Dissection of COVIDSafe (Android): Australian government's contact tracing app

173 points| ghuntley | 5 years ago |docs.google.com

261 comments

[+] mcannon|5 years ago|reply
I believe the government, PM and various ministers have said the code will be released. My sources also say exactly the same.

They’re obviously operating with extreme urgency to get the app out. For you.

Give them a few weeks to clean up code and release it (which is very normal) - but in the meantime, here are some tips:

- Turn the HN angry mob mode off - it’s not helpful. We’re all in this together.

- Commend the government on some smart privacy and security choices (data deleted after 21 days, open source code, AWS in Australia, sensible sec practices etc). They won’t get it all right - and we as a tech community can help them. Find a bug & help get them closed.

- When asked by non technical people “Should I install this app? Is my data / privacy safe? Is it true it doesn’t track my location?” - say “Yes” and help them understand. Fight the misinformation. Remind them how little time they think before they download dozens of free, adware crap games that are likely far worse for their data & privacy than this ever would be!

Thank you

[+] discordance|5 years ago|reply
I would love to trust them more, but the Australian government does not have a good track record with regards to privacy. Two such recent examples:

- Australians' browser history is being provided to law enforcement even though that practice was excluded from the original intent and law [0]

- Australia passed laws in 2018 which enable law enforcement to compel tech companies into inserting backdoors into their software [1]

0: https://www.theguardian.com/world/2020/feb/07/web-browsing-h...

1: https://www.wired.com/story/australia-encryption-law-global-...

[+] godelski|5 years ago|reply
> - Turn the HN angry mob mode off - it’s not helpful. We’re all in this together.

I actually believe this is helpful. Just in any democratic setting you want different types of players. You want the "burn the system down" people, because they provide harsh critiques and don't hold back. You want the "okay, but I have reservations" people, because they will push forward but also consider what they are doing (and will likely whistleblow if things get out of hand). You want the loyalists because they will push forward despite criticism. The trick is that you need a balance of these people (and the unmentioned players).

Specifically here I don't think we've even answered the question of "should we have contact tracing apps?" Because of this, I do think having that angry mob is helpful. The loyalists will push forward building it but the mob will help us decide if we even want that technology in our society. If we decide we do, we'll have it. If we decide we don't, well we'll know better how they would be designed.

__Being critical of those in power is a keystone to democracy.__

[+] missosoup|5 years ago|reply
This attitude is anti-democratic and harmful. Please stop.

> They’re obviously operating with extreme urgency to get the app out. For you.

Extreme urgency is the perfect justification for governments to destroy the rights of the constituents. Never let a crisis go to waste as they say. Right now is exactly the time to be watching everything the government does with a lens of critical analysis.

> Commend the government on some smart privacy and security choices

The government has passed laws that make these choices irrelevant and has a history of botching anything to do with data/privacy even when well intentioned. This government has one of the worst privacy positions in the entire developed world. No one should be commending them for this.

> When asked by non technical people “Should I install this app? Is my data / privacy safe? Is it true it doesn’t track my location?” - say “Yes” and help them understand. Fight the misinformation.

Saying yes to those questions would be disinformation. The answer is maybe at best, probably not.

You sound like you have best intentions in your mind, but the road to hell is paved with good intentions. Under existing laws, the data and privacy of anyone who downloads this app is NOT safe. If the government is truly well intentioned and wants to help, they need to roll back the insane sweeping anti-privacy laws they rushed through while ignoring the constituents. What you're calling 'HN angry mob mode' is simply these same constituents having the natural, rational reaction to the actions of our government that border on totalitarian. It's not the fault of the constituents, it's the logical outcome of the government's actions. Turning it around like you did is nothing short of victim-blaming.

I'm not going to cover up the sins of this administration by lying to my non-technical friends about the real dangers associated with this app like you ask, sorry.

The irony is that due to public mistrust in the government due to things like AABill, more people may die now than the various agencies ever saved through the systemic destruction of domestic privacy in the name of anti-terrorism or saving the children or whatever other nebulous excuse. Maybe AFP and co can stop their unilateral self-righteous anti-privacy rampage and actually think about the greater good in light of this?

[+] bad_user|5 years ago|reply
You can easily deny location data to games and people that are concerned about these apps will not share their location lightly.

I have no app on my iPhone with the ability to use my location in the background, not even Waze or Google Maps.

Also I don't care about deletion policies. That data should not be collected in the first place.

I don't know about any specifics, but if the data isn't anonymized somehow, on the client side, such that the government can never trace it back to you, then I'd rather catch the virus personally.

I agree about turning the angry mob mode off, but in times of crisis we would do well to remember that our freedoms are being traded for a little security and in many cases it isn't temporary.

And Australia in particular doesn't have a good track record in preserving those freedoms.

Therefore it isn't unreasonable to ask for source code. This isn't even about the GPL, people need the ability to review the code, especially if it's a public service paid by taxpayers. In my opinion such projects should be developed in the open, always.

[+] TJA1|5 years ago|reply
Hey Mike,

I've attended a few cyber security conferences and spoken to a number of active people in those communities and it amazes me how backwards the Australian government is regarding cyber security.

There seems to be less incentive for them to invest, both financially and in developing governance, than say industry. If a Google, Telstra, NAB had a severe breach, customers would be up in arms, fines would be handed out, financially there would be a big impact. Government just issues an apology and false promises to improve processes and accountability. Then a month later you see more reports in the news about more data safety breaches and unauthorised access from obscure government bodies like the RSPCA.

Uploading the code is one way to show some transparency, but trusting them to make good on their promise of appropriate handling of data and retention is questionable.

[+] salan781|5 years ago|reply
Even if the government has the best intentions in this instance, it doesn’t matter. They have already created a set of laws that clearly dictate that this app and this data can be used how ever intelligence communities desire.

They have burned all goodwill and trust with the public. It doesn’t matter what they say today unless they repeal AABill etc. Otherwise they’re just saying empty words.

[+] alfiedotwtf|5 years ago|reply
> - Turn the HN angry mob mode off - it’s not helpful. We’re all in this together.

After the abuses of Metadata Retention, and how AABill passed, no. History shows that the Australian Government will and continue to abuse people. The Australian Government cannot be trusted, and if you do, you're naive.

[+] basilgohar|5 years ago|reply
tl;dr Please trust these proven untrustworthy entities because they say it's good for you.

I think the HN privacy concern is well placed. They are not advocating covering our ears and screaming to ignore the pandemic, just that this phone-based contact-tracing plan has all the makes of a bad idea. It's the perfect way to shift the needle further towards acceptance of mass contact tracking. These institutions have all shown us if we give them an inch, they'll take a mile.

Meanwhile, experts still say this is no substitute for proper, interview-based contact tracing, so it's almost a moot effort anyway.

My most charitable interpretation is that Google and Apple are scrambling for SOMETHING to do with their respective holds on the mobile market, and this is something. It still doesn't mean it's a good idea.

[+] PudgePacket|5 years ago|reply
Aus gov has a terrible track record with information systems. Data leaks & breaches, flaky IT services, mass robo-debt claims of which 600,000 needed to be re-evaluated.

Not to mention rushing through privacy destroying laws citing "Islamist terrorism, paedophile networks and organised crime". If you are who I think you are you're probably more knowledgeable of the particular 2018 law than me.

And now they're "rushing out" an app that is intended to track everyone in the country's precise location and who they interact with? I'll wait for the source thank you.

The gov only has themselves to blame for this reputation.

Apple and Google are releasing official APIs for this, we're doing amazingly well in Australia, can it not wait a week?

> Remind them how little time they think before they download dozens of free, adware crap games that are likely far worse for their data & privacy than this ever would be!

Isn't it an interesting point that these people would rather trust foreign companies they've never heard of with their location, rather than their own gov?

https://www.theguardian.com/australia-news/2016/jul/29/austr...

https://www.abc.net.au/news/2016-08-09/abs-website-inaccessi...

https://www.theguardian.com/australia-news/2019/nov/22/pay-t...

https://www.techdirt.com/articles/20181208/14440541184/austr...

[+] metta2uall|5 years ago|reply
IMHO, the fact that the app is unobfuscated and can thus be easily decompiled is even better than released source code since one can't be sure that the released source code truly matches the actual build in the app store (unless they also go to the effort of having 'reproducible builds' - which would be quite impressive).

Also it's good to keep in perspective that the 'government' can already track people to a great extent, e.g. via cell towers and face recognition.

[+] shermozle|5 years ago|reply
Nope. Why is it normal to take a few weeks to release the source? If it's good enough to release it's good enough to publish openly.

This government has ample form. If you want my recommendation you need to open it up.

[+] andrewstuart|5 years ago|reply
Sorry but you're coming across as telling people what to do - it's somewhat patronising.

There's a key principle here - no application with such scope should be closed source.

It is in no-ones interest that it be closed source.

In fact the software becomes more secure when many eyes are on it.

And, once the government has it out there - with the blessing of people like you - then they will have no urgency to make it open source.

Now is exactly the right time to say "we'll use this BUT only if it's open source."

[+] neximo64|5 years ago|reply
How do you realistically use this app if you have to keep it open? You and everyone else are so focussed on convincing everyone that it’s safe, etc. and totally ignoring the practical aspects of it. For someone to have the app open for 15 mins within 1.5m all day.. how will that be done? It requires a large conscious commitment. You might as well just ask the person who is in your personal space for 15 consecutive minutes.

If it worked in the background that’s more useful and realistic.

[+] danieltillett|5 years ago|reply
Mike, my concern as a scientist about this app is it may not help much at this point. If it is only picking up people you spent more than 15 minutes talking to it is going to miss a lot of transmission events.

Do we have the contact tracing people to actually make use of this data? Even if we did I can’t see how we are going to avoid the need to interview each positive case to find all the people they came into contact with for less than 15 minutes. How much value is being added?

I am not installing it purely because I am social distancing and won’t be spending 15 minutes talking to anyone face to face outside of my immediate family.

[+] AussieCit|5 years ago|reply
Before telling non technical people Yes the app is safe wouldn't it be prudent and ethical to rather say probably but wait until the legislation is passed and the source code is out?
[+] tmpz22|5 years ago|reply
“The choice for mankind lies between freedom and happiness and for the great bulk of mankind, happiness is better.”

― George Orwell, 1984

[+] crypto2me|5 years ago|reply
Doesn’t meet their own privacy impact assessment.

Source code not released.

Source code can be changed at anytime with no notice or need to re-consent data usage.

Protections not legislated.

Using centralised instead of decentralised and anonymised architecture.

Data on the central server has no purging policy. Only local data deleted after 21 days.

Decryption keys stored on the same server as the DB.

Unlike free adware crap games, governments have the power to legislate and enforce laws. Google Facebook amazon whomever other crap freeware games you refer to don’t.

Normalises government mass surveillance and tracking

Can be viewed in line with metadata retention, encryption laws and now this as a path toward digital dictatorship.

Raiding journalists to get the names of government whistleblowers.

[+] inshadows|5 years ago|reply
Government fan cries: Leave government alone!
[+] dghcrypto|5 years ago|reply
It's easy to fix the app so that it does not need the phone number and to have the app notify the user of the need to get a test instead of having a contact tracer having to double handle the information and ring the user. I believe the fact the app is doing this is more about its heritage than any design here; however, as an "Australian innovation" we could fix this and avoid the prospect of vulnerable people being rung up by people pretending to be contact tracers, which will happen, and will not be good when it does. Interestingly, if the phone number is not stored, the need to store any potentially personal information will probably disappear as well.

There's no need to see the source code to recognise this is a problem. Could we at least lobby them to fix this? It would make life easier for the contact tracers and it would mean that people could rely on the app's secure channel, so if a scammer does call them they could confidently tell them where to get off.

[+] dna_polymerase|5 years ago|reply
Australia is a member of the five eyes. Whatever their government cobbles together will be used to build out the surveillance state. So if asked, by anyone: Tell them to stay at home and never install the app or trust their government with their data. Contact tracing is their wet dream and it will enable them to roll out much more serious measures in the future.
[+] jay_kyburz|5 years ago|reply
Here is how I think the app should have worked.

Instead of requesting codes from a central government server to be distributed to people you come into contact with, your phone could have generated its own codes for distribution.

Then when a COVID infection is found, the gov could simply publish a list of all codes collected by the infected person.

Your phone could request this public list daily and you could choose to get a COVID test if your code is in the public list.

The government would have no way to link any codes to a particular phone or person. A lot less data would need to collected, stored, and managed.

This app is designed to allow the government to find and collect anybody they think needs testing. It can also be used to find and punish anybody breaking social distancing laws.

(Updated for clarity)
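
The design sketched in this comment, as an added simulation that is not part of the original post and not the COVIDSafe or OpenTrace code: each phone mints its own random codes and hands one to every contact, an infected phone uploads only the codes it collected, and every other phone checks the published list for its own codes. The phone names, the encounter list and the single-server "board" are constructed for the example; the property worth checking is that the server's only state is a set of opaque codes with no phone-to-code mapping.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Phone:
    """A handset in the decentralised scheme (constructed example)."""
    name: str
    own_codes: set = field(default_factory=set)    # codes this phone generated
    heard_codes: set = field(default_factory=set)  # codes received from contacts

    def new_code(self) -> bytes:
        # A fresh random code per encounter: nothing about it identifies the phone.
        code = secrets.token_bytes(16)
        self.own_codes.add(code)
        return code


def encounter(a: Phone, b: Phone) -> None:
    """Both sides exchange freshly generated codes over BLE (simulated here)."""
    a.heard_codes.add(b.new_code())
    b.heard_codes.add(a.new_code())


class PublicBoard:
    """The only server-side state: a flat set of published codes, nothing else."""

    def __init__(self) -> None:
        self.published: set = set()

    def publish_contacts_of(self, infected: Phone) -> None:
        # The infected person's phone uploads the codes it *collected*, i.e.
        # codes minted by the people it met. Its own codes stay on the device.
        self.published |= infected.heard_codes

    def fetch(self) -> set:
        return set(self.published)


def exposed(phone: Phone, board: PublicBoard) -> bool:
    """Client-side check: did one of my own codes land on the published list?"""
    return bool(phone.own_codes & board.fetch())


def simulate() -> dict:
    """Constructed scenario: alice meets bob, bob meets carol, dave meets nobody;
    bob then tests positive. Returns who is flagged plus what the server holds."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    encounter(alice, bob)
    encounter(bob, carol)

    board = PublicBoard()
    board.publish_contacts_of(bob)

    return {
        "flagged": {p.name: exposed(p, board) for p in (alice, bob, carol, dave)},
        # The board holds bytes only; there is no name, phone number or
        # device identity anywhere on the server to join the codes against.
        "server_state_is_only_codes": all(isinstance(c, bytes) for c in board.published),
        "server_code_count": len(board.published),
    }


if __name__ == "__main__":
    print(simulate())
```

Because a new code is minted per encounter, a published code points back only to the single contact who received it; the trade-off, visible in the simulation, is that the matching has to happen on every phone by fetching the whole list, which is the cost this comment accepts in exchange for the server never learning who met whom.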

[+] tastroder|5 years ago|reply
It's interesting to see these tracing app discussions crop up all over the world at the moment. In Germany it quite literally took dozens of public interest groups, two weeks of media attention, EU guidance and an open letter by hundreds of scientists to make the government switch from central data collection to an acceptable decentralised approach.

The amount of misinformation put out by lobby groups in the process was frankly astonishing, is that similar in Australia or is this app primarily driven by the government itself?

[+] rstuart4133|5 years ago|reply
> is that similar in Australia or is this app primarily driven by the government itself?

I'm an Australian - and from my perspective the answer is "no".

They are doing the best job they can. In this case, the mandarins running the place (we have a Westminster system) look to be very unfamiliar with open source development practices, and the positive impacts it has on software reliability, productivity and the trust you can place in it. But to answer your question - no one is selfishly pursuing personal agendas or trying to enrich themselves here.

That's not a good excuse for getting it wrong as they have done in this instance of course. But it is just a question of them coming to grips with something they've never bothered to familiarise themselves with. Up until now when they needed a large IT project done, they've just hired IBM at an exorbitant fee. Amazingly, failures brought on by this waterfall style approach of the order of $4B in one instance (and there are many), the collapse of the census and a few weeks ago the collapse of a keystone of their infrastructure never made them consider alternatives. The fact that most successful companies on the planet, the FANGs, have their main infrastructure based on open source and its development model seems to have passed them by unnoticed. So this alternative style of IT development being shoved down their throats is a huge bridge for them to cross.

Here's hoping they make it to the other side :D

[+] temac|5 years ago|reply
> In Germany it quite literally took dozens of public interest groups, two weeks of media attention, EU guidance and an open letter by hundreds of scientists to make the government switch from central data collection to an acceptable decentralised approach.

Interesting. Do you have any pointer on the current German approach? I've been looking at the Robert protocol from Inria+Fraunhofer, and I'm not sure I like the central secret DB it requires.

[+] lukevdp|5 years ago|reply
This app has been released by the government.
[+] em10fan|5 years ago|reply
> Non-compliant. The CovidSAFE application heavily uses source code from https://github.com/opentrace-community/opentrace-android which was released under GPL v3

That's not to say its non-compliant, they could have reached out to the (one) contributor and licenced it separately.

[+] dathinab|5 years ago|reply
It's (at least by now) mentioned that the code might have been dual licensed to them.
[+] ajdlinux|5 years ago|reply
And they've been in talks with the Singapore Government for weeks now, so quite possibly they have gotten that licence separately. We'll see.
[+] zelphirkalt|5 years ago|reply
For this specific case, it would be a grave mistake to license under anything, which does not contain a copyleft to make sure they release the source code as well and grant the 4 freedoms.
[+] gumby|5 years ago|reply
By not doing so they are by definition non-compliant.

Or they could have GPLed the entire app; no reason not to have.

[+] thisrod|5 years ago|reply
I think this discussion is putting the cart before the horse. If there is no alternative to this app, what protections should it have? That's the second question to ask. The first one, which hardly anyone is asking, is whether the thing is necessary to start with.

There is one very strong reason to suspect Australians don't need this: the app has only been here 3 days, but the novel coronavirus has been around for 3 months, and it has never looked like getting out of control. Turns out that telephones and old-school contact tracing still work, and they work even better with some help from DNA manipulating virus detection robots. Who would have thunk it?

Plus, at this point, each app user has a 1 in a million chance of being exposed to the virus. Talk about number needed to treat!

Australia should focus on prisons, aged care facilities and concentration camps, where the risks are still meaningful. And we should rack our brains to imagine other ways that the virus could rapidly spread beyond our capacity to contain it. If things keep going right, we won't need this app. If something goes wrong, it will be an unexpected thing that the app can't fix.

[+] SyneRyder|5 years ago|reply
I've been running COVIDSafe on Android for most of today, Samsung's Battery monitor is showing 3% battery use by COVIDSafe after 6 hours. I guess that's about a 10-12% battery hit over a full day, but at least it's using less battery than Spotify or TuneIn or Pocket Casts when they were in use with the screen off. So we're not talking Pokemon Go levels of battery drain here.

It works fine in the background on Android. Much like the Pebble smartwatch app does for its Bluetooth connection, you get a permanent notification, and you have to disable battery saver to stop the app sleeping. But you can still use your phone for other things. Battery monitor regards the app as in "Active" use the whole time, not in "background" use.

[+] ferros|5 years ago|reply
It was interesting to hear a lead story on the nightly news talking about data privacy issues related to where the data was stored, saying that the data would be stored on “American company Amazon’s Servers”.

No mention of Australian regions or GovCloud etc.

[+] aaron695|5 years ago|reply
I saw this coming BUT I thought if they were clever they might get the code from the Singapore government (Who I think developed OpenTrace) direct?

You can release your code as GPL. But you can also release your code however you want, separately.

Also it depends on OpenTrace's libraries and if it's been contributed to.

[+] alfiedotwtf|5 years ago|reply
Would anybody be interested in setting up a bounty? I'm thinking first team to show a major break in privacy wins the pool. I'll put in $100, and I hope others do too.

Edit: to be explicit, I'm talking about REing the app locally, nothing server side

[+] aapeli|5 years ago|reply
It's called dual licensing.

The Au Gov got the code for TraceTogether (what OpenTrace, the open source implementation of BlueTrace is based on) weeks before the source was publicly released as GPL.

[+] lukevdp|5 years ago|reply
In the Privacy Impact assessment that was released here https://www.health.gov.au/sites/default/files/documents/2020...

The government is planning to release the source code “subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre.”

Take that for what you will. I suspect some people will take this to mean they won’t be releasing the source, however at this point I think it’s reasonable to believe it is still going through this process.

[+] hyperpallium|5 years ago|reply
They said they would release source, but they've distributed the app first, so are in breach.

They also said location would not be used, but

  android.permission.ACCESS_FINE_LOCATION
Can't trust them on things that can be checked; therefore can't trust them on the things that that can't be checked.
[+] Sophistifunk|5 years ago|reply
The Australian government is not to be trusted, they (both parties) have been trying to take control of the internet for decades now, and even when they're not trying to do something nefarious, government IT projects have a long history of incompetence. Even recently (but before CV19) they've been drastically increasing the reach of the state to spy on people and force backdoors into software.
[+] scoot_718|5 years ago|reply
> Remind them how little time they think before they download dozens of free, adware crap games that are likely far worse for their data & privacy than this ever would be!

Not a convincing argument for anything.

[+] tgsovlerkhgsel|5 years ago|reply
Does this randomize the Bluetooth address too? I saw the README (from the dissection) mention a function that hides the name "so the other side only gets the address", which would defeat the entire purpose of rotating identifiers.

If it does randomize the Bluetooth address, does it use a separate identifier, and if so, does it rotate both at the same time? Otherwise, you can use an identifier that changes at time 1 to link the other identifier with its new version when it changes at a different time.
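
The linkage this comment describes, worked through as an added example (not from the original post and not from the app under discussion): a device advertises a Bluetooth address and an app-level identifier, an observer logs the pairs it sees, and any two values seen together are treated as the same device. When the two rotate on different schedules, every rotation is bridged by the value that did not change, so the whole day collapses into one chain; when both rotate at the same instant, the chain breaks at every rotation. The rotation periods and the observation timeline are constructed for the example.

```python
from collections import defaultdict


def broadcasts(addr_period: int, id_period: int, total: int, step: int = 5) -> list:
    """Constructed broadcast timeline: one (minute, ble_addr, app_id) sample
    every `step` minutes. The address changes every addr_period minutes and
    the app identifier every id_period minutes (values are labels, not real)."""
    return [
        (t, f"addr{t // addr_period}", f"id{t // id_period}")
        for t in range(0, total, step)
    ]


def link_clusters(observations: list) -> int:
    """What a passive observer can reconstruct: values that ever appear in the
    same advertisement are the same device, so count connected components
    over the graph of (addr, id) co-occurrences. Fewer components means
    more of the timeline is linkable to one device."""
    parent: dict = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for _, addr, tid in observations:
        union(addr, tid)

    return len({find(x) for x in parent})


def longest_linkable_window(observations: list) -> int:
    """Minutes an observer can follow a single device: span of the largest cluster."""
    parent: dict = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x

    for _, addr, tid in observations:
        ra, rb = find(addr), find(tid)
        if ra != rb:
            parent[ra] = rb

    span = defaultdict(list)
    for t, addr, _ in observations:
        span[find(addr)].append(t)
    return max(max(ts) - min(ts) for ts in span.values())


def compare_schedules(total: int = 60) -> dict:
    """Unsynchronised (15 min address, 20 min identifier) versus synchronised
    (both every 15 min) rotation over the same constructed hour."""
    unsynced = broadcasts(addr_period=15, id_period=20, total=total)
    synced = broadcasts(addr_period=15, id_period=15, total=total)
    return {
        "unsynced_clusters": link_clusters(unsynced),
        "synced_clusters": link_clusters(synced),
        "unsynced_window_minutes": longest_linkable_window(unsynced),
        "synced_window_minutes": longest_linkable_window(synced),
    }


if __name__ == "__main__":
    print(compare_schedules())
```

The number of clusters is the check a reviewer would run against a rotation design: a schedule that yields one cluster over the whole timeline offers no more unlinkability than a static identifier, regardless of how often either value changes on its own. The mitigation the comment hints at is the synchronised case, where the address and the identifier are replaced in the same advertisement so no stale value bridges the change.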

[+] ggm|5 years ago|reply
I'd love to know where 15 minutes exposed came from. Feels like a value imputed from a join over battery drain and usefulness. I thought five minutes made more sense. If you are 15 min within 1.5m of a stranger in most Australian states you're probably mildly in breach of social distancing.
[+] bamboozled|5 years ago|reply
I'm wondering how the application protects against people running malicious clients? If the point of this app is to broadcast identifiable information into the public domain, what is stopping others from snooping this information and creating their own tracing DB?
[+] stephen_g|5 years ago|reply
My biggest worry (apart from the fact that any Australian law enforcement agency or intelligence service could serve the department that released the app with a notice under the TOLA Act (AA bill) to add a backdoor, and they would be compelled to do it and then deny its existence), is that it probably just won't be extremely effective, but people will see it as a magic bullet out of lockdown.

There is a lot of pressure from the right wing and business lobbies to re-open everything, but the only reason that we have had such low numbers is because we locked down early and hard.

People are saying "Install the app so we can go back to normal quicker" already - this is dangerous. With commercial grade hardware and software not designed for this, we can't assume the app will be reliable all (or even most) of the time. The period of time somebody is infectious seems to be quite long. So using the app as an excuse to ease lockdown will not work and would probably just result in unrestrained community transmission. Especially as we are coming into winter, we really don't want a second wave!