Loomio
Tue 28 Apr 2020 3:46PM

Independent Oversight

Michelle Calabro

This is where we will discuss Independent Oversight, what it means? How is it implemented? What authority should they have?

Michelle Calabro Wed 29 Apr 2020 6:33PM

The World Health Organization is making a contact tracing app, and the latest system architecture diagram is here: https://www.lucidchart.com/documents/view/3ce4e176-551f-4e71-9ec5-1c2e38071dea/0_0

Michelle Calabro Wed 29 Apr 2020 6:35PM

The thing that I think is most interesting about this diagram is that its authors have indicated that they do not trust users, community contributors or 3rd party platforms, but they do trust Google Cloud. On the surface, I can understand why they would not trust users, contributors or 3rd party platforms: the WHO app contributors can't control the actions and security of these. It makes me wonder who the authors are, and whether they're employed by Google. Google employees trust Google, but the only way others can fully trust this solution is with Independent Oversight.

Aaron Maxwell Fri 1 May 2020 5:47PM

I'm also surprised at which components were given explicit trust. Is it that they don't trust the information given by the user? Or do they suspect malicious intent? For the system architecture design document, I would suspect the latter. But all the user should be transmitting is the six variables in the Firestore table. And to become a trusted community contributor, you merely have to pass a Pull Request Review. How much of the Oversight and Audit function needs to look at the contributing developers?

Michelle Calabro Fri 1 May 2020 8:17PM

I researched further, and found the name of the author is Advay Mengle, https://www.linkedin.com/in/advaymengle/, a former Google employee.

Michelle Calabro Fri 1 May 2020 8:18PM

@Aaron Maxwell I suspect the latter as well. I don't think I fully comprehend your last question. Can you please elaborate further?

Aaron Maxwell Mon 4 May 2020 7:56PM

No problem. So I was explicitly thinking about how you transition from a Community Contributors to GitHub to the Public Repo Contributor. So let's say I go and fork the server side codebase. I'm treated as untrustworthy. But if I submit an "improvement" to the public portion of the code, am I still treated as untrustworthy? In other words, should the audit look at who gets access to and can make edits to the code that is used? What about those who work at the private codebase, which deals with the client side of the code?

Ryan Carrier Mon 4 May 2020 9:33PM

Yes, I believe data access will be a specific element in both Cybersecurity and Privacy: what data, and who has access to what? Who has access to data itself and in what form? Who has access to the process code, and in what way? How are malicious actors in both places managed?

Michelle Calabro Tue 5 May 2020 5:42PM

@Aaron Maxwell Ah, I see what you're asking: whether contact tracing app audit rules that are related to Trust should look at contributions from developers in an open-source setting, in order to control who can edit the code. I wonder whether auditing developer contributions will help us build trust between users and app builders. Genuinely unsure. What do you think?

Aaron Maxwell Tue 5 May 2020 9:56PM

@Michelle Calabro I think it might, so long as the audit focuses on the right thing. I mean, no one asks for a list of the developers who worked on the app that they just downloaded onto their phone. We just have an implicit level of trust because we assume it has been sent through some kind of tests to get into a recognized app store. As a user, I don't care as much about who added code, as what they added and when they did so. So the technical portion of the Oversight and Audit should focus on ensuring that proper development practices have been adhered to. Then anything that impedes privacy and security, whether malicious or not, can easily be removed. That's not to say a malicious actor can't sneak onto the code development team and do some real damage. But it's less likely.

Michelle Calabro Wed 29 Apr 2020 6:36PM

In my opinion, Independent Oversight and product/service development should not happen at the same time. As we've stated in the past, auditing should happen at pre-determined intervals, whether that's 1 year or a shorter amount of time for products/services developed for crisis response.
