Today, the Australian government released COVIDSafe, the Government’s coronavirus tracking app, based on Singapore’s TraceTogether version. The release comes complete with the Government’s predictable reassuring and cajoling and guilt-tripping. Should Australians trust them and use the app? Really? For us, there is a very simple answer: when and only when Vanessa Teague gives the all clear.
Vanessa is an expert on cryptography and, as it happens, is an ex-student and a good friend. She is very smart and is as principled a person as we have ever met. Along with many of her colleagues, Vanessa has been critical of the Government’s needless (and entirely predictable) secrecy over COVIDSafe. She has written a series of blog posts about their underlying concerns, and in particular the Government’s failure to follow up on promises and release COVIDSafe’s source code. This is Vanessa’s current stance on using the app (as of 23/04):
“In its TraceTogether form, I would be happy to run it on the train but refuse to run it in my home or office. I need to see the details of Australia’s version before I decide.”
And, if that’s what Vanessa suggests then that’s what we’ll do, right up until Vanessa and her colleagues suggest otherwise. We’ll regularly be checking on Vanessa’s blog and twitter account.
Postscript: We had planned on writing about Vanessa a month or so ago, when she made the news. That story is highly relevant, since it involves privacy concerns, government screw-up, an arrogant and inept minister, a limp lettuce watchdog, a thuggish department secretary being matey matey with a vice chancellor, and a spineless university. Yep, same old, same old. But, given the speed of the times, we’ll probably have to leave that story be.
The Minister for Health has today made an undertaking to release the source code “within two weeks”. We’ll see. (The formal agency response on privacy (26/4) states that such release will be “subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre”.)
Vanessa and her colleagues have a new blog post (27/4). The post has been written “on a best-effort basis using decompiled code from the app, without access to server-side code or technical documentation.” Their conclusion:
Like TraceTogether, there are still serious privacy problems if we consider the central authority to be an adversary. That authority, whether Amazon, the Australian government or whoever accesses the server, can
- recognise all your encryptedIDs if they are heard on Bluetooth devices as you go,
- recognise them on your phone if it acquires it, and
- learn your contacts if you test positive.
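To make the three points above concrete, here is a simplified model of the TraceTogether-style design the quoted post describes: the server mints each phone's encrypted IDs under a key only it holds, so anyone without that key sees unlinkable blobs while anyone with server access maps every blob back to a user. This is an added example, not code from the app or from the blog post; the cipher is a toy HMAC-SHA256 counter-mode stream cipher with an HMAC tag standing in for the real one, and the field layout (user ID, validity window) is an assumption.

```python
import hashlib, hmac, os, struct

# Added example, not the app's code: a simplified model of the server-issued encrypted IDs
# the quote describes. The server encodes (user_id, valid_from, valid_to) under a key only
# it holds; phones broadcast the tokens and record the ones they hear. The cipher here is
# a toy HMAC-SHA256 counter-mode stream cipher plus HMAC tag, standing in for the app's
# real cipher, and the field layout is an assumption.
NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def issue_encrypted_id(server_key, user_id, valid_from, valid_to):
    """Server side: mint one broadcast token. A fresh nonce per token means two tokens
    for the same user look unrelated to anyone without the key."""
    plaintext = struct.pack(">IQQ", user_id, valid_from, valid_to)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(server_key, nonce, len(plaintext))))
    tag = hmac.new(server_key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag

def open_encrypted_id(server_key, token):
    """Server side: recover (user_id, valid_from, valid_to), or None if the tag fails."""
    nonce, body, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(server_key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(server_key, nonce, len(body))))
    return struct.unpack(">IQQ", plaintext)

def linkable_without_key(tokens):
    """Passive observer with no server key: the tokens are distinct random-looking blobs
    with nothing to group by user. True would mean the token format itself leaks linkage."""
    return len(set(tokens)) != len(tokens)

def authority_view(server_key, tokens):
    """What the central authority (or anyone with its key or server access) learns from
    the same tokens, whether heard over Bluetooth, read from a phone it acquires, or
    uploaded by a positive case: each token maps back to the user who emitted it."""
    by_user = {}
    for t in tokens:
        fields = open_encrypted_id(server_key, t)
        if fields is not None:
            by_user.setdefault(fields[0], []).append(fields[1:])
    return by_user
```

The privacy of the scheme therefore rests entirely on who holds the server key, which is why the quoted post treats the central authority, and not just outsiders, as the adversary.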
We’re not going to bother with the nasty guilt-tripping on the COVIDSafe app, including from numerous media nitwits who should know better. This from Bernard Keane suffices.
Vanessa now has a very good twitter thread on the seemingly contradictory safe/not-safe messages from IT folk.
UPDATE (11/5) Vanessa has a twitter thread (08/05) on ScoMoFo’s latest round of silly buggers.
UPDATE (13/5) This will come as a great surprise, but it turns out that Greg Hunt is a dishonest piece of shit.
UPDATE (15/5) Vanessa and her colleagues have a new blog post (14/5): The missing server code, and why it matters.
UPDATE (20/5) Vanessa and her colleague Chris Culnane have a new blog post (19/5), on flaws in and corrections to the UK covid app (and why this was possible). Vanessa also has an accompanying twitter thread.
18 Replies to “Vanessa’s Appt Concerns”
Checked out the app on Google Play and saw it has a very very high rating, which surprised me. I’m sure there’s absolutely nothing going on there.
Thanks, Craig. Actually, I do doubt there’s anything going on there, except a biased sample. Pretty much anyone who downloads the app is presumably in favour of wide usage, and so are voting accordingly. Those who are sceptical don’t download the app and then (I assume) don’t get to vote.
Consider checking out Official Secrets and or Citizen 4 before downloading this tracking device.
“You are either with us or a terrorist ….” to quote the false dichotomy of the coalition of the willing
Thanks, Steve. Yes, the government has well earned the suspicion of them. I have no idea who those groups/people are. I will probably stick to Vanessa, with a dose of Crikey. I looked a little at the debate (i.e. propaganda) today, but decided I don’t have time to do any decent evaluation.
If anyone tells me that my data are safe and my data will be used only for prescribed purposes, I don’t believe them.
Thanks, Terry. Why?
Experience. If I do provide data to someone (and it is part of daily life), I do so realising that my data may be neither safe nor accurate.
A very wise position to take. I can’t think of anything that suggests otherwise.
Perhaps a simpler test: I will (probably not, but pretend I will) download this app when every member of the federal coalition downloads and installs said app.
Since this has not happened, I am left with many, many questions and very few answers.
Oh, RF, the coalition is a barnyard of crazies. Hardly a fair test.
Barnyard of crazies …a great collective noun
Being familiar with the Barn-Megaparsec unit of volume when sweetening your hot drink, it may be
time to introduce those other alternative non-SI units summarised by the Furlong Firkin Fortnight (FFF).
The Canard as a measurement of pseudoscience quackery when listening to the POTUS news briefings.
The Dirac as a measure of information flow could be used on drive time radio or political broadcasts
The New York Second has many applications in a COVID lockdown whilst social distancing
a few others are summarised here
I like Mill as a unit of currency – especially the plural
Perfect timing https://www.theguardian.com/technology/2020/may/03/home-affairs-data-breach-may-have-exposed-personal-details-of-700000-migrants
Thanks, SRK. It’s like a set piece from Duck Soup, with David Speers in the role of Margaret Dumont.
For those interested…
Here are the small print terms and conditions of use by the DTA and a link to download the “as is” app source code on GitHub.
Thanks, Steve. I’m not sure what you mean by “as is”, but Vanessa has explained very clearly why the “release of the source code” is a sleazy shell game. And, yes, the T & C have that fascistic tone that the government just can’t or won’t give up.
Reading the very small print in 3. of the T&C above, “As Is” appears to mean that this cut of the source code is likely to be an “unsigned off” Beta version of the product which can be updated at any time by the consultants who developed it for the DTA to fix any security and other issues as discovered as it gets tested on those who have downloaded it already.
The current application doesn’t work well with devices running iOS systems before version 10, so they may be fixing that?
They will be constantly fixing it, which is fundamentally a good thing. What is bad is that (a) They didn’t give it to people like Vanessa before release to pre-fix things; (b) they’re not releasing the server code, which means that people like Vanessa cannot even test for the fuck-ups at that end; (c) they’re not releasing the server code, which means no one has any fucking idea what they’re doing.
It’s a fucking mess. In their hearts, they are authoritarian fuckers.