MyGovID: source code and technical documentation

Fraser Tweedale made this Freedom of Information request to Australian Taxation Office


The request was refused by Australian Taxation Office.

Dear Australian Taxation Office,

I request the following information under the Freedom of Information Act 1982:

(1). Source code of the MyGovID iOS and Android apps, and server applications that form part of the MyGovID system, including build scripts, manifests, software license terms, and media assets (icons, audio files, etc).

(2). Technical documentation about the MyGovID system, such as API documentation, architecture diagrams, security assessments, technical presentation slides, "whitepapers" and similar documents.

If it assists in the expeditious processing of my request, source code may be delivered as a "snapshot" or export of source repositories, in ZIP, "tarball" or similar format. However, the full development history is preferred.

Yours faithfully,

Fraser Tweedale

Australian Taxation Office


This is the mail system at host righttoknow.org.au.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<[ATO request email]>: Host or domain name not found. Name service error for
name=ato.gov.au type=MX: Host not found, try again

Sent request to Australian Taxation Office again.

FOI, Australian Taxation Office

1 Attachment

Dear FOI Applicant,
 
Please see attachment.
 
 
Yours faithfully,
 
FOI Team
 
 
 

**********************************************************************
IMPORTANT

The information transmitted is for the use of the intended
recipient only and may contain confidential and/or legally
privileged material. Any review, re-transmission, disclosure,
dissemination or other use of, or taking of any action in
reliance upon, this information by persons or entities other
than the intended recipient is prohibited and may result in
severe penalties. If you have received this e-mail in error
please notify the Privacy Hotline of the Australian Taxation
Office, telephone 1300 661 542 and delete all copies of this
transmission together with any attachments.
*********************************************************************


FOI, Australian Taxation Office

1 Attachment

Dear FOI Applicant,

Please see above notice attachment.

 

 

 

Regards,

FOI Team

 

 


Dear Mr Durnan,

Reference: 1-Q1HU99Q

Thank you for your correspondence dated 28 July 2021, the notice of
intention to refuse access. In particular thank you for outlining
the challenges arising from the scope of my request and the impact
on the ATO's operations.

The scope of my original request was:

1. Source code of the MyGovID iOS and Android apps, and
server applications that form part of the MyGovID system, including
build scripts, manifests, software license terms, and media assets
(icons, audio files, etc).

2. Technical documentation about the MyGovID system, such as
API documentation, architecture diagrams, security assessments,
technical presentation slides, "whitepapers" and similar documents.

I hereby revise my request to the following scope:

1. Source code of the most recent public release of the
MyGovID Android client application, including program source files,
build scripts, manifests, software license terms, and media assets
(icons, audio files, etc).

I will now explain how I believe this revised scope addresses the
grounds for refusal which you outlined.

# Identifying, locating and collating documents within the scope of my request

My request is now limited to source code for a **single release**
of the MyGovID **Android client application**. I have omitted the
iOS client application and all server-side applications from the scope.

With high probability, the source code of the application is stored
in one or a small number of code *repositories* in a
*version control system*. Version control systems track changes to a
software code base over time. In technical jargon the state of the
code base or a branch thereof at a particular point in time is
called a *commit* or a *tag*. A technical employee (such as
a programmer or software project manager) will be able to identify
and produce the source code files identified by the commit or tag
for a particular release in very little time.

It is possible that the identified commit or tag includes files not
of a kind mentioned in my revised request. In particular there
might be "documentation" files of the kind mentioned in part 2 of my
*original* request. For the avoidance of doubt, these documents
are **not in scope** of the revised request.

# Deciding whether to grant access to documents

The scope of my request has been greatly reduced. As a consequence,
to review the identified documents for information that needs to be
redacted will take much less time than your estimate for the
original request. I further expect that by only including source
code and related files in the revised scope, it should be easier and
faster for qualified technical personnel to review these documents
(compared to, say, PDFs, emails, presentations, etc.).

# Impact on the ATO's operations

The same comments about the greatly reduced scope also apply here.
Nevertheless, I am sympathetic to your concern about diverting ATO's
efforts to deal with a FOI request about a soon-to-be-obsoleted
product version.

In light of this information, I propose a further revision to the
request scope: instead of the previous release of the Android app,
the source code for the **upcoming release** (that is, of a recent
test build or pre-release build thereof). With critical security
work already being undertaken (or soon to be), a review of this
*new* code pursuant to my request should require fewer resources, and
such a diversion could less easily be regarded as unreasonable. If
you reach a similar conclusion such that it improves the likelihood
of access to the documents being granted, please consider my request
thus revised.

Yours sincerely,

Fraser Tweedale

FOI, Australian Taxation Office

1 Attachment

Dear FOI Applicant,
 
Please see attachment.
 
 
 
Yours faithfully,
 
FOI Team
 
 
 


Fraser Tweedale left an annotation

Note: at this stage I intend to request an internal review of the decision.

Fraser Tweedale left an annotation

I requested internal review of this decision.
The letter can be found at https://frase.id.au/foi/2021-07_ATO_myGo....

Dear Australian Taxation Office,

On 8 September, 2021 I applied for internal review of your access refusal
decision dated 10 August, 2021 on my Freedom of Information Request
reference 1-Q1HU99Q. I sent the request to [email address] and called
the ATO to confirm receipt of my application on the same day.

The 54C(3) 30 day period for you to give notice of a decision expired more
than one week ago. Could you please update me on the status of the internal
review? Did the ATO apply to the Information Commissioner under 54D for
further time to deal with my application?

Yours sincerely,

Fraser Tweedale

FOI, Australian Taxation Office


Dear FOI Applicant,
 
We have checked our records and do not appear to have received an internal
review requested by you on 8 September 2021 to [1][ATO request email].
 
Could you please send a copy of the email (as sent) so we can confirm
whether it was received by us.
 
Could you please also advise who confirmed via telephone that the internal
review request had been received.
 
Regards,
 

FOI
Australian Taxation Office
 

ATO. Working for all Australians

References

Visible links
1. mailto:[ATO request email]

Dear FOI,

Right To Know does not support sending attachments, so I resent the internal review
application letter from my personal email address, just a minute ago. The letter has also
been published at:

https://frase.id.au/foi/2021-07_ATO_myGo...

Unfortunately I cannot recall the name of the person who confirmed receipt. It was through the
main switchboard and individual help system. I could not find a way to contact the FOI team
directly or be put through to you. The person I spoke to did confirm that they could see an email
from me, received September 8, 2021 (the same day), in the ATO's systems.

Yours sincerely,

Fraser Tweedale

Dear FOI,

Further to my earlier email of today October 20, 2021, I must correct a mistake and can
now provide additional information.

I sent the internal review application by email on September 8, 2021. In my previous message
I said that I called the ATO on the same day to confirm receipt, but in fact it was the next day
September 9, 2021. I apologise for my mistake and regret any confusion it may have caused.

The ATO's reference for this phone call is 1051898127326. This record shows that I called to seek
confirmation that the ATO had received my email. The record does not state that the person I spoke
to affirmed that she could see that an email from me had been received on either September 8 or
September 9. This satisfied me that the ATO had received my internal review application. Had I not
been satisfied, I would certainly have followed up further. You might be able to use the reference
number to make further inquiries - perhaps to discuss the call with the representative I spoke to?

For the avoidance of doubt, my application for internal review was not sent from Right To Know but
from my personal email address <[email address]>, to <[email address]>.

Yours sincerely,

Fraser Tweedale

Fraser Tweedale left an annotation

The ATO were unable to confirm receipt of my internal review application on 2021-09-08, but have agreed to process my internal review application as received on 2021-10-20. I am grateful to the ATO for agreeing to process my internal review application outside the s54B(1)(a) 30 day application period for internal review of access refusal decisions.

Note that a refusal of an agency to process an internal review application received after the statutory application period is an IC reviewable decision, and the FOI Guidelines are clear that an Agency must have good reasons to refuse it.

Fraser Tweedale left an annotation

IR affirmed the original decision. Letter: https://frase.id.au/foi/2021-07_ATO_myGo...

They continued to rely on s 47 (trade secrets and commercially valuable information) and s 47E(d) (certain operations of agencies). Whilst I do not agree with the s 47E(d) aspect of the decision, I can't see a way through on s 47 (which is an UNconditional exemption). The original decision did not adequately explain or justify their use of s 47 but the IR does make a plausible argument.

So, that is where this one ends, I think.