Here's what I've learnt this morning about the security and privacy of Singapore's TraceTogether app that Australia is apparently planning to copy/paste.
Thread 👇
And tackling some myths here: https://bit.ly/3cnXcq8 
Taking SG's Digital Services team at their word from the pages above, we also know...
The only data they collect server-side is your mobile number and a randomly assigned unique ID.
When your phone goes near other phones, it will share with that phone an encrypted version of your ID, only decipherable by their MoH.
Importantly, this encrypted ID that is shared changes regularly, so no one can "follow" you by seeing where your ID shows up.
No *location* data is collected or stored. 👍 It is simply other devices storing your ID if you went near that device (in an encrypted form that the other device's owner can't access).
None of this contact data (your encrypted anonymous ID) is sent to the MoH until someone registers that they've been infected. At this point, the encrypted IDs are sent to MoH, which we can assume are then decrypted to link to mobile numbers to be used for informing contacts.
The BlueTrace protocol (the Bluetooth Low Energy (BLE) tech underlying the interactions) has been made open source, along with reference implementations of the server-side and mobile app code: https://github.com/OpenTrace-community
All the above is great. However, there is still a level of trust involved. I believe the open sourced code is not the actual app, it's a reference implementation (a white-labelled fork?). So there's trust assumed that this open source stuff is close to what's actually deployed.
How could this be a problem? A government could in theory change their actual app to always upload every contact made, meaning they would quickly collect a database of mobile numbers that associate.
Unfortunately, I can't see a way to protect against that, at least on my iPhone. One theoretical way to prevent that happening would be if devices allowed us to prevent an app from connecting to the Internet except when we approve it, like personal firewalls on PCs do.
Of course, even if that were possible, the app needs Bluetooth enabled to work, so a sneaky gov, faced with a user disabling internet access, could proxy their data through other users' phones.
Would I install this app? If the Aus Gov is planning to deploy the same tech, I'd be willing to give it a go. The risks seem low if they deploy the tech as described.
However, I'd REALLY like to see:
* the actual app code being open-sourced; and/or
* some independent security reviews of the app and servers being published.
Governments expect the latter from banks and other regulated orgs. I think it's fair for citizens to expect it of them.
Unfortunately, the Aus government's infinite sequence of I.T. gaffes has eroded much of the public's trust in their ability to manage something requiring a high level of security and privacy. It's great they're looking to leverage existing tech. Can they still stuff it up?
Already, @ScottMorrisonMP has missed an opportunity to clarify on air that the app doesn't collect location info, which suggests he may not actually understand it. It's going to be hard to sell something like this if you don't understand or can't explain.
https://www.pm.gov.au/media/interview-gareth-parker-6pr
That's the end of the thread. What do you think about this app? Will you be downloading it? What could the gov do to help assure you that there's little privacy concern?
@troyhunt I'd be super keen (and I'm sure many others would be) to hear your thoughts on this proposed contact tracing app.
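As an added illustration (not code from the OpenTrace repositories or the TraceTogether app) of the rotating encrypted ID the thread describes: the authority holds a symmetric key, each broadcast ID is the user id plus a validity window sealed with AES-GCM under a fresh random nonce, so consecutive IDs are unlinkable to the phones that log them, and only the key holder can open them once a contact log is uploaded. The key, user id and timestamps are constructed values; the field layout follows the published BlueTrace TempID design in simplified form.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Authority models the health authority, the only party holding the TempID key.
type Authority struct{ aead cipher.AEAD }

func NewAuthority(key []byte) (*Authority, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Authority{aead: aead}, err
}

// IssueTempID seals userID || start || expiry under a fresh random nonce, so two
// TempIDs for the same user look unrelated to the phones that record them.
func (a *Authority) IssueTempID(userID []byte, start, expiry uint32) ([]byte, error) {
	pt := make([]byte, len(userID)+8)
	copy(pt, userID)
	binary.BigEndian.PutUint32(pt[len(userID):], start)
	binary.BigEndian.PutUint32(pt[len(userID)+4:], expiry)
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.aead.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || GCM tag
}

// OpenTempID is the MoH-side step once an infected user uploads their contact
// log: recover user id and validity window, or fail on a wrong key or tampering.
func (a *Authority) OpenTempID(tempID []byte) ([]byte, uint32, uint32, error) {
	ns := a.aead.NonceSize()
	if len(tempID) < ns+8+a.aead.Overhead() {
		return nil, 0, 0, errors.New("tempID too short")
	}
	pt, err := a.aead.Open(nil, tempID[:ns], tempID[ns:], nil)
	if err != nil {
		return nil, 0, 0, err
	}
	n := len(pt) - 8
	return pt[:n], binary.BigEndian.Uint32(pt[n:]), binary.BigEndian.Uint32(pt[n+4:]), nil
}
```

A phone without the key sees only opaque, changing byte strings; the authority recovers the user id (and hence the registered mobile number) only from IDs that were uploaded.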