I was made aware of this just 5 minutes ago. Sorry if this was already mentioned on this ML in the past few days.
Singapore decided to release their Tracing-App under GPL-3.0 [0], which obviously would establish better trust and would benefit other countries and regions as well, as the software (or parts of it) could be re-used, being in line with PMPC [1] as well as the FSFE's call to release any COVID19 Tracking App under a Free Software License [2].
Kind regards and stay healthy, Jan
[0] https://github.com/opentrace-community
[1] https://publiccode.eu/
[2] https://fsfe.org/news/2020/news-20200402-02.html
On Friday 10. April 2020 12.00.34 Jan Wey. wrote:
I was made aware of this just 5 minutes ago. Sorry if this was already mentioned on this ML in the past few days.
Singapore decided to release their Tracing-App under GPL-3.0 [0], which obviously would establish better trust and would benefit other countries and regions as well, as the software (or parts of it) could be re-used, being in line with PMPC [1] as well as the FSFE's call to release any COVID19 Tracking App under a Free Software License [2].
[...]
[0] https://github.com/opentrace-community
[1] https://publiccode.eu/
[2] https://fsfe.org/news/2020/news-20200402-02.html
This is interesting to hear about! Reading the Norwegian news recently, it would appear that the "app" being developed for this country's public health agency will not be Free Software. Here's a reasonable Norwegian language entry point to the news coverage:
https://www.nrk.no/norge/fhi-appen-smittestopp-gjennomgas-na-av-sikkerhetseksperter-1.14977918
The justification for this is fairly weak:
https://www.simula.no/news/digital-smittesporing-apen-kildekode
One reason given is that making the source code available helps people with "hostile intent" to do bad things. Obviously, one can also argue that making the code available allows people with helpful intent to remedy the bad things that may be in the software, these being there through accident, questionable judgement or even malicious intent.
To justify their position, the case of the Heartbleed vulnerability is mentioned, with it being stated that the bug that caused it lingered for two years in Free Software without the anticipated scrutiny being brought to bear. Certainly, those who pitch "open source" largely as an efficiency or economic tool (the ones who talk about bugs and eyeballs) don't do the Free Software movement many favours by reducing the spectrum of benefits down to a single easy-to-sell metric of success.
But as we know, the real reason for things like Heartbleed occurring is the chronic underinvestment in Free Software by companies making colossal amounts of money using Free Software. These companies are happy to see "open source" in broad use, but they are not prepared to adequately invest in the maintenance and further development of the software. When the auditing audience is burned-out volunteers and bad guys, the situation is obviously not favourable to those wanting to see high reliability and security engineered into the code.
The fact is, however, that Free Software characteristics are largely orthogonal to how good any software might be. There is nothing to stop the best quality software being Free Software, and there is nothing to stop commercially "valuable" proprietary software being complete garbage. Sadly, academic and research institutions are often bamboozled by predatory "innovation" advocacy that equates value with scarcity and secrecy, leading to the hoarding of research benefits for application within privileged niches instead of helping to strengthen society at large.
With regard to the news article on the topic, there are various attempts at reassurance about how serious the developers are taking the work. For example:
"Måten vi jobber på er nok veldig likt hvordan åpen kildekode-miljøet ville jobbet. Det er også den typen folk som sitter i gruppen, sier lederen av ekspertgruppen."
("The way we work is probably rather like how the open source community would have worked. It is also this kind of people working in our group, says the leader of the expert group.")
In other words, a form of imitation of how Free Software developers might work is occurring based on a perception of a particular "kind of person". Seeing how well the industry tends to imitate various recommended practices more generally, typically failing in a burdensome way, I'm not sure how much confidence I would have from such reassurances.
Reassurances from the government also seem to be readily forthcoming:
"Vi vil selvfølgelig ikke lansere en løsning hvis det skulle vise seg at den ikke er sikker. Ekspertgruppens uavhengige vurdering vil selvsagt være viktig for oss i den sammenhengen, sier helseminister Bent Høie til NRK."
("We would obviously not release a solution if there were indications that it wasn't secure. The expert group's independent assessment will, of course, be important for us in that regard, says health minister Bent Høie to NRK.")
I would take government reassurances more seriously if we hadn't previously heard lazy brushing aside of concerns about attacks on electoral processes and infrastructure by the prime minister. A while ago there were reports of intrusions and data breaches at one of the regional health providers, but all that seemed to emerge from that episode were vague "nothing to see here" claims from these ministers.
For more criticism, a Norwegian language article (and its comments) linked to from the above news article is somewhat worth reading:
https://nrkbeta.no/2020/04/02/advarer-mot-a-installere-fhis-korona-app/
Here, the Singapore application is mentioned along with indications that Germany may also take it into use. There also appear to be architectural differences between the way these applications work: centralised versus decentralised communication, for instance.
Fundamentally, Free Software means having control over the software we choose (or are asked to choose) to run on our devices. Denying us the ability to know what that software does is simply exploitative. It is rather telling that Simula - the developers of the Norwegian application - don't even dignify this fundamental aspect of Free Software in their response to criticism. And it is interesting that a country renowned for its surveillance and social control is more open about the technology it uses than a country that actively projects an entirely different image of itself to the rest of the world.
Paul
P.S. I find it also laughable that the following statement is paraded early on in the Simula article:
"Åpenhet og kunnskapsdeling er en del av ryggmargen vår."
("Openness and knowledge sharing is an essential part of who we are.")
As far as I know Simula is part of the software patenting "innovation" circus in this country, which is fundamentally incompatible with true openness and sharing.
Thanks for sharing!
I just passed it on to a government mailing list in my country (Peru).
I did a quick search and found an article by the Singaporean government explaining their logic, which I shared also.
https://www.tech.gov.sg/media/technews/six-things-about-opentrace
Hope it helps!
Regards, Sebastian
On Fri, 10 Apr 2020 at 15:52, Paul Boddie paul@boddie.org.uk wrote:
[...]
On Friday 10. April 2020 22.09.06 Sebastian Silva wrote:
Thanks for sharing!
I just passed it on to a government mailing list in my country (Peru).
I did a quick search and found an article by the Singaporean government explaining their logic, which I shared also.
https://www.tech.gov.sg/media/technews/six-things-about-opentrace
Some of the insights are interesting in various blog posts. For instance:
"Aside from the technical challenge, using location data for contact tracing also raises serious privacy and data security concerns. If users are hesitant to download the app for fear of inadvertently revealing their movements, its ability to link the dots would be greatly diminished."
https://www.tech.gov.sg/media/technews/tracetogether-behind-the-scenes-look-...
This is in agreement with the European Data Protection Board advice:
"Contact tracing apps do not require location tracking of individual users. Their goal is not to follow the movements of individuals or to enforce prescriptions. [...] Collecting an individual's movements in the context of contact tracing apps would violate the principle of data minimisation. In addition, doing so would create major security and privacy risks."
https://edpb.europa.eu/sites/edpb/files/files/file1/edpbletterecadvisecodiv-...
Interestingly, the ACLU has a white paper on the topic which includes the following remarks:
"In addition, the location data typically generated by cell phones is not precise enough to identify epidemiologically relevant contacts, i.e. such as those within the requisite distance or with the relevant type of exposure. We reject these privacy-unfriendly TACT proposals outright because they do not strike the right balance between effectiveness, necessity, and intrusion."
https://www.aclu.org/report/aclu-white-paper-principles-technology-assisted-...
(The ACLU document is a solid summary of a number of different concerns and, of course, favours Free Software, advocates reproducible builds and release archiving, amongst other things - see the "Auditable and fixable" section.)
In contrast to this, the Norwegian agency and partners seem to have fixated on the recognised limitations of Apple products:
"– Vi mener at lokasjonsdata er et nødvendig supplement til Bluetooth både for å validere data før utsending av varsler (for å hindre falske varsler) og spore nærkontakter som man ikke finner ved Bluetooth. Lokasjon vil også gjøre det mulig å ha forskjellige algoritmer for nærkontakt på forskjellige steder."
("We believe that location data is a necessary supplement to Bluetooth both for validating data before sending alerts (to prevent false alarms) and to trace others that cannot be found with Bluetooth. Location data will also make it possible to have different algorithms for proximity detection in different places.")
https://nrkbeta.no/2020/04/16/personvernrad-i-eu-mener-norsk-app-bryter-med-...
I find it rather interesting that location information is supposedly so helpful in the absence of Bluetooth signals. As the Singapore group openly admits...
"While GPS works well in wide, open spaces, it fares poorly when it comes to indoor and highly urbanised settings, said Mr Jason Bay, Senior Director of Government Digital Services at GovTech. “If you are one floor down in a building, your GPS location could look the same as someone in the floor above you because of signal reflections and multipath propagation effects,” he explained."
Indeed, precise indoor positioning (which is arguably most important in this situation) is a notorious problem with plenty of different, imperfect solutions despite being a lucrative area of research. I think I trust the person talking about reflections and propagation effects while giving an understandable example of false positives, as opposed to the person being vague about "different algorithms" and keeping their options open to the maximum.
It should be said that location information is already used for surveillance, tracking, "analytics" and so on, with such data being traded for commercial advantage. This should not automatically make its use acceptable because "no-one has any privacy anyway" or because there is an opportunity to normalise such activities in another realm. Moreover, there is a real risk that such solutions applied in this realm could cause panic situations and impact the wellbeing of the population.
Meanwhile, a preliminary report was delivered about aspects of an official review of the Norwegian "app". Some extracts:
"Posisjonsdata som breddegrad, lengdegrad, nøyaktighet, hastighet, høyde og nøyaktighet på høyde blir periodisk lagret i en ukryptert lokal database på telefonen."
("Position information such as latitude, longitude, [geographic?] accuracy, speed, height and height accuracy are periodically stored in an unencrypted local database on the telephone.")
"Det brukes permanente og enhets-spesifikke identifikatorer mellom enhetene. Dette vil potensielt åpne for muligheter til å utlede andres identitet eller smittestatus."
("Permanent and unit-specific identifiers are used by devices. This could potentially make it possible to extract the identity or infection status of others.")
"Tilgangsstyring, logging av tilgang, prosedyrer for sletting og aggregering av data i Azure er enda enten ikke påbegynt eller ferdig implementert. Denne funksjonaliteten er avgjørende for å kunne vurdere om personvernet er godt nok ivaretatt i løsningen."
("Access control, access logging, processes for deletion and aggregation of data in [Microsoft's cloud solution] Azure are either not yet established or finalised. This functionality is critical in assessing whether privacy is safeguarded in this solution.")
https://www.regjeringen.no/globalassets/departementene/hod/fellesdok/rapport...
Noting that this report was filed about a week ago, maybe some progress was made since then before launch. I don't think anyone knows why the agency responsible and their partners did not decide to build on other efforts. Reassurances from the politicians don't really count for so much when one reads this...
"Rett etter skjøt statsminister Erna Solberg inn at denne løsningen vil bidra til å gi nordmenn «mer frihet, raskere»."
("Immediately after [the health minister's insistence of the legal compliance of the solution], the prime minister, Erna Solberg, shot in with the observation that the solution will help give Norwegians "more freedom, more quickly".")
This being a government that attempted to introduce emergency legislation curtailing the powers of the legislature, described as "madness" by one legal expert [1]. But, of course, only foreign people can be autocrats and dictators!
Sorry for the long message!
Paul
[1] https://www.nrk.no/norge/regjeringen-legger-frem-ny-korona-lov-som-gir-krise...
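The second extract from the review report quoted in the message above notes that permanent, device-specific identifiers exchanged between devices could let someone derive others' identity or infection status. The following Python script is an added illustration, not code from Smittestopp, OpenTrace or any other project discussed in this thread. It models an observer's log of Bluetooth broadcasts and compares how many sightings can be linked to one device when the identifier is fixed versus when it rotates every 15 minutes as an HMAC of the time window under a device key; the 15-minute period, the device key and the sighting times are constructed assumptions. It also shows that the key holder can still recognise their own broadcasts, which is what lets a decentralised scheme match encounters after a diagnosis without any permanent identifier.

```python
"""Linkability of permanent vs. rotating proximity identifiers.

Added illustration, not code from any contact-tracing app: every key,
timestamp and rotation period here is constructed sample data.
"""
import hashlib
import hmac
from collections import defaultdict

# Assumption: a fresh broadcast identifier per 15-minute window.
ROTATION_SECONDS = 15 * 60

# Constructed device key and sighting times (seconds since the epoch).
# BASE is aligned to a window boundary so that the first two sightings
# fall into the same 15-minute window and the others into different ones.
SECRET = b"constructed-device-key-0001"
BASE = 900 * 1762776  # 1586498400, a window-aligned instant in April 2020 (UTC)
TIMES = [BASE, BASE + 300, BASE + 3 * 3600, BASE + 8 * 3600 + 1800]


def permanent_id(device_secret: bytes, timestamp: int) -> str:
    """A fixed identifier: the same value in every broadcast (timestamp ignored)."""
    return hashlib.sha256(device_secret).hexdigest()[:16]


def rotating_id(device_secret: bytes, timestamp: int) -> str:
    """A rolling identifier: HMAC of the current time window under the device key.
    Without the key, identifiers from different windows look unrelated."""
    window = timestamp // ROTATION_SECONDS
    tag = hmac.new(device_secret, window.to_bytes(8, "big"), hashlib.sha256)
    return tag.hexdigest()[:16]


def simulate(id_func, device_secret: bytes, timestamps):
    """The broadcasts one device emits at the given times, as an observer logs them."""
    return [(ts, id_func(device_secret, ts)) for ts in timestamps]


def link_sightings(log):
    """What an observer can do with a log of (time, identifier) pairs:
    group sightings by identifier. Each group is attributable to one device."""
    groups = defaultdict(list)
    for ts, bid in log:
        groups[bid].append(ts)
    return dict(groups)


def linkable_sightings(id_func, device_secret: bytes, timestamps) -> int:
    """Size of the largest group an observer can attribute to a single device."""
    log = simulate(id_func, device_secret, timestamps)
    return max(len(group) for group in link_sightings(log).values())


def own_sightings(device_secret: bytes, log):
    """Sightings the key holder can recognise as their own by recomputing the
    rotating identifier for each window. In a decentralised scheme a diagnosed
    user publishes this key and other phones run the same check on their logs."""
    return [(ts, bid) for ts, bid in log
            if hmac.compare_digest(bid, rotating_id(device_secret, ts))]


if __name__ == "__main__":
    print("permanent id, sightings linkable by an observer:",
          linkable_sightings(permanent_id, SECRET, TIMES))   # 4
    print("rotating id, sightings linkable by an observer: ",
          linkable_sightings(rotating_id, SECRET, TIMES))    # 2
    rotating_log = simulate(rotating_id, SECRET, TIMES)
    print("sightings the key holder can match:",
          len(own_sightings(SECRET, rotating_log)))          # 4
```

The point of the comparison is that rotation bounds what a passive observer can learn to a single window, while the holder of the key (and, after a voluntary upload, anyone checking encounters against that key) can still match every broadcast; a permanent identifier gives the observer the whole history for free.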
On Friday 10 April 2020 12:00:34 Jan Wey. wrote:
Singapore decided to release their Tracing-App under GPL-3.0 [0], which obviously would establish better trust and would benefit other countries and regions as well, as the software (or parts of it) could be re-used, being in line with PMPC [1] as well as the FSFE's call to release any COVID19 Tracking App under a Free Software License [2].
https://github.com/opentrace-community
On Saturday 11 April 2020 05:09:06 Sebastian Silva wrote:
I did a quick search and found an article by the Singaporean government explaining their logic, which I shared also.
https://www.tech.gov.sg/media/technews/six-things-about-opentrace
Yes, I think it helps to share more information.
Note that in Germany a large debate about a possible app is ongoing, with news almost daily. If you want good coverage by folks who know what Free Software and privacy are, I can recommend netzpolitik.org.
E.g. https://netzpolitik.org/2020/faq-corona-apps-die-wichtigsten-fragen-und-antw... an FAQ where it says under 10.:
"Singapur, Österreich und Island haben dabei gute Erfahrungen mit quelloffener Software, dezentraler Speicherung und der Beschränkung auf die Bluetooth-Funktion gemacht"
rough translation: "Singapore, Austria and Iceland have had good experiences with Free Software, decentralised storage and limiting the app to Bluetooth functionality."
Best Regards, Bernhard