[LINK] itN: 'COVIDSafe code released, but developers unhappy'
Roger Clarke
Roger.Clarke at xamax.com.au
Tue May 12 09:24:50 AEST 2020
[ The government clearly isn't serious about release of the source-code.
It's just a PR play:
> Mr Huntley said the group [which had reverse engineered the Android
version prior to public release of the source-code] uncovered a number
of bugs and security vulnerabilities, with some posing a significant
threat to privacy.
> But he said he has struggled to contact the government over these
issues, and none have been fixed despite COVIDSafe being given an update
last week, which Mr Huntley said was just a “new coat of paint”.
...
> ... the government has not followed good open source practice, Mr
Huntley said, with no audit trail of the changes made to the code and no
way to directly suggest changes or raise concerns around a potential
vulnerability, and pull requests disabled.
[ And this is despite the absence to date of any discoveries that throw
doubt on the government's good faith in the implementation of the design.
[ It appears that several government agencies have been honestly trying
hard to do as well as they can with technology that isn't a fit to what
they want to achieve.
[ But their defensive habits of operating in an enclosed environment are
just too strong, so they invite suspicion and criticism.]
COVIDSafe code released, but developers unhappy
Denham Sadler
itNews
11 May 2020
https://www.innovationaus.com/covidsafe-code-released-but-developers-unhappy/
The source code for Australia’s COVID-19 contact tracing app has finally
been publicly released, but a group of developers scrutinising the
service say it has not been properly open sourced and feedback has been
blocked.
The Digital Transformation Agency released the source code for its
COVIDSafe app on Friday evening, two weeks after the service was
launched nationally, with more than 5 million people having since
downloaded it.
The source code, hosted on a GitHub repository, has already been combed
over by a number of academics, and legal and digital rights experts.
The DTA said the code was reviewed by government security agencies,
academics and industry specialists before the app was released.
Open source software engineer Geoffrey Huntley formed a group of tech
experts to analyse the COVIDSafe app when it was first released more
than two weeks ago. The group was able to scrutinise the source code
before it was publicly released by reverse engineering the Android version.
Mr Huntley said the group uncovered a number of bugs and security
vulnerabilities, with some posing a significant threat to privacy. But
he said he has struggled to contact the government over these issues,
and none have been fixed despite COVIDSafe being given an update last
week, which Mr Huntley said was just a “new coat of paint”.
While the source code for COVIDSafe is now public, the government has
not followed good open source practice, Mr Huntley said, with no audit
trail of the changes made to the code and no way to directly suggest
changes or raise concerns around a potential vulnerability, and pull
requests disabled.
The National Health Service in the UK has also recently revealed the
source code for its own contact tracing app, and this was done in a much
friendlier way more conducive to working with the tech community to
improve the safety of the service, Mr Huntley said.
The terms and conditions associated with accessing the code have also
concerned a number of the tech experts looking to help, he said.
“The Australian tech industry really wants to help make it better, but
their actions are absolutely hostile,” Mr Huntley told InnovationAus.
“We want to follow what the NHS did, which is build a healthy community
that wants to help out. We have a community of software engineers and
experts but they are inhibited from looking at the source code because
of the licencing problem,” he said.
“They released the source code but did it in the most political,
check-box way and scrubbed all of the history and all of the metadata.
There’s no way to know when a bug was fixed and it’s very hard to track
at all. They have deleted all of the audit trail and disabled the
ability for one to ever happen.”
In contrast to this, the NHS has welcomed feedback on its code and has
followed open source best practice, Mr Huntley said.
“They did a big announcement saying that if you’ve got time, space and
capacity, can you help us out? The source code is on GitHub, it’s all
open source and the software development is happening online as you’d
expect with an open source community,” he said.
“Anyone in the world can help them build a better app. [In Australia]
the source code has been published online but they’ve disabled the
ability for people to submit improvements, they archived the repository
and they’ve removed all history from the app, so it’s very hard to see
how it was developed.
“It’s not good behaviour if they wanted to build a healthy community –
they won’t do that with this approach. This software has been paid for
by the Australian public, but it’s not open source and there’s no
ability to contribute to it.”
QTE.am executive chair and software developer Jessica Glenn has also
been analysing the COVIDSafe source code and shares concerns about the
app not being properly open source.
“While the source code has been released for viewing, it is definitely
not what would be considered ‘open source’. This distinction is
important, it means that read access has been granted for people to view
what is inside the code, but that there is no ability for community
contribution or collaboration,” Ms Glenn told InnovationAus.
In releasing the code, the DTA did acknowledge it had received feedback
on the app and potential issues to be resolved, and launched a new email
address to facilitate more responses, support at covidsafe.gov.au.
“While we may be unable to reply to every individual who provides
feedback, please know that your feedback will be reviewed and triaged
depending on its impact on security and usability. In some instances,
the DTA may contact you to gain a deeper understanding about the issues
raised,” the DTA said.
The first update for COVIDSafe was rolled out last week, with another
expected in the coming days.
The DTA is also working with Apple and Google and told a Senate hearing
last week that it would be able to implement a fix for the issues the
service is encountering on iPhones in the next fortnight.
The code released on Friday by the government reflects what many in the
tech community have already revealed about the COVIDSafe app through
reverse engineering the Android version, and does only what the
government said it would, Ms Glenn said.
“What we do know from the code that was released falls into line with
what we were able to find, and what other independent researchers have
backed up, when reverse engineering the apps over the last couple of
weeks,” she said.
“The application is innocuous, and we haven’t been able to find any
malicious code, or intentional overreach. Most of the issues of note are
not about the technical implementation of the application.
“The largest issues with the roll-out of COVIDSafe are communications,
both with the wider community and the tech community specifically. We
have hopes that the communications plan will be improved iteratively.”
--
Roger Clarke mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University