COVID19-Tracing/-Tracking App in Singapore under GPL-3.0

Paul Boddie paul at boddie.org.uk
Fri Apr 10 13:52:30 UTC 2020


On Friday 10. April 2020 12.00.34 Jan Wey. wrote:
> I was made aware of this just 5 minutes ago. Sorry if this was already
> mentioned on this ML in the past few days.
> 
> Singapore decided to release their Tracing-App under GPL-3.0 [0], which
> obviously would establish better trust and would benefit other countries
> and regions as well, as the software (or parts of it) could be re-used,
> being in line with PMPC[1] as well as the FSFE's call to release any
> COVID19 Tracking App under a Free Software License.

[...]

> [0] https://github.com/opentrace-community
> [1] https://publiccode.eu/
> [2] https://fsfe.org/news/2020/news-20200402-02.html

This is interesting to hear about! Reading the Norwegian news recently, it 
would appear that the "app" being developed for this country's public health 
agency will not be Free Software. Here's a reasonable Norwegian-language entry 
point to the news coverage:

https://www.nrk.no/norge/fhi-appen-smittestopp-gjennomgas-na-av-sikkerhetseksperter-1.14977918

The justification for this is fairly weak:

https://www.simula.no/news/digital-smittesporing-apen-kildekode

One reason given is that making the source code available helps people with 
"hostile intent" to do bad things. Obviously, one can also argue that making 
the code available allows people with helpful intent to remedy the bad things 
that may be in the software, these being there through accident, questionable 
judgement or even malicious intent.

To justify their position, the case of the Heartbleed vulnerability is 
mentioned, with it being stated that the bug that caused it lingered for two 
years in Free Software without the anticipated scrutiny being brought to bear. 
Certainly, those who pitch "open source" largely as an efficiency or economic 
tool (the ones who talk about bugs and eyeballs) don't do the Free Software 
movement many favours by reducing the spectrum of benefits down to a single 
easy-to-sell metric of success.

But as we know, the real reason for things like Heartbleed occurring is the 
chronic underinvestment in Free Software by companies making colossal amounts 
of money using Free Software. These companies are happy to see "open source" 
in broad use, but they are not prepared to adequately invest in the 
maintenance and further development of the software. When the auditing 
audience is burned-out volunteers and bad guys, the situation is obviously not 
favourable to those wanting to see high reliability and security engineered 
into the code.

The fact is, however, that Free Software characteristics are largely 
orthogonal to how good any software might be. There is nothing to stop the 
best quality software being Free Software, and there is nothing to stop 
commercially "valuable" proprietary software being complete garbage. Sadly, 
academic and research institutions are often bamboozled by predatory 
"innovation" advocacy that equates value with scarcity and secrecy, leading to 
the hoarding of research benefits for application within privileged niches 
instead of helping to strengthen society at large.

With regard to the news article on the topic, there are various attempts at 
reassurance about how seriously the developers are taking the work. For example:

"Måten vi jobber på er nok veldig likt hvordan åpen kildekode-miljøet ville 
jobbet. Det er også den typen folk som sitter i gruppen, sier lederen av 
ekspertgruppen."

("The way we work is probably rather like how the open source community would 
have worked. It is also this kind of people working in our group, says the 
leader of the expert group.")

In other words, a form of imitation of how Free Software developers might work 
is occurring based on a perception of a particular "kind of person". Seeing 
how well the industry tends to imitate various recommended practices more 
generally, typically failing in a burdensome way, I'm not sure how much 
confidence I would have from such reassurances.

Reassurances from the government also seem to be readily forthcoming:

"Vi vil selvfølgelig ikke lansere en løsning hvis det skulle vise seg at den 
ikke er sikker. Ekspertgruppens uavhengige vurdering vil selvsagt være viktig 
for oss i den sammenhengen, sier helseminister Bent Høie til NRK."

("We would obviously not release a solution if there were indications that it 
wasn't secure. The expert group's independent assessment will, of course, be 
important for us in that regard, says health minister Bent Høie to NRK.")

I would take government reassurances more seriously if we hadn't previously 
heard lazy brushing aside of concerns about attacks on electoral processes and 
infrastructure by the prime minister. A while ago there were reports of 
intrusions and data breaches at one of the regional health providers, but all 
that seemed to emerge from that episode were vague "nothing to see here" 
claims from these ministers.

For more criticism, a Norwegian-language article (and its comments) linked to 
from the above news article is somewhat worth reading:

https://nrkbeta.no/2020/04/02/advarer-mot-a-installere-fhis-korona-app/

Here, the Singapore application is mentioned along with indications that 
Germany may also take it into use. There also appear to be architectural 
differences between the way these applications work: centralised versus 
decentralised communication, for instance.

Fundamentally, Free Software means having control over the software we choose 
(or are asked to choose) to run on our devices. Denying us the ability to know 
what that software does is simply exploitative. It is rather telling that 
Simula - the developers of the Norwegian application - don't even dignify this 
fundamental aspect of Free Software in their response to criticism. And it is 
interesting that a country renowned for its surveillance and social control is 
more open about the technology it uses than a country that actively projects 
an entirely different image of itself to the rest of the world.

Paul

P.S. I find it also laughable that the following statement is paraded early on 
in the Simula article:

"Åpenhet og kunnskapsdeling er en del av ryggmargen vår."

("Openness and knowledge sharing is an essential part of who we are.")

As far as I know, Simula is part of the software patenting "innovation" circus 
in this country, which is fundamentally incompatible with true openness and 
sharing.
