COVIDSafe

COVIDSafe[14][15] was a digital contact tracing app released by the Australian Government on 26 April 2020[16][17] to help combat the ongoing COVID-19 pandemic.

[19] To achieve this, it used the BlueTrace and Herald protocols, originally developed by the Singaporean Government and VMware respectively,[20][21] to passively collect an anonymised registry of near contacts.

[23] COVIDSafe first began development in late March, shortly after the Morrison government showed interest in Singapore's TraceTogether app.

[36] Accompanying the release, Peter Dutton, then Minister for Home Affairs, announced new legislation that would make it illegal to coerce one into submitting a contact report, even if a person had already registered with the app and tested positive for COVID-19.

[61][62] In late June, following a "second wave" in Victoria sparked by family gatherings,[63][64][65] COVIDSafe data was accessed by contact tracers over 90 times.

[68] At the same time, a COVID-19 positive protester who attended the Melbourne Black Lives Matter rally on 6 June 2020 was criticised in the media for having not downloaded the app.

[76] Mina Zaki, the wife of the CEO of Delv Pty Ltd, was a Liberal Party candidate for the federal seat of Canberra in the 2019 election.

[78] In a 22 July 2020 Sky News interview, Minister for Government Services Stuart Robert blamed the failure of COVIDSafe on the unwillingness of Apple and Google to modify their existing, globally deployed, Exposure Notification framework (ENF) to work with the app.

[89] By 29 November 2020, the Digital Transformation Agency was reportedly considering incorporating VMware's Herald protocol to improve performance and detection success rate.

[11] On 2 February 2021, the Digital Transformation Agency announced a new update enabling the app to display state and territory COVID-19 case statistics.

[90] It was announced on 26 February 2021 that the app had been updated to feature state and territory restrictions, as well as improving battery consumption on Android devices.

[92] Similarly, every other state and territory in Australia has its own QR-code based solution.[citation needed]

On 2 December 2021, NSW and Victorian health officials admitted to The Guardian that the data collected by the app had not been used a single time in 2021,[93] despite the extensive outbreaks and lockdowns that year.

[100] Users in contact logs are identified using anonymous time-shifting "temporary IDs" issued by a central Department of Health (DoH) server.

Furthermore, since temporary IDs change on a regular basis, malicious third parties cannot track users by observing log entries over time.

However, this method also presents some issues, primarily the lack of human-in-the-loop reporting, leading to a higher occurrence of false positives.

[96][114][112] During the 6 May 2020 Senate Select Committee public hearing on COVID-19 and the COVIDSafe app,[43] the Digital Transformation Agency (DTA) announced they were looking into transitioning the protocol from BlueTrace to the Google and Apple developed Exposure Notification framework (ENF).

[122] The role of state and territory health authorities in the process would also change significantly, as they would no longer be responsible for determining and contacting encounters.

Versions 1.0 and 1.1 of COVIDSafe for iOS did not scan for other devices when the application was placed in the background, resulting in far fewer recorded contacts than was possible.

[143][144][145] Additionally, several privacy watchdogs raised concerns over the data collected by the app, and the potential for the centralised reporting server to become a target for hackers.

[146][147][148] To address concerns, the Attorney General launched an investigation into the app to ensure it had proper privacy controls and was sufficiently secure.

[37] The app was supposed to be source-available to allow it to be audited and analysed by the public;[150] however, this was delayed[151] until a review by the Australian Signals Directorate had been completed.

[44] Issue was also taken with the fact that the backend of the app runs on the Amazon Web Services (AWS) platform,[153] meaning the US Government could potentially seize the data of Australian citizens.

[2]: 02:59:30 Following the global rollout of the Google and Apple developed Exposure Notification Framework (ENF) in late June 2020,[156] public concerns were raised that the government or the companies were tracking users without their knowledge or consent.

On 29 May 2020, a group of independent security researchers including Troy Hunt, Kate Carruthers, Matthew Robbins, and Geoffrey Huntley released an informal report raising a number of issues discovered in the decompiled app.

[167][132][168] Their primary concerns were two flaws in the implementation of the protocol that could potentially allow malicious third parties to ascertain static identifiers for individual clients.

The bug occurred with a supposedly random, regularly changing three-byte string included in that was, in fact, static for the entire lifetime of an app instance.
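The check below is an added example, not code from COVIDSafe or from the researchers' report. It shows why rotating temporary IDs only prevents tracking when every value sent alongside the ID rotates as well; the observation layout, ID strings and field values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations (not real captures). Each tuple is
# (seconds since start, temporary ID, three-byte field as hex).
# This record layout is an assumption made for the example.
BUGGY = [
    (0,    "tempid-A1", "9f3c02"),
    (600,  "tempid-A1", "9f3c02"),
    (960,  "tempid-A2", "9f3c02"),   # temporary ID rotated, field did not
    (1900, "tempid-A3", "9f3c02"),
    (30,   "tempid-B1", "4410be"),
    (1000, "tempid-B2", "4410be"),
]
FIXED = [
    (0,    "tempid-A1", "9f3c02"),
    (960,  "tempid-A2", "51d7aa"),   # field regenerated with the temporary ID
    (1900, "tempid-A3", "e08b13"),
    (30,   "tempid-B1", "4410be"),
    (1000, "tempid-B2", "7c2f90"),
]


def linked_temp_ids(observations):
    """Return {field_value: [temp IDs in order first seen]} for every field
    value that was observed alongside more than one temporary ID."""
    seen = defaultdict(list)
    for _, temp_id, field in sorted(observations):
        if temp_id not in seen[field]:
            seen[field].append(temp_id)
    return {f: ids for f, ids in seen.items() if len(ids) > 1}


def rotation_is_unlinkable(observations):
    """True when no accompanying field value survives a temporary ID change."""
    return not linked_temp_ids(observations)


if __name__ == "__main__":
    for name, sample in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, "unlinkable:", rotation_is_unlinkable(sample))
        for field, ids in linked_temp_ids(sample).items():
            print(f"  field {field} links {' -> '.join(ids)}")
```

Run against payload logs from a test build, a non-empty result from `linked_temp_ids` means some field is acting as a static identifier across rotations.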

[179] The second issue was located in GattServer.kt, the class responsible for managing BLE peripheral mode, where the cached read payload is incorrectly cleared.

[41][42] The determination and bill make it illegal for anyone to access COVIDSafe app data without both the consent of the device owner[39]: §7.1 and being an employee or contractor of a state or territory health authority.