[LINK] COVIDSafe a few observations

Karl Auer kauer at biplane.com.au
Sun May 10 00:09:01 AEST 2020 

On Sat, 2020-05-09 at 12:15 +0000, Stephen Loosley wrote:
> Yes well, to me it might seem normal to at least wait till after the
> first update to release/publish source code?

If this were medicine, would you see it as appropriate to have
administered the first 5 million doses to the public at large before
allowing peer review of the research and testing?

If this were a skyscraper, would you expect to have construction
finished and the building occupied before anyone except the developers
got to see the plans?

> to produce a local secure app, for every mobile sold in Australia, in
> such a really short time, then update it after one week, and then to
> release the source code for it, and as well as all this, planning for
> a series of updates is in my opinion something of which we might be
> proud?

No. First up, we don't yet know it's secure because we haven't
necessarily seen the source code for the app that was actually
released. Maybe we did, but there's no way to tell. Some of the more
avid codesters out there may be able to tell us whether it is what it
says on the box. To be fair, initial indications are positive.

Second up, there was no need to produce it so quickly, to deploy it so
quickly, or to hide the source code for two weeks after the release. It
is questionable whether the app is really that groundbreakingly useful.
It would appear, now that some of the dust has settled, that those who
actually know about these things don't regard the app as likely to be
of much practical use at all. It looks a lot like more security theatre
from a Government that just loves security theatre.

Third up, having to release an update after one week is not evidence of
skill. It's mostly evidence of having released it without proper
testing.

And fourth up, we can only hope that future updates will be *preceded*
by the source code for them.

> But anyway, really, what would I know

Hmmm.

Further quotes not from you, but from the press release:

> Prior to launching the application, the source code was reviewed by
> government security agencies, academics and industry specialists.

Yeah? Who? If they are not named then the code might as well have been
shown to Peter Dutton's pet axolotl.

>  We are releasing the app code, but to ensure the privacy of
> individuals and integrity of the overall system, the code that
> relates to the COVIDSafe National Information Storage System will not
> be released.

Why not? If it is secure, no amount of inspection will make it less so.
If it is not secure and they don't know it, the fastest way to find out
is to let lots of eyes look at it. And if it is not secure and they DO
know it, then believing that hiding the code will somehow protect the
system is dangerously, foolishly naive. Three words that pretty well
sum up the Australian Government's when it comes to large-scale IT.

After CensusFail, Robodebt and My Health Record (to name just three
recent high profile screwups[1])[2], I have no faith whatsoever in the
Government's ability to do anything right when it comes to protecting
Australian's privacy or indeed any other rights.

I'd love to be proven wrong, especially with this app.

Regards, K.

[1] Very much not a strong enough term.
[2] Not to mention an almost endless list of unremitting attacks on
privacy and civil liberties
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D

More information about the Link mailing list