myGov app source code - FOI review
We rely on myGov, but can we trust its code?
Millions of Australians use myGov to access essential services like Medicare, the ATO, and Centrelink. The myGov Code Generator app is one of the options for enhancing myGov login security.
But is it actually secure? Services Australia, the agency that publishes it, claims it is. But when I requested the app's source code under Freedom of Information (FOI) laws, Services Australia refused, arguing that releasing the code would help "nefarious actors" and compromise security. In other words: "Security by Obscurity".
True security requires transparency. Hiding the code prevents independent experts from auditing the system for flaws. It also denies secure access to government services for people who do not live in the Google or Apple "walled gardens", or to people with disabilities and culturally and linguistically diverse cohorts who cannot use the app as designed, but who could use modified or translated versions.
A merits review at the Administrative Review Tribunal (ART)
After years of waiting for the OAIC's review of Services Australia's access refusal decision - which they punted on due to the technical nature of the matter - I applied to the Administrative Review Tribunal (ART) for review. In this proceeding I will challenge the government's claim that hiding public, publicly-funded software is necessary and in the public interest.
This is not just a fight about source code; it is a fight for the right to know how our government's essential digital infrastructure works, and for the right to make it better for everyone.
The government will use taxpayers' money (probably lots of it!) to employ top legal counsel to defend their position of secrecy and control. I need your help to level the playing field in this fight for transparency, security, and freedom.
Summary of Services Australia's decision
- Services Australia applied section 47E(d) of the Freedom of Information Act 1982, claiming that release of the source code would have a substantial adverse effect on the proper and efficient conduct of the operations of an agency. Their argument has two main limbs:
  - That the release would compromise the security of the systems, leading to myGov account compromise or penetration of agency systems.
  - That the release would enable people to develop and distribute counterfeit versions of the application, leading to myGov account compromise.
- Because s 47E(d) is a conditional exemption, they also have to show that release would be contrary to the public interest. They argue the cybersecurity concerns outweigh the public interest factors favouring disclosure, which include transparency, the opportunity for re-use, the opportunity to improve the app, and enabling distribution outside the Google and Apple walled gardens.
You can see the original request, Services Australia's decision, and my OAIC review application letter at https://www.righttoknow.org.au/request/mygov_code_generator_app_source. I will publish more complete records of the case on a dedicated website soon.
Our case
It's a bit too early to reveal our whole legal strategy :) For now I will say that there are good arguments with supporting evidence to counter everything Services Australia has said so far. I will publish all submissions and evidence filed with the ART, from both parties, as those milestones are reached (subject to confidentiality orders, etc).
We will engage expert witnesses to assist the Tribunal. Dr Vanessa Teague, an internationally recognised expert in cryptography, will provide independent technical evidence on software security in general and on particular evidence relating to the myGov Code Generator app. I am also seeking an expert in Android application security to give evidence to the Tribunal.
Challenges and risks
- The Tribunal could agree with Services Australia's s 47E(d) Security by Obscurity arguments. This would set an unfortunate precedent in case law.
- We could lose for other reasons. In which case, the Tribunal may decline to make a decision on the s 47E(d) exemption, and an opportunity to make case law on this important topic would be lost.
- Even if we win, Services Australia could appeal the ART decision to the Federal Court.
Budget Overview
How will the funds be used?
I have retained the services of Wise Law, a boutique firm with specialist experience in both cybersecurity and administrative law. Because of the public interest nature of this case, they have generously offered their services at a deep discount. Nevertheless, good legal assistance and representation is not cheap. It is almost certain that costs will exceed $10,000 - but it could end up costing several times that. For that reason, I'm setting a funding target of $20,000.
Not one cent will be wasted. The largest expense will be Wise Law's services. The work they will do includes:
- Review the case up to this point, and research relevant case law
- Assist with drafting the Statement of Facts, Issues and Contentions (a critical document that articulates our whole case)
- Assist with taking expert witness statements
- Help me manage procedural aspects of the case (directions hearings, case conferencing, etc)
- Attend substantive hearing(s) in person. There will probably be one such hearing, but it could span multiple days.
In addition to Wise Law's services, funds will pay for:
- Travel and accommodation to attend in-person hearings for myself, representation, and expert witnesses, as required.
- Fees charged and costs incurred by expert witnesses in preparation of their testimony.
- Any other fees necessarily incurred in the course of this proceeding.
- Fees levied by the ART for access to transcripts or other case material.
- Fees which could be levied by Services Australia for access to the requested information, if successful.
Funds raised will be held in a bank account in my name used exclusively for this purpose. I am committed to complete transparency and will publish all invoices and bank statements.
For the avoidance of doubt, raised money will not be used for:
- The ART review application fee of $1148, which I paid. This action is on my initiative and I will eat this fee. I would not feel comfortable asking others for money unless I had skin in the game myself.
- Domain name registration or hosting costs for the campaign site (which I will set up soon). These are small costs, and I will maintain the site long after this saga is over and accounts finalised.
What if there's money left over?
If we win the case, Services Australia could appeal in Federal Court. Likewise, we could appeal if we lose. Costs to run an appeal would likely be an order of magnitude higher than the ART proceeding.
So, if there are funds left over at the end of the ART proceeding, we will hold onto them until we find out if an appeal is happening. If it is, leftover funds will go towards the appeal proceedings. Otherwise, all remaining funds will be donated to the Open Australia Foundation, the ACNC-registered charity (no longer a DGR, sadly) that operates RightToKnow.org.au and other services aimed at improving government transparency. Every dollar not used for my FOI matter will go to this very worthy charity!
No Reward
Every dollar counts! Thanks for your support.
$1 OR MORE: Thanks (name only)
Your name or pseudonym will appear in the supporter list on the campaign site.
$32 OR MORE: Insider access
Exclusive invitation to monthly update / Q&A sessions. I will report on progress and answer your questions about the case. Also includes the Thanks (name only) reward.
$64 OR MORE: Thanks (link + logo)
Your name or pseudonym, accompanied by a small logo and text link, will appear in an "above the fold" supporters list on the campaign site.
$128 OR MORE: Signed copy of the decision
I will mail you a signed copy of the ART's final decision, with a personalised note of thanks. I will pay postage from my own pocket, not from campaign funds! You will also get the Thanks (logo + link) and Insider Access rewards. Because the outcome is months away, I will reach out via email to confirm your postal address when the decision is handed down.
$256 OR MORE: Learn you a Haskell!
(A very niche reward, but perhaps interesting to some...) Do you want to learn the Haskell programming language? I can teach you! A half-day Haskell workshop plus ongoing assistance. We can do it in-person if you're in Brisbane, otherwise online. You are also entitled to all the other rewards!
$512 OR MORE