Publish Source Code to COVID tracing app

Richard McMillan made this Official Information request to Ministry of Health

The request was refused by Ministry of Health.

From: Richard McMillan

Dear Ministry of Health,

Please publish or provide the source code for the recently released COVID tracing app.

Yours faithfully,

Richard McMillan


Ministry of Health




Kia ora

Thank you for your request for official information received 2 June 2020
for:

"Please publish or provide the source code for the recently released COVID
tracing app."

The Ministry's reference number for your request is: H202003942.

As required under the Official Information Act 1982 we will endeavour to
respond to your request no later than 30 June 2020, being 20 working days
after the day your request was received.  

If we are unable to respond to your request within this time frame, we
will notify you of an extension of that time frame.

If you have any queries related to this request, please do not hesitate to
get in touch.

Ngā mihi

OIA Services
Government Services
Office of the Director-General
Ministry of Health
E: [email address]


Paul Roberts left an annotation

Some journalists have already asked for this but the source code won't be released.

https://www.rnz.co.nz/news/national/4171...


Ministry of Health



Attachment: H202003942.pdf (524K)


Kia ora Richard

Please find attached a letter regarding your request for official
information.

Ngā mihi

OIA Services
Government Services
Office of the Director-General
Ministry of Health
E: [email address]


From: Richard McMillan

Dear Gaynor,

Thank you for taking the time to consider my request.

I would like to take the chance to ask you to reconsider your response, and ask for further clarification on a few points.

I would contest your grounds for refusal:
-- 9(2)(b)(ii), to protect information where the making available of the information would unreasonably prejudice the commercial position of the person who supplied or who is the subject of the information;

As I understand it there is no particular person that supplied the application, since it was developed by a digital agency. Furthermore I cannot envisage a case for the source code being withheld under this clause, unless there are particular concerns about, for example, the quality of the code, which would then make this very much an issue of overriding public concern.

-- 9(2)(ba)(i), to protect information which is subject to an obligation of confidence and would likely prejudice the supply of similar information, or information from the same source, and it is in the public interest that such information should continue to be supplied.

I’m not at all clear on the case for refusal here; I’m going to assume that the logic goes that by publishing the source code public confidence of the public in supplying information via the application would somehow be compromised - perhaps by . If this is indeed the case then similarly to above it would seem to in fact bolster the case for public interest in the source code of the application.
Either way it’d be enlightening to understand the reasoning behind this point of refusal.

If you feel any of my assumptions above are incorrect, please let me know precisely how and why.

While I note that you have every intention to publish the source code at some point in the future I recognise that this is not a firm commitment and therefore cannot accept the vague and as yet unfulfilled promise of a future release. You state: ‘We are yet to have the supporting capability and processes in place to ensure that any release of the source code does not place data security or privacy at risk.’ - I would contend that releasing the source code should in no way compromise the security or privacy of the application, assuming that no storage or API related secrets are stored in the source code.
Additionally I would point out that the source code is likely already available via application decompilation, so not publishing is in no way a security or privacy preserving measure in itself.

To clarify my request a bit further: I am not asking for details of the application supporting infrastructure, access credentials, secrets or concrete configuration to be published, merely the source code - which in itself should contain no such credentials or secrets if competently developed.

I totally accept that some componentry, libraries or modules used in the application may be licensed restrictively, and of course would not expect them to be published with the source code.

Looking forward to your response.

Yours faithfully,
Richard McMillan


Mr Rodgers left an annotation

Richard

"As I understand it there is no particular person that supplied the application, since it was developed by a digital agency." — In the context of legislation, a "person" includes a company or other entity.

As to the second point, I think what they are saying is that if we (MoH) give away the source code provided to us by another entity we are not going to get anything from that entity again, and we feel we need their contribution. This clause is regularly used when a department has an informant that they don't want to lose.
