Partially True

Rating: 5.5/10

Coalition
C0050

The Claim

“Failed to mention in the COVIDSafe app privacy policy that information about the phone model and device name (e.g. 'Mary's iPhone') is broadcast over Bluetooth. An example of this being exploited is that a domestic violence abuser can tell whether the victim is at home and their house-mates are not, without setting foot in the building.”
Original Source: Matthew Davis
Analyzed: 29 Jan 2026

FACTUAL VERIFICATION

The core claim contains multiple technical and factual elements that require careful verification:

What the CVE Documentation Actually Shows

There IS a genuine Bluetooth vulnerability in COVIDSafe (Android v1.0.17 and earlier), documented as CVE-2020-12860 and CVE-2020-12856 [1][2]. However, the claim's characterization of what information is exposed is partially accurate but requires important context.

According to the CVE-2020-12860 technical documentation, COVIDSafe through v1.0.17 "allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them" [1]. This allows for "re-identification of a device, and potentially identification of the owner's name" [1].

A separate vulnerability, CVE-2020-12856, discovered by researchers Jim Mussared and Alwen Tiu, describes a "silent pairing issue" where "the bonding process involves exchanges of permanent identifiers of the victim phone: the identity address of the bluetooth device in the phone and a cryptographic key called Identity Resolving Key (IRK)" [3]. Either identifier can be used for "long term tracking of the phone" [3].

Device Name Broadcasting - Clarification Needed

A critical detail: According to a Twitter thread by security researcher Matthew Rocklin (@matthewrdev), "the app does not broadcast the device name" in the standard operation of the app [4]. Instead, "when another phone detects you, you are identified using a Bluetooth address and not a device name" [4].

However, the CVE-2020-12860 vulnerability allows attackers to extract phone model AND device name information through BLE role misuse, meaning the device name IS accessible through exploitation of this vulnerability, even if not broadcast in normal operation [1][2].

Privacy Policy Disclosure

Regarding the claim that this wasn't mentioned in the privacy policy: The QUT academic research on COVIDSafe implementation found that the government provided a Privacy Impact Assessment focusing on Bluetooth data collection [5]. However, the specifics of what information could be extracted through BLE vulnerabilities may not have been explicitly detailed in consumer-facing privacy policy documentation [5]. The privacy policy did note that "a Bluetooth scan can be used to gather information about the location of the user" [6], but may not have detailed the specific vulnerability of device name/model extraction [5].

Missing Context

Timeline and Patch Status

The vulnerability was reported to DTA (Department of Home Affairs) on May 5, 2020, and was fixed in COVIDSafe (Android) v1.0.18 [3]. The app was deployed April 26, 2020, meaning this vulnerability existed for approximately 3 weeks before patches were available [1][3]. The fix was implemented promptly after discovery [3].

Domestic Violence Exploitation - Theoretical vs Proven

While the claim presents a scenario where "a domestic violence abuser can tell whether the victim is at home and their house-mates are not," this appears to be a theoretical vulnerability rather than documented evidence of actual exploitation [1][3].

The CVE documents discuss the technical capability for "long term tracking" through BLE identifier extraction [3], but there is no evidence in the published vulnerability disclosures, academic literature, or media reporting of actual instances where this vulnerability was exploited for domestic violence tracking [2][3].

This is a legitimate security concern that researchers identified and responsibly disclosed, but characterizing it as a known exploitation method without documented instances is an extrapolation beyond what the evidence shows.

Technical Accuracy of "Broadcasting"

The claim uses the word "broadcast" which is technically imprecise. Device names are not continuously broadcast in COVIDSafe's normal operation. Rather, they are exposed through BLE technical vulnerabilities (role misuse) that allow attackers to extract this information from the device's Bluetooth stack [1][2]. This is a meaningful distinction because it affects threat modeling—an attacker would need to actively conduct a technical exploit, not merely be in Bluetooth range [3].
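To make the broadcast-versus-extraction distinction concrete, here is a small added example (not code from the original page or from the COVIDSafe project) that parses a BLE advertising payload into its length/type/data structures and reports what an observer in radio range learns from the advertisement alone: the flags, any service UUIDs, and whether a Shortened or Complete Local Name is actually on the air. The two payloads and the 16-bit service UUID 0xABCD are constructed for illustration and are not captures of COVIDSafe traffic.

```python
"""BLE advertising-payload audit: which AD structures are actually on the air?

Added example, not code from the original page or from the COVIDSafe project.
The payloads below are constructed for illustration; they are not captures of
COVIDSafe traffic. The 16-bit service UUID 0xABCD is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assigned-number names for the AD types this audit cares about (Bluetooth
# Core Specification Supplement, "Data Types Specification").
AD_TYPE_NAMES: Dict[int, str] = {
    0x01: "Flags",
    0x02: "Incomplete List of 16-bit Service UUIDs",
    0x03: "Complete List of 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x16: "Service Data - 16-bit UUID",
    0xFF: "Manufacturer Specific Data",
}
NAME_AD_TYPES = {0x08, 0x09}
UUID16_LIST_TYPES = {0x02, 0x03}


@dataclass
class AdStructure:
    ad_type: int
    data: bytes


def parse_ad_structures(payload: bytes) -> List[AdStructure]:
    """Split an advertising payload into its length/type/data structures."""
    structures: List[AdStructure] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break  # zero-length structure: padding after the significant part
        end = i + 1 + length  # the length byte covers the type byte plus data
        if end > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        structures.append(AdStructure(payload[i + 1], payload[i + 2:end]))
        i = end
    return structures


def advertised_local_name(payload: bytes) -> Optional[str]:
    """Return the local name if the advertisement carries one, else None."""
    for s in parse_ad_structures(payload):
        if s.ad_type in NAME_AD_TYPES:
            return s.data.decode("utf-8", errors="replace")
    return None


def audit_advertisement(payload: bytes) -> dict:
    """Summarise what an observer in radio range learns from this payload alone."""
    structures = parse_ad_structures(payload)
    uuids: List[str] = []
    for s in structures:
        if s.ad_type in UUID16_LIST_TYPES:
            # 16-bit UUIDs are little-endian on the air.
            for j in range(0, len(s.data) - 1, 2):
                uuids.append(f"0x{s.data[j] | (s.data[j + 1] << 8):04X}")
    name = advertised_local_name(payload)
    return {
        "ad_types": [AD_TYPE_NAMES.get(s.ad_type, f"0x{s.ad_type:02X}") for s in structures],
        "service_uuids_16": uuids,
        "local_name": name,
        "name_on_air": name is not None,
    }


# Constructed sample 1: flags, a 16-bit service UUID and service data, no name.
# An observer learns the (possibly random) advertising address and the UUID,
# which is the "identified by a Bluetooth address, not a device name" case.
PRIVATE_ADV = bytes([
    0x02, 0x01, 0x06,                     # Flags: LE General Discoverable, no BR/EDR
    0x03, 0x03, 0xCD, 0xAB,               # Complete 16-bit UUID list: 0xABCD
    0x05, 0x16, 0xCD, 0xAB, 0x01, 0x02,   # Service data for 0xABCD: two payload bytes
])

# Constructed sample 2: the same flags plus a Complete Local Name. A name like
# this would let anyone in range re-identify the handset without connecting.
_NAME = b"Mary's iPhone"
LEAKY_ADV = bytes([0x02, 0x01, 0x06, len(_NAME) + 1, 0x09]) + _NAME


if __name__ == "__main__":
    for label, adv in (("private", PRIVATE_ADV), ("leaky", LEAKY_ADV)):
        print(label, audit_advertisement(adv))
```

The audit only covers the advertising channel. The GAP Device Name characteristic that CVE-2020-12860 concerns is a GATT attribute readable only after a connection is established, which is exactly why the fact-check separates what is "broadcast" in normal operation from what an attacker had to actively connect and extract.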

Source Credibility Assessment

The original source is a Google Doc with no identified author, institutional affiliation, or publication credentials listed in the claim file [7]. Without access to view the full document, assessing its credibility is limited. However, the claim does reference legitimate security vulnerabilities (CVE-2020-12860 and CVE-2020-12856) that are well-documented in official sources.

The underlying CVE disclosures and academic research are from credible sources:

  • CVE-2020-12860: Published by MITRE/NVD (National Vulnerability Database), official vulnerability tracking [1]
  • CVE-2020-12856: Discovered and disclosed by Jim Mussared (George Robotics) and Alwen Tiu (ANU), published on GitHub with technical documentation [3]
  • QUT Academic Research: Peer-reviewed article on COVIDSafe implementation from Queensland University of Technology [5]

These sources are credible technical disclosures, not partisan sources.

Labor Comparison

Did Labor have equivalent technology privacy failures?

Search conducted: "Labor government technology privacy failures contact tracing"

Labor's involvement with contact tracing technology was limited during this period, as the Coalition government held power (2013-2022) and developed COVIDSafe. Labor was in opposition and did not develop an alternative contact tracing app [8].

However, broader technology privacy concerns existed across both parties:

  • Both Labor and Coalition governments have faced criticism for inadequate privacy protections in digital government services [8]
  • Privacy reform efforts in Australia have been cross-party issues, with concerns raised about government data handling practices generally, not specific to one party [8]
  • The broader privacy framework issues that necessitated special COVIDSafe legislation are systemic to Australia's fragmented privacy law regime, not unique to Coalition implementation [5]

In essence, there is no direct Labor equivalent because Labor was not in government during the COVID-19 pandemic and did not develop contact tracing apps.

Balanced Perspective

The Legitimate Technical Vulnerability

The claim is correct that a genuine technical vulnerability existed in COVIDSafe that could theoretically expose device model and name information, and that this information could potentially be used to track someone's location/presence [1][3]. The vulnerability was real, documented by credible security researchers, and responsibly disclosed [3].

The Government's Response

Positively, the Australian Government acted on the disclosure by releasing a patch (v1.0.18) within approximately 3 weeks of being notified [3]. The app also included additional privacy protections compared to comparable apps like Singapore's TraceTogether, including criminal penalties for unauthorized data use [5].

Overstated Claims About Practical Exploitation

The leap from "a technical vulnerability exists that theoretically could expose device information" to "domestic violence abusers can exploit this" is not supported by evidence. While the theoretical risk is valid for security advisories, claiming documented exploitation without evidence is misleading [1][3][7].

Privacy Policy and Disclosure Issue

The claim about privacy policy disclosure is partially valid. The government may not have explicitly detailed BLE vulnerability risks to general users, though privacy professionals would expect such risks to be part of security threat modeling [5]. The privacy policy did disclose Bluetooth data collection, but specifics of potential BLE attacks may not have been consumer-facing [5][6].

Actual Impact Assessment

Given that:

  • The vulnerability was patched relatively quickly (within ~3 weeks) [3]
  • The app remained voluntary and had low uptake (never reached government targets) [5]
  • The exploitation would require technical sophistication beyond casual surveillance [3]
  • No documented cases of exploitation for domestic violence exist [1][3]

The actual practical harm appears limited compared to the severity the claim implies.

Verdict: PARTIALLY TRUE (5.5 out of 10)

The claim is correct that: (1) a genuine technical vulnerability existed allowing device model/name extraction, and (2) this information could theoretically be used to track presence. However, the claim is misleading in: (1) characterizing theoretical vulnerability as documented exploitation for domestic violence, (2) using "broadcast" imprecisely, and (3) omitting that the vulnerability was patched quickly and responsibly disclosed. The claim presents worst-case technical capability as if it were an actual threat scenario with documented exploitation.

SOURCES & CITATIONS (8)

  1. cvedetails.com (Cvedetails)
  2. nvd.nist.gov: CVE-2020-12860
  3. github.com: A bluetooth-related vulnerability in some contact tracing apps - alwentiu/COVIDSafe-CVE-2020-12856 (GitHub)
  4. threadreaderapp.com: Thread by @matthewrdev: The #covidsafe app is now available in Australia However, it's a shame that they have decided not to release the sourr full transparency. Luckily, I'm a curious chap and also a professional mobile developer. So, I've downloaded an… (Threadreaderapp)
  5. lthj.qut.edu.au (Lthj Qut Edu)
  6. reddit.com: The heart of the internet
  7. docs.google.com: Privacy issues discovered in the BLE implementation of the COVIDSafe Android app, Jim Mussared (https://twitter.com/jim_mussared), 28/04/2020, last updated 15/05/2020, status: Public, updates ongoing (Google Docs)
  8. ashurst.com: Australia's first tranche of privacy reforms – a deep dive and why they matter (Ashurst)

Rating Scale Methodology

1-3: FALSE

Factually incorrect or malicious fabrication.

4-6: PARTIAL

Some truth but context is missing or skewed.

7-9: MOSTLY TRUE

Minor technicalities or phrasing issues.

10: ACCURATE

Perfectly verified and contextually fair.

Methodology: Ratings are determined through cross-referencing official government records, independent fact-checking organizations, and primary source documents.