Digital Transformation Agency
Key COVIDSafe improvements enhance and protect your privacy
7 September 2020
Tags: COVID-19, COVIDSafe, Privacy, Security, Service design
Key improvements have been made to the COVIDSafe app to better protect the security and
privacy of all users.
On 8 May 2020, we released the app's source code to our GitHub repository (https://covidsafe.gov.au/app-code-terms-and-conditions.html). As part of our commitment to transparency, today we're releasing the COVIDSafe Cryptography Specification (/sites/default/files/files/COVIDSafe%20cryptography%20specification%20(with%20protocol%20version%20numbering)_v3.pdf). We have worked with government experts, academia, industry specialists and the tech community to ensure the best possible security and privacy protections for all COVIDSafe app users.
Information that COVIDSafe exchanges between devices
One of the ways your data is protected in COVIDSafe is through the temporary identifier ("tempID") issued by the COVIDSafe servers. tempIDs are generated periodically and expire after a set time. Each contains a random unique identifier that identifies you as an individual user of the app without including any personally identifiable information, such as your phone number, name, postcode or age. This keeps your information safe. A tempID appears completely random to other devices running the COVIDSafe app, so they can't tell who you are. Only the National Data Store can recover, from a particular tempID, which user it was issued to.
How COVIDSafe exchanges my temporary identifier with nearby devices
Whenever you are in range of another COVIDSafe user, your apps perform a “digital
handshake” by exchanging information over Bluetooth. This includes your tempID, and
information about phone model and Bluetooth signal strength. More recent versions of
COVIDSafe include the time each digital handshake occurs as part of the information
exchanged. This allows the server to perform better validation checks. It also means the app
can run for up to a week without needing an internet connection, which improves its
performance.
When a digital handshake occurs between 2 COVIDSafe users, the information that is
exchanged is encrypted so that only the National Data Store can read it. This encryption is like
a padlock: anyone can use an open padlock to lock up a box of valuables, but only the trusted
person with the key will be able to open it and access what’s inside.
Figure 1: data sent in the digital handshake is now encrypted, so only the COVIDSafe server can read it
The encrypted encounter data your phone stores from other users is uploaded to the National
Data Store with your consent if you test positive for COVID-19. It cannot be decrypted by
unauthorised third parties.
Figure 2: a user's tempID can only be decrypted by the server.
Improved privacy protections
The data exchanged in the digital handshake now changes every 7.5 minutes instead of every 2
hours. This is a significant improvement to the privacy of users. It reduces the time COVIDSafe
sends the same identifier to other app users by up to 93%.
New protections for COVIDSafe data
Working with subject matter experts in industry and academia, we have improved the
COVIDSafe code and design. We have enhanced privacy by adding an additional layer of
encryption to the Bluetooth exchange.
We also continue to work closely with government, industry, academia and members of the
community – including software developers and researchers – to improve the security, privacy
and usability of COVIDSafe. We would like to thank everyone for their feedback and
recommendations, which continue to inform the development of the app.
For media enquiries email us at xxxxx@xxx.xxx.xx
For other enquiries email us at xxxx@xxx.xxx.xx
© Commonwealth of Australia. With the exception of the Commonwealth Coat of Arms and
where otherwise noted, this work is licensed under the CC BY 4.0 license.