COVID-19: Italian Contact Tracing App poses security concerns

Ordinance 10/2020 of the Extraordinary Commissioner for the implementation and coordination of measures to contain and combat the epidemiological emergency COVID-19 writes the final word in the chapter “Tracking yes, tracking no”. Italy wasted months idling on the decision to enforce a people-tracking system. Now, however, the Government has made up its mind and decided to use an “app” licensed free of charge by the developer. At the same time, the Commissioner’s Ordinance leaves untold some things related, in particular, to the security of the software, which, given the criticality of the moment, should have been a central element in the selection of the product.

Let’s start from strictly legal aspects: the company that developed the contact tracing software, as the Ordinance verbatim says,

solely out of a spirit of solidarity and, therefore, for the sole purpose of providing its contribution, both voluntary and personal, useful to deal with the ongoing COVID-19 emergency, has expressed its willingness to grant an open, free and perpetual licence to the Extraordinary Commissioner for the implementation and coordination of measures to contain and combat the COVID-19 epidemiological emergency and to the Presidency of the Council of Ministers, the source code and all the application components of the contact tracing system already developed, as well as, for the same reasons and always free of charge, has expressed its willingness to complete the IT developments that will be necessary to allow the national digital contact tracing system to start working.

Upon reading these words, a few remarks come to mind:

Firstly: was it indispensable to specify that the developer licenses the software “exclusively out of a spirit of solidarity etc. etc.”? From a copyright point of view, certainly not, unless it is a way to mitigate (or eliminate) liability for damages resulting from incorrect design or faulty software development. As is well known, the “gratuitousness” of software implies a less severe liability regime than the one applying to those who charge for a specially developed package or program.

Secondly: the licensees are the Commissioner and the Presidency of the Council. As sub-licensors, they must write a sub-license for those who use this software. Now, since the licence granted by the developer implies access to the source code, the duty of security verification belongs to the licensee. In other words, access to the source code means that all responsibility for data mishandling, errors, damage and unauthorised circulation of special categories of data under Article 9 of the GDPR lies with the Commissioner and the President of the Council.

Thirdly: the Ordinance speaks of an “open” license but does not specify whether it is the GPL (the only one that can be called “free”), one of the many licenses approved by the Open Source Initiative, or some other “independent” form of user license. The difference is not trivial, because while the GPL obliges redistribution of the source code so that it can be modified, other “open” licenses do not grant this possibility. It is unquestionable that the availability of sources improves the quality and security of the software, so one would expect the Government to make sure that the “technical schematics” of the software can be made public. It is not only a question of security but also of democracy: citizens have the right to know “what it does” and “how it works” when their life depends on an object. Beware: life, not “privacy”, because if this software is badly written or vulnerable it can cause damage, even irreversible damage, compared to which the concern for “privacy” is undoubtedly marginal.

Fourthly: the Ordinance mentions neither the design analysis nor the source code comments, which are the essential elements for understanding how the software works and what it does. Without this information, reviewing the code is difficult: it must be understood line by line without any help. Debugging, if it is even allowed, becomes harder still.

Hopefully, these elements (and several others that I do not indicate for brevity, e.g. who should be responsible for the mandatory analysis under Articles 25 – data protection by default and by design – and 32 – security measures – of the GDPR) are taken into account in the contract to be concluded between the parties.
