Health minister now unsure if source code for COVID contact tracing app is safe to release

Health minister Greg Hunt has put a question mark over whether a promise to release all source code for the federal government’s forthcoming COVID-19 contact tracing app is actually possible due to security concerns.

Talking on Triple M Hobart’s ‘The Spoonman’ show with Brian Carlton on Tuesday, Hunt would not commit or back up Government Services minister Stuart Robert’s assurance last week that the full code of the app would be available for inspection.

According to Hunt, the app will drop sometime next week.

The question of whether the contact tracing app will be open sourced remains a pivotal one – not least because of the high levels of public distrust in the federal government’s repeated assurances that the app’s functions will be strictly limited, and questions over its technical ability to deliver the software.

And the government’s changing story.

“Your government has said that you'll release the source code so all the pointy heads, the geeks, and the nerds can go through it line by line basically to see what it what it contains and whether those promises are actually true. Are you prepared to do that still?” pressed Carlton.

“The first thing we want to do is make sure that we're protecting the safety and the privacy of individuals. Everything that can be released, will be, for sure,” Hunt answered, opening the door to doubt.

Asked outright by Carlton whether the government was now “not going to release the complete source code for the app” as promised by Robert, Hunt, somewhat muddled, replied that the question was a “technical one” and appeared to suggest limits to what code is released may be contingent on efforts “to make sure that nobody else can hack into it.”

Which is not really how open source, and its value in hardening security by exposing and fixing flaws, works.

“But everything that can be safely released will be released,” Hunt continued, before apologising that the topic was “a little bit beyond my technical capabilities” – and then adding another qualifier.

“Subject to making sure that we are protecting everybody's data, which is the first task, all the details of it will certainly be released and made available in public,” Hunt said – though what “it” actually is is a little unclear.

And then there was the matter of who gets access to the app data and the persistent question of whether police could put the app or its data to use, a suggestion the federal government continues to reject.

“It's not available to law enforcement - that's going to be prohibited. An individual will have zero access to the data as well, so I can’t use it to find out whom I've been in contact with. It literally sits as an encrypted set of data on the phone,” Hunt said.

The data only travelled to “public health officials” if there was a positive diagnosis for the app user and even then the app user themselves had to push the contact data up to the government.

“It's triggered by the individual themselves - they have to type in the release,” Hunt said.

What’s left hanging there is a huge question about what happens when the app user may not be in a position to self-report through the app, especially if they are only diagnosed when they become seriously ill and potentially unresponsive.

The key question is not so much if, but how, the government will legitimately obtain information from a phone to warn other people who have been in contact when consent or a data push can’t be obtained.

Hunt said pushed contact data would “go to the state health officials and that “the Commonwealth or the Australian Government never sees the data, doesn't have access to the data, cannot use the data."

"Compared with what happens every day in terms of your engagements with Google or Apple or [Amazon], it's a scintilla,” Hunt stressed.

How Apple and Google receive the federal government’s app remains to be seen, especially when their own solution is in the works.

It appears it’s not the technology people don’t trust, perhaps more the people promoting it.

And that in itself is a substantial problem.