
Covidsafe app Australia has source code released.

mr moose

https://www.abc.net.au/news/2020-05-14/experts-concerned-about-coronavirus-tracing-covidsafe-security/12245122

 

The source code for the Australian contact tracing app Covidsafe has been available to the public for almost a month now. Since the release, the ABC (Australian news source) has written an article collecting the thoughts and comments from industry-related groups including the Human Rights Commission, security researchers, the federal opposition and some unnamed privacy law experts.

 

It appears on the surface that the app does in fact do all they claimed it would and that the laws presented to parliament and passed also do indeed prevent the data from being used by any person or organization for any purpose other than intended contact tracing directly. 

 

Quote

 

Some privacy law professionals believe the current version of the COVIDSafe bill does go a long way to protecting the use and disclosure of personal information collected by the app. The Australian Human Rights Commission also acknowledges that the bill contains several important protections.

Those protections appear to prevent the data from being used for purposes beyond contact tracing by Australian authorities.

 

 

The bill, according to the ABC, even goes as far as invalidating any other law from overruling it and being used to gain access to information, which includes forcing employees/volunteers to either install or uninstall the app itself.

 

Quote

The bill also cancels out other laws that could be used to access the data. And it will go a long way in deterring attempts by individuals or corporations to coerce people into using the app.

 

 

It would appear that most of the concerns regarding this app are centered around fears the app can be exploited with malware,  not having a specific end date for any data that is collected (there is no way to know how long covid19 needs to be monitored) and the fact the server side code has not been made public (it is claimed this is due to security).

 

Having a read through the actual bill passed in parliament, it does indeed make it a criminal offense to access or use the data from the covidsafe app outside of the strict health official guidelines.   The app is reported to delete all contents after 21 days thus only retaining the very recent contact data.  Which makes sense because who they were in contact with more than 3 weeks before a known infection is irrelevant data. However the law does include a requirement for all data (server side as well) to be deleted once it is deemed the data is no longer likely to be helpful.  Which basically means as soon as it appears pointless it will be deleted. 

 

Another news outlet covering the release have added more contention and raised concerns stating that the app has not followed open source practice. 

 

Quote

While the source code for COVIDSafe is now public, the government has not followed good open source practice, Mr Huntley said, with no audit trail of the changes made to the code and no way to directly suggest changes or raise concerns around a potential vulnerability, and pull requests disabled.

 

Quote

 

 

“They released the source code but did it in the most political, check-box way and scrubbed all of the history and all of the metadata. There’s no way to know when a bug was fixed and it’s very hard to track at all. They have deleted all of the audit trail and disabled the ability for one to ever happen.”

 

However even they admitted:

Quote

“The application is innocuous, and we haven’t been able to find any malicious code, or intentional overreach. Most of the issues of note are not about the technical implementation of the application.

 

https://www.innovationaus.com/covidsafe-code-released-but-developers-unhappy/

 

My opinion:

The app is not an open source project and was only opened to the public so as to be scrutinized and verified that the government were not tracking and keeping data they said they wouldn't. The app does not need all its iterations listed and prior bugs spelled out, as the finished app is the only thing that the people are downloading and not earlier versions. The DTA want anyone with concerns or problems found in the code to contact them directly rather than make the potential exploits publicly known while the app is in mass use. That seems a fairly logical and much more secure way to fix security holes.

 

 

All in all there does not seem to be a smoking gun for privacy violation in any of the code. Many people fear governments overstepping their authority (and rightly so in many countries), however the app's biggest issues are being exploited (though no proof of concept has been produced) and the fact they can't put a specific end date on its use. The server side code, while hidden from the public, is cemented in the laws that prevent it from being abused.

 

There is a lot more info regarding the law and the effects of that law linked inside the original source, however it is of little technical value in regard to the app itself.

 

 

I waited a few weeks to post this, I was hoping for more detailed news articles to come forth, but it appears that the whole thing is either not newsworthy, I think that's because a "privacy breach" sells articles while a "this is fine" article does not.

 

 

 

 

 

 

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 minutes ago, VegetableStu said:

(although i'm not sure when will they adopt the Apple-Google covid API)

The Australian government won't, scomo basically ruled it out on grounds that he didn't trust Google to be able to guarantee Australians' privacy.


8 hours ago, mr moose said:

I waited a few weeks to post this, I was hoping for more detailed news articles to come forth, but it appears that the whole thing is either not newsworthy, I think that's because a "privacy breach" sells articles while a "this is fine" article does not.

8 hours later, no further comments. Yep, seems like an accurate statement here too. Similar story here in NZ, App released and nobody talking about it other than release news articles. So to address the issue of nobody posting comments online when there aren't problems, here is my first contribution. "No problems here mate, +1".


That's really good news.

Personally, I think any government funded software should be open source.

If it's taxpayer money paying for it, why shouldn't the taxpayers also be able to look at the source code?


11 hours ago, mr moose said:

it does indeed make it a criminal offense to access or use the data from the covidsafe app outside of the strict health official guidelines

Australia is one of the founding FVEY partners. Any attempt to increase the gathering of personally identifiable information for use by the government or a government supported agency is at least as bad as it would be in the US, even when it appears otherwise.

ENCRYPTION IS NOT A CRIME


Only way these apps should exist is by having source code available. They are a privacy liability as it is and I don't trust any of them. Especially because they don't provide any real benefit. Before anyone gets confirmed diagnosis and tracking app links everyone in contact together, everyone has already infected so many people in between I see zero point or value in these apps. If you're in some rural hellhole, maybe. But if you have a virus and you pass through a huge international airport, all of this is literally pointless entirely.


And how long before they realize the public aren't paying attention and quietly allow themselves to sell the data?

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


9 hours ago, RejZoR said:

But if you have a virus and you pass through a huge international airport, all of this is literally pointless entirely.

I don't know if you noticed but these are mostly closed or mandatory quarantine is required on entry, health officials aren't stupid and they know where the biggest risk source is when a country doesn't have wide community spread. Contact tracing is largely useless if you never got a handle on the spread, when you're projecting 40%+ of the population is going to get it you might as well assume everyone will because at that point the measures you have to put in place are effectively the same.


3 hours ago, Trik'Stari said:

And how long before they realize the public aren't paying attention and quietly allow themselves to sell the data?

Won't happen, the second they try to use that data for anything the federal opposition, the IPA and the human rights department will tear them a new one through our very independent court system. Least of all the fact that the first politician to try is signing a suicide note for their career and the career of their party for the next 15 years. There is a reason this app is so benign right now and only voluntary, doing anything else with it would be political suicide.

 

EDIT: also they made it illegal to access that data if you are not part of the health administration using it directly to combat covid19 and only covid19.  That means any person, politician or otherwise,  faces 5 years in jail or a $50,000 personal fine for trying to access that data.  And don't think our courts won't apply it to a politician.


3 hours ago, leadeater said:

I don't know if you noticed but these are mostly closed or mandatory quarantine is required on entry, health officials aren't stupid and they know where the biggest risk source is when a country doesn't have wide community spread. Contact tracing is largely useless if you never got a handle on the spread, when you're projecting 40%+ of the population is going to get it you might as well assume everyone will because at that point the measures you have to put in place are effectively the same.

And how do you have a "handle" between someone being infected, having diagnosis, putting that into contact tracing system, people in contact getting the notification and assuming everyone self quarantines (yeah good luck after seeing how people just dropped everything when quarantine was declared over and started crowding together again). It's just entirely inefficient and impossible to do anything. The spread will happen beyond some stupid contact tracing can prevent.

 

Mr Moose, seeing how incompetent governments are, it doesn't even have to be government's official abusing it. All gov systems are always full of holes and last thing you want is some "hacker" getting hands on it. Who is all the human rights organizations and courts going to punish then?


14 minutes ago, RejZoR said:

 

 

Mr Moose, seeing how incompetent governments are, it doesn't even have to be government's official abusing it. All gov systems are always full of holes and last thing you want is some "hacker" getting hands on it. Who is all the human rights organizations and courts going to punish then?

Governments are not incompetent,  they are actually very well educated and know exactly what they are doing.   The problem is many people just don't like what they are doing for many different reasons. 

 

Alas politics aside,  in this case it is pretty simple, the law was written and scrutinized by several independent bodies and given the tick.  The app's code was released and the code was scrutinized and given the tick.  In countries like Australia where corruption is actually very low and political transparency is very high, many different organizations (some with the power to criminally charge any politician) are holding the government to their word.  It is more probable that I will be kidnapped by Iranian terrorists than have my data stolen by the government and me not find out about it or the government not be held to account.  

 

The laws, the code, the definitions, provisions and terms are all public for everyone to see. There is literally no way they could take the data (which is only your name, phone number, BT ID and anyone you've been in contact with for more than 15 minutes over the last 21 days) without breaching federal law.

 

This whole thing is a nothing burger, a zilch, people are looking for a reason to be angry or upset about it,  but this is such a non event that the best the media could do was complain about it not being proper open source.   In fact if there is any news in this at all it should be that the level of transparency and bipartisan  support they had to go to to introduce it means they are unwilling to do just anything with privacy and that Australia has a very good system for human rights in that regard.

 

 


32 minutes ago, RejZoR said:

And how do you have a "handle" between someone being infected, having diagnosis, putting that into contact tracing system, people in contact getting the notification and assuming everyone self quarantines (yeah good luck after seeing how people just dropped everything when quarantine was declared over and started crowding together again). It's just entirely inefficient and impossible to do anything. The spread will happen beyond some stupid contact tracing can prevent.

Well does your comment apply to Aus, or NZ but not directly relevant? Reality check it has been working fine for both, not in theory but actually.

 

Here the App is also optional but entering a business or premises is not, it is mandatory that business keep names, time and contact number for everyone and they have the freedom to choose how or allow the use of the App.

 

The capacity to do contact tracing here in NZ is around 1000 people per day, Aus it's about 5 times our capacity per capita and if we look at say South Korea the actual requirement was in the low hundreds per day. It seems the capability is there to do it, countries have been doing it, and it's not impossible if you didn't do nothing from the start or gave up because "too hard" or "it's impossible".

 

As to why it actually works, you can have same day diagnosis and start tracing immediately, you don't have to wait for the diagnosis you can start work and preparation then stop if no longer required. Of all the cases we've had in total I think there is only 1 or 2 where we don't know exactly where it came from, when, who came in contact etc. But I haven't checked recently on those select few cases if that information is now known.


Good good. Now hope the Dutch government will adopt this approach too and not force us anything!

 


6 hours ago, mr moose said:

Won't happen, the second they try to use that data for anything the federal opposition, the IPA and the human rights department will tear them a new one through our very independent court system. Least of all the fact that the first politician to try is signing a suicide note for their career and the career of their party for the next 15 years. There is a reason this app is so benign right now and only voluntary, doing anything else with it would be political suicide.

 

EDIT: also they made it illegal to access that data if you are not part of the health administration using it directly to combat covid19 and only covid19.  That means any person, politician or otherwise,  faces 5 years in jail or a $50,000 personal fine for trying to access that data.  And don't think our courts won't apply it to a politician.

I hope you're right, but I have little faith in any government's ability to police itself.

56 minutes ago, Trik'Stari said:

I hope you're right, but I have little faith in any government's ability to police itself.

In this case the government no longer have any control over the data and are just as cut off from it as we mere citizens, any breach automatically becomes a criminal investigation and anyone with their hands on the data (or even coercing someone to use or not use the app) will find themselves in very hot water. The law is set and the only way they could change it is to introduce a new law into parliament to undo it and that would be public knowledge straight away (because not a single thing said in the house of reps or the senate is behind closed doors) and would require the opposition to agree and then get the support of the independents in the senate, that will not happen.

47 minutes ago, mr moose said:

In this case the government no longer have any control over the data and are just as cut off from it as we mere citizens, any breach automatically becomes a criminal investigation and anyone with their hands on the data (or even coercing someone to use or not use the app) will find themselves in very hot water. The law is set and the only way they could change it is to introduce a new law into parliament to undo it and that would be public knowledge straight away (because not a single thing said in the house of reps or the senate is behind closed doors) and would require the opposition to agree and then get the support of the independents in the senate, that will not happen.

Who does have direct access to the data, at an infrastructure level?


37 minutes ago, Trik'Stari said:

Who does have direct access to the data, at an infrastructure level?

It's encrypted and only uploaded to the Health Service servers when the user themselves goes in to the App and tells it to and agrees to the data upload. If zero people click that then there is actually zero contact data. If you test positive the Government and Health Ministry will already know, they do the testing and they already have all the information about you so this changes nothing in that regard. If you do choose to upload your tracing data the data they are interested in is the Temporary IDs that are encrypted using the User ID and the Ministry private key, so all you are providing is a list of User IDs that were close to you for 15 minutes in the last 21 days.

 

When you sign up to the App you register and provide information the Government already knows about you, nothing new is being provided. This information is already collected in multiple different ways e.g. Your birth, the Census which you are legally required to complete, National Health Service, Drivers License, when you purchase a phone SIM etc.

 

So even if you are someone like myself with infrastructure access the data is useless without access to the application that can translate User IDs to peoples names and phone numbers. Further to that infrastructure access likely won't even get that because anyone with a brain would be encrypting the stored data at the application layer and access auditing would be enabled on the database layer and through the application and disabling auditing is itself an audit event.
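The design described in the post above, as an added sketch that is not part of the original thread and is not COVIDSafe's code: the server issues rotating Temporary IDs that hide the User ID, handsets log them, and only the key holder can turn a consented upload into contacts of 15 minutes or more within the last 21 days. Assumptions: a symmetric server key, the token layout, the 15-minute rotation (`ttl`), and an HMAC-SHA256 keystream with encrypt-then-MAC as a standard-library stand-in for a real AEAD such as AES-GCM; all names are hypothetical.

```python
import hashlib
import hmac
import os
import struct
from collections import defaultdict

RETENTION_S = 21 * 86400   # page: only the last 21 days are kept
MIN_CONTACT_S = 15 * 60    # page: contacts of 15 minutes or more
TOKEN_LEN = 12 + 16 + 16   # nonce + encrypted payload + truncated tag


def _subkeys(master):
    """Derive independent encryption and MAC keys from the server key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (stand-in cipher)."""
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_temp_id(master, user_id, start, ttl=900):
    """Server side: opaque token hiding (user_id, start, expiry)."""
    enc, mac = _subkeys(master)
    nonce = os.urandom(12)
    payload = struct.pack(">QII", user_id, start, start + ttl)
    ct = _xor_stream(enc, nonce, payload)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def resolve_temp_id(master, token):
    """Server side: (user_id, start, expiry), or None if forged or damaged."""
    if len(token) != TOKEN_LEN:
        return None
    enc, mac = _subkeys(master)
    nonce, ct, tag = token[:12], token[12:28], token[28:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">QII", _xor_stream(enc, nonce, ct))


def contacts_from_upload(master, log, now):
    """Resolve a consented upload of (token, seen_at, seconds) rows."""
    total = defaultdict(int)
    for token, seen_at, seconds in log:
        if now - seen_at > RETENTION_S:
            continue                      # older than 21 days: ignore
        resolved = resolve_temp_id(master, token)
        if resolved is None:
            continue                      # wrong key or tampered token
        user_id, start, expiry = resolved
        if start <= seen_at < expiry:     # token must be valid when seen
            total[user_id] += seconds     # rotating tokens link up only here
    return {u for u, s in total.items() if s >= MIN_CONTACT_S}


def demo():
    """Constructed sample data: three users seen by one handset."""
    master, now = os.urandom(32), 1_590_000_000
    t, old = now - 3600, now - 30 * 86400
    log = [
        (issue_temp_id(master, 1001, t), t + 10, 600),         # 10 min
        (issue_temp_id(master, 1001, t + 900), t + 910, 480),  # + 8 min
        (issue_temp_id(master, 2002, t), t + 20, 300),         # 5 min only
        (issue_temp_id(master, 3003, old), old + 5, 3600),     # 30 days old
    ]
    return master, log, now
```

Someone holding only a copy of the handset log sees unrelated random-looking tokens: the two entries for user 1001 cannot be linked, or resolved at all, without the server key.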


49 minutes ago, leadeater said:

It's encrypted and only uploaded to the Health Service servers when the user themselves goes in to the App and tells it to and agrees to the data upload. If zero people click that then there is actually zero contact data. If you test positive the Government and Health Ministry will already know, they do the testing and they already have all the information about you so this changes nothing in that regard. If you do choose to upload your tracing data the data they are interested in is the Temporary IDs that are encrypted using the User ID and the Ministry private key, so all you are providing is a list of User IDs that were close to you for 15 minutes in the last 21 days.

 

When you sign up to the App you register and provide information the Government already knows about you, nothing new is being provided. This information is already collected in multiple different ways e.g. Your birth, the Census which you are legally required to complete, National Health Service, Drivers License, when you purchase a phone SIM etc.

 

So even if you are someone like myself with infrastructure access the data is useless without access to the application that can translate User IDs to peoples names and phone numbers. Further to that infrastructure access likely won't even get that because anyone with a brain would be encrypting the stored data at the application layer and access auditing would be enabled on the database layer and through the application and disabling auditing is itself an audit event.

That sounds well thought out, surprisingly.

 

I don't like the precedent of it on principle, but I can see how it could be very helpful in dealing with an epidemic. Especially if it was one that was worse.

 

That it is optional, I feel is the most important part.

 

On further thought, it DOES set a good precedent for why unbreakable encryption is vital to security.


10 hours ago, leadeater said:

It's encrypted and only uploaded to the Health Service servers when the user themselves goes in to the App and tells it to and agrees to the data upload. If zero people click that then there is actually zero contact data. If you test positive the Government and Health Ministry will already know, they do the testing and they already have all the information about you so this changes nothing in that regard. If you do choose to upload your tracing data the data they are interested in is the Temporary IDs that are encrypted using the User ID and the Ministry private key, so all you are providing is a list of User IDs that were close to you for 15 minutes in the last 21 days.

 

When you sign up to the App you register and provide information the Government already knows about you, nothing new is being provided. This information is already collected in multiple different ways e.g. Your birth, the Census which you are legally required to complete, National Health Service, Drivers License, when you purchase a phone SIM etc.

 

So even if you are someone like myself with infrastructure access the data is useless without access to the application that can translate User IDs to peoples names and phone numbers. Further to that infrastructure access likely won't even get that because anyone with a brain would be encrypting the stored data at the application layer and access auditing would be enabled on the database layer and through the application and disabling auditing is itself an audit event.

Just in addition to this, the other thing it does is send you a txt if a person you were in contact with has tested positive, which means I don't have to wait for traditional investigators to work out where someone has been (often going off only memory) and then try to work out who else was there too. I can isolate and get myself tested right away, saving lots of time and avoiding me spreading it to someone else (like my mum).

 

Yes I have it installed.


We have a similar app called Aarogya Setu here in India for contact tracing and self-assessment. It uses the Bluetooth and GPS location of the device to determine if the user has been near an infected person, and then alerts them. Earlier the source code of the app was not public, but after growing security and privacy concerns it was made public around last month. 

It also displays how many covid-19 infected persons are within a 1km, 3km, 5km... radius.


5 hours ago, Teddy07 said:

German covid app also open sourced the code but they use google and apple api which is not open source

github link: https://github.com/corona-warn-app

 

Also has the source for the website and the web services the apps use.
