I promised I'd do a round up of sharing level-headed analysis of the Australian government's #covidsafe app. I'll post a little of my own commentary at the end.

Firstly, this is the most readable thread for those wanting a run-down. #auspol https://twitter.com/matthewrdev/status/1254336105203200000
Jack is a wonderful human being, and also justifiably one of the people most critical of the Australian government's privacy record.

The fact that he's decompiled #covidsafe, and found it seems to be doing what it says on the lid, is reassuring. https://twitter.com/developerjack/status/1254321369166123011
Last night, @xssfox did one of the first decompiles, also finding that it seemed to be doing what it said in the privacy policy.

So I think it's safe to say the folks who built the app are sincere and wanted to do things right, even under time pressure. https://twitter.com/xssfox/status/1254258634902499328
On the other side of the fence, here's a discussion from an epidemiologist on what contact tracing actually looks like, and how an app would work with that. https://twitter.com/peripatetical/status/1254351060891627520
Finally, @GeoffreyHuntley has done a full decompile, uploaded the results to github, formed a discord server, and is coordinating in-depth analysis of #covidsafe. https://twitter.com/GeoffreyHuntley/status/1254319376620072960
So, a few observations.

Firstly, it doesn't help that the Australian government said they'd release the source to the app, and then went back on that.

It may also be breaking the licence the code is based upon, if the government has used it under GPLv3. https://twitter.com/rgmerk/status/1254589426698555392
Between mandatory metadata retention, dubious practices around anonymity in the Australian census, and a track record of going back on promises in tech and privacy, it's no surprise people viewed the government's release of their own COVID-19 tracking app with extreme scepticism.
On Android, the user is asked to give fine location permissions, and while that's required for any app to use Bluetooth, it also freaked a lot of people out, because the government has been bad at privacy in the past, and it's easy to jump to conclusions. https://twitter.com/pjf/status/1254256428631523329
Contact tracing is most useful the more people who opt-in for it, so trust is *enormously* important.

Saying the source will be released and then not doing so, having a poor privacy record, and having an app that's not really usable on iPhone, are not great for trust-building.
And if I were back in Aus? Yeah, I'd probably install it myself.

Not because I trust the Australian government, but because I trust the analysis of the folks who have decompiled it, and who examined what it's collecting and how.
It's my hope that the app will upgrade to the Google/Apple tracing APIs when they become available. That would fix a lot of the technical limitations, and would hopefully allow the (currently necessary) fine location permission to be removed.
Having said that, I'm not in Australia right now. I've not dug into the code myself. My energy levels mean I haven't been able to keep across all the discussions and analysis.

So please do keep listening to experts, in tech, medicine, and epidemiology. They are experts after all.