Coronavirus tracing app COVIDSafe released by Government to halt spread of COVID-19 in Australia
Smartphone users can download the app for iPhones and Android. People who download the app will be asked to supply a name, which can be a pseudonym, their age range, a mobile number and postcode.
Those who download the software will be notified if they have contact with another user who tests positive for coronavirus.
Prime Minister Scott Morrison has flagged the app as being essential for Australia to be able to ease coronavirus-induced restrictions across the country.
The data remains encrypted on a user’s phone for 21 days, after which it is deleted if they have not been in contact with a confirmed case.
The application will have two stages of consent that people will have to agree to: initially when they download the app so data can be collected, and secondly to release that data on their phone if they are diagnosed with the virus.
If a person with the app tested positive to COVID-19 AND has provided their consent to share the information, it will be uploaded to a central server.
From here, state and territory health authorities can access it and start contacting other people who might have contracted coronavirus.
What will the app do?
- The contact app will allow health officials to tell you if you have come into close contact with someone who is diagnosed with COVID-19 (coronavirus).
- If you become infected with coronavirus, the app will assist health officials to notify people you have been in close contact with so they can self-quarantine and get tested.
- This will speed up current manual processes and make it quicker to stop the spread of the virus, particularly if restrictions are eased.
- The app operates on a person’s phone as they go about their day.
- It securely logs the encrypted reference codes of devices of other people who are using the app who have been in close proximity to you.
- The close contact information can only be accessed by relevant health officials if there has been a positive case to help alert those who may need to be tested.
- The app will never track your location.
How will the contact app work?
- A user voluntarily downloads the app from the app store. The user registers to use the app by entering a name, phone number and postcode and selecting their age range. They will receive a confirmation SMS text message to complete the installation of the app. On the basis of this information, an encrypted reference code is generated for the app on that phone. That code is changed every 2 hours to make it even more secure.
- The app uses Bluetooth to look for other devices that have the app installed. It takes note when that occurs, securely logging the other users’ encrypted reference code. The date and time, distance and duration of the contact are generated on the user’s phone and also recorded. The location is not recorded.
- This information is securely encrypted and stored on the phone.
- The app uses a rolling 21-day window to allow for the maximum 14 day incubation period, and the time taken to confirm a positive test result. The rolling 21-day window allows the app to continuously note only those user contacts that occur during the coronavirus incubation window. Contacts that occurred outside of the 21-day window are automatically deleted from the user’s phone.
- The contact information on the phone is not accessible by anyone (including the user of the phone), until the user is diagnosed with coronavirus and they upload the contact information to a highly secure information storage system.
- The uploaded information enables state or territory health officials to contact the user and close contacts to provide advice on actions they should take to manage their health.
- This cycle continues if a user of the app who was a close contact subsequently tests positive.
If a user receives a close contact notification, will they be advised who the contact was?
- This will operate in the same way as existing contact processes run by State and Territory health officials.
- A phone call will be made to users who have had close contact with another user once that user is independently confirmed as having COVID-19. This phone call will be made by State or Territory health officials.
- Close contact information is only available to State and Territory health officials once a user is confirmed as coronavirus positive, and the user securely uploads the information stored on their phone.
- These calls will only be made to close contacts that have occurred in the 21 days before the information has been uploaded. This early notification allows users to quickly self-quarantine and seek medical attention.
How does the app know a “close contact” has occurred?
- When two (or more) app users come into close proximity their phones exchange Bluetooth signals and make a series of ‘digital handshakes’.
- The app records the encrypted reference code, time and proximity of two users, through the strength of the Bluetooth signals. This allows the approximate distance between the users and the duration the contact occurred to be determined once the data is uploaded to the highly secure information storage system.
- The proximity for a close contact is approximately 1.5 metres, for a period of 15 minutes or more.
- To be effective, users should have the app running in the background of their phone whenever they are coming into contact with people. Users of the app will receive daily notifications to ensure the app is running.
Can the app be used to track a user or contact?
- It does not record an individual’s location or movements. The app only records that a contact occurred to allow health officials to contact those users to enable them to quickly self-quarantine and/or seek medical attention.
- The app cannot be used to enforce quarantine or isolation restrictions or any other laws.
- Commonwealth and state/territory law enforcement agencies will not be allowed to access any information from the app unless investigating misuse of that information itself.
Why does the app ask for your mobile phone number?
- A mobile number is needed to activate an account and to allow health officials to contact you if they need to.
Can a user or health official view the information stored on the phone including the contact log?
- All information that is stored on the phone is digitally encrypted and cannot be accessed or viewed by any users or health officials.
- Contact information older than 21 days on your phone is automatically deleted.
How will the information be stored?
- When a person registers the app, a name, verified mobile number, age-range and postcode are registered and encrypted on the highly secure information storage system. They are provided an encrypted hash code, which is the only data shared as part of the Bluetooth ‘digital handshake’.
- The digital handshakes collected by the contact app are stored locally on the user’s phone.
- Contact information only leaves the users phone if the user is diagnosed as having coronavirus.
- Contacts that are older than 21 days are automatically deleted from the phone.
- The information is uploaded to a highly secure information storage system. Only authorised state and territory health officials will have access to the contact information. State and territory health officials will only have access to view the contact information collected by people from their state or territory diagnosed with COVID-19.
- In accessing and using the uploaded data, health officials will be required to comply with the Australian Privacy Principles and all applicable data protection and information security obligations. It will only be able to be used for alerting individuals if they have come into contact with a person who has contracted coronavirus.
More information at https://www.health.gov.au/resources/apps-and-tools/covidsafe-app