The federal government has no plans to introduce a vulnerability disclosure program despite a number of security researchers calling for a better way of notifying about significant flaws such as those found in the digital vaccine certificate. In response to questions on notice from Senate Estimates hearings last year, Services Australia brushed aside concerns about…
Victoria’s COVID-19 digital vaccine certificates are “woefully insecure” and “very easy” to forge in just minutes, according to a number of developers and cryptography experts who have criticised the lack of a national standard for this service. The Victorian Government this week announced the integration of vaccine certification into the Services Victoria QR code check-in…
OPINION: As the government turns its thinking to a vaccination passport or similar, it would do well to learn some of the lessons from COVIDSafe.
COVIDSafe illustrates the need for a good understanding of both policy intent and how the technology works.
Aimed at ‘help[ing] assist health officials understand and contain the spread’ of COVID-19, the app is more than a benign study assistant.
It uses people’s smartphone Bluetooth functionality as an incomplete proxy for distance between potential carriers and other people. Collected data provides an approximate, near real-time social network.
That can be both helpful to understanding the spread of infection and highly invasive of privacy. Like all such data, stripped of context, it can be highly misleading and potentially open to abuse.
So, kudos to the government, which realised it needed strong privacy provisions around COVIDSafe data.
However, it’s not enough to do good on the legislative side alone: government needs to follow through on the technology and implementation.
A fundamental lesson of running a technology shop is that most apparently technical faults aren’t technical in nature but organisational.
A ‘technical failure’, for example, may expose how after a reorganisation, no-one had assumed responsibility for backing up key systems, or that a long-departed contractor had hard-coded passwords.
When these events occur, best practice in a mature technology organisation is to run an all-hands retrospective, after-action review, or blameless post-mortem to understand what happened, to identify systemic issues and a way ahead.
Such exercises are not to find scapegoats but to ask ‘why’ until a root cause is found.
Typically, it takes several iterations, digging progressively deeper. And it requires a healthy, open, informed, constructive, and respectful culture. After all, technology done well is hard; the technology-savvy organisation will seek opportunities to improve.
The report by independent researchers Richard Nelson, Vanessa Teague, Jim Mussared and Geoffrey Huntley probably offers the best insight into COVIDSafe’s technical, privacy and security issues.
The organisational issues can only be inferred. Examples include the hurried implementation that led to oversights on privacy issues, the prioritisation of user interface changes over privacy and security issues, the choice of security advisories by the Digital Transformation Agency, and persistence with a notification protocol that required workarounds that in turn introduced inconsistencies.
Without digging deeper, root causes can only be guessed at.
What is clear, however, is that the government’s technology competence could be improved, at both the technical and organisational level. As policy is increasingly shaped and implemented through technology, that’s needed.
First, people. Twenty years of outsourcing, combined with a continued erosion of public service knowledge and rapid technological change, makes it hard to argue, aside from some niche areas, that the government is an informed judge of technology.
But more ‘techies’ alone won’t help much. Technologists need to be exposed to the complexity of policy and delivery; policy and program managers need to understand the nature, opportunities, constraints, and weaknesses of technology.
Ministers, too, have a responsibility to be much more familiar with technology than they are now. They need to learn to avoid optimism bias, be wary of vendor promises, and be willing to listen to the practicalities of complex design and implementation.
Second, process. Given the fusing of policy, programs and technology, government needs an appropriate means of oversight—one that has a good grasp of technology and the economic, societal, and national security implications in design, implementation, and operation.
That role cannot be outsourced to either vendors and consultancies, or the national security community, which rightly has a singular focus but typically lacks an empathetic citizen perspective.
The government may consider its own lab for the express purpose of understanding and testing technologies, including hardware and algorithms.
To understand technology well, one must build and run it. There is a precedent from the days when we took such technical expertise seriously: Lucas Heights was built to ensure Australia retained expertise in the nuclear fuel cycle.
Technology is an integral part of people’s lives, society, the economy, and government. It’s going to have a continuing role in how we live with COVID.
Best that government takes it sufficiently seriously to get it right, rather than simply acting to meet political expedience.
Dr Lesley Seebeck is an Honorary Professor at the Australian National University and the former chief executive of the ANU Cyber Institute. She has worked in senior roles across government including as Chief Investment and Advisory Officer at the Digital Transformation Agency.