BuildTogether – data, code, people for the world


At the end of last week (Friday 20 March 2020), the Singapore Government Technology Agency released a mobile phone app called TraceTogether. It uses the phone's Bluetooth to build a tiny database, held by the app on the individual's own phone, of data (all anonymised) about nearby users who are running the same application.

The objective is to help with contact tracing: should an individual be diagnosed with COVID-19, and the app was running on their phone, the Singapore Ministry of Health can, with the user's permission, extract the database and initiate contact tracing.

I was initially skeptical about the tool. I rarely turn on the Bluetooth on my phone, and TraceTogether needs it to be on all the time. Also, since the code is not yet available under any license, let alone an open source license, I have far less confidence in the design and architecture of the application. I do, however, have implicit trust that GovTech devs will do the right thing – maybe it is misplaced trust. The possibility for Big Brother surveillance is, nonetheless, real and looming.

To GovTech’s credit, they published a myth busting page which addresses most of the issues and questions. That page is well worth the read, especially myth #7. I am comfortable with that.

While the app was released, over the weekend there were many calls on the Telegram channel “DevSG” to open source the code so that anyone and everyone can take a look at the code and improve it as needed.

GovTech did publish the BlueTrace Manifesto as well. It is sparse on details, but I think once the code is published, we will know more.

Suffice it to say, the request has been heard and the code will be open sourced. It should not be delayed any further. The world needed it urgently.

There are three lessons here:

  1. First, all code built by GovTech and any other non-defence, non-security services agencies must default to open source code. I want to see a site like: https://code.gov.sg. The closest is https://github.com/GovTechSG.
  2. Second, since all of these software systems are built using taxpayer dollars, they should be released under a strong copyleft license (GPLv3 for example) so that they will always be available to anyone forever. By placing the code under a strong copyleft license, we will be encouraging wider collaboration across both the local and global developer communities. One cannot predict where the next bright idea will come from and by being open, we can guarantee that it will come sooner or later.
  3. Third, in times of national and global emergencies like COVID-19, trust in technology is foundational. I will never recommend the installation of anything from government if I feel that there is something that I am not comfortable with. This is NOT the time for playing games but a time for building trust and working together.

While we wait for the code itself to be released, there are some in the dev community reverse engineering the application. This is wasteful of both time and effort, for if the code is available, let’s work on making it better, together.

When Free and Open Source Software wins, the world wins. And as we say in Red Hat, “Open unlocks the world’s potential”.

[added 11:36 pm 23 March] Addendum: Here’s a post with additional details about TraceTogether.

[added 8:51 am 24 March] Zerotypic’s tweet thread on the reverse engineering done thus far.

[added 12:41 am 25 March] https://medium.com/@meshead/tracetogether-a-technical-look-e48360d4a4a9 – more reverse engineering

[added 5:37 pm 25 March] https://www.securityweek.com/sweyntooth-bluetooth-vulnerabilities-expose-many-devices-attacks an issue with BLE security.

[added 9:19 am 4 April] https://splira.com/2020-03-28/ – an analysis by Kevin Chu.

3 Comments

  1. The future is Open Source, proprietary software is going to go the way of the dinosaurs! Sooner or later, even if one accounts for just the cost advantage, Open Source is bound to win.

    1. The future came a long time ago. It is just not evenly distributed. Those who keep trying to deny it are the real historical relics. While it is important and critical that there are ways to generate a profitable business with open source code/hardware, it should never be at the expense of humanity. Never.

    2. I would prefer to downplay the cost part because that confuses the thinking. It is about empowerment and a wider sense of doing the right thing. Thanks for your comment. Appreciated.
