Freedom over Government Surveillance: I’m not Installing the Government’s COVID-19 app

“If something is free, you’re not the customer; you’re the product” — Bruce Schneier

The Australian government is planning to release a contact tracing mobile app to combat COVID-19. The app is based on TraceTogether, which was developed by the Singaporean government. The code for TraceTogether has been shared with the Australian government, although the reference implementation — OpenTrace — is open source. The government is thankfully working with the private sector to build the app. You reckon the government could create Netflix? An iPhone? Any app that works well? Me, neither. The government is terrible at technology.

Much has been written about the privacy aspects of TraceTogether. However, very little has been written about the Federal government’s plan to release its own secure app with a month’s development time.

Privacy and security are natural partners but slightly different. There is no privacy without security; that is, security is a necessary requirement for privacy.


What information will the app collect? One’s name, mobile number, postcode, and an age range.

I’ve been in the cyber security industry for over 15 years. Security is an abstract concept best left for another article. (Secure against whom? Secure from what type of attacks? Only an accurate risk profile and threat modelling can answer those questions.)

However, this is what I’d expect in order for a mobile app to be considered “secure”. (Please note that these requirements are meant as a baseline; threat modelling, security non-functional requirements, a review of the design, an independent penetration test, etc. are needed based on a risk profile of the company/solution.)

Requirement: App developers must follow secure coding standards.
Test method:
1) Manual code reviews by peers.
2) Automated code scanners (SAST tools); e.g., Checkmarx, Veracode.
3) An independent code review.
4) Publishing the source code for public review.

Requirement: The app itself must be secure. OWASP’s MASVS provides a baseline level of security based on risk.
Test method: Some requirements can be tested by citing code, some must be functionally tested, and it’s appropriate to have some requirements tested by an independent company under a penetration test.

Requirement: APIs — used by the app to connect to the centralised server — must be secure.
Test method:
1) Manual code reviews by peers.
2) Automated code scanners (SAST tools); e.g., Checkmarx, Veracode.
3) An independent code review.
4) Publishing the source code for public review.

Requirement: The backend — the centralised server and its infrastructure — must be secure.
Test method:
1) Compliance against a standard (e.g., SOC 2).
2) An independent assessment.
(If the service sits as IaaS or PaaS on AWS/Azure, then the solution itself — not the datacentres and datacentre services — must be assessed.)

Requirement: Security NFRs (non-functional requirements) must be identified.
Test method: All security NFRs must be traced through to the design, ensuring that each one has been implemented. These NFRs will cover the app, the APIs, and the backend.

The standards provide a baseline level of security; the NFRs are specific to the solution.

The Federal Government Gives Australians its Assurance

I can confidently state that the Federal government cannot develop a secure app within a month, even if the government has the entire code base from the Singaporean government. The level of testing/assurance to ensure a secure implementation simply is not achievable in a month. The backend — to which app data is sent — won’t magically appear out of thin air. Designing such a backend takes time. Even if the backend is rolled out through Infrastructure as Code — given by the Singaporean government — the test methods would take months, especially under government bureaucracy.

Heck, even getting contracts in place — necessary to ensure that the developers are following everything I wrote above — with the private sector would take at least a month. And what’s the engagement model between the government and the private sector? The private sector’s claims/solution should not be taken at face value, either.

Likewise, there is no way any meaningful independent assessment of the app could be done within the timeframe. From the ABC, we learn that the government is looking for assurance from other government departments, which hardly fills one with confidence.

“He [Stuart Robert, Minister for Government Services] said the Government had enlisted the help of the Australian Signals Directorate and the Australian Cyber Security Centre, as well as other industry partners, to check the veracity of the security measures in place.”

Moreover, the government will write a privacy impact assessment. In my opinion, any assessment of the government by the government is as utterly useless as the paper on which it’s written. The government will at least release the source code (presumably only of the app, not the APIs, not the backend) and work with “industry partners” — who no doubt have their own incentives to dip their snouts in the government trough — to do… something. Maybe one day we — the people who fund the project — will know what exactly.

Thankfully Scott Morrison has said that the app won’t be mandatory. Each-way Albo agreed. The government forcing Australians to install an app is a dangerous precedent (not to mention unenforceable).

The Road to Digital Serfdom Continues

As I’ve argued, the government poses the greatest risk to digital privacy, not companies.

Moreover, Hayek shows a technical issue — often argued by Milton Friedman — with government legislation: It’s rare that legislation is repealed (e.g., “hate speech” laws in the West), rare that nonsensical government programmes are closed down (e.g., Safe Schools in Victoria), and rare that governments decrease in size, power, and influence. For digital privacy, this natural cadence of ever-increasing government power can only mean more legislation against citizens’ digital privacy and freedom; this cadence can never mean more digital privacy and freedom. This is the road to digital serfdom.

The government’s foray into centrally handling Australians’ healthcare data came with MyHealthRecord, yet another unneeded government service for which Australians pay. MyHealthRecord should be privatised but preferably decommissioned. The private sector can manage access to patient data better than any government, and the private sector will do it in a more secure manner because it has more incentive to do so. Again, the government is the greater risk to freedom and digital privacy, not the private sector.

This is the Road to Digital Serfdom: Australians give an inch, the government takes a mile, because the precedent has been set. And, worst, it’s the so-called “Liberal” government making these concessions to freedom and digital privacy.

“Being tracked by the government in order to be free is not acceptable. This is a heavy-handed attack on the liberties of all Australians. History tells us that governments that give themselves extraordinary powers in states of emergency tend not to relinquish them. It took less than three years for metadata laws passed in the name of counterterrorism, for example, to be invoked by local councils to police minor infringements like littering.” — Gideon Rozner, the IPA

But I will say this about the Liberals: Thank goodness we don’t have a Labor government right now. Labor cannot be trusted with the economy, and politically correct drivel — the vanguard of the modern Left — won’t help Australia in a crisis.

Update [20/04/20] — Holding the government to account means we’re conspiracy theorists.

A quote in an article over at ITnews.com.au annoyed me:

“The source code will [also] be made public so every university, every tech company, any conspiracist can pull apart the code and see that we’re only collecting exactly what we say we’re collecting” — Stuart Robert, Minister for Government Services

Conspiracist? Taxpayers holding a government — one with a horrific track record on digital privacy — to account are conspiracy theorists? This quote perfectly displays the attitudes of those in power, a complete ignorance of the government’s past and continued failures to uphold Australians’ freedom and digital privacy.

Publishing the source code for the app only gives Australians very limited assurance. As mentioned above, the entire solution combines an app, APIs, and a backend. No cyber security assessment can be done without source code to all components, requirements, and design documents. The government’s own self-serving privacy impact assessment is useless.

How about the government commit to reproducible builds?
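Published source only gives assurance if the binary on people’s phones can be shown to come from that source, which is what reproducible builds deliver. The following is an added example (not code from the post or from the app’s developers) of the check a reviewer would run: rebuild the app from the published source, then compare the rebuilt APK against the distributed one entry by entry, ignoring only the signing metadata under META-INF/ that legitimately differs when the reviewer signs with their own key. The sample APKs are constructed in memory for illustration.

```python
"""Compare a rebuilt APK against a published one, ignoring signing metadata."""
import hashlib
import io
import zipfile

# Signing artefacts differ whenever a different key signs the build, so they
# are excluded; everything else (dex, resources, manifest, native libs) must match.
SIGNING_PREFIX = "META-INF/"
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF")


def is_signing_entry(name):
    """True for the zip entries produced by APK signing."""
    return name.startswith(SIGNING_PREFIX) and name.endswith(SIGNING_SUFFIXES)


def content_digests(apk_bytes):
    """Map each non-signing entry name to the SHA-256 of its uncompressed contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(published, rebuilt):
    """Return {entry: 'changed' | 'missing' | 'extra'}; empty means reproducible."""
    a, b = content_digests(published), content_digests(rebuilt)
    diff = {}
    for name in a.keys() | b.keys():
        if name not in b:
            diff[name] = "missing"
        elif name not in a:
            diff[name] = "extra"
        elif a[name] != b[name]:
            diff[name] = "changed"
    return diff


def make_apk(entries):
    """Constructed sample: build an APK-like zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample builds: a published APK, a faithful rebuild signed with
# another key, and a rebuild whose code differs from what was published.
PUBLISHED = make_apk({"classes.dex": b"dex-v1", "res/values.xml": b"<r/>",
                      "META-INF/GOV.RSA": b"gov-sig", "META-INF/MANIFEST.MF": b"m1"})
REBUILT_SAME = make_apk({"classes.dex": b"dex-v1", "res/values.xml": b"<r/>",
                         "META-INF/MINE.RSA": b"my-sig", "META-INF/MANIFEST.MF": b"m2"})
REBUILT_DIFF = make_apk({"classes.dex": b"dex-v2", "res/values.xml": b"<r/>",
                         "META-INF/MINE.RSA": b"my-sig"})
```

An empty result from compare_builds is the only outcome that ties the shipped binary to the published source; a non-empty one names exactly which entries the public code does not account for.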

Update [25/04/20] — National security agencies might have access

Law enforcement won’t have access to information on Australians collected by the government’s COVID-19 app; however, national security agencies might have access.

Apparently only state health officials will have access to the information. But with the Road to Digital Serfdom now in full swing, such promises are often correct now but abused in the future.

Update [25/04/20] — The backend uses AWS

Apparently the database keys will be protected by AWS’ KMS. We still do not have a design, and therefore it’s difficult to know which keys are being spoken about in the article.

There is also some concern that the US government would be able to access Australians’ information:

“AWS is subject to a raft of invasive US national security legislation, including the CLOUD Act, a 2018 law compelling US-based technology companies to provide data to federal law enforcement under warrant, regardless of whether the data is held in the US or overseas.”

Stuart Robert’s response wasn’t encouraging:

“Keeping Australian data in Australia will be guaranteed through a determination through the Biosecurity Act and legislation,” he said.

“It will be a criminal offence to transfer data to any country other than Australia. A penalty of imprisonment for five years and/or 300 penalty units ($63,000) could apply to breaches of the direction.

“This is exactly the same way the Australian Government already uses AWS for many other agencies, including the work of our intelligence agencies, including ASD, and ensures Australian data stays in Australia.”

Apparently Stuart doesn’t understand that one can access data over the Internet, from a different country.