Welcome to Coronavirus Government Global Briefing, Mandarin Premium’s morning update on everything in local and global government responses to the COVID-19 outbreak.
Reactions to the COVIDSafe source code, draft legislation
However, the DTA, which has also called for community feedback on the source code, has not released code relating to the COVIDSafe National Information Storage System, reportedly in order to “ensure the privacy of individuals and integrity of the overall system”.
On the importance of community analysis (and also Tasmania)
An update to the app was rolled out at the start of this month — including “changes to address the app causing issues with the operating system for a small number of Android users” — while a second series is planned for this week; as The Guardian reported last week, the DTA is yet to fix a bug on iPhones that prevents the app recording all required data if it’s operating in the background or on older models.
As Gizmodo reports, one of the earliest, if apparently inconsequential, finds from developers scouring the new source code is the omission of Tasmania in a section of unused iOS code.
It's the attention to detail that really stands out pic.twitter.com/GOZeZktpMo
— Anthony B, oh god we're all going to die (@swearyanthony) May 8, 2020
As developers point out in the thread above, the mistakes do not impact the app’s features, but do perhaps show the benefit of a second pair of eyes on code that has, understandably, had to be rushed.
This is why, for developers looking to actively support the system, the decision not to release the server code — currently held by Amazon Web Services — is so frustrating; the DTA’s own Digital Service Standard encourages open source to “increase transparency” and “add benefits, from improvements by other developers”.
“We already have the source code for the app from decompiling it, so the app code won’t tell us anything we don’t already know. It’s the server code that we need,” cybersecurity researcher Vanessa Teague told Gizmodo last week.
“Australia’s tech community could find, and help to fix, the bugs that are almost certainly present in the server code. There are numerous potential areas in which a mistake could undermine the security and privacy protections that millions of Australians are relying on.”
As Teague unpacks in a Twitter thread, Singapore released the source code for the original TraceTogether app, as well as its server code, weeks ago. The country also rotates the encrypted user IDs every 15 minutes, while Australia’s system takes two hours.
As another developer digging into the code, Jim Mussared, told Gizmodo, a direct comparison to TraceTogether forms a core. Mussared alleges that early complaints with the recent 1.0.16 Android and 1.1 iOS versions, including the backgrounding issues on Apple’s iOS system, have since been fixed:
“One very clear result of this is that there were zero functional changes to the iOS BLE backgrounding behaviour (CentralController.swift). We know that the Singapore team knew that background-to-background iPhone didn’t work, so any claims by the DTA that they ‘fixed it’ indicate that either they never actually tested [or] investigated it, or their testing methodology was flawed.”
For more, check out Mussared’s document ‘Privacy issues discovered in the BLE implementation of the COVIDSafe Android app’. Published 28 April and updated 5 May, the piece warns of the following alleged issues:
- Two flaws that lead to potential long-term (many day) tracking of devices
- Another flaw provides long-term tracking as well as exposure of the user’s name, in some cases
- One issue allows for permanent tracking of an iPhone even when the app is uninstalled
Finally, as ZDNet notes in its roundup of the source code, Labor’s shadow assistant communications minister and shadow assistant cyber security minister, Tim Watts, has pointed to the success of the UK’s National Cyber Security Centre’s central vulnerability disclosure platform as a more developed agency to investigate government vulnerabilities.
The platform, which covers all UK government entities and is operated by HackerOne, forms just one part of Labor’s UK-style active cyberdefence program proposed in a recent policy discussion paper, ‘National Cyber Resilience: Is Australia Prepared for a Computer Covid-19?’.
“[This] is a pretty different philosophical approach to security than we have in Australia at the moment,” Watts said during a roundtable hosted by the Australian Strategic Policy Institute International Cyber Policy Centre last week.
COVIDSafe legislation to be introduced today
While the Law Council of Australia has welcomed the release of the source code as a way of “giving all Australians the chance to satisfy themselves that the app will be used in the way that it is intended”, their response focuses instead on the Privacy Amendment (Public Health Contact Information) Bill 2020, which will be introduced to parliament today to replace health minister Greg Hunt’s Determination made under the Biosecurity Act 2015 (Cth).
As an explanation of the draft bill sets out, the legislation will cover all requirements in the existing determination — i.e. ensure that data from COVIDSafe is only used to support state and territory health authorities’ contact tracing efforts — and introduce the following additional protections:
- The national privacy regulator, the Office of the Australian Information Commissioner (OAIC), will have oversight of COVIDSafe. They can manage complaints about mishandling of COVIDSafe data and conduct assessments relating to maintenance and handling of that data.
- The Privacy Act’s Notifiable Data Breaches scheme will be extended to apply to COVIDSafe data.
- The interaction between the powers and obligations of the OAIC in relation to COVIDSafe data with the powers of state and territory privacy regulators and the Australian Federal Police will be clarified.
- The administrator of the National COVIDSafe Data Store will delete users’ registration data upon request.
- An individual will be required to delete COVIDSafe data if they receive it in error.
- No data can be collected from users who have chosen to delete COVIDSafe.
- A process will be put in place for COVIDSafe data to be deleted at the end of the COVID-19 pandemic and users to be notified accordingly.
While the Law Council welcomed those improvements, the body also highlighted a number of outstanding concerns relating to oversight and US access:
“These concerns focus on ensuring that comprehensive oversight provisions are provided to the Privacy Commissioner, making the allowance for the prohibitions on the use and disclosure of COVIDSafe app data to have application after the automatic repeal, and applying a gradation to the maximum penalties.
“The Law Council has also called on the Australian government to expedite an executive agreement with the United States government under the US CLOUD Act to minimise the risk that any data obtained will be able to be accessed by US authorities under the US legislation.”
Finally, the council called for the legislation to be subject to the normal processes of parliamentary scrutiny, including committee review, and ongoing consideration once implemented.
- As The New York Times reports, the White House’s campaign to reopen the country — even acknowledging the spike in deaths this will foster — has hit a small snag with multiple senior officials, including Dr. Anthony S. Fauci, currently in quarantine.
- In an op-ed at CNN, Stephen Roach delves into how Donald Trump and the Republican Party’s pursuit of the “Wuhan laboratory” theory points to a 2020 election campaign filled with “China-COVID conspiracy theories”.
- Not unrelatedly, 60 Minutes reports that an American scientist collaborating with the Wuhan Institute of Virology, Peter Daszak, on the origin of the virus had his U.S. National Institutes of Health grant terminated in the wake of the White House’s unsubstantiated campaign.
- The Intercept reports that a variety of industries — including oil, construction, fast food and chemical manufacturing — are pushing to include their lobbyists in the next round of funds for the small business rescue package, the ‘Paycheck Protection Program’. Senior Democrats such as House Speaker Nancy Pelosi will reportedly accommodate this demand to bail out “professional influence peddlers”.
- Reuters has unpacked how Gilead Sciences Inc will exclusively produce their patented remdesivir drug for the developed world, and how, through trade rules established under the United Nations, least-developed countries will be able to ignore the patent and make more affordable versions of the drug in their markets.
- In a blog post at ‘Too Much Information’ — a website, it should be noted, started by a former speechwriter for Bernie Sanders — researcher Andrew Perez unpacks how lobbying from the healthcare industry has meant that, seemingly paradoxically, Colorado Democrats have begun retreating on a state public healthcare option amidst the pandemic.
On the home front: Victoria eases restrictions
Yesterday, the Victorian government announced that some stay at home measures will be eased from 11.59pm tonight, Tuesday 12 May. Changes include:
- Having family and friends visit you at home – with up to five visitors being allowed into your home
- Gatherings of people for the purposes of non-contact sport and recreation in public settings, such as national, state and public parks – with groups of up to 10 being allowed to gather
- Small gatherings of up to 10 people at some indoor facilities such as places of worship and community centres – along with those required to run the facilities. The four-square metre rule applies in these settings
As such, the government will allow the following five “reasons” to leave home:
- Shop for food and other necessary goods and services
- Access medical services or provide caregiving – for example, this includes shared parenting obligations or providing care and support to an unwell, disabled, elderly or pregnant friend or relative
- Attend work or education where you can’t do those things from home
- Exercise and participate in some recreational activities adhering to the rules
- Visit friends, family and loved ones while adhering to the rules
These measures have been regulated with an Extension of the Declaration of State of Emergency to 31 May and new directions covering the restricted activities and stay at home orders.
States expand testing facilities
Concurrently, the Victorian government has announced $20 million to extend their tracing “blitz” and create a new “outbreak unit” within the Department of Health and Human Services’ public health team:
“The unit will include new rapid response outbreak squads, staffed by public health specialists and clinicians to ensure appropriate testing, contact tracing and deep cleaning is carried out as soon as a cluster is identified.
“The squads will also make proactive visits to high risk facilities, businesses and industries, and work with local services on infection control and prevention, while also stepping in to quickly manage any high-risk cases should they occur.”
Additionally, mobile testing units — consisting of five metropolitan and three regional pop up testing sites — will continue to operate, while $8 million will go towards research institutes. Finally, public health surveillance will also be increased with ongoing testing of sewerage to track the virus in the community and provide early signposts of localised outbreaks.
In a similar announcement, the South Australian government on Sunday unveiled a dedicated SA Pathology team to respond to outbreaks in aged care and other residential facilities.
The team of domiciliary nurses and phlebotomists reportedly have the capacity to immediately test everyone in a facility if an outbreak occurs, and will complement Clinpath Pathology’s work developing a dedicated pathology service for rapid sample collection and testing for COVID-19 at all aged care facilities.
Test, trace and rapid response are keys to containing the COVID-19 spread. The Marshall Gov has established a rapid response group to act if an infection occurs in an aged care facility. We have also launched a new 60-minute turnaround testing capability. https://t.co/G2KKXenjCt
— Stephen Wade (@StephenWadeMLC) May 10, 2020
SA’s mobile service will be available to all metropolitan residential facilities and country facilities within reach of a regional pathology laboratory and patient centres. The media release also notes other residential facilities could benefit such as disability accommodation, prisons, supported residential facilities, boarding houses and residential colleges.
Finally, as the state began their own roadmap to recovery, Tasmania announced an expansion and relocation of mobile testing clinics, which have recently been focused on the North West.
On the advice of Public Health Services, those clinics will begin to be redeployed to new areas to “ensure that we are testing as broadly as possible”; this coming weekend (16-17 May), they will be stationed at Scottsdale, Bothwell and Geeveston.
- Children began returning to school in NSW and Queensland; additionally, the Northern Territory government announced that school attendance has returned to pre-pandemic levels.
- On Sunday, the Victorian government announced:
  - agreements with 28 state councils under the ‘Working for Victoria’ to support “more than 2,300 people into jobs that include land and asset management, community outreach, hardship relief delivery and crisis co-ordination”; and
  - $17.5 million for frontline legal services, to include Victoria Legal Aid and every Community Legal Centre and Aboriginal legal service in the state.
- Select NSW courts resumed jury trials yesterday with new social distancing and hygiene requirements.
- The SA government announced two new family-oriented initiatives: