While that might be an argument in general, the protocol Google and apple are working in is cryptographically secure. They provably can't back out data about you.
A PDF document with a specification is not even close to "open source code". There is no way to know whether the specification actually matches the implementation.
> There is no way to know whether the specification actually matches the implementation.
That would be true even if Apple suddenly decided "oh these folks on HN want to see the code for that tracing component, better open source our complete OS". I've seen assurances that parts of this will be open sourced as far as they can but I honestly don't see how that matters. You have, as is a general tradition, a description of what this system does cryptographically. The rest is a matter of reverse engineering that hardly benefits from having the code. It's not like Play store updates or whatever Apple uses to push this are reproducible builds the end user can verify. And you always have the closed source blob of whatever BTLE chipset your device uses which you can mistrust.
edit: Let me qualify "but I honestly don't see how that matters" for the question of trust in what runs on your phone here. If you read a dig at OSS into this you're generalizing far over what I'm addressing here.
There are defiantly benefits from having the source code when it comes to being able to verify that the implementation does in fact match the specification. Sure, reverse engineering the binary would be possible but far more difficult. Reading open source code is far easier than reverse engineering. (Added in edit: From what I've read, the spec itself doesn't seem bad. The point is, assurance that does not require trust in another entity that the spec was implemented as written would drastically improve the confidence in the system.)
I have compiled some of the apps on my phone myself so I know that the result does in fact come from the same source code. That may not work in the case of iOS devices, though.
> And you always have the closed source blob of whatever BTLE chipset your device uses which you can mistrust.
That is a good point and it'd be great if that chipset could also be open sourced but one step at a time.
> That would be true even if Apple suddenly decided "oh these folks on HN want to see the code for that tracing component, better open source our complete OS".
You are correct if it was simply open sourcing the OS. If it was possible to compile and install the OS ourselves, that would completely change the game.
There is no code available at that link, and no indication whatsoever that Google and Apple’s implementation of the algorithms and protocols described in those documents will be open source.
Realistically, those APIs will be analysed soon after they're available in the same way COVIDSafe was. If they do something different than what's in the design, we'll know pretty quickly.
