
I believe the government, PM and various ministers have said the code will be released. My sources also say exactly the same.

They’re obviously operating with extreme urgency to get the app out. For you.

Give them a few weeks to clean up code and release it (which is very normal) - but in the meantime, here are some tips:

- Turn the HN angry mob mode off - it’s not helpful. We’re all in this together.

- Commend the government on some smart privacy and security choices (data deleted after 21 days, open source code, AWS in Australia, sensible sec practices etc). They won’t get it all right - and we as a tech community can help them. Find a bug & help get them closed.

- When asked by non technical people “Should I install this app? Is my data / privacy safe? Is it true it doesn’t track my location?” - say “Yes” and help them understand. Fight the misinformation. Remind them how little time they think before they download dozens of free, adware crap games that are likely far worse for their data & privacy than this ever would be!

Thank you

I would love to trust them more, but the Australian government does not have a good track record with regards to privacy. Two such recent examples:

- Australians' browser history is being provided to law enforcement even though that practice was excluded from the original intent and law [0]

- Australia passed laws in 2018 which enable law enforcement to compel tech companies into inserting backdoors into their software [1]

0: https://www.theguardian.com/world/2020/feb/07/web-browsing-h...

1: https://www.wired.com/story/australia-encryption-law-global-...

The Australian government is not a single monolithic institution. It's a set of hundreds of thousands of people with different agendas and intentions. You cannot assign singular agency to the entire government; rather we have to go case-by-case to understand the implications of programs like these.

That is a little like saying the human body isn't a single organism because, say, the digestive tract operates with its own agency and intention outside of conscious control. It isn't correct; the politicians in the government have a very high level of agency around what ends up being fed into the institutions and what agendas and intentions are allowed to rise to power.

This isn't the step that gets us to a dystopian future, but it is so cheap and convenient for government to take programs like this and expand them every single time there is a crisis that it may as well be assumed to be coming if people don't kick up a stink each and every time.

We don't need perfect safety. We can't have perfect safety. Having perfect, technologically enforced safety will create systems that will become corrupted and evil with a high, high likelihood. I don't want the government to have the ability to figure out who I'm talking to at all; I'd rather we went in the exact opposite direction of this app and put legal barriers in place to them even asking. COVID-19 is horrible, but it will pass. This tracking strategy will not.

"I'd rather we went in the exact opposite direction of this app and put legal barriers in place to them even asking. COVID-19 is horrible, but it will pass. This tracking strategy will not."

Absolutely damn correct brother! 10/10.

Yes. But it is the government that creates the law.

Parent also forgot to mention mandatory data retention laws. All ISPs must retain history of internet traffic for ¿2 years.

That telephone numbers are used in this app should also be regarded as a breach of the referendum we had about the Australia Card back in the 80's. (It is illegal to tie citizens to a number for the sake of tracking, which is exactly what this does...). Which is why scomo (Scott Morrison, the PM) is asking for this app to be voluntary.

This only matters if it's mandatory, which voting is in Australia. This app is voluntary. Whether it has passed or not yet, legislation is planned to make it illegal to force anyone to download or use it. So tying it to a phone number is ok if it's totally voluntary. Also because users are not identified by their phone number under normal circumstances, this is also ok. If someone steals or leaks the key used to encrypt/decrypt all TempIds for all users, or can figure out a pattern in the generation of future TempIds for users, they can possibly tie people to their phone number and identify them. However under normal use there is no way to identify someone, well unless they can snoop the broadcast/encounter JSON messages and get your device ID and tie that to you.

That makes it worse. A well-intentioned, well-meaning government org could create something with proper privacy controls and then another part of the government with worse intentions could get their hands on the data.

"A well-intentioned, well-meaning government org<...>"

Yuh, has there ever been one? If so where and when? (I've been around quite some years now and I've never seen one anywhere.)

Never attribute to malice what can be just as easily attributed to stupidity. While there are clear bad actors, I do believe that many do think what they are doing is for the best. Few people are actually evil, most are just stupid. I'd consider that a win considering that we're chimps that are barely able to communicate with one another even when we speak the same language.

Bollocks. We can attribute to them the desire to gobble up power to control what we can and can't do on the internet and surveil us, because that's the way they all behave.

"The Australian government is not a single monolithic institution. It's a set of hundreds of thousands of people with different agendas and intentions."

Correct! Once we had two camps, you either voted for one or the other. That's all gone now, Identity Politics unfortunately killed the simple life off years ago.

Have you ever thought why the Australian Government is so far ahead in such matters?

Perhaps it has something to do with the bloody-minded, overly-timid sheep that continually vote these bastards into government year after year—despite the current surfeit of draconian law.

Don't forget there's been no stomach to rock the boat in this country for decades and also we haven't had an effective Opposition for many years.

Do you honestly believe that they are trying to do something other than stem the harm from this pandemic, or are you just protesting about something they did in the past that you're not happy about? If it is the latter, have you considered the harm that your protest may be doing?

It is a combination of their previous behavior plus the behavior of the various agencies.

For example: https://www.theguardian.com/australia-news/2020/apr/23/gover...

The fact that law enforcement even asked for this would be to many people completely unacceptable.

It's why, despite their efforts to assuage people, so many people will not trust this government.

The backdoor legislation means that at a later date, after the code is released, they could request a backdoor to the app and _no one_ could talk about it. All the legal provisions are there.

This just goes to show that the police and security services will stop at nothing to increase surveillance of the general population.

It beggars belief that the police see COVID-19 as an opportunity in such an overt manner - but you can bet the security services see it as an opportunity in a much more circumspect manner.

I honestly believe that they will not bypass any opportunity to increase surveillance and that any kind of tracking that is normalized now will be expanded in the future.

I don’t believe that the people pushing this knowingly have bad intentions, but all the last decades have taught is “never give an inch.”

That's a false dichotomy. They could be totally fine with the intent of this app, but concerned with its potential secondary effects. And "something they did in the past" suggests they have stopped doing it.

> "something they did in the past" suggests they have stopped doing it.

No it doesn't. All evidence of their proclivities is from the past. It means they have form, a record, of bad behaviour.

Remember how the use of the Tax File Number was going to be strictly limited? And have you noticed you cannot scratch your bum without quoting it now?

Mission creep is a thing.

My own impression from observing his public behaviour is that Scott Morrison is a lying liar who tells lies when convenient to himself.

Yes, and Scotty will use the crisis to lower company tax and regulations, whilst thousands of poor souls line up at Centrelink. It's sad. The app is poorly conceived and probably useless. This is how we sleepwalk into a surveillance dystopia. But if it tracks politicians' illicit dalliances and time with lobbyists, property developers and tax haven financiers, that could be useful. Just need a bureaucrat to do a copy and paste, then send to Wikileaks.

Income tax was introduced as a "temporary measure" to pay for WWII.

Fool me once shame on you, fool me twice, shame on me.

I assume you mean WWI? https://en.wikipedia.org/wiki/Income_tax#Timeline_of_introdu...

If we're talking Australia. If the US, well... Civil War.

But to the sentiment of the comment, I completely agree. That is explicitly why we need the "burn the system down" type of people that I mentioned. They bring to light these kinds of topics and considerations.

> Australia passed laws in 2018 which enable law enforcement to compel tech companies into inserting backdoors into their software

No, it didn't. The bill had language specifically intended to address these concerns. Read the bill [0]. The relevant part is under Part 15 > Division 7 > 317ZG, which you can also see at [1].

This section explicitly forbids the government from requesting that a provider "build a systemic weakness, or a systemic vulnerability, into a form of electronic protection". It also forbids the government from asking a provider to preserve such a weakness.

It also explicitly indicates that this definition includes:

- "a reference to implement or build a new decryption capability in relation to a form of electronic protection"

- "a reference to one or more actions that would render systemic methods of authentication or encryption less effective"

So no, the government did not pass a bill that allows them to request encryption backdoors.

These weren't even amendments made later, this language was present from the very first version of the bill [2].

The reporting around this was simply atrocious and made me lose a lot of respect for news sources I'd otherwise have thought were respectable. Just read Wired's article:

"Systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person," the Australian law says. In other words, intentionally weakening every messaging platform out there with the same backdoor wouldn't fly, but developing tailored access to individual messaging programs, like WhatsApp or iMessage, is allowed."

They cherry-pick a quote from part of the legislation but just so happen to ignore the rest of section 317ZG, which invalidates their claims.

Other publications were even worse, they couldn't even point to which parts of the law were objectionable.

If you would like to disagree with my assertions, please provide evidence-based claims, as I have.

[0]: https://www.legislation.gov.au/Details/C2018C00495

[1]: http://www5.austlii.edu.au/au/legis/cth/consol_act/ta1997214...

[2]: https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...

> - Turn the HN angry mob mode off - it’s not helpful. We’re all in this together.

I actually believe this is helpful. Just in any democratic setting you want different types of players. You want the "burn the system down" people, because they provide harsh critiques and don't hold back. You want the "okay, but I have reservations" people, because they will push forward but also consider what they are doing (and will likely whistleblow if things get out of hand). You want the loyalists because they will push forward despite criticism. The trick is that you need a balance of these people (and the unmentioned players).

Specifically here I don't think we've even answered the question of "should we have contact tracing apps?" Because of this, I do think having that angry mob is helpful. The loyalists will push forward building it but the mob will help us decide if we even want that technology in our society. If we decide we do, we'll have it. If we decide we don't, well we'll know better how they would be designed.

__Being critical of those in power is a keystone to democracy.__

The Australian government's track record is bad and we should be critical of that. But I have yet to see important problems with this particular app identified. Let's stick with the facts here rather than 'it must be bad'. People have decompiled the Kotlin code and so far I haven't seen anyone report anything bad. Am I missing something?

If we have zero other information about the app other than the creator, that’s the only reasonable thing to base our options on. Aka, if all you know is the software is written by a malware company, would you run it?

I am perfectly willing to change my opinion if given more information, but until then...

That’s a massive understatement. More accurate words describing the government’s track record would be “screwup, coverup, deceit, malicious”.

At every single point in the past where they have had the chance to deal with technology they have done one or more of the following: 1. Screwed up, and then tried to cover it up. 2. Outright lied. 3. Created malicious laws that mandate violating privacy and makes it illegal to tell the truth about it.

Basically they have proven numerous times that they can’t be trusted with technology or privacy.

My feeling is that they are getting it right this time, as science and medicine is still trumping politics in Australia's COVID response. (Though that's beginning to change.)

Getting it right this time means the Government doesn't have any excuses going forward.

Overall Australia is genuinely doing a great job in relation to COVID, mainly because the Government had the good sense to put the experts center stage and give them real authority. Most Australians have spotted this break with the past and have unified to contain COVID. Going forward, maybe the nation can keep sanity in government and avoid the political parties again taking over the asylum?

I agree that the government’s handling of covid-19 has mostly been surprisingly competent in a pleasant way.

It has certainly changed my opinion of them. I used to think that they were out of touch and incompetent, but now I think they can be competent and highly effective when they care, I just don’t think they care about privacy one bit.

My hope is that now Australians have seen what is possible there will be no going back to the old ways.

Requiring a phone number may be in breach of existing legislation, particularly that which resulted from the No vote to the Australia Card in the 80's. Those anti-id laws were ratified in 2005/2006.


This tech can and should be using crypto random hashes rather than phone numbers. The authorities don't need to call anyone, let the app and the fully anonymous central db do its job to notify others that they need to get tested.

Particularly when we can't (easily) have disposable or non-identifying phone numbers in Australia: https://www.acma.gov.au/acmas-rules-id-checks-prepaid-mobile...

See s477(5) of the Biosecurity Act 2015.

"Being critical of those in power is a keystone to democracy."

That may be so for an ideal democracy but with our far-from-perfect ones where the power imbalance inevitably favors the incumbents, precious little ever changes.

I think this is because people lost sight. Right now parties are often associated with peoples' identities. So being critical to a member of a party is seen as being critical to the identity of that person. We forgot that no single representative can ever capture our beliefs 100%. Which I don't understand, because it would be insane to believe that any other human being understands you perfectly. I don't care if you've been married for 50 years.

But forgetting this is a tactic of divide and rule. My team vs your team. I can tell you as someone that is pretty vocal about my distaste for parties that I am still frequently lumped into the opposing team of whoever I'm talking to as soon as I disagree.

Critique is a keystone to democracy, but it isn't the only one. Unity is as well. But unity doesn't mean we have to agree. Unity means that we recognize that we're on the same team and trying to make our country better, even if we disagree with the methods. It is recognizing that we can't hold all the answers, we're human after all, and that to get closer to the objective reality we need to consider many positions. But that's divide and rule's bread and butter.

This attitude is anti-democratic and harmful. Please stop.

> They’re obviously operating with extreme urgency to get the app out. For you.

Extreme urgency is the perfect justification for governments to destroy the rights of the constituents. Never let a crisis go to waste as they say. Right now is exactly the time to be watching everything the government does with a lens of critical analysis.

> Commend the government on some smart privacy and security choices

The government has passed laws that make these choices irrelevant and has a history of botching anything to do with data/privacy even when well intentioned. This government has one of the worst privacy positions in the entire developed world. No one should be commending them for this.

> When asked by non technical people “Should I install this app? Is my data / privacy safe? Is it true it doesn’t track my location?” - say “Yes” and help them understand. Fight the misinformation.

Saying yes to those questions would be disinformation. The answer is maybe at best, probably not.

You sound like you have best intentions in your mind, but the road to hell is paved with good intentions. Under existing laws, the data and privacy of anyone who downloads this app is NOT safe. If the government is truly well intentioned and wants to help, they need to roll back the insane sweeping anti-privacy laws they rushed through while ignoring the constituents. What you're calling 'HN angry mob mode' is simply these same constituents having the natural, rational reaction to the actions of our government that border on totalitarian. It's not the fault of the constituents, it's the logical outcome of the government's actions. Turning it around like you did is nothing short of victim-blaming.

I'm not going to cover up the sins of this administration by lying to my non-technical friends about the real dangers associated with this app like you ask, sorry.

The irony is that due to public mistrust in the government due to things like AABill, more people may die now than the various agencies ever saved through the systemic destruction of domestic privacy in the name of anti-terrorism or saving the children or whatever other nebulous excuse. Maybe AFP and co can stop their unilateral self-righteous anti-privacy rampage and actually think about the greater good in light of this?

Correct. Extreme urgency is how the US got the PATRIOT Act.

You can easily deny location data to games and people that are concerned about these apps will not share their location lightly.

I have no app on my iPhone with the ability to use my location in the background, not even Waze or Google Maps.

Also I don't care about deletion policies. That data should not be collected in the first place.

I don't know about any specifics, but if the data isn't anonymized somehow, on the client side, such that the government can never trace it back to you, then I'd rather catch the virus personally.

I agree about turning the angry mob mode off, but in times of crisis we would do well to remember that our freedoms are being traded for a little security and in many cases it isn't temporary.

And Australia in particular doesn't have a good track record in preserving those freedoms.

Therefore it isn't unreasonable to ask for source code. This isn't even about the GPL, people need the ability to review the code, especially if it's a public service paid by taxpayers. In my opinion such projects should be developed in the open, always.

Did you know that on iOS it doesn’t even ask for location, and on Android that’s required for Bluetooth?

The source code will show you what is done with that (as others who have decompiled it already have shown it doesn’t use the location anywhere).

You can choose to get the virus - but that’s a pretty silly choice IMHO. And if you do, please stay home and don’t give it to anyone else.

This is more a stand on principles against governments rather than if the app is actually malicious in nature. People are rightly making a stand that a project of this nature should require at the bare minimum for source code to release concurrently with protection laws. Blame successive governments if individuals aren't overly welcoming to putting their blind faith in promises of a government that has let them down in the past.

Exactly this.

The Aus Gov - especially the current one is massively lacking in trust.

Encryption laws, metadata laws. Scope creep on metadata access (ie local councils, horse racing bodies). Lack of transparent reporting when these laws are in use.

Raids on journalists.

Not to mention their lack of transparency over bushfires, sports grants, Angus Taylor's family connections with mining / paying $90m? for water to associated company. Ministers failing to declare gifts granted by airlines because they fell into previous parliament and not current one. Climate change vs mining interests. Loading the grid management team so they simply push renewables down the road instead of taking action to get wind/solar take up.

Marking spin vs real substance in every single press conference from all the top federal ministers.

The PM waiting for states to take charge of quarantine measures so he didn't get the blame for bringing those in (and get bad PR) early in the covid-19 crisis before we knew how bad it was. School closures. Ruby Princess.

So after all that they want to trust us with a privacy-breaching app because it's the right thing to do?

I wouldn't install a hello-world built by current government even if my life depended on it.

To put it in words they will understand "Nothing to hide, nothing to fear"

Agreed -- trust has to be earned, but definitely hasn't been. Quite the opposite. I thought it was very unfortunate that the Australian Nurses' Association was asked to provide their endorsement of the government BS spin at the launch of the app. Wasn't surprised that the AMA did though. The promotional video is hilarious -- indistinguishable from an episode of "Utopia" -- LOL.

You may be right (probably are, as I am from Spain).

But you should not focus on this specific government: the dangers of overstepping are great whatever the color or the chirality or even the deeds of a government.

On the contrary, I think we should very much be focusing on this government: Peter Dutton in particular has pushed repeatedly for increasingly authoritarian measures.

I’m super cautious about handing over data or enabling him at all.

This specific government are the ones releasing the app and telling people to “trust us”.

I know what you're saying, but we _also_ need to focus on this specific government, because they make the situation bad from the get-go, rather than just potentially bad.

You've really lost me with

> You can choose to get the virus

That wasn't your original argument and this does nothing to stop individual people getting the virus.

And the source code is worth nothing. The legal structure is already there to have the app changed without anyone being notified.

If they released an entire buildable set of source that I could use to build and install the app myself, maybe.

But that's about the only time I'd use this.

Do you make the same requirement of all software you are using? If not, why would this particular one be differently treated?

Location tracking is indeed a dangerous piece of information. But in the short time that the gov't had to face the issue, the best option is to do this tracking to re-enable the economy. Until proven otherwise, it would be wise to not assume there's already malware. I'm not saying there isn't, but given the probabilities, it's unlikely, while the health and economic benefits are high.

And the source code is going to be released. It's easy (for a professional software engineer) to track down changes to the original code if they released a bad/altered version of the source that doesn't match the released version. And there'd be a track record, and it will be plainly obvious.

I would be much more scared of the unknown apps from dodgy shops that offer their apps for free in exchange for all your contacts, file and camera access.

> why would this particular one be differently treated?

- Because the issuer has vastly more ability to use the app and the data it might collect in ways that impact you.

- Because it's the first app of this kind and scale being issued by the government in Australia.

- Because it's being pushed onto as much of an entire population as possible with great urgency, limiting the time and opportunity for proper precautions to be taken.

- Because the issuer has an objectively _terrible_ track record on technology and privacy related matters.

- Because the ratchet effect means that once granted, privileges are highly unlikely to be ever rolled back.

> I would be much more scared of the unknown apps from dodgy shops

You shouldn't be. No matter how bad an adware mobile game is, the publisher can't put you in jail.

Stop pushing myths. There is no location tracking. You look at the OpenTrace source code or the BlueTrace whitepaper, and see where this is taking place, and let me know. The only way they could location track is if the app data was enriched/correlated with other data, which basically means they can do fuck-all location tracking with this. They only have timestamps, temporary identifiers, mobile device models, transmit power etc. https://github.com/opentrace-community https://bluetrace.io/static/bluetrace_whitepaper-93806365659...

> You can choose to get the virus - but that’s a pretty silly choice IMHO. And if you do, please stay home and don’t give it to anyone else.

I don't think this is unreasonable. Most people on HN are under 65 and thus will only get mild symptoms and likely just be out for a few days. Considering we're all probably working remotely, it is also easy to not infect others. Alternatively, a government overreach can last decades and these typically compound. This is a classic marshmallow now or two later problem.

So a few days to a week of being pretty sick vs potential government overreach? IMO it seems silly not to take the sick days (if we're assuming gov overreach).

> Most people on HN are under 65 and thus will only get mild symptoms and likely just be out for a few days.

This is the most likely case for people who are not vulnerable, but by no means a sure thing. Plenty of people without preexisting conditions have died or had to be hospitalized for days or weeks.

Data is a bit difficult to filter, but as an example 4.5% of deaths in NY are from the 18-44 age group[1]. Presumably a large fraction of those were not vulnerable, or not aware that they were. The fatality rate in that group is somewhere between 0.2% and 0.4%. You are not likely to die, but those are not chances to take without a second thought.


Understand I'm replying not because I think people should necessarily want/try to infect themselves with the virus, but because I'm against spreading misinformation and a misuse of statistics.

Australia is approaching 100 deaths and has several thousand confirmed cases through more widespread testing than New York, doing so at a higher and wider rate than New York whose stats/testing and medical regime show signs of severe failure/problems.

Australia is yet to record a covid death under 40, and the one we have under 50 was technically a foreigner on a cruise ship.

All evidence from sources I'm familiar with that include widespread testing, good statistics and a healthy population point to a sub 0.2% for healthy young (young defined as sub 40 say, no comorbidities).

Now that being said, what I have seen repeatedly is a misclassification of sedentary young people with worrying lifestyle choices (think overweight/ smokers) as thinking of themselves as healthy with no comorbidities. Especially in some parts of the US, you can't think of yourself as healthy just because you live/look like everyone else.

And obviously, death rates in individual parts of the world will tend to be a function of age distribution, underlying health conditions, medical access, communication and the ability to rest and recuperate.

I personally wouldn't infect myself (the same way I wouldn't ride a motorcycle as my chosen mode of transport), but the relative risks and who the disease targets with mortalities should be better understood, and I'm not supportive of propaganda telling young people they're comparably at risk. They aren't.

I appreciate this. I have not had an easy time finding any data that goes deeper than the 0.2% data point, which clearly doesn't give a full picture because it doesn't dive into the effect of comorbidity. Your sibling post links to data that puts the risk for people under 40 without comorbidity at roughly 1/6 of the 0.2, which is a big difference. Do you have any data, or any sources for your comment about the situation in Australia?


It's a live updated page, so I don't know what stats will be displayed each day, but I'm relatively confident they will support my claim unless things change drastically.

You will find an infographic with breakdowns of positive diagnosis (known cases) and deaths. Both are helpfully split by age groups and gender.

We have quite a lot of mortality data from different countries around the world at this point so I am a bit disappointed that people are still spreading these unsubstantiated claims. I seem to be posting this link a lot lately, but here are the latest Italian stats on their deceased:


Over 23,000 deaths and deaths under 30 have not even passed double digits yet. Only 1.1% of all deaths were people under 50; and that's deaths, not infected.

This is nuts. A 30yo gets sick, infects a 60yo who goes to hospital and lands in ICU.

30yo then gets unrelated disease (chain saw accident. Burst appendix. Slipped in the shower.) Goes to hospital.

Repeat this often enough and suddenly you have a crisis in which there are not enough health care workers and beds, and now all ages are dying equally.

The idea that young people are not affected by this is just braindead stupid. Older people like me are directly affected; younger people indirectly. But we are all in this together.

This was in the context of people choosing to get the virus, where the risk of infecting a 60yo is essentially nil.

At this point, I'd volunteer for infection where I'm locked in a prison cell with a box of Clif bars and some books and am not permitted any human contact until I'm no longer infectious. Am also willing to sign up for periodic re-infection to ensure that I do actually have immunity.

Thank you. I was trying to stress that I believed it was likely that the average HN user could 1) work from home and 2) more easily self isolate than the average person (considering that we're more likely to be "computer people").

I'll admit though, I didn't consider the chances of a chainsaw accident while sick. But you probably shouldn't be using a chainsaw if you're sick.

But we aren’t all in it together. It’s the young losing jobs, facing a lifetime of higher taxes, moving to a world of mass surveillance and digital dictatorships.

> moving to a world of mass surveillance and digital dictatorships.

That has already happened if you use any website that has Google Analytics or Facebook. As for digital dictatorship - is it any different if the dictatorship has a friendly name like Google?

I think you're conflating many different issues together: inequality of income, and societal injustice, with the actions needed to return economic activity back to a semblance of normalcy. It's as though you're asking for economic reforms as part of the economic life-line.

how does running the app stop you from getting the virus?

It doesn’t

CovidSafe is based off OpenTrace which is GPLv3. The Aus govt have to release the code. They said they would 2 weeks after the launch of the app. I have reviewed the client side source code for OpenTrace. It doesn't store location information. Also, read the BlueTrace whitepaper, it will answer a lot of questions you might have. The data is anonymised. You are identified by a TempId that is changed every 15 mins, that is based on your UserId and some other data (see white paper). If someone were to decrypt this value, it would reveal your UserId, but not your phone number. The attacker would need access to the server side storage to gain this information, as I believe the client side does not store this.
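The TempId scheme described in the comment above, as an added JavaScript sketch (not OpenTrace or COVIDSafe source code, and not part of the original comment). The AES-256-GCM envelope, the field layout, the sample user id and the sample phone number are assumptions made for illustration; what it shows is that the rotating value resolves to a UserId only with the server's key, and to a phone number only with the server's registry.

```javascript
// Added illustration; not OpenTrace or COVIDSafe source code.
const nodeCrypto = require('crypto');

const TEMPID_LIFETIME_S = 15 * 60; // rotation period mentioned in the comment above

// Server-side state (constructed sample values). Phones hold neither of these.
const SERVER_KEY = nodeCrypto.randomBytes(32);               // AES-256 key
const REGISTRY = new Map([['u-7f3a9c', '+61 400 000 000']]); // userId -> phone number

// Assumed layout: base64( IV[12] || AES-256-GCM(userId, start, expiry) || tag[16] ).
function issueTempId(userId, startS, key = SERVER_KEY) {
  const iv = nodeCrypto.randomBytes(12); // fresh IV, so every TempId looks unrelated
  const plain = Buffer.from(JSON.stringify({
    uid: userId,
    start: startS,
    exp: startS + TEMPID_LIFETIME_S,
  }));
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plain), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]).toString('base64');
}

// Server side only: map a TempId seen at time seenAtS back to a userId.
// Returns null for a wrong key, a modified blob, or a sighting outside the
// validity window (which is what limits replay of a captured TempId).
function resolveTempId(tempId, seenAtS, key = SERVER_KEY) {
  const raw = Buffer.from(tempId, 'base64');
  if (raw.length < 12 + 16 + 1) return null;
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(raw.length - 16);
  const ct = raw.subarray(12, raw.length - 16);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    const plain = JSON.parse(
      Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8'));
    if (seenAtS < plain.start || seenAtS >= plain.exp) return null;
    return plain.uid;
  } catch (err) {
    return null; // authentication failed: wrong key or tampered TempId
  }
}

// The phone number is a second, separate lookup in server-side storage.
function lookupPhone(userId) {
  return REGISTRY.get(userId) ?? null;
}
```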

Hey Mike,

I've attended a few cyber security conferences and spoken to a number of active people in those communities and it amazes me how backwards the Australian government is regarding cyber security.

There seems to be less incentive for them to invest, both financially and in developing governance, than say industry. If a Google, Telstra, NAB had a severe breach, customers would be up in arms, fines would be handed out, financially there would be a big impact. Government just issues an apology and false promises to improve processes and accountability. Then a month later you see more reports in the news about more data safety breaches and unauthorised access from obscure government bodies like the RSPCA.

Uploading the code is one way to show some transparency, but trusting them to make good on their promise of appropriate handling of data and retention is questionable.

Even if the government has the best intentions in this instance, it doesn’t matter. They have already created a set of laws that clearly dictate that this app and this data can be used however intelligence communities desire.

They have burned all goodwill and trust with the public. It doesn’t matter what they say today unless they repeal AABill etc. Otherwise they’re just saying empty words.

Interpreting legislation without any common law / precedence is difficult. However as a general rule, if there are two laws that are conflicting (such as previous anti-privacy laws vs the proposed safeguards) the most recent enacted law applies, especially if it is specific. So while I’m by no means a fan of the erosion of privacy that this government has done previously, the proposed safeguards would be effective and not just empty words (at least legally speaking). Also I’m being pedantic, but you repeal Acts, not bills. A Bill is proposed legislation that isn’t law yet.

> So while I’m by no means a fan of the erosion of privacy that this government has done previously, the proposed safeguards would be effective and not just empty words (at least legally speaking).

Currently, they are empty words, legally speaking.

The legal text that contains the safeguards is here [0]. It doesn't have most of the safeguards that Hunt announced. They're a pipedream.

For example, the minister said that even in the event of a crime, the data could not be used. However, two parts combine that show actually, they can.

Firstly, possession rather than ownership, controls who can upload data:

> A person must not upload COVID app data from a mobile telecommunications device to the National COVIDSafe Data Store except with the consent of the person who has possession or control of the device.

Secondly, whilst there are controls around who can use that data once it has been uploaded, once it is transferred somewhere for that purpose, there are no restrictions around who can access it once it is outside the data store.

[0] https://www.legislation.gov.au/Details/F2020L00480/Html/Text

That last point is wrong – section 6 of the determination says that “a person must not collect, use or disclose COVID app data“ unless it is for one of the whitelisted purposes in subsection (2). COVID app data includes data that “has been” stored on a phone.

If the data is moved, the Data Store is no longer the source; because you're getting that data from a secondary place, it is specifically excluded:

> However, it does not include information obtained, from a source other than the National COVIDSafe Data Store, in the course of undertaking contact tracing by a person employed by, or in the service of, a State or Territory health authority.

> For example, the minister said that even in the event of a crime, the data could not be used. However, two parts combine that show actually, they can.

That's incorrect. The only crime that could be a valid reason for using the data is a breach of the emergency biosecurity laws [6(2)(d)] (also see s477 of the Biosecurity Act 2015 (Cth)).

Two common legal 'tools' are inclusive clauses and exhaustive clauses. An inclusive clause lists examples of what a section of legislation or a contract applies to, but it's not a complete list. You may have seen something like this in an employment contract, where the contract lists out your roles and responsibilities with a list that starts with "including, but not limited to: ". E.g the items listed definitely apply but there may be more other items that are not listed. Exhaustive clauses are the opposite, if it's not expressly stated in the list, it doesn't apply.

Part 2 limits how the data can be collected and used by using an exhaustive clause, i.e. section 6(2).

Breaking it down, section 6(1) states: 'A person must not collect, use or disclose COVID app data except as provided by subsection (2).' So unless the reason is expressly listed under subsection 6(2), it cannot be used/collected.

Very roughly paraphrasing the reasons in 6(2):

- 6(2)(a): The person is a State/Territory HEALTH official (i.e. not law enforcement) AND the reason is for contact tracing only

- 6(2)(b): The person is an employee/officer/contractor of the Health Department or Digital Transformation Agency (DTA) to help a Health employee with contact tracing, or to ensure the app / data store is functioning properly. E.g Devs bug fixing the app, API etc

- 6(2)(c) Moving encrypted data from a mobile to the CovidSafe database

- 6(2)(d) Investigating an offence of the emergency biosecurity laws

- 5(2)(e) Using data for 'de-identified' statistics

So going back to the grandparent comment, it's not correct to say that the regulation has no effect due to the previous laws that weaken privacy. In fact the wording for the valid uses is refreshingly restrictive. E.g. using '..[for the] purpose of, and only to the extent required for the purpose of' and not just 'for the purpose of' is a cue for the courts to interpret the use case quite restrictively.

With all that said, this may be all well and good in theory, but it remains to be seen if the Government can enforce these restrictions in practice. There are some very valid concerns about that. However that's for another conversation/thread.

[edit: formatting]

> That's incorrect. The only crime that could be a valid reason for using the data is a breach of the emergency biosecurity laws

You haven't fully understood what I tried to convey. Whilst it is true that the data can only be copied from the data store for a restrictive reason, such as ensuring the security of the data store, once it is outside that store, it is no longer protected by the limitations.

So this sequence of events is possible, and legal:

+ Data store data is taken off site for a legitimate reason, such as validation, by the correct department.

+ The police upload from a suspect's CovidSafe app, as a matter of policy, to help protect the public.

+ The police issue a data request, such as under the recently passed AABill law, from the Health Department.

The protections around the data only refer to it in two ways: App data, when it is on the phone, or when referencing it in regards to the Data Store in Canberra. Once it leaves, it is no longer protected.

The definitions refer to the data in terms of location, if that location changes, then it's out of those protections.

> Once it leaves, it is no longer protected.

Unless there's something I've missed entirely in the regulation, there's nothing that says the data loses its restrictions once it moved. Happy to be corrected and pointed to the specific clause, I just don't see it.

Section 3: "COVID app data is data relating to a person that...has been collected or generated through the operation of an app... and is, or has been, stored on a mobile telecommunications device." The data is defined by its origin, not its current location. The protections apply wherever it currently is.

Section 8: "A person must not decrypt encrypted COVID app data that is stored on a mobile telecommunications device"

Using your scenario, part two would be illegal (s8 especially) and the data request in part 3 should be rejected. The bigger problem is that's what _should_ happen. Whether it's enforced is another story...

> Unless there's something I've missed entirely in the regulation, there's nothing that says the data loses its restrictions once it moved.

It isn't explicitly stated, which is the point. We only have the data defined two ways: In the Data Store, and on a phone. Once downloaded from the Data Store, it is outside the definitions used within the bill.

This statement is the big one:

> However, it does not include information obtained, from a source other than the National COVIDSafe Data Store, in the course of undertaking contact tracing by a person employed by, or in the service of, a State or Territory health authority.

If the data was at one time obtained from the Data Store, but this new location is used as a source, it is no longer under the definitions of the bill.

Is "latest rules" truly what happens? Or if the law explicitly allows X and also explicitly disallows X, then a person would not be convicted, rendering in this case the latest safeguards ineffective?

To say it's complicated is an understatement, there are literally entire books written about it [1]. It's rarely that simple but if one act states X is allowed and another act of the same jurisdiction states the exact opposite (assuming both laws are legally valid), then the most recent law prevails. The principle behind it is that the current parliament/legislature shouldn't be able to restrict what future parliaments make laws on (the exception being the Constitution). Otherwise the government of today could make a law that says 'X is illegal and no law can ever change this'.

[1] https://www.federationpress.com.au/bookstore/book.asp?isbn=9...

[edit: typos]

Why do you think intelligence agencies stick to the law? Half the stuff the Aussie gov is taking flak for is what GCHQ and the NSA were doing in secret before the public even knew about it.

> - Turn the HN angry mob mode off - it’s not helpful. We’re all in this together.

After the abuses of Metadata Retention, and how AABill passed, no. History shows that the Australian Government will and continue to abuse people. The Australian Government cannot be trusted, and if you do, you're naive.

Don't forget censusfail and robodebt. This government does not have a good history with tech.

I will say that this determination from the Health Minister was a breath of fresh air, but it needs to be made law when Parliament sits: https://www.legislation.gov.au/Details/F2020L00480

tl;dr Please trust these proven untrustworthy entities because they say it's good for you.

I think the HN privacy concern is well placed. They are not advocating covering our ears and screaming to ignore the pandemic, just that this phone-based contact-tracing plan has all the makes of a bad idea. It's the perfect way to shift the needle further towards acceptance of mass contact tracking. These institutions have all shown us if we give them an inch, they'll take a mile.

Meanwhile, experts still say this is no substitute for proper, interview-based contact tracing, so it's almost a moot effort anyway.

My most charitable interpretation is that Google and Apple are scrambling for SOMETHING to do with their respective holds on the mobile market, and this is something. It still doesn't mean it's a good idea.

Aus gov has a terrible track record with information systems. Data leaks & breaches, flaky IT services, mass robo-debt claims of which 600,000 needed to be re-evaluated.

Not to mention rushing through privacy destroying laws citing "Islamist terrorism, paedophile networks and organised crime". If you are who I think you are you're probably more knowledgeable of the particular 2018 law than me.

And now they're "rushing out" an app that is intended to track everyone in the country's precise location and who they interact with? I'll wait for the source thank you.

The gov only has themselves to blame for this reputation.

Apple and Google are releasing official APIs for this, we're doing amazingly well in Australia, can it not wait a week?

> Remind them how little time they think before they download dozens of free, adware crap games that are likely far worse for their data & privacy than this ever would be!

Isn't it an interesting point that these people would rather trust foreign companies they've never heard of with their location, rather than their own gov?





Assistance and Access Bill:


Telecommunications (Interception and Access) Amendment (Data Retention) Bill:


Peter Dutton's proposed "give me your password" law:


> Under the proposals, people who are not even suspected of a crime would face a fine of up to $50,000 and up to five years’ imprisonment for declining to provide a password to their smartphone, computer or other electronic devices.

> Furthermore, anyone (an IT professional, for example) who refuses to help the authorities crack a computer system when ordered will face up to five years in prison. If the crime being investigated is terrorism-related then the penalty for non-compliance increases to 10 years in prison and/or a $126,000 fine.

> Tech companies who refuse to assist authorities to crack encryption when asked to do so, will face up to $10 million in fines. What’s more, if any employee of the company tells anyone else they have been told to do this, they will face up to five years in gaol.

Data retention is what GCHQ has been doing for years regardless of laws.

Dutton is an ultra conservative border protector type, don’t expect all his proposals to pass.

How many DEFCons and CCC conferences do you have to go to before you hear a rubber hose cryptography joke?

Dan Geer’s realpolitik talk in 2015 mentions that cyber security is all aggression little defence. If it were a soccer game it would be 421-420 at the 20-minute mark. The best of the best in the US struggle with this stuff behind closed doors, seeing Australia take the flak in public is fine, but don’t pretend US and UK are innocent. These proposals are not the leading edge of privacy invasion.

It’s inaccurate to call it “Peter Dutton’s give me your password law” – it’s been around since 2001 (although the maximum penalty was increased from 2 to 10 years in 2018), and there are equivalent laws in most developed countries. As far as I am aware, only in the US have people actually spent years in prison solely for refusing to disclose a password: https://arstechnica.com/tech-policy/2020/02/man-who-refused-...

IMHO, the fact that the app is unobfuscated and can thus be easily decompiled is even better than released source code since one can't be sure that the released source code truly matches the actual build in the app store (unless they also go to the effort of having 'reproducible builds' - which would be quite impressive).

Also it's good to keep in perspective that the 'government' can already track people to a great extent, e.g. via cell towers and face recognition.

IIRC, Fdroid rebuilds all the Android apps they host from source so they can be sure their source really matches the app. Actually, this is also what all good Linux distros do with all their software.

I'm not aware of any Linux distros with 100% reproducible builds, though Debian is actively working on it and getting closer.

The distros can be sure without full reproducibility, since they built it. The users are still required to trust the distros built what they said they would though.

The end user isn't the distro though.

The mobile app could be just the tip of a very big iceberg. We need the server side code.

Yes, and presumably the scores of bureaucrats / administrators / call centre operators in all States and Territories accessing the database will read / write to the server via a separate application. So we need the code for those users.

If they're not producing reproducible builds, they're not really being serious are they?

You're seeking completely perfect solutions in a time of crisis where a "good enough" solution might save a lot of lives. Cut them some slack for trying to stem the harm of the pandemic. This situation affects every human.

You seem to be implying a reproducible build is difficult. It can be, if someone hasn't done it before. But in this case fdroid has done it before, and publishes how to do it.

Is there a way to implement reproducible builds for apps released on Google Play? Because that's where the vast majority of people will be downloading the app from.

Also, I don't think there's any such solution for iOS.

Reproducible builds are not a "perfect" solution.

They, and the source code to build them, are the baseline requirement for any trust in what is being provided to people.


The Australian government has a history of extreme incompetence with IT projects, using PR to try and effect adoption, then bullshitting about their failures.

If there's evidence this project is going to be any different, then great. :)

In the meantime, I'm judging them based on their historical actions.

Nope. Why is it normal to take a few weeks to release the source? If it's good enough to release it's good enough to publish openly.

This government has ample form. If you want my recommendation you need to open it up.

Firstly, it is not normal in the open source world. Hell, it's not even normal for open source projects owned by large companies that are the foundation for a major product - like Android. Secondly, as the story points out, it is a fork of an open source app that is already on github. It's not like the infrastructure for it isn't already set up - they just had to do a git clone, and then use standard CI techniques.

Maybe the OP isn't familiar with the modern software engineering techniques we now use to improve quality.

If the source code is ALREADY released, what is the harm in immediately releasing the fork? Immediate public release of forks IS common practice.

Especially since the upstream project appears to be GPL-licensed. Sure, they could have contacted the original developer and obtained a different license, but why would they do that? As far as we can tell, it looks like a breach of the license.

Sorry but you're coming across as telling people what to do - it's somewhat patronising.

There's a key principle here - no application with such scope should be closed source.

It is in no one's interest that it be closed source.

In fact the software becomes more secure when many eyes are on it.

And, once the government has it out there - with the blessing of people like you - then they will have no urgency to make it open source.

Now is exactly the right time to say "we'll use this BUT only if it's open source."

How do you realistically use this app if you have to keep it open? You and everyone else are so focussed on convincing everyone that it’s safe, etc and totally ignoring the practical aspects of it. For someone to have the app open for 15 mins within 1.5m all day.. how will that be done, it requires a large conscious commitment. You might as well just ask the person who is in your personal space for 15 consecutive minutes.

If it worked in the background that’s more useful and realistic.

This is my problem with the app. The only reason I'm going to be in public for a 15 minute period at the moment is either being on or waiting for public transport or eating in a food court. In those cases I'm going to be using my phone to browse the net or watch a video meaning that this app won't be functional. At least on iOS, so what is the point?

That's why an OS solution is the only viable solution. Asking for the app to be open is the most ridiculous thing ever.

That doesn't follow at all. Open or not has nothing to do with it. It simply means the app is badly designed.

No, you can't keep an app permanently running in the background on iOS. The operating system does not allow it.

> If it worked in the background that’s more useful and realistic.

It does work in the background on Android, and I gather background scanning is coming on iOS.

As someone above said, don't let the perfect be the enemy of the good. Get it out the door, get it tested while you wait for Apple to get their act together is not only reasonable - it's by far the best way forward as an engineering strategy.

Mate I think you are overcomplicating this something fierce.

It runs in the background. It logs all encounters by either advertising its presence (Peripheral mode) or scanning for devices (Central Mode). They alternate between these states. When two devices encounter each other, it's logged on both sides. That device is blacklisted for a few cycles to avoid constantly logging it.

The 15 minutes 1.5m conditions are applied on the reporting side after it is uploaded.

No conscious effort. Kinda like how your email client pings you when you receive an email. When was the last time you had to consciously think for an email to come into your mailbox?

This is the question I’ve been wondering about, but currently it’s still not clear that you need to do this. I installed the iOS app out of curiosity, and it didn’t tell me I had to leave it foregrounded. However, a few minutes after exiting the app I did receive a notification saying I should reopen it to keep it working – maybe apps can continue scanning in the background for some limited period of time?

Mike, my concern as a scientist about this app is it may not help much at this point. If it is only picking up people you spent more than 15 minutes talking to it is going to miss a lot of transmission events.

Do we have the contact tracing people to actually make use of this data? Even if we did I can’t see how we are going to avoid the need to interview each positive case to find all the people they came into contact with for less than 15 minutes. How much value is being added?

I am not installing it purely because I am social distancing and won’t be spending 15 minutes talking to anyone face to face outside of my immediate family.

> 15 minutes talking to it is going to miss a lot transmission events.

Honest question (as a scientist myself): is there any serious non-preprint literature on the time needed for a transmission event (I assume estimates will vary wildly)?

I believe there is also a lack of literature on how useful a contact tracing app would be in the first place. Even for lack of studies, releasing the modelling and assumptions would be useful. Some considerations:

* Possible increase in false positives bogging down testing regime?

* Surface-based (i.e. location-based) contact events (e.g. elevator button)

* Effectiveness on health-care workers, who themselves will likely be in contact with infected people a lot, perhaps despite having sufficient PPE.

I get that it won't be perfect, and doesn't need to be perfect, but I'd at the least like to see some modelling to see what they've considered, and how likely useful the app will be.

Bluetooth penetrates walls, and travels some distance in all directions, so it will also record a lot of false transmission events, for example in blocks of units, offices, and on public transport. Most transmissions are to immediate family, who are easy to trace manually with the existing procedure.

The government says that if you are party to a (genuine or false) transmission event, you will be contacted by phone, but you will not be told the name of the person who tested positive to the virus. So how will you know if the event is genuine or not? It could be your neighbour on the other side of a common wall, or a colleague who works in the office next to yours -- in either case, no transmission. Also, they say you may be "advised to self-isolate". This is disingenuous -- you are more likely to be ordered to self-isolate under penalty of fines or gaol time. No mention of that in the glossy "Utopia" style promotional video, just happy young models having coffee.

Authorities here were quoted saying that family transmissions are 25% of the cases. Now I wonder, what is part of the remaining 75%?

Not that I know of as this is hard to study. What we have is a lot of case studies that transmission can occur in much less time than this including cases where there was no contact between the parties.

The best write up on this I have seen on this topic has been in Quillette [0]. I know Quillette gets attacked here from those on the left, but they do cover a wide range of topics (not all articles I agree with). They are pro-science and generally provide good references.

0. https://quillette.com/2020/04/23/covid-19-superspreader-even...

Thanks. An interesting and fascinating read. I hope more research is done on the topic: from my semi-untrained (I work in oncology, not in virology, although I studied the immune system for about four years in my career) there are far more models around than experimental data (which is obviously far harder to gather correctly).

Non scientist here but I’ve been harping on about the same thing. Someone can cough this virus into my face in a matter of seconds. It would appear this 15 min contact duration minimum is perhaps based on outdated data and knowledge of transmissibility.

The client logs all encounters regardless of time or proximity. It just has to be in range. The 15 minute 1.5m conditions are done on the reporting side when a case is positive and data is uploaded.
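The split described here and in the earlier comment about Central/Peripheral logging (phones record every sighting, and the 15 minute / 1.5 m test is applied after upload), as an added JavaScript sketch that is not COVIDSafe or OpenTrace code. The RSSI calibration, the path-loss model, the gap tolerance and the log records are constructed assumptions; peers stand for user ids the server has already resolved from TempIds.

```javascript
// Added illustration; not COVIDSafe or OpenTrace source code.
// Thresholds from the thread: 15 minutes within 1.5 m.
const MAX_DISTANCE_M = 1.5;
const MIN_DURATION_S = 15 * 60;

// Assumed calibration for a log-distance path-loss model (real devices differ).
const RSSI_AT_1M = -60;   // dBm measured at one metre
const PATH_LOSS_N = 2.0;  // free-space exponent; walls and bodies raise it

// Assumed: sightings further apart than this start a new contact, which
// tolerates the scan/advertise alternation and temporary blacklisting.
const MAX_GAP_S = 120;

function estimateDistanceM(rssi) {
  return Math.pow(10, (RSSI_AT_1M - rssi) / (10 * PATH_LOSS_N));
}

// records: [{ peer, rssi, t }] with t in seconds. Returns the peers whose
// longest unbroken run of near-range sightings meets the duration threshold.
function closeContacts(records) {
  const nearTimesByPeer = new Map();
  for (const r of records) {
    if (estimateDistanceM(r.rssi) > MAX_DISTANCE_M) continue; // too far away
    if (!nearTimesByPeer.has(r.peer)) nearTimesByPeer.set(r.peer, []);
    nearTimesByPeer.get(r.peer).push(r.t);
  }
  const result = [];
  for (const [peer, times] of nearTimesByPeer) {
    times.sort((a, b) => a - b);
    let runStart = times[0];
    let prev = times[0];
    let longest = 0;
    for (const t of times.slice(1)) {
      if (t - prev > MAX_GAP_S) {            // contact broken, close the run
        longest = Math.max(longest, prev - runStart);
        runStart = t;
      }
      prev = t;
    }
    longest = Math.max(longest, prev - runStart);
    if (longest >= MIN_DURATION_S) result.push({ peer, longestRunS: longest });
  }
  return result;
}

// Constructed upload: one sighting per minute for each peer.
function sampleLog() {
  const log = [];
  const add = (peer, rssi, fromS, toS) => {
    for (let t = fromS; t <= toS; t += 60) log.push({ peer, rssi, t });
  };
  add('A', -58, 0, 960);     // 16 minutes at under 1 m: reported
  add('B', -80, 0, 960);     // 16 minutes at about 10 m (e.g. next office): dropped
  add('C', -55, 0, 300);     // close but only 5 minutes: dropped
  add('D', -57, 0, 600);     // two separate 10-minute contacts,
  add('D', -57, 4200, 4800); // an hour apart: dropped
  return log;
}
```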

Before telling non technical people Yes the app is safe wouldn't it be prudent and ethical to rather say probably but wait until the legislation is passed and the source code is out?

“The choice for mankind lies between freedom and happiness and for the great bulk of mankind, happiness is better.”

― George Orwell, 1984

Doesn’t meet their own privacy impact assessment.

Source code not released.

Source code can be changed at anytime with no notice or need to re-consent data usage.

Protections not legislated.

Using centralised instead of decentralised and anonymised architecture.

Data on the central server has no purging policy. Only local data deleted after 21 days.

Decryption keys stored on the same server as the DB.

Unlike free adware crap games, governments have the power to legislate and enforce laws. Google, Facebook, Amazon, whomever other crap freeware games you refer to don’t.

Normalises government mass surveillance and tracking

Can be viewed in line with metadata retention, encryption laws and now this as a path toward digital dictatorship.

Raiding journalists to get the names of government whistleblowers.

Government fan cries: Leave government alone!

So now it turns out that your company may have been involved in the development of COVIDSafe. Are you actually kidding me? Turn the HN angry mob mode off? I'm even more pissed now.


It's easy to fix the app so that it does not need the phone number and to have the app notify the user of the need to get a test instead of having a contact tracer having to double handle the information and ring the user. I believe the fact the app is doing this is more about its heritage than any design here, however as an "Australian innovation" we could fix this and avoid the prospect of vulnerable people being rung up by people pretending to be contact tracers, which will happen, and will not be good when it does. Interestingly if the phone number is not stored, the need to store any potentially personal information will probably disappear as well.

There's no need to see the source code to recognise this is a problem. Could we at least lobby them to fix this? It would make life easier for the contact tracers and it would mean that people could rely on the app's secure channel, so if a scammer does call them they could confidently tell them where to get off.

This is an extremely good point. The potential for misuse through ignorance and misinformation is high. How many "ATO" phone calls have we all received? This service could be genuinely anonymous, although of course under existing laws the government may already have created a back door, and as long as we're using authenticated app stores, nothing is truly untraceable.

Having said that, this might very well help us in the fight against the virus.

I'm quite willing to wait for the source code before installing.

On the ATO calls, too many! It's interesting to note a news article about someone spoofing messages to phones claiming they are due to the app already. I actually think the idea of the app isn't a bad one (well at least once the Bluetooth issues are properly fixed), but mixing the phone number and the app as a communication channel is already showing how it can cause problems.

Australia is a member of the five eyes. Whatever their government cobbles together will be used to build out the surveillance state. So if asked, by anyone: Tell them to stay at home and never install the app or trust their government with their data. Contact tracing is their wet dream and it will enable them to roll out much more serious measures in the future.

Why is time needed to "clean up the code"? Why not just develop the code on GitHub, in the open, with full transparency?

It could be obfuscation and/or developing a compiler to add "extra features". For security reasons.

My recommendation is that when a non-technical person asks you a question, especially if that person is a friend, is to not lie. To tell them the app preserves their privacy without seeing the source is a lie. The truth is "I don't know".

It is not normal to clean code before releasing it. That would suggest the code either has technical flaws or other deeply rooted problems that you are not comfortable releasing. That's a warning sign, not normal.

We may be in this together but do not assume this is a gesture of good will towards the world. It may be, or it may be a gross invasion of civil rights, and we need to be studious in our analysis to make those determinations on an ongoing basis. The road to hell is paved with good intentions.

Calling everyone here an angry mob and waving off valid concerns by sticking your head in the sand is naive, not mature or brave. Fear is a great tool of oppressors.

Wouldn't you then be telling them the same thing for every app? How many apps & platforms have you reviewed the code for prior to providing your assessment of the risks involved?

That's why I don't typically give recommendations. Even with apps like Signal, we should communicate what we can verify and can't.

We owe it to other people to communicate honestly.

Deletion is not enough. Destruction is instead required.

They need to release their server side code as the mobile app could be just the tip of a very big iceberg.

They should also provide details of the platform ecosystem and how it’s secured; trust boundaries, IAM, PAM, audit, etc.

Point being that Snowden is right when he warns that the architecture of oppression is being built in the name of COVID-19.

We need a tracing system that can only be used to serve the people, and not some wannabe tyrants.

> some wannabe tyrants

They're not wannabes - they're actual tyrants.

“Give them a few weeks to clean up code and release it (which is very normal)”

In the world of security critical systems, this is completely abnormal.

+1 mcannon. -1 Silly misinformation below. The country is also in the midst of a health induced financial crisis. I advise on both cyber and health. The tracking App is essential to helping the health workers and getting people back to work. It is as benign as you can make such a thing.

Let's get behind it. Beers over video are just not the same as those in the pub.

I am no expert but I have two points relating to concerns about data security / privacy - well food for thought:

Our existing Medicare data - have we thought about where it's stored? Many make health claims through the Medicare app also. It tracks way more about our health (who we visited, when, what for, pathology tests and more etc.) than this app ever will. I'd bet it's stored on something like AWS also as until recently it was pretty much the only public cloud provider with the necessary PROTECTED certifications in Australia.

I understand mobile phones track our location even if you have zero apps installed and / or location services off. It does this via triangulation off the cell phone towers. If you know the IP address of a mobile device you can put it into any number of publicly available websites and in many cases you can find its general location - and sometimes with a fair degree of accuracy.

If these are concerns for us we are best to discard all our devices asap!

So to me this app seems to track nothing much new at all - it just seems to join a couple of important and potentially life-saving dots.

Beautifully put.

I am hoping you know how to send bug reports to someone who can act on them to improve COVIDCare.

> open source code

The promise of open source code. Which is a very different thing.

Note that this government also promised to get rid of the budget deficit. But did not do so. They have told many other lies and have earned the right to be distrusted.

With this app, if I get the disease and authorise disclosure, it will disclose to government agents the people I have been in contact with. Or, to put it another way, the people who have been in contact with me. Without their consent or knowledge.

TL;DR: it is not confidential, safe or secure.

reap: ass access bill

sow: scepticism

I think that should be reversed: they "sowed" the Assistance and Access Bill, and then "reap" (harvest, get) the scepticism?

But yes. Combined with the census, the "robodebt" project, etc, etc, there's not a lot of trust in government-run IT in Australia ...

Considered and smart response. Thanks!

This isn't the government brought to you by the same people who claimed the laws of maths didn't apply down under, is it? They call themselves liberals.


> Turn the HN angry mob mode off

Funny how, to the rich and powerful, any amongst the lower orders who dare to ask questions are always an 'angry mob'.

> We’re all in this together

That would have been nice. Too late.

Please don't post in the flamewar style to HN, regardless of how provocative another comment was or you feel it was. I can understand how that bit could have rubbed some commenters the wrong way (it affected me that way too), but confirming the point is not a good way to respond to it.

By HN standards, let alone internet standards, the thread was unusually mild. Of course that provocation made it angrier, but I'm sure it was unintentional.

Unintentional? Are you blind? Nah, just a member of the elite boys club. Bye.

Forcing togetherness or “unity” is the best way to turn me away from anything.

Silly? No, just suspicious of judgements and valuations like those.

I've never heard a call for "unity" that wasn't really saying "abandon your principles for mine."

"Stop critiquing"

Well said

This app records everyone you have been in contact with for more than 15 minutes and there is no timeframe as to when the government will stop needing it. There is no evidence a vaccine will ever exist, which means the government will want people to use this application potentially forever.

This is authoritarianism plain and simple. The government's solution to the virus is to track everybody, all the time. This is the path governments have been going down for a long time, and I personally am sick of it. I don't want them to know where I am, who I associate with, or anything else. They have already encroached too far into my life. Way too far.

Your company is also terrible and barely even hires Australian workers. You and your company represent a lot of what I hate about the path the world has gone down. For anyone who wonders why people use JIRA, despite it being a pile of garbage - it isn't for developers, it is for managers to enable them to micromanage you and show upper managers the reports. I can see why you would love this tracking software, you will probably get asked to analyse the data. JIRA on a global scale.

Your account was created almost a decade ago. Is this really the first and only comment? Why is this? Another user called you "mike" in their comment. Are you famous or noteworthy in relation to this story somehow? Why should your comment have weight behind it?

You can answer your questions by looking at the OP, which will take you to https://twitter.com/mcannonbrookes/status/125437688433222860..., which will take you to https://en.wikipedia.org/wiki/Mike_Cannon-Brookes.

Given the timestamp on your comment I'm guessing that you're not in Australia. I'm not either, so it took some time to piece together the context. Given that the thread was mostly during Australian hours, most commenters probably already had it in cache.

I don’t get the privacy implications. Making a few assumptions here. Government can already get your location data and internet data from telcos and Microsoft, your identity from bank purchases and social circle from fb/inferences from data. What’s left that a phone could provide, encrypted chat?

Coronavirus app is the least to worry about.

Hey Mike,

Great work. But why do they need to store user data in the server anyway? Couldn’t that all be stored on the persons phone and then when someone tests positive, only send that person’s data to everyone’s phone and do the contact matching locally?

Great Advice Mike!

Need more leaders in the industry, like yourself, in the media fighting the bad press and lies around this.

Thanks for allaying some of the privacy concerns around the place Mike.....

But to be honest, I will wait for the Apple/Google contact tracing app to be released (because it will be soooo open and better and with a generic name can be used beyond the current pandemic).

It will not only tell me I've just sat next to someone with Covid19 on my train ride to work, but that they also updated their status to single this morning with a broken heart emoji. They've also been up all night watching relationship expert advice videos and about to start their 10 hour shift (since they socialize online under different pseudonyms, their employer is none the wiser) as an open heart surgeon... And if I’m inclined and would like to take up a limited special offer, I can get a 50% rebate on my 21yo gold plated private health fund if I can convince the Covid19 case to co-isolate immediately in the seat in front of me with the other Covid19 case. A full rebate if I can convince both of them to get off at the next station!!

1. I trust this government no more than Mr Turnbull was father of the internet in Australia because he was the legal counsel for Ozemail, or many other denial-of-service attacks & census design (IBM) failures they have presided over.

2. What was this App developed in? Is the user interface UX? Is the back-end Xamarin, C++, Java, Objective-C, Swift or what? What API/s &/or Pods were used to achieve encryption and bluetooth handshake?

3. Source code? Really? What do you expect to see. Most usage of APIs and Frameworks explicitly hides the implementation details from the App. These libraries of independently compiled software can be enormous. People are asking for specifics but will be delivered a haystack. Good luck with that.

4. The open source code will be ripped off and repurposed for school / work attendance rolls or dating App hook-ups. Surest way to expose software to malevolent hackers is to give them the source code.

5. Careful what you wish for.
