myID Android package (.apk)

Waiting for an internal review by Australian Taxation Office of their handling of this request.

Dear Australian Taxation Office,

I request the following information under the Freedom of Information Act 1982:

(1). The Android package (.apk) file of the Android "myID" application - the version that is current at the time you receive this request.

Yours faithfully,

Fraser Tweedale

FOI, Australian Taxation Office

1 Attachment

Dear FOI Applicant,

Please see attachment.

Yours faithfully,

FOI Team

FOI, Australian Taxation Office

Dear Fraser Tweedale

Thank you for your email to the FOI mailbox in respect of your FOI
request.  We will consider your request and respond as soon as possible.  

The standard timeframe for us to process an FOI request is 30 days from
the date we receive an application. However, ATO only re-opened from its
shut-down period today, 2 January 2025. 

To ensure we allow our officers sufficient time to investigate and process
your request, we seek your agreement to a 30 day extension of the
processing period under section 15AA of the FOI Act to cover for leave
taken by staff around this time. Of course, we will continue to process
your request and provide our decision as soon as we can.

Kind regards

FOI Team

Dear FOI Team,

I appreciate the 30 day decision period for my request included a Christmas shut-down period. I agree to a 7 day extension of time to compensate for the shut-down. I do not agree to a 30 day extension.

Yours sincerely,

Fraser Tweedale

FOI, Australian Taxation Office

1 Attachment

Dear FOI Applicant,

Please see attached.

Yours faithfully,

FOI Team

Dear Jessica M,

**Re: 1-1577AMA2**

Pursuant to FOI Act section 54, I am applying for an internal review
of your access refusal decision of 17 January 2025. My request,
which you received on 17 December 2024, was for:

> (1) The Android package (.apk) file of the Android “myID”
> application – the version that is current at the time you receive
> this request

In your decision you claim a section 47E(d) conditional exemption,
giving reasons, and further argue that these reasons outweigh the
public interest in disclosure. My counterarguments follow.

### Release does not increase risk to users or agency

Your reasons state that release of the .apk file:

> compromises existing safeguards by creating an unauthorised
> distribution channel. These safeguards ensure that users download
> a verified and up to date version of the application, prevent
> unauthorised modifications or tampering with the distributed
> “.apk” and limit the distribution of outdated or unsupported
> versions, which could contain vulnerabilities.

The argument that release creates an "unauthorised distribution
channel" is sound. However, it is a trivial matter to extract the
`.apk` from a phone. Anyone wishing to (re)distribute the
application (whether unmodified or modified in some way) outside of
official channels can do so with just a little technical knowledge
and the freely available Android SDK (software development kit).
For example, see
https://stackoverflow.com/questions/4032...

There are many alternative "mirrors" and distribution channels for
Android apps. Their trustworthiness is questionable. For people
preferring not to use the Google Play Store, release of the .apk
directly from the ATO, whether via the FOI process or other
publication process, in fact improves the security story for those
users. Some of the most security-critical and security-conscious
applications make their .apks available outside the official "app
stores", directly from their own website; for example, the encrypted
messaging app Signal: https://signal.org/android/apk/.

In your reasons, you also state:

> Creation of an unauthorised distribution channel could increase
> the risk of misuse, unauthorised modifications, or the
> distribution of compromised versions to end users. This, in turn,
> could undermine the secure and efficient operation of the myID
> application and its supporting systems, leading to a loss of public
> confidence in the ATO’s ability to keep its, and the broader
> Commonwealth’s, IT systems secure, impacting the conduct of its
> key operations.

As explained above, access to the .apk file delivered via authorised
channels (i.e. Google Play Store) is a simple matter. For someone
minded to misuse, modify, and distribute compromised versions of the
application, there is not one barrier they face that is removed or
weakened by release of the .apk file directly by the ATO.

For all these reasons, release of the .apk via the FOI process does
not increase the risk to the agency or to users of the application
above the risk latent and inherent in the current distribution
model.

It also warrants mention that installation of applications outside
the Google Play Store channel is an advanced operation. The
overwhelming majority of users only install applications via the
“app store” for their phone platform, and therefore remain protected
by all the safeguards of this distribution model and by whatever
additional measures the ATO has in place to ensure the absence of
counterfeit (and possibly malicious) variants of the application in
the authorised channels.

### Public interest in access to the program without requiring a Google account

In your reasons, you refer to:

> circumstances where the file is already available via authorised
> distribution channels (such as Google Play Store)

Access to the Google Play Store requires a Google account. Google
is a foreign multinational company whose business model involves the
collection of enormous amounts of personal data. To use their
services requires agreement to their Terms of Service, a contractual
arrangement which a person, as an Australian citizen, may not wish
to enter into. Even if a person has a Google account, they may
prefer not to use their account on their mobile device. Agencies
should ensure access to their digital services is available to all
without the mediation of, or requirement to enter into contract
with, any private entities—especially powerful foreign-owned
multinational tech giants.

Therefore, there is a public interest in the ATO making the myID
application available via other means. It would be preferable for
the ATO to make the current `.apk` directly available from your
website (which is a trustworthy channel). Because this option
currently does not exist, there is a public interest in release of
the `.apk` via the FOI request process.

### Closing

For the reasons stated above, release of the .apk has no adverse
impact on the ATO's operations and section 47E(d) does not apply.
But even if 47E(d) did apply, the need for a trustworthy source for
the .apk outside the standard "app store" (Google Play Store)
channel gives weight to the public interest of disclosure.

In my reasons above, I suggested that the ATO could publish the .apk
directly via your website. This would be a very good thing and
would extinguish this FOI request and (should my request succeed as
I believe it should) future FOI requests for updated versions of the
application.

Yours sincerely,

Fraser Tweedale