The Singapore Government Technology Agency (GovTech) released, at the end of last week (Friday 20 March 2020), a mobile phone app called TraceTogether. It uses the phone’s Bluetooth to build a tiny database, held within the app on the individual’s phone, of other users running the same application who have been nearby; all of the data is anonymised.
The objective is to help with contact tracing: should an individual be diagnosed with COVID-19, and if this app was running on their phone, the Singapore Ministry of Health can, with the user’s permission, extract the database and initiate contact tracing.
I was initially skeptical about the tool. I rarely turn on the Bluetooth on my phone, and TraceTogether needs it to be on all the time. Also, since the code is not yet available under any license, let alone an open source license, I have far less confidence in the design and architecture of the application. I do, however, have implicit trust that GovTech devs will do the right thing – maybe it is misplaced trust. The possibility for Big Brother surveillance is, nonetheless, real and looming.
To GovTech’s credit, they published a myth-busting page which addresses most of the issues and questions. That page is well worth the read, especially myth #7. I am comfortable with that.
After the app was released, over the weekend there were many calls on the Telegram channel “DevSG” to open source the code so that anyone and everyone can take a look at it and improve it as needed.
Suffice it to say, the request has been heard and the code will be open sourced; it should not be delayed any further. The world needs it urgently.
There are three lessons here:
- First, all code built by GovTech and any other non-defence, non-security-services agency must default to open source. I want to see a site like https://code.gov.sg. The closest is https://github.com/GovTechSG.
- Second, since all of these software systems are built using taxpayer dollars, they should be released under a strong copyleft license (GPLv3, for example) so that they will always be available to anyone, forever. By placing the code under a strong copyleft license, we will be encouraging wider collaboration across both the local and global developer communities. One cannot predict where the next bright idea will come from, and by being open we can guarantee that it will come sooner or later.
- The third lesson is that in times of national and global emergencies like COVID-19, trust in technology is foundational. I will never recommend the installation of anything from government if I feel that there is something that I am not comfortable with. This is NOT the time for playing games but a time for building trust and working together.
While we wait for the code itself to be released, some in the dev community are reverse engineering the application. This is a waste of both time and effort: if the code is available, let’s work on making it better, together.
[added 11:36 pm 23 March] Addendum: here’s a post with additional details about TraceTogether.
[added 8:51 am 24 March] Zerotypic’s tweet thread on the reverse engineering done thus far.
[added 12:41 am 25 March] https://medium.com/@meshead/tracetogether-a-technical-look-e48360d4a4a9 – more reverse engineering.
[added 5:37 pm 25 March] https://www.securityweek.com/sweyntooth-bluetooth-vulnerabilities-expose-many-devices-attacks – an issue with BLE security.
[added 9:19 am 4 April] https://splira.com/2020-03-28/ – an analysis by Kevin Chu.