Partially true

Score: 5.5/10

Coalition
C0050

Claim

"The COVIDSafe app's privacy policy does not mention that the phone model and device name (e.g. 'Mary's iPhone') are broadcast over Bluetooth. One example of how this could be exploited: a domestic violence abuser can tell, without setting foot in the building, whether the victim is at home and whether their housemates are away."
Original source: Matthew Davis
Analysed: 29 Jan 2026

Original source

Fact check

The core claim contains multiple technical and factual elements that require careful verification:

### What the CVE Documentation Actually Shows

There IS a genuine Bluetooth vulnerability in COVIDSafe (Android v1.0.17 and earlier), documented as **CVE-2020-12860** and **CVE-2020-12856** [1][2].

However, the claim's characterization of what information is exposed is partially accurate but requires important context.

According to the CVE-2020-12860 technical documentation, COVIDSafe through v1.0.17 "allows a remote attacker to access phone name and model information because a BLE device can have four roles and COVIDSafe uses all of them" [1]. This allows for "re-identification of a device, and potentially identification of the owner's name" [1].

A separate vulnerability, CVE-2020-12856, discovered by researchers Jim Mussared and Alwen Tiu, describes a "silent pairing issue" where "the bonding process involves exchanges of permanent identifiers of the victim phone: the identity address of the bluetooth device in the phone and a cryptographic key called Identity Resolving Key (IRK)" [3]. Either identifier can be used for "long term tracking of the phone" [3].

### Device Name Broadcasting - Clarification Needed

A critical detail: according to a Twitter thread by security researcher Matthew Rocklin (@matthewrdev), "the app *does not* broadcast the device name" in the standard operation of the app [4]. Instead, "when another phone detects you, you are identified using a Bluetooth address and not a device name" [4].

However, the CVE-2020-12860 vulnerability allows attackers to extract phone model AND device name information through BLE role misuse, meaning the device name IS accessible through exploitation of this vulnerability, even if it is not broadcast in normal operation [1][2].

### Privacy Policy Disclosure

Regarding the claim that this wasn't mentioned in the privacy policy: the QUT academic research on COVIDSafe implementation found that the government provided a Privacy Impact Assessment focusing on Bluetooth data collection [5]. However, the specifics of what information could be extracted through BLE vulnerabilities may not have been explicitly detailed in consumer-facing privacy policy documentation [5].

The privacy policy did note that "a Bluetooth scan can be used to gather information about the location of the user" [6], but may not have detailed the specific vulnerability of device name/model extraction [5].

Missing context

### Timeline and Patch Status

The vulnerability was reported to DTA (Department of Home Affairs) on May 5, 2020, and **was fixed in COVIDSafe (Android) v1.0.18** [3]. The app was deployed April 26, 2020, meaning this vulnerability existed for approximately 3 weeks before patches were available [1][3]. The fix was implemented promptly after discovery [3].

### Domestic Violence Exploitation - Theoretical vs Proven

While the claim presents a scenario where "a domestic violence abuser can tell whether the victim is at home and their house-mates are not," this appears to be a **theoretical vulnerability rather than documented evidence of actual exploitation** [1][3]. The CVE documents discuss the technical capability for "long term tracking" through BLE identifier extraction [3], but there is no evidence in the published vulnerability disclosures, academic literature, or media reporting of actual instances where this vulnerability was exploited for domestic violence tracking [2][3].

This is a **legitimate security concern** that researchers identified and responsibly disclosed, but characterizing it as a known exploitation method without documented instances is an extrapolation beyond what the evidence shows.

### Technical Accuracy of "Broadcasting"

The claim uses the word "broadcast", which is technically imprecise. Device names are not continuously broadcast in COVIDSafe's normal operation. Rather, they are exposed through BLE technical vulnerabilities (role misuse) that allow attackers to extract this information from the device's Bluetooth stack [1][2]. This is a meaningful distinction because it affects threat modeling: an attacker would need to actively conduct a technical exploit, not merely be in Bluetooth range [3].
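To make the "broadcast" distinction concrete, here is an added example (not code from this fact-check, from COVIDSafe or from the CVE write-ups) that parses a legacy BLE advertising payload and reports whether a local-name AD structure is present, which is all a passive scanner in Bluetooth range sees without any exploit. The sample payloads and the 128-bit service UUID are constructed placeholders, not COVIDSafe's real values.

```python
"""Audit whether a BLE advertising payload carries a device name.

Added example for this fact-check; it is not code from the fact-check,
from COVIDSafe or from the CVE write-ups. It parses the AD structures of
a legacy BLE advertising payload (31 bytes max) and reports whether a
Shortened/Complete Local Name structure is present. Sample payloads are
constructed; the 128-bit service UUID is a placeholder, NOT COVIDSafe's.
"""
from typing import Dict, List, Optional, Tuple

# AD types from the Bluetooth SIG assigned numbers (Generic Access Profile).
AD_FLAGS = 0x01
AD_COMPLETE_128BIT_UUIDS = 0x07
AD_SHORTENED_LOCAL_NAME = 0x08
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_SPECIFIC = 0xFF

LEGACY_ADV_MAX = 31  # legacy advertising PDU payload limit in bytes


def build_ad(structures: List[Tuple[int, bytes]]) -> bytes:
    """Encode (ad_type, data) pairs as length/type/data AD structures."""
    payload = b"".join(
        bytes([len(data) + 1, ad_type]) + data for ad_type, data in structures
    )
    if len(payload) > LEGACY_ADV_MAX:
        raise ValueError(
            f"payload is {len(payload)} bytes, over the {LEGACY_ADV_MAX}-byte limit"
        )
    return payload


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Decode a payload into (ad_type, data) pairs.

    A zero length byte ends the significant part (the rest is padding);
    a length that overruns the payload is reported, not silently truncated.
    """
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        out.append((payload[i + 1], bytes(payload[i + 2 : i + 1 + length])))
        i += 1 + length
    return out


def audit_advertisement(payload: bytes) -> Dict[str, object]:
    """Summarise what a passive scanner learns from the advertisement alone."""
    structures = parse_ad_structures(payload)
    name: Optional[str] = None
    for ad_type, data in structures:
        if ad_type in (AD_SHORTENED_LOCAL_NAME, AD_COMPLETE_LOCAL_NAME):
            name = data.decode("utf-8", errors="replace")
    return {
        "ad_types": [ad_type for ad_type, _ in structures],
        "broadcasts_name": name is not None,
        "name": name,
    }


# Constructed samples. PLACEHOLDER_SERVICE_UUID stands in for a contact-tracing
# service UUID; it is not the UUID COVIDSafe actually advertises.
PLACEHOLDER_SERVICE_UUID = bytes.fromhex("00112233445566778899aabbccddeeff")

# Shape of a tracing-style advertisement: flags plus a service UUID, no name.
TRACING_STYLE_ADV = build_ad([
    (AD_FLAGS, b"\x06"),
    (AD_COMPLETE_128BIT_UUIDS, PLACEHOLDER_SERVICE_UUID),
])

# Shape of an advertisement that really does broadcast a name, as the claim asserts.
NAMED_ADV = build_ad([
    (AD_FLAGS, b"\x06"),
    (AD_COMPLETE_LOCAL_NAME, "Mary's iPhone".encode("utf-8")),
])

if __name__ == "__main__":
    for label, adv in (("tracing-style", TRACING_STYLE_ADV), ("named", NAMED_ADV)):
        print(label, adv.hex(), audit_advertisement(adv))
```

A tracing-style advertisement carries only flags and a service UUID, so a passive scanner learns no name; a name shows up only when an app deliberately includes AD type 0x08 or 0x09.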

Source credibility assessment

The original source is a **Google Doc** with no identified author, institutional affiliation, or publication credentials listed in the claim file [7]. Without access to view the full document, assessing its credibility is limited.

However, the claim does reference legitimate security vulnerabilities (CVE-2020-12860 and CVE-2020-12856) that are well-documented in official sources. The underlying CVE disclosures and academic research are from credible sources:

- **CVE-2020-12860**: Published by MITRE/NVD (National Vulnerability Database), official vulnerability tracking [1]
- **CVE-2020-12856**: Discovered and disclosed by Jim Mussared (George Robotics) and Alwen Tiu (ANU), published on GitHub with technical documentation [3]
- **QUT Academic Research**: Peer-reviewed article on COVIDSafe implementation from Queensland University of Technology [5]

These sources are credible technical disclosures, not partisan sources.

Labor comparison

**Did Labor have equivalent technology privacy failures?**

Search conducted: "Labor government technology privacy failures contact tracing"

Labor's involvement with contact tracing technology was limited during this period, as the Coalition government held power (2013-2022) and developed COVIDSafe. Labor was in opposition and did not develop an alternative contact tracing app [8].

However, broader technology privacy concerns existed across both parties:

- Both Labor and Coalition governments have faced criticism for inadequate privacy protections in digital government services [8]
- Privacy reform efforts in Australia have been cross-party issues, with concerns raised about government data handling practices generally, not specific to one party [8]
- The broader privacy framework issues that necessitated special COVIDSafe legislation are systemic to Australia's fragmented privacy law regime, not unique to Coalition implementation [5]

In essence, there is no direct Labor equivalent because Labor was not in government during the COVID-19 pandemic and did not develop contact tracing apps.

Balanced perspective

### The Legitimate Technical Vulnerability

The claim is **correct that a genuine technical vulnerability existed** in COVIDSafe that could theoretically expose device model and name information, and that this information could potentially be used to track someone's location/presence [1][3]. The vulnerability was real, documented by credible security researchers, and responsibly disclosed [3].

### The Government's Response

Positively, the Australian Government acted on the disclosure by releasing a patch (v1.0.18) within approximately 3 weeks of being notified [3]. The app also included additional privacy protections compared to comparable apps like Singapore's TraceTogether, including criminal penalties for unauthorized data use [5].

### Overstated Claims About Practical Exploitation

The leap from "a technical vulnerability exists that theoretically could expose device information" to "domestic violence abusers can exploit this" is not supported by evidence. While the theoretical risk is valid for security advisories, claiming documented exploitation without evidence is misleading [1][3][7].

### Privacy Policy and Disclosure Issue

The claim about privacy policy disclosure is partially valid. The government may not have explicitly detailed BLE vulnerability risks to general users, though privacy professionals would expect such risks to be part of security threat modeling [5]. The privacy policy did disclose Bluetooth data collection, but specifics of potential BLE attacks may not have been consumer-facing [5][6].

### Actual Impact Assessment

Given that:

- The vulnerability was patched relatively quickly (within ~3 weeks) [3]
- The app remained voluntary and had low uptake (never reached government targets) [5]
- The exploitation would require technical sophistication beyond casual surveillance [3]
- No documented cases of exploitation for domestic violence exist [1][3]

The **actual practical harm appears limited** compared to the severity the claim implies.

Partially true

Score: 5.5 / 10

The claim is correct that: (1) a genuine technical vulnerability existed allowing device model/name extraction, and (2) this information could theoretically be used to track presence.

However, the claim is misleading in: (1) characterizing a theoretical vulnerability as documented exploitation for domestic violence, (2) using "broadcast" imprecisely, and (3) omitting that the vulnerability was patched quickly and responsibly disclosed.

The claim presents worst-case technical capability as if it were an actual threat scenario with documented exploitation.

Sources and citations (8)

1. cvedetails.com: Cvedetails
2. nvd.nist.gov: CVE-2020-12860
3. github.com: A bluetooth-related vulnerability in some contact tracing apps - alwentiu/COVIDSafe-CVE-2020-12856 (GitHub)
4. threadreaderapp.com: Thread by @matthewrdev: The #covidsafe app is now available in Australia However, it's a shame that they have decided not to release the sourr full transparency. Luckily, I'm a curious chap and also a professional mobile developer. So, I've downloaded an… (Threadreaderapp)
5. lthj.qut.edu.au: Lthj Qut Edu
6. reddit.com: The heart of the internet
7. docs.google.com: Privacy issues discovered in the BLE implementation of the COVIDSafe Android app Jim Mussared jim.mussared@gmail.com https://twitter.com/jim_mussared 28/04/2020 Last updated: 15/05/2020 Status: Public. Updates ongoing. Privacy issues discovered in the BLE implementation of the COVIDSafe Andr... (Google Docs)
8. ashurst.com: Australia's first tranche of privacy reforms – a deep dive and why they matter (Ashurst)

Scoring method

1-3: False

Factually wrong or maliciously fabricated.

4-6: Partially true

Contains some truth, but lacks context or is slanted.

7-9: Mostly true

Only minor technical or wording issues.

10: Accurate

Fully verified and objective.

Methodology: Scores are determined by cross-referencing official government records, independent fact-checking organisations and primary documents.