The COVIDSafe legislation cleared Parliament.
- The app's source code was released.
Sounds good, right? Certainly checks all of my boxes, given that around a month ago I wrote:
Don't rush into installing this app [COVIDSafe] until the government can guarantee, through legislation and the source code, that it actually has people's best interests at heart.
Alas, I suppose I should have been clearer. While the situation has no doubt improved since I wrote that, the Australian government unfortunately managed to half-arse everything. Given this late stage - you can't ask people to trust you twice - its poor decisions mean the COVIDSafe app will almost certainly find itself relegated to the role of safety theatre, as opposed to its stated goal of "slowing the spread of COVID-19".
Now I'm going to tell you why.
1. Nearly 6 million people have downloaded the app.
There are about 17 million smartphone users in Australia, meaning that with 6 million downloads COVIDSafe is rapidly closing in on Prime Minister Scott Morrison's 40% adoption target. Unfortunately, total downloads is not the correct metric for gauging how many people are actually using a piece of software, and the adoption rate may be significantly lower.
What the government should be reporting is the number of active users. That metric is commonly known as "DAU" (daily active users) or "MAU" (monthly active users) and it's the gold standard for the tech sector. Not providing those data is at best suspicious, at worst malicious.
Without knowing the number of active users, we have no idea how many Australians actually have a functional, up-to-date version of COVIDSafe installed on their phones. Many people could have installed it out of a sense of civic duty only to subsequently remove it for a variety of reasons, such as its failure to operate as specified, its high battery usage, or privacy concerns.
Keeping the active user data a secret smells an awful lot like a political face-saving exercise designed to spare the government the embarrassment of its own poor decision-making process.
2. The COVIDSafe legislation cleared Parliament.
Of the three milestones, this gets the only passing grade. The COVIDSafe legislation was approved by Parliament this week and contains a lot of important protections, including criminal offences for those caught misusing the COVIDSafe app and the data it collects.
However, it places no firm time limit on the retention of the collected data. While there is a requirement for it to be deleted when the Health Minister deems it "is no longer required to prevent or control [COVID-19]; or is no longer likely to be effective in preventing or controlling [COVID-19]", there is no explicit sunset clause, meaning the government can hold onto it for a long, long time.
As the saying goes, nothing is so permanent as a temporary government programme. The legislation does nothing to allay that concern.
3. The app's source code was released.
The Australian government finally released the source code for the COVIDSafe app.
Well, some of it.
For whatever reason, the government again decided to go against best practices and keep the server code closed, meaning we have no idea how stored data are encrypted. Contrast that with the Singaporean government (it provided the framework from which the COVIDSafe app was built), which released the source for both its app and server code. Even the UK's National Health Service (NHS) - also developing a centralised tracing app - released the source code for both its client and server components.
Sadly, it gets worse.
The government also scrubbed the history of changes made to the code (important for auditing), disabled pull requests (this is how the community can suggest improvements to open source products) and has just generally been hostile to developers wanting to help. According to open source software engineer Geoffrey Huntley:
The Australian tech industry really wants to help make it better, but their actions are absolutely hostile. We want to follow what the NHS did, which is build a healthy community that wants to help out. We have a community of software engineers and experts but they are inhibited from looking at the source code because of the licencing problem. They released the source code but did it in the most political, check-box way and scrubbed all of the history and all of the metadata. There's no way to know when a bug was fixed and it's very hard to track at all. They have deleted all of the audit trail and disabled the ability for one to ever happen.
My suspicion is that much like how airport screening is mostly security theatre, Australia's COVIDSafe app will end up as nothing more than safety theatre. Under the safety theatre model, the government will be able to proudly proclaim its world-leading status with a functional, widely downloaded contact tracing app, without actually proving that it has provided any public health benefits (or will in the future).
While the best option at this late stage would be to throw the code out and roll with the superior Apple/Google decentralised framework (which could even be made cross-country compatible to support travellers, unlike COVIDSafe and other centralised solutions), governments rarely treat sunk costs as sunk.
Sadly, I have no doubt that, when given the choice by his mandarins, Scott Morrison will elect to double down on the dud that is COVIDSafe, given that the alternative involves admitting his government was wrong (essentially kryptonite to a politician).
Enjoy the rest of this week's issue. Cheers,
Other bits of interest
Facebook has acquired Giphy
Now why would Facebook want a product that is nothing more than an "online database and search engine that allows users to search for and share short looping videos with no sound, that resemble animated GIF files"?
Simple, really: Giphy is built into virtually everything from the default keyboard on Samsung phones to Apple's iMessage, Snapchat, Telegram, Slack, TikTok, Tinder, Twitter, and even the privacy-focused Signal messenger (although Signal already uses a privacy preserving approach to prevent GIF search providers from receiving user data). Buying Giphy allows Facebook to at least indirectly track all of those users and how they interact, even if they don't use a Facebook product (and if they do it's just another piece to help Facebook compile their personal puzzle to flog to advertisers).
- Scoop: Facebook to buy Giphy for $400 million
- Facebook’s Giphy acquisition might have big implications for iMessage and Twitter
A COVID-19 blow to artificial intelligence
Remember when Elon Musk boldly claimed Tesla would have one million self-driving robo-taxis on the road in 2020? I do. He was wrong:
To perfect their technology, they need to test it on roads. But they need at least two people in the cars to avoid accidents. Because of social distancing rules meant to keep people safe during the coronavirus pandemic, that is often not possible. So many cars are sitting in lots.
A COVID-19 win for streamers
With millions of people working from home - perhaps even permanently - live streaming has been a big winner:
Twitch — the biggest live-streaming platform — saw the most growth in terms of sheer hours, with its hours watched jumping 50 percent between March and April and a full 101 percent year over year. It’s now up to 1.645 billion hours watched per month.
- When It’s Time to Go Back to the Office, Will It Still Be There?
- The lockdown live-streaming numbers are out, and they’re huge
Blockchain in the wild
Reddit is now using Ethereum tokens to power part of its community points/popularity system. Unlike regular voting, "users retain full control, meaning moderators nor Reddit itself can take points away or decide how they should be spent". Could this be the long-sought problem that micropayments can solve?
Europe's GDPR is evil
Apple has started reopening its retail stores worldwide, and is taking multiple measures to make sure customers and staff continue to stay safe during the global health crisis. One of these measures includes temperature checks for customers before they're allowed to enter one of Apple's stores using a non-contact forehead thermometer.
[However], a data protection agency in the German state of Hesse is concerned that Apple's temperature checks on customers violate European Union privacy rules and has launched a probe.
- The general lesson still has yet to sink in
- Apple Store's Temperature Checks May Violate EU Privacy Rules