The Federal Government has launched its COVIDSafe tracking app, but has not provided the source code as promised.

The COVIDSafe ‘contact tracing’ app is designed to help state and territory health professionals monitor the spread of COVID-19 by providing data on the physical location of infected citizens and their proximity to others.

The voluntary app is available on both Android and iOS.

Health Minister Greg Hunt released a privacy impact assessment on Sunday afternoon, but despite numerous public assurances, the government has not released the source code for independent analysis.

The government claims that the app works by using Bluetooth to make ‘digital handshakes’ when two people with the app are within one-and-a-half metres of one another for 15 minutes or more.

It allegedly creates an “encrypted reference code” for each individual also running the app that a user comes in contact with, marking the “date, time and proximity of the contact”.

The codes and other data are “securely encrypted and stored” on a users’ phone for 21 days before being deleted.

Th government says the app does not collect any physical location data.

If a user is diagnosed with COVID-19, they will be asked to upload the data about who they have come in contact with to the National COVIDSafe Data Store.

Multinational cloud provider Amazon Web Services (AWS) will host the app’s data, raising questions over access by US authorities.

Prime Minister Scott Morrison and government services minister Stuart Robert both say the data will not be available to foreign eyes, or even to the federal government, claiming they will create new laws to restrict access to state and territory health professionals only.

Mr Hunt has used the Biosecurity Act to restrict data access to health professionals until new laws can be introduced later this month.

The laws should also make it illegal to coerce someone into downloading COVIDSafe, so that it can not be required as a pre-condition for employment or entry to premises.

COVIDSafe needs to be kept running in order to log contacts.

Mr Hunt says the iOS app would work when an iPhone is locked or running another app, while on Android devices, COVIDSafe “works best when it is open and running”, but will also work “without [a user] having to open or check COVIDSafe”, according to the government.

iOS users will see a small image on their home page to show the app is working, while Android devices will display a sticky notification in the notifications panel.

The government needs at least 40 percent of the population to for the app to be effective in reducing the spread of coronavirus.

“We are now calling on all Australians to download the COVIDSafe app to help protect you, your family and your community from further spread of COVID-19,” Mr Hunt said in a statement.

“This will be necessary if we are to start easing some of the difficult social restrictions we have had to put in place.

“It will be one of the critical tools we will use to help protect the health of the community by quickly alerting people who may be at risk of having contact with COVID-19.”

The privacy impact assessment (PIA), conducted by law firm Maddocks, is largely approving of the app’s design and implementation.

“We are satisfied the Australian Government has considered the range of privacy risks associated with the app and has already taken steps to mitigate some of these risks,” it said.

“The PIA makes a range of recommendations to ensure privacy issues continued to be addressed as the app is rolled out and app information is collected and used.”

However, Maddocks made 19 recommendations to improve the app and address “potential privacy risks”.

The federal health department says it has accepted all of the recommendations, except one relating to the ability for users to request access to and correct information. The assessment suggested providing an e-form to do this. The government says it agrees with the idea in part.

Most of the concerns in the PIA were do to with ways that states and territories, AWS and the Digital Transformation Agency can minimise risks around the use and disclosure of data.

The Federal Government says these concerns are addressed through provisions in the Biosecurity Act, the AWS contract, and MoU arrangements with the DTA and the states and territories, and future legislation.

The government continues to claim the COVIDSafe source code will be released, but now says such disclosure will be “subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre”.

Twitter users are already attempting to reverse engineer the software.