Partially True

Rating: 5.5/10

Coalition
C0050

The Claim

"The COVIDSafe app's privacy policy failed to mention that information about the phone model and device name (e.g. 'Mary's iPhone') is broadcast over Bluetooth. One example of exploiting this is that a domestic violence abuser could tell whether the victim is at home and their housemates are not, without so much as looking into the building."
Original Source: Matthew Davis
Reviewed: 29 Jan 2026

Original Source

FACTUAL VERIFICATION

The core claim contains multiple technical and factual elements that require careful verification:

### What the CVE Documentation Actually Shows

There IS a genuine Bluetooth vulnerability in COVIDSafe (Android v1.0.17 and earlier), documented as **CVE-2020-12860** and **CVE-2020-12856** [1][2]. However, the claim's characterization of what information is exposed is only partially accurate and requires important context.

According to the CVE-2020-12860 technical documentation, COVIDSafe through v1.0.17 "allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them" [1]. This allows for "re-identification of a device, and potentially identification of the owner's name" [1].

A separate vulnerability, CVE-2020-12856, discovered by researchers Jim Mussared and Alwen Tiu, describes a "silent pairing issue" where "the bonding process involves exchanges of permanent identifiers of the victim phone: the identity address of the bluetooth device in the phone and a cryptographic key called Identity Resolving Key (IRK)" [3]. Either identifier can be used for "long term tracking of the phone" [3].
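Why a disclosed IRK is a long-term identifier, as an added illustration (this is not code from the page, from the CVE report, or from the COVIDSafe project): Bluetooth LE hides a phone behind rotating resolvable private addresses (RPAs). Each RPA is a 24-bit random value plus a 24-bit hash of that value computed with AES-128 under the IRK (the Core Specification's `ah` function). A bonded peer recognises the phone by recomputing the hash, so whoever holds the IRK can match every future rotation to the same phone, which is the tracking property the disclosure describes. The key and random values below are constructed sample data, not values from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// IRK is the 128-bit Identity Resolving Key exchanged during LE bonding.
type IRK [16]byte

// ah implements the Core Specification random-address hash
// ah(k, r) = e(k, padding || r) mod 2^24: AES-128 encrypt a block whose
// least significant 24 bits are prand, then keep the low 24 bits of the output.
func ah(k IRK, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // key length is fixed at 16 bytes, so this cannot fail
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // prand in the low 24 bits, block laid out MSB first
	block.Encrypt(out[:], in[:])
	var hash [3]byte
	copy(hash[:], out[13:])
	return hash
}

// NewResolvablePrivateAddress builds a 48-bit RPA (MSB first): the two type
// bits 0b01, 22 random bits, then the 24-bit hash of that prand under the IRK.
func NewResolvablePrivateAddress(k IRK, random [3]byte) [6]byte {
	prand := random
	prand[0] = (prand[0] & 0x3F) | 0x40 // top two bits 01 mark a resolvable private address
	hash := ah(k, prand)
	var addr [6]byte
	copy(addr[0:3], prand[:])
	copy(addr[3:6], hash[:])
	return addr
}

// Resolve reports whether addr was generated under k by recomputing the hash
// from the prand half. A legitimate bonded peer does exactly this; so can
// anyone who obtained the IRK, which is why it must stay a bonding secret.
func Resolve(k IRK, addr [6]byte) bool {
	if addr[0]>>6 != 0x1 { // not a resolvable private address at all
		return false
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	hash := ah(k, prand)
	return bytes.Equal(hash[:], addr[3:6])
}

func main() {
	// Constructed sample keys; not real device keys.
	phoneIRK := IRK{0x0b, 0x7c, 0x33, 0x9f, 0xa1, 0x5e, 0x04, 0xd8, 0x66, 0x12, 0xee, 0x4b, 0x3a, 0xc7, 0x90, 0x51}
	otherIRK := IRK{0xf2, 0x18, 0x6d, 0x40, 0x5b, 0x93, 0xc1, 0x07, 0x2e, 0xaa, 0x19, 0xd6, 0x84, 0x3f, 0x0c, 0xe9}

	// The phone rotates its address by drawing fresh random values (constructed here).
	rotations := [][3]byte{{0x12, 0x34, 0x56}, {0x9a, 0xbc, 0xde}, {0x00, 0x00, 0x01}}
	for _, r := range rotations {
		addr := NewResolvablePrivateAddress(phoneIRK, r)
		fmt.Printf("%x resolves with phone IRK: %v, with unrelated IRK: %v\n",
			addr[:], Resolve(phoneIRK, addr), Resolve(otherIRK, addr))
	}
}
```

Every rotated address resolves under the phone's IRK and none under an unrelated one, which is the whole point of address randomisation and exactly what a leaked IRK undoes. The identity address, the other identifier named in the disclosure, needs no computation at all: it is static by definition.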
### Device Name Broadcasting - Clarification Needed

A critical detail: according to a Twitter thread by security researcher Matthew Rocklin (@matthewrdev), "the app *does not* broadcast the device name" in its standard operation [4]. Instead, "when another phone detects you, you are identified using a Bluetooth address and not a device name" [4].

However, CVE-2020-12860 allows an attacker to extract phone model AND device name information through BLE role misuse, meaning the device name IS reachable by exploiting this vulnerability even though it is not broadcast in normal operation [1][2].
### Privacy Policy Disclosure

Regarding the claim that this was not mentioned in the privacy policy: QUT academic research on the COVIDSafe implementation found that the government provided a Privacy Impact Assessment focusing on Bluetooth data collection [5]. However, the specifics of what information could be extracted through BLE vulnerabilities may not have been explicitly detailed in consumer-facing privacy policy documentation [5]. The privacy policy did note that "a Bluetooth scan can be used to gather information about the location of the user" [6], but may not have detailed the specific device name/model extraction vulnerability [5].

Missing Context

### Timeline and Patch Status

The vulnerability was reported to the DTA (Department of Home Affairs) on May 5, 2020, and **was fixed in COVIDSafe (Android) v1.0.18** [3]. The app was deployed on April 26, 2020, meaning the vulnerability existed for approximately 3 weeks before patches were available [1][3]. The fix was implemented promptly after discovery [3].

### Domestic Violence Exploitation - Theoretical vs Proven

While the claim presents a scenario where "a domestic violence abuser can tell whether the victim is at home and their house-mates are not," this appears to be a **theoretical vulnerability rather than documented evidence of actual exploitation** [1][3]. The CVE documents discuss the technical capability for "long term tracking" through BLE identifier extraction [3], but there is no evidence in the published vulnerability disclosures, academic literature, or media reporting of actual instances where this vulnerability was exploited for domestic violence tracking [2][3]. This is a **legitimate security concern** that researchers identified and responsibly disclosed, but characterizing it as a known exploitation method without documented instances extrapolates beyond what the evidence shows.

### Technical Accuracy of "Broadcasting"

The claim's use of the word "broadcast" is technically imprecise. Device names are not continuously broadcast in COVIDSafe's normal operation. Rather, they are exposed through BLE technical vulnerabilities (role misuse) that allow an attacker to extract this information from the device's Bluetooth stack [1][2]. This is a meaningful distinction because it affects threat modeling: an attacker would need to actively conduct a technical exploit, not merely be within Bluetooth range [3].

Source Credibility Assessment

The original source is a **Google Doc** with no identified author, institutional affiliation, or publication credentials listed in the claim file [7]. Without access to the full document, assessing its credibility is limited. However, the claim does reference legitimate security vulnerabilities (CVE-2020-12860 and CVE-2020-12856) that are well documented in official sources.

The underlying CVE disclosures and academic research come from credible sources:

- **CVE-2020-12860**: Published by MITRE/NVD (National Vulnerability Database), the official vulnerability tracking system [1]
- **CVE-2020-12856**: Discovered and disclosed by Jim Mussared (George Robotics) and Alwen Tiu (ANU), published on GitHub with technical documentation [3]
- **QUT Academic Research**: Peer-reviewed article on the COVIDSafe implementation from Queensland University of Technology [5]

These are credible technical disclosures, not partisan sources.

Comparison with Labor

**Did Labor have equivalent technology privacy failures?**

Search conducted: "Labor government technology privacy failures contact tracing"

Labor's involvement with contact tracing technology was limited during this period, as the Coalition government held power (2013-2022) and developed COVIDSafe. Labor was in opposition and did not develop an alternative contact tracing app [8].

However, broader technology privacy concerns existed across both parties:

- Both Labor and Coalition governments have faced criticism for inadequate privacy protections in digital government services [8]
- Privacy reform efforts in Australia have been cross-party issues, with concerns raised about government data handling practices generally, not specific to one party [8]
- The broader privacy framework issues that necessitated special COVIDSafe legislation are systemic to Australia's fragmented privacy law regime, not unique to the Coalition's implementation [5]

In essence, there is no direct Labor equivalent because Labor was not in government during the COVID-19 pandemic and did not develop contact tracing apps.

Balanced Perspective

### The Legitimate Technical Vulnerability

The claim is **correct that a genuine technical vulnerability existed** in COVIDSafe that could theoretically expose device model and name information, and that this information could potentially be used to track someone's location or presence [1][3]. The vulnerability was real, documented by credible security researchers, and responsibly disclosed [3].

### The Government's Response

Positively, the Australian Government acted on the disclosure by releasing a patch (v1.0.18) within approximately 3 weeks of being notified [3]. The app also included additional privacy protections compared to comparable apps such as Singapore's TraceTogether, including criminal penalties for unauthorized data use [5].

### Overstated Claims About Practical Exploitation

The leap from "a technical vulnerability exists that theoretically could expose device information" to "domestic violence abusers can exploit this" is not supported by evidence. While the theoretical risk is a valid subject for security advisories, asserting documented exploitation without evidence is misleading [1][3][7].

### Privacy Policy and Disclosure Issue

The claim about privacy policy disclosure is partially valid. The government may not have explicitly detailed BLE vulnerability risks to general users, though privacy professionals would expect such risks to be part of security threat modeling [5]. The privacy policy did disclose Bluetooth data collection, but the specifics of potential BLE attacks may not have been consumer-facing [5][6].

### Actual Impact Assessment

Given that:

- The vulnerability was patched relatively quickly (within ~3 weeks) [3]
- The app remained voluntary and had low uptake (it never reached government targets) [5]
- Exploitation would require technical sophistication beyond casual surveillance [3]
- No documented cases of exploitation for domestic violence exist [1][3]

the **actual practical harm appears limited** compared to the severity the claim implies.

PARTIALLY TRUE

5.5

out of 10

The claim is correct that: (1) a genuine technical vulnerability existed allowing device model/name extraction, and (2) this information could theoretically be used to track presence.

However, the claim is misleading in: (1) characterizing a theoretical vulnerability as documented exploitation for domestic violence, (2) using "broadcast" imprecisely, and (3) omitting that the vulnerability was patched quickly and responsibly disclosed.

The claim presents a worst-case technical capability as if it were an actual threat scenario with documented exploitation.

SOURCES AND REFERENCES (8)

  1. cvedetails.com - Cvedetails
  2. nvd.nist.gov - CVE-2020-12860
  3. github.com - A bluetooth-related vulnerability in some contact tracing apps - alwentiu/COVIDSafe-CVE-2020-12856 (GitHub)
  4. threadreaderapp.com - Thread by @matthewrdev: The #covidsafe app is now available in Australia However, it's a shame that they have decided not to release the sourr full transparency. Luckily, I'm a curious chap and also a professional mobile developer. So, I've downloaded an… (Threadreaderapp)
  5. lthj.qut.edu.au - Lthj Qut Edu
  6. reddit.com - The heart of the internet
  7. docs.google.com - Privacy issues discovered in the BLE implementation of the COVIDSafe Android app, Jim Mussared (jim.mussared@gmail.com, https://twitter.com/jim_mussared), 28/04/2020, last updated 15/05/2020, status: Public, updates ongoing (Google Docs)
  8. ashurst.com - Australia's first tranche of privacy reforms – a deep dive and why they matter (Ashurst)

Rating Scale Methodology

1-3: FALSE

Factually incorrect or maliciously fabricated.

4-6: PARTIAL

Contains truth, but the context is missing or distorted.

7-9: MOSTLY TRUE

Minor technical details or wording issues.

10: ACCURATE

Perfectly verified and fair in context.

Methodology: Ratings are determined by cross-referencing official government records, independent fact-checking organizations, and primary documents.