Denmark keeps source code of Coronavirus tracing app secret
Like many other European countries, Denmark also tries to track Sars-CoV-2 infections with a mobile phone tracing app. However, against the advice of health organisations and despite positive examples set by other countries, the app is proprietary: it has not been released under a Free Software (also called Open Source) license.
Smittestop, the official tracing app released by the Danish government, is supposed to supplement the more traditional ways of combatting the Coronavirus with contact tracing. But instead of releasing the source code of the app under a Free Software license and thereby empowering the public as well as the scientific community to inspect, verify, improve and experiment with it, the app's source code is kept hidden.
This goes directly against the most recent recommendations from the WHO as well as the EU Commission's eHealth network. In the referenced paper, the WHO specifically states that:
"There should be full transparency about how the applications and application programming interfaces (APIs) operate, and publication of open source and open access codes. Individuals should also be provided with meaningful information about the existence of automated decision-making and how risk predictions are made, including how the algorithmic model was developed and the data used to train the model. Furthermore, there should be information about the model's utility and insights as to the types of errors that such a model may make."
Had the Danish government published the source code under a Free Software license, such transparency would have been provided to the public, and scientists and IT experts would have been able to peer review and improve the app's error margins, possibly helping interrupt more chains of infection.
On the app's homepage, the Danish government explains that the source code is not being published because of the risk of "security breaches" and to protect the public against malicious actors. However, IT security does not arise through attackers' ignorance of the system under attack, but through a proper and well-reviewed security design (see also p. 22 of our expert publication). This decision, if anything, makes the app less secure, not more. Moreover, since the app is decentralised and uses NemID, the official Danish digital signature, to control access, security breaches are unlikely to occur.
Such false security concerns have not stopped the governments of Germany, Austria, Italy and Great Britain from complying with the WHO's and the EU Commission's transparency requirements and publishing their contact tracing apps under Free Software licenses. In fact, Germany, Austria and Italy all cited security as one of the main points in favour of publishing the source code.
The Free Software Foundation Europe (FSFE) strongly urges the Danish government to immediately rectify this situation and publish its "Smittestop" app under a Free Software license, with the source code fully available to the public.