The Damn Roni App

I initially posted this disjointed rant on Facebook, in April of 2020. When it resurfaced on FB memories I saw it had been shared a few hundred times so I decided to keep it here.

I’ve read a few million posts about it, written several thousand words on it myself for Digital Rights Watch and others, and I’ve been rustled by some festering nonsense amongst some genuinely good commentary from experts in particular fields, so to prevent any further word vomit from me in conversation threads with mates, here is some feelpinion.

Privacy and security issues have a unique power to elicit ignorance by privilege. I’ve had conversations with people who’ve done good work on refugee and anti-racism campaigns who dismiss issues like data retention or anti-encryption legislation with a blithe ‘nothing to hide, nothing to fear’, oblivious to the fact that those very same people are the first victims of expanded powers of surveillance for law enforcement and governments. The impact on people who are never targeted by authorities is negligible, but not caring about something that doesn’t personally harm you is exactly the selfishness that has dumped us in a world slow-cooking its way to uninhabitability.

The app doesn’t really work. Singaporeans are compliant and government-trusting in a way Australians aren’t. A 2019 survey found that they trust their government far more than Australians do, yet fewer than 1 in 5 people there downloaded the app after being implored to. Our PM says 40% of people need to use it for it to be effective. Experts elsewhere say that number is 60% or more.

OK, we are a nation overflowing with neighbour-dobbing narcs and let-me-speak-to-the-manager Karens, and if the app was asking people to spy on other people instead of themselves, Australians would in all likelihood disregard the unending series of tech failures from their government over recent years, roll the dice and try to rack up as many covid cop points as they could so they could win the race to be first back to the pub. The PM has none too subtly coerced us to download the app so social restrictions ease sooner, but it is not a real incentive. We haven’t been given any specific rate of uptake that will lead to a set of newer relaxed restrictions, possibly because the app doesn’t really work.

It uses Bluetooth Low Energy to exchange data with other phones with the app in proximity, an elegant design solution that avoids the need to track every single person’s movements over GPS. Go see Dan’s post for details.

Apple in particular has safeguards within iOS to stop data leaking out over Bluetooth. Users overseas reported that for the app to work at all on an iPhone, the phone needs to be on and unlocked, with the app open and in focus. When you use the phone for anything else or switch the screen off to save battery, the app stops working. Apple and Google have proposed an API (rigidly controlled, at least in Apple’s case) to get around these protections, which the Australian government said won’t be used here.

So, an app that won’t really work that the government reluctantly said will be voluntary to install. Trust is essential in this kind of arrangement. But it is OK because you can trust them. 👍

The government has already lied about data and tracking in the midst of this crisis. Less than a week after saying no, the Australian government is not accessing phone location data like the British government is, it was revealed that this is exactly what they are doing. No reason to lie, it was a reasonable use of aggregated anonymised data. But they can’t help themselves.

After public pressure, the government said they would open source the app. This would be genuinely good, and should be the norm for government tech projects, not an exception. Of course, they’ve since rolled that back, and the rest of the stack remains totally opaque. No info at all on what happens at the government end. They’re desperate for us to think that the app is for health services only. That is as it should be, but also almost entirely beside the point. How and what data is collected is important, but far more so is what the government does with it.

Your Internet Service Provider (ISP) uses metadata to charge people appropriately for the service they use or to guide infrastructure planning. The Australian Federal Police (AFP) use metadata to find a journalist’s confidential source. And then they smash down the door and sift through an underwear drawer.

The extraordinary powers governments have given themselves in recent years (with barely a whisper from the opposition) in combination with this app could lead to a massive increase in surveillance capability. Take the stated purpose out of it and just look at the function. An ability to see when and for how long a meeting between ‘people of interest’ takes place is absolutely porn for Home Affairs jackboots.

Data retention laws mandate the collection and retention of the unique device IDs this app will also use. That info is already being accessed—no need for a warrant—by federal, state and local government agencies for reasons that have absolutely nothing to do with ‘national security’. Cross-referencing tracing app data with that retained metadata would de-anonymise all of it, show who met with who, for how long, and provide a pretty good indication of why.

Last year’s anti-encryption bill means Australian law enforcement and intelligence agencies can force the tracing app developers to add features, or give them access to all of the data, or both. And they couldn’t tell anyone about it. The penalty for revealing an order to do this is years in prison. It’s years more if they don’t do what they’ve been directed to.

This environment of distrust we’re in is the government’s own doing, the result of years of not giving a shit about what they trample on. When these laws passed, it was over the objections of experts warning it meant software built in Australia could not be trusted anymore.

And yet even after all of this, covid-19 is so insidious, it presents such a danger to so many in the community—including me, I am one of the lucky ones with a chronic health condition which puts me in the high risk category—that I can see why some might say the app is a risk we have to take.

Except it Doesn’t. Really. Work.

ok thanks don’t trace me bro.

The hits, they keep coming. The government is using Amazon. Australians’ data from the COVID-19 contact tracing app could end up in the hands of US law enforcement, regardless of protections here.