RadarCOVID: its code is released, although the demand for more transparency does not stop

Technology News

The must-have contact tracker app RadarCOVID has seen numerous battles in its short life . First were the complaints about the slowness in its conception (mainly motivated by waiting for the joint development of Apple and Google on which it is based). Then, the problems derived from autonomous health management and the need to integrate the app with each of these regional systems. And, along the way, the doubts about privacy that some groups had launched , especially through social networks.

In order to provide transparency to everything that surrounds the application, the Secretary of State for Digitization and Artificial Intelligence released yesterday, September 9, the RadarCOVID code on GitHub , a popular repository owned by Microsoft. “This is an exercise of transparency so that the operation of the application can be audited openly and directly by the public. The objective is that anyone can send observations and suggestions that contribute to improving this tool,” they say from the SEDIA.

This movement was carried out by tracing the deadline set by Carme Artigas herself in this regard and, in this way, complying not only with a political commitment of the Government, but also with the technical specifications of the European DP3T protocol on which this is based. app. In fact, the release of the RadarCOVID code has been done under the same license as the DP3T protocol, the ‘Mozilla Public License 2.0’.

What is missing
Although this step forward in open source has been well received by the community, there have also been some criticisms against the forms and some technical deficiencies in this pioneering exercise of transparency in Public Administration.

One of them, reflected by several developers on social networks, has to do with the mismatch between the code published on GitHub and the current Android application. From the Executive they assure that it is “the last available version of the application”, but some technicians assure that there are differences – minor, that yes – between both, with what is probable that it is not really the last revision but that the still photo of the code has been taken before.

On the other hand, among the numerous comments on improvements and error detection (which, far from being negative, is the ultimate objective of this opening) there are some that are striking. Already when RadarCOVID was only available in the La Gomera pilot project, there were developers who discovered -through reversing techniques- the existence of some private keys in the application code. Although these keys are no longer operational, they are still present in the code released by SEDIA yesterday.

But beyond the code, critical voices appeal to a broader concept and demand not only that the application code be opened, but that many more documents associated with RadarCOVID be published. ” Now it is necessary to publish the Impact Assessment (in relation to Privacy / Protection of Personal Data) and the favorable opinion of the Control Authority (AEPD) as has already been done in Italy and Germany”, defends DigiLegal . “Has the justifying report of the contract, the specifications and the RadarCOVID contract already been published ? ” Asks @mablanes . At the moment, the answer is no to all these questions.

To this we must add the claims made last week by a hundred academics who demanded not only that a repository with the code be made public, but also details “about its deployment, governance and security measures adopted”, as well as “the history of the code used since the beginning ” and a” report on the design of the system with the analyzes that have led to decide the configuration parameters and use of the Google and Apple Notifications Exposure API “.

Pioneering project
Despite these gaps, the opening of the RadarCOVID code constitutes the first major exercise in these struggles of the Spanish AAPP , at least on this scale.

For now, the application continues with its expansion throughout the national territory, being “fully operational” according to SEDIA in thirteen autonomous communities, once the technical process of integration with the health systems of the Community of Madrid has been completed in the last week , the Valencian Community, Navarra, Asturias and La Rioja. In this way, the application is now fully available for almost 70% of the population.

Leave a Reply

Your email address will not be published. Required fields are marked *