ukhsa-collaboration / COVID-19-app-Android-BETA

Source code of the Beta of the NHS COVID-19 Android app
https://covid19.nhs.uk/
MIT License

No longer Open Source? #49

Closed Cj-Malone closed 4 years ago

Cj-Malone commented 4 years ago

The source code here is "1.0.0", and was published 3 weeks ago. However the published binary is actively being updated, as recently as yesterday. Was the source a one time release and it's now proprietary? Or are you intending this to be open source, in which case can you release the source code, ideally with git history.

miketuck3r commented 4 years ago

I agree with this 100%. This is not really an open project, as only the first version has been published and no updates have been merged (even when they have been released). I think it's obvious this is just a repo they put the code in and the actual code base is elsewhere.

For all we know there could be numerous security bugs or additional permissions/data collected that no-one knows about. Just as bad, people may be putting effort into reviewing code that is not actually there/used any more.

I considered asking this last week but thought I would wait, but it's now been 13 days without any commits, and those were readme updates; it's actually been 21 days.

Cj-Malone commented 4 years ago

Another proprietary release has happened today (2020-05-27). See product page for last update date.

Xenoamor commented 4 years ago

A mention of versioning was here

Not heard anything since though and it would be nice to see the changes

ac000 commented 4 years ago

Given this and this and the fact it seems a second app is being built, it may well just be that this thing is a dead end.

If there is a second version of the app, it would be extremely disappointing if they did not release the code to that. I understand of course that they may wish to at least get a working version before releasing the source...

Xenoamor commented 4 years ago

Hopefully we're not all kept in the dark. They're now talking about a track and trace system that would allow localised lockdowns. This does seem to play into the idea of the centralised model.

robdyke commented 4 years ago

@edent is this an active project?

marksteward commented 4 years ago

@Cj-Malone are you sure the binary's changed? The sha256sum I'm getting for base.apk is still 2b78e4925af8d35d4c67111a4155fa7eb6ac1fc518d7f677e85d54e0085e8783, which matches https://github.com/ct-report/UK.

It looks like the app's rating has changed from Everyone to PEGI-3 since 26th. Could that be what was updated?

robdyke commented 4 years ago

> Another proprietary release has happened today (2020-05-27). See product page for last update date.

Removed app. Reinstalled app. Exported apk. Ran MobSF analysis.

APP INFORMATION
App Name NHS COVID-19
Package Name uk.nhs.nhsx.colocate
Main Activity uk.nhs.nhsx.sonar.android.app.MainActivity
Target SDK 29
Min SDK 24
Max SDK
Android Version Name 1.0.0.223 (0f7579d)
Android Version Code 223
FILE INFORMATION
File Name uk.nhs.nhsx.colocate.apk
Size 6.74MB
MD5 978e61de44880def048fc08046f63d58
SHA1 c265d64073e94f417f658a0b61ab4071e870dfc0
SHA256 2b78e4925af8d35d4c67111a4155fa7eb6ac1fc518d7f677e85d54e0085e8783
APP SCORES
Average CVSS 5.8
Security Score 25/100
Trackers Detection 2/285

bovine3dom commented 4 years ago

It looks like the intention at least is for this code to reflect the state of the published app: https://github.com/nhsx/COVID-19-app-Android-BETA/issues/11#issuecomment-626618055

Cj-Malone commented 4 years ago

@marksteward I thought the "updated" field on the play store was about the release of the app, but it may be about the store listing, I'm not sure.

However, at the very least, 1.0.0.208 and 1.0.0.223 have been published to the Play Store and distributed to people. After a quick decompile, the code in this repo looks closer to 223 than 208, which is good, but I've not done any in-depth checks or tried to do a reproducible build.

AeroNotix commented 4 years ago

Is anyone in this thread expecting an actual reply? Tories gonna tory.

wrapperband commented 4 years ago

Yes, I'm expecting and waiting for a reply, have written to my MP as well. Who has written to Mark,

Dear ++++++,

Thank you for contacting me about data misuse. Please accept my apologies for the delay in contacting you. My team and I have been dealing with a large number of enquiries, over 3 times our usual caseload.

Expanding tech-focused and data privacy responses to this global pandemic is an emerging issue in many countries including the UK.

In late March, it was revealed that the NHS would be partnering with a number of Big Tech corporations, most notably Google, Amazon, and data-processing firm Palantir, to develop a shared data platform to assist in Covid-19 surveillance.

The UK government have continued to emphasise that tech corporations involved in the response to Covid-19 do not control the data, nor are these corporations permitted to use confidential patient data for research or commercial purposes. However it will be very important MPs and Parliament play their roles in scrutinising Government.

Beyond this, public scrutiny must also be directed to consider the potential 'after-life' of these technologies and data after the crisis. The task at hand will be to continually hold governments to full account. Regulation must take the form of continued scrutiny and oversight.

Harriet Harman MP, the chair of the House of Commons' Human Rights Committee, has been raising concerns about data privacy and the use of data for some time. She has stated there must be robust legal protections for individuals limiting what that data will be used for, who will have access to it and how it will be safeguarded. Although in favour of the track and trace methodology, the committee is concerned about data getting into the wrong hands due to big tech and the UK government's chequered history with data protection. I very much agree with Harriet's position and Labour will continue to raise these points.

Please look after yourself.

Yours sincerely,
Debbie Abrahams
Member of Parliament for Oldham East and Saddleworth

robdyke commented 4 years ago

> Is anyone in this thread expecting an actual reply? Tories gonna tory.

I have had a reply from edent about this issue.

sebjameswml commented 4 years ago

Hi @robdyke anything else you can share? It would be customary for @edent to comment here, on the GitHub issue...

robdyke commented 4 years ago

> Hi @robdyke anything else you can share? It would be customary for @edent to comment here, on the GitHub issue...

Everyone has annual leave, some people even take annual leave.

Basic0 commented 4 years ago

> Hi @robdyke anything else you can share? It would be customary for @edent to comment here, on the GitHub issue...
>
> Everyone has annual leave, some people even take annual leave.

Is this meant as a joke?

This is supposedly a critical part of our national coronavirus response.

Much as it's rapidly heading towards an outright farce, comments like that are not helpful.

I don't believe for a second that not one single person working on this at NHSX is capable of posting an explanation as to why the repo isn't being updated.

robdyke commented 4 years ago

> Hi @robdyke anything else you can share? It would be customary for @edent to comment here, on the GitHub issue...
>
> Everyone has annual leave, some people even take annual leave.
>
> Is this meant as a joke?
>
> This is supposedly a critical part of our national coronavirus response.
>
> Much as it's rapidly heading towards an outright farce, comments like that are not helpful.
>
> I don't believe for a second that not one single person working on this at NHSX is capable of posting an explanation as to why the repo isn't being updated.

No joke. I mentioned @ edent and received a msg from him.

Would be good to have something from NHSX.

@AdamChrimes @bencullimore ?

AeroNotix commented 4 years ago

No-one cares that your pal messaged you privately though.

An actual response from a developer to explain the suspicious behaviour would be better than hearing second hand from someone who appears to be involved in some way with the developers, or at least is involved in the industry.

bqv commented 4 years ago

If you were expecting a happy ending, you clearly haven't been paying attention.

Basic0 commented 4 years ago

Just giving them time to respond before drawing the attention of the newspapers to yet another broken promise...

robdyke commented 4 years ago

> No-one cares that your pal messaged you privately though.

@AeroNotix - not my pal. Just answering @sebjameswml 's question.

robdyke commented 4 years ago

> Just giving them time to respond before drawing the attention of the newspapers to yet another broken promise...

And @Basic0 - Too late. By about a fortnight. https://www.digitalhealth.net/2020/05/google-analytics-trackers-in-contact-tracing-app-code-risks-re-identification/

Not-so-open source

Dyke's biggest concern with the app's code was that it was not developed in the open, despite NHSX committing to being open and transparent in its development of the contact-tracer. The organisation has been an advocate for, and previously committed to, open sourcing its work.

"This is an organisation that says they're going to develop in the open and this was not developed in the open," Dyke said. "We had an army of volunteers for the NHS to do things like shopping and delivering, but you could have had an army of people contributing to this code as well. It shows, for me, that they missed an opportunity to actually live their behaviours and values around open source."

Instead, NHSX "dumped" 950 files on GitHub rather than showing its incremental development. By 11 May more than 700 people were actively watching the iOS and Android code respectively and eight developers had contributed new code to fix bugs in the original system.

"Because it's a dump of code it doesn't have the things that would make it easier for developers to engage with, like automated testing. We don't even have a back-end yet to test against," Dyke added. "There are a lot of expertise and a lot of really good willed people who would love to be getting involved, but because it wasn't open from the beginning it's going to be harder for them."

miketuck3r commented 4 years ago

> Hopefully we're not all kept in the dark. They're now talking about a track and trace system that would allow localised lockdowns. This does seem to play into the idea of the centralised model.

I would trust an app more than some person "thinking" they have been near me for 15 minutes. In all honesty, unless they can tell me when/where I was in contact with someone I'm unlikely to listen to them.

wrapperband commented 4 years ago

There is no research so far on the shortest infection time for Covid-19 that I've seen reported. It certainly must be less than 15 mins, more likely 1 second, for a pollen-induced sneeze.

Let's hope the Covid-19 UK trace application designers aren't treating the scientist like mushrooms as well as us (Github / open source contributing public / people paying for the app to be developed).

Tyfy commented 4 years ago

> I would trust an app more than some person "thinking" they have been near me for 15 minutes. In all honesty, unless they can tell me when/where I was in contact with someone I'm unlikely to listen to them.

The app apparently doesn't capture the location where you meet people, only your local postcode. This means that if you travel any distance (e.g. beach or sports event etc.) and interact with someone who later tests positive, they don't know where you both were, so they can only do local lockdowns where you both live.

> There is no research so far on the shortest infection time for Covid-19 that I've seen reported. It certainly must be less than 15 mins, more likely 1 second, for a pollen-induced sneeze.

Also, considering that BTLE has a max range of between 400m and around 1,000m (according to the first Google result), I still don't believe that they will be able to reliably tell when you have been within 2 metres of someone and not just generate a storm of false positives.

If it requires you to be within 2 metres for 20 minutes (one of the original reports said this is what the app did, but I'm not sure if that has changed) before the app records that as an interaction, then there will be a lot of missed transmissions where people just pass each other.

stewartsims commented 4 years ago

I've been following this carefully. This has gone completely off-topic. The important unanswered question of whether this remains an open source project and how open development is being carried out when it appears code is being released that is not being published here is, if I understand correctly, the essence of this issue and it deserves an answer IMO to restore / maintain trust in this project.

I realise the irony in that I'm contributing to this, but I doubt it is helping our chance of getting an answer by using this repository as a discussion forum. Please, in the spirit of getting the answers we all would like and helping to contribute (whether it is to point out problems or suggest improvements), put comments regarding specific app-related issues (which may also be entirely valid) in the relevant threads.

Please also can I again appeal for an answer to the original question about the stalled open development of the project from those working on it?

edent commented 4 years ago

Hello all - and thank you for your patience.

The app is still being actively developed in our private GitHub repos. We're learning from all your comments, along with the security issues raised through HackerOne.

At the moment, all of our effort is going into building, refining, and testing the app. The development team is focused solely on that.

Preparing the app for an open source release takes time. We have to make sure that all secrets and keys have been redacted, that all developers' personal details have been removed, that the git history doesn't contain anything untoward, that we haven't accidentally done something to compromise security, that the licence files are correct etc.

Additionally, it's difficult to code in the open on a high-profile project like this. We want to give our developers the space to work safely and effectively.

My job is to make sure that the source code gets released alongside the public binary - and that it is released under a FOSS licence. I'm working as hard as I can to achieve that goal.

Thank you all for holding us to account over this.

bovine3dom commented 4 years ago

GDS (predominantly gov.uk) do a lot of their development in the open: https://github.com/alphagov.

It might be worth asking them how they deal with the challenges you have mentioned, if you haven't already :)

edent commented 4 years ago

Users are reminded of the repo's code of conduct. As this question has been answered, and to prevent it drifting further off topic, I'm closing and locking it.