The Australian Government has just released the COVIDSafe app to help with contact tracing in Australia during the COVID-19 pandemic. Here’s a brief outline of how it works:

You download the app from the Play Store or App Store.

You then register in the app with a phone number, name, age range and postcode. Your phone number is transmitted to a secure server and recorded with a unique User ID.

The app on your phone gets sent a Unique ID valid for two hours from the server. On receiving the Unique ID, the app responds to the server, effectively stating “Yes, I received a new ID”.

Every two hours the app will request a new Unique ID from the server.

If you do not have an internet connection or the app is not running, the previous Unique ID will continue to be used.

The “Yes, I received a new ID” reports will be used by the Department of Health to determine how many people are using the app and how many people have it actively enabled.

When two people using the app come into contact, the Unique IDs, Bluetooth signal strength and date/time of the encounter are recorded on both devices. This happens every minute whilst the two people are in contact.

Each phone keeps a copy of all the encounters. This log of encounters is kept only on the phone and is not sent to the server without permission.

After 21 days each encounter record will be automatically deleted.

If you test positive for COVID-19 you can choose to transfer the history of encounters to the server.

The Health Authority can match the encounters you have uploaded to the User IDs and phone numbers used to register, and start contacting the people you have been in contact with who may have been exposed to COVID-19.

Here are some other interesting points of the implementation:

The implementation itself has a fairly high degree of privacy, but you do have to have a fair amount of trust and confidence that it all works as advertised and that the data is being used for this one purpose only.

On Android the requested permissions include location. This is related to Bluetooth permissions and no location data is actually obtained.

COVIDSafe considers “close contact” as exposure of 1.5m for a period of 15 minutes or more. The distance between people is measured using Bluetooth signal strength. Seeing as the Bluetooth signal strength is recorded as part of the encounter and uploaded to the server if you test positive, it looks like the conversion from signal strength to distance is something that happens after you test positive. The same appears true of the 15-minute encounter duration. Recommendation 18 of the COVIDSafe PIA would seem to confirm this.

Given that this requires an app to be installed, it would seem that phone numbers shouldn’t be mandatory and the whole process could be kept anonymous by using push notifications. At least making this an option would be an improvement.

Name absolutely does not seem required for this to work - so feel free to use a fake one. I’d love to see the database of hilarious fake names at the end of this.

Daily notifications will appear on your phone so you can have confidence that the app is running in the background correctly.
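To make the “close contact” point above concrete, here is an added sketch (not COVIDSafe's code) of how a server could turn an uploaded encounter log into close contacts: resolve each rotating Unique ID to its User ID, convert signal strength to distance, and count minutes. The path-loss model and its calibration values, the cumulative-minutes rule, the function names and the sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed calibration for a log-distance path-loss model (not from the app or PIA).
RSSI_AT_1M_DBM = -59
PATH_LOSS_EXPONENT = 2.0
CLOSE_DISTANCE_M = 1.5           # from the article
CLOSE_MINUTES = 15               # from the article
RETENTION = timedelta(days=21)   # from the article

def estimate_distance_m(rssi_dbm):
    """Rough distance from signal strength; real handsets vary widely."""
    return 10 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))

def close_contacts(encounters, unique_to_user, now):
    """Return {user_id: minutes within 1.5 m} for users reaching 15 minutes.

    encounters: (unique_id, rssi_dbm, timestamp) records, one per minute of contact.
    unique_to_user: server-side map from rotating Unique ID to registered User ID.
    """
    minutes = defaultdict(set)
    for unique_id, rssi_dbm, ts in encounters:
        user_id = unique_to_user.get(unique_id)
        if user_id is None or now - ts > RETENTION:
            continue  # unknown ID, or older than the 21-day retention window
        if estimate_distance_m(rssi_dbm) <= CLOSE_DISTANCE_M:
            minutes[user_id].add(ts.replace(second=0, microsecond=0))
    return {u: len(m) for u, m in minutes.items() if len(m) >= CLOSE_MINUTES}

def sample_upload(now):
    """Constructed encounter log and ID map, for illustration only."""
    start = now - timedelta(days=2)
    log = []
    # User A: 16 close minutes, split across a Unique ID rotation.
    log += [("uid-a1", -60, start + timedelta(minutes=i)) for i in range(8)]
    log += [("uid-a2", -60, start + timedelta(minutes=i)) for i in range(8, 16)]
    # User B: 20 minutes, but a weak signal (far away).
    log += [("uid-b1", -80, start + timedelta(minutes=i)) for i in range(20)]
    # User C: close, but only 10 minutes.
    log += [("uid-c1", -55, start + timedelta(minutes=i)) for i in range(10)]
    ids = {"uid-a1": "user-A", "uid-a2": "user-A", "uid-b1": "user-B", "uid-c1": "user-C"}
    return log, ids

if __name__ == "__main__":
    now = datetime(2020, 4, 27, 12, 0)
    print(close_contacts(*sample_upload(now), now))
```

Only user A is flagged: neither of A's two Unique IDs reaches 15 minutes alone, so the threshold can only be evaluated after the server maps them back to one User ID.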

Differences between COVIDSafe and TraceTogether: