Damian Ivereigh suggested that the government could avoid using code from the Singapore government to build a contact-tracing app for COVID-19 as one step to make it easier to convince Australians of the integrity of the app.
In a blog post, he said that while open-sourcing the code no matter its origins was a must, the government could go one step further and make it a home-grown open-source app.
The government has said it needs at least 40% take-up for the data that is provided by the app to make a difference.
"After all the past scares about cyber security including the Census bungle, the Data Retention Laws etc, the Australian Government has some way to go before the Australian people consider it trustworthy around privacy.
"So my prediction is that this app will be a complete waste of time due to the low take-up rate."
But Ivereigh added that the government could roll out the app in a better way, using a protocol and not a platform approach, along with some practices that open-source projects adopted.
Apart from making the source code accessible, he said development could take place in different places, making it possible for people to download the code from the place they trusted the most.
"The government would set out the 'protocol' which would define how these apps are to interact with each other, how the data is stored and how the data is released," he said.
The following scenario was suggested by him:
- "The app is downloaded and a single random number is created – this number is only stored on the phone and is unique to you.
- "The app turns on Bluetooth and watches for interactions with other phones.
- "Once an interaction has exceeded a criterion (as defined by the government protocol) the two phones running the app swap the random number generated in step 1. These numbers are stored along with the date/time on the phone only. Note that these are just numbers, nobody knows who they belong to.
- "Everyone’s app also subscribes to a list of electronically published numbers that the health authorities would like to contact.
- "If at some point in the future you test positive to COVID-19, at that point you are asked, but not forced, if you would be willing to share either your random number and/or your list of numbers (interactions) – there are subtle privacy differences here but either will work.
- "Your number is then either added to the list of numbers that other people’s apps should check to see if they have had any interaction with, alternatively a number could be broadcast saying “we need to contact this person”.
- "Your app would then offer up a notification to you saying that the health authorities would like to contact you. You can choose to follow this or just ignore it as you see fit."
Ivereigh said using this procedure would mean the aim of the health authorities could be achieved (contact tracing) without the people involved ever revealing their location, or even proximity to anyone else without their express permission.