MyGovID: source code and technical documentation

Waiting for an internal review by Australian Taxation Office of their handling of this request.

Dear Australian Taxation Office,

I request the following information under the Freedom of Information Act 1982:

(1). Source code of the MyGovID iOS and Android apps, and server applications that form part of the MyGovID system, including build scripts, manifests, software license terms, and media assets (icons, audio files, etc).

(2). Technical documentation about the MyGovID system, such as API documentation, architecture diagrams, security assessments, technical presentation slides, "whitepapers" and similar documents.

If it assists in the expeditious processing of my request, source code may be delivered as a "snapshot" or export of source repositories, in ZIP, "tarball" or similar format. However, the full development history is preferred.

Yours faithfully,

Fraser Tweedale

Australian Taxation Office

This is the mail system at host righttoknow.org.au.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[ATO request email]>: Host or domain name not found. Name service error for
name=ato.gov.au type=MX: Host not found, try again

Sent request to Australian Taxation Office again.

FOI, Australian Taxation Office

Dear FOI Applicant,

Please see attachment.

Yours faithfully,

FOI Team

FOI, Australian Taxation Office

Dear FOI Applicant,

Please see above notice attachment.

Regards,

FOI Team

Dear Mr Durnan,

Reference: 1-Q1HU99Q

Thank you for your correspondence dated 28 July 2021, the notice of
intention to refuse access. In particular thank you for outlining
the challenges arising from the scope of my request and the impact
on the ATO's operations.

The scope of my original request was:

1. Source code of the MyGovID iOS and Android apps, and
server applications that form part of the MyGovID system, including
build scripts, manifests, software license terms, and media assets
(icons, audio files, etc).

2. Technical documentation about the MyGovID system, such as
API documentation, architecture diagrams, security assessments,
technical presentation slides, "whitepapers" and similar documents.

I hereby revise my request to the following scope:

1. Source code of the most recent public release of the
MyGovID Android client application, including program source files,
build scripts, manifests, software license terms, and media assets
(icons, audio files, etc).

I will now explain how I believe this revised scope addresses the
grounds for refusal which you outlined.

# Identifying, locating and collating documents within the scope of my request

My request is now limited to source code for a **single release**
of the MyGovID **Android client application**. I have omitted the
iOS client application and all server-side applications from the scope.

With high probability, the source code of the application is stored
in one or a small number of code *repositories* in a
*version control system*. Version control systems track changes to a
software code base over time. In technical jargon the state of the
code base or a branch thereof at a particular point in time is
called a *commit* or a *tag*. A technical employee (such as
a programmer or software project manager) will be able to identify
and produce the source code files identified by the commit or tag
for a particular release in very little time.

It is possible that the identified commit or tag includes files not
of a kind mentioned in my revised request. In particular there
might be "documentation" files of the kind mentioned in part 2 of my
*original* request. For the avoidance of doubt, these documents
are **not in scope** of the revised request.

# Deciding whether to grant access to documents

The scope of my request has been greatly reduced. As a consequence,
to review the identified documents for information that needs to be
redacted will take much less time than your estimate for the
original request. I further expect that by only including source
code and related files in the revised scope, it should be easier and
faster for qualified technical personnel to review these documents
(compared to, say, PDFs, emails, presentations, etc.).

# Impact on the ATO's operations

The same comments about the greatly reduced scope also apply here.
Nevertheless, I am sympathetic to your concern about diverting ATO's
efforts to deal with a FOI request about a soon-to-be-obsoleted
product version.

In light of this information, I propose a further revision to the
request scope: instead of the previous release of the Android app,
the source code for the **upcoming release** (that is, of a recent
test build or pre-release build thereof). With critical security
work already being undertaken (or soon to be), a review of this
*new* code pursuant to my request should require fewer resources, and
such a diversion could less easily be regarded as unreasonable. If
you reach a similar conclusion such that it improves the likelihood
of access to the documents being granted, please consider my request
thus revised.

Yours sincerely,

Fraser Tweedale

FOI, Australian Taxation Office

Dear FOI Applicant,

Please see attachment.

Yours faithfully,

FOI Team

Fraser Tweedale left an annotation

Note: at this stage I intend to request an internal review of the decision.

Fraser Tweedale left an annotation

I requested internal review of this decision.
The letter can be found at https://frase.id.au/foi/2021-07_ATO_myGo....