A researcher says he found "security problems" with the software being used to trace the location of travellers returning to New Zealand amid the Covid-19 scare.
Brad Cowie, who works for Waikato University's Computer Science Department, says some of the issues with the site were critical. He also had the overarching concern that it looked, in his opinion, "more like a scam than a legitimate service."
His opinion when he first saw it was that it needed to be "ditched or drastically improved" - but he's heartened that fixes are now underway.
The tracing system uses a combination of txt messages and website links.
Police Commissioner Mike Bush revealed yesterday that 6250 texts had been sent since Monday to Kiwis who had arrived back in the country and "over" 3000 people responded.
The text from 4511 reads: "NZPolice COVID19 self-isolation check under S.70(1)(f) Health Act 1956. Select the link to confirm location."
Cowie says he was first alerted to the tracing system on Wednesday night when a friend, who just returned to NZ, sent him a screen shot of the 4511 message and asked him if it was a scam.
"On Wednesday night, a friend sent through a screenshot of a txt message they received when re-entering the country, asking them to use covid19.loc.nz to submit their location data. They wanted to know if it was legitimate or not. My initial reaction was no.
"The website felt and looked similar to a scam and had a few security problems."
Cowie's reaction was a common one. Government agency Cert NZ (The Computer Emergency Response Team) told the Herald this afternoon it has received multiple queries about whether the 4511 message was a scam.
The researcher quickly established that the tracing system was kosher - but in doing so, he began to uncover other problems.
"On Thursday afternoon, I was put in touch with the Police and Cert NZ, who were very enthusiastic to get the problems sorted. I provided a list of problems I think should be addressed and the vendor has quickly fixed a number of the more critical ones. I am still working through with both of them on some issues - notably the look and feel of the website and its messaging," Cowie said midday Friday.
Although he found various issues himself, Cowie said criticism from a Geekzone member that the covid19.loc.nz tracing site had no firewall and was exposing data in the public domain was not a fair comment. "The service runs on Azure which implicitly has a firewall layer always sitting there. That firewall as of last night has been reconfigured by the vendor to block more ports than it was before," he said.
The software developer did immediately return a request for comment.
A police spokeswoman disputed Cowie's characterisation of security problems since the Monday launch, offering the general comment that, "We have taken a range of actions to ensure the security of the platform, and provided confidence in the legitimacy of the text. We will continue to investigate further enhancements for the platform moving forward."
Meanwhile, Privacy Commissioner John Edwards has addressed questions about the new system.
Edwards said earlier today that, like Cert NZ, his office had fielded queries from people wondering if the texts were a scam.
The Privacy Commissioner says Police have explained it was software previously used to a limited extent for search and rescue that has been repurposed and scaled up for the Covid-19 emergency.
The website is currently being redeveloped to make it clear it is an official New Zealand government website.
Edwards said he understood that Police are in the process of completing a privacy impact assessment and security review of the website.
He is reassured that the appropriate steps are being taken to ensure the system is being used proportionately and is fit for purpose.
The tracing tool introduced by Police this week is voluntary.
But earlier, Edwards confirmed to the Herald that Police could use technology already in place for emergency tracking to trace the movements of those who could be infected with Covid-19.
"Under the Privacy Act and Telecommunications Information Privacy Code, telcos are able to disclose telecommunications information where they believe on reasonable grounds that it is necessary to prevent or lessen a serious threat to public health," Edwards said.
Tracing steps taken by authorities in New Zealand are so far light-handed next to those taken by the likes of China and Singapore, where smartphone apps are used to trace the movements of citizens en masse amid the coronavirus scare, and Hong Kong, where tracking bracelets are being used.