Aarogya Setu not ‘open source’ in real sense, claim cybersecurity activists, say server code must be made public

Cybersecurity activists have termed the Indian government's claim of making the source code of the Aarogya Setu app public a half-truth.

On 26 May, NITI Aayog CEO Amitabh Kant announced in a press conference that the Aarogya Setu app would be made open-source from the midnight of 27 May. However, over two weeks on, some cybersecurity activists have questioned whether this has actually taken place, and have termed the government’s claim a half-truth.

The Union government has stated that it has released the source code for the COVID-19 contact tracing app on GitHub, a source code sharing platform. As on 12 June, there were 134 pull requests to the code and 257 issues had been flagged on the platform. A pull request is recorded when a user on the platform downloads code from the repository.

A screenshot of the Aarogya Setu app github repository. Image courtesy: github

However, Akshay Dinesh, a medical professional and coder, said that the source code that has been made public is on a separate repository from the one that has been used for the current version of the app.

Speaking with Firstpost, Dinesh said, “The government did not state that the code that it made public was a snapshot from a repository that was private. They did not give any reason for doing so either. In my opinion, this shows a complete lack of transparency. So, to call the Aarogya Setu app open source is a half-truth, and, in effect, a lie.”

He further noted, “The Android app’s source code has been put in the public domain, but the code of the website it loads within the app (web.swaraksha.gov.in/ncv19) is nowhere to be seen. Even a snapshot of the code has not been made available.”

The government’s decision to make the source code of the app public came after sustained criticism from various quarters. One of these sources of criticism was a review by the Massachusetts Institute of Technology (MIT), which gave the app only one out of five stars. The app was only given a positive rating on the point of ‘data destruction’, while it failed to meet the MIT’s criteria on limitations on usage of data, minimisation of data, transparency and being voluntary in nature.

According to Anivar Aravind, a Bengaluru-based software engineer and public interest technologist, the announcement on making Aarogya Setu ‘open source’ appears to be an attempt to counter criticism from quarters such as the MIT. However, he, too, is not convinced by the government’s claims.

Speaking with Firstpost, Aravind said, “A major concern with Aarogya Setu is that it collects more information than perhaps any other such contact tracing app. In this context, for there to be actual transparency, the server code has to be made public, not just the client-side code. Until this happens, the government’s claims of having brought in transparency remain suspect. Open sourcing Aarogya Setu is not an act of charity, but is something that must be done according to existing policies.”

The policy that Aravind referred to was the Union Ministry of Communication and Information Technology’s ‘Policy on Adoption of Open Source Software for Government of India’, which was formulated in 2014. Section 3 of the policy states, “Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organisations, as a preferred option in comparison to closed source software (CSS)”.

However, the policy does provide for an exception under Section 7, which states that “in certain specialised domains where OSS solutions meeting essential functional requirements may not be available or in case of urgent / strategic need to deploy CSS based solutions or lack of expertise (skill set) in identified technologies, the concerned Government Organisation may consider exceptions, with sufficient justification”. It is not clear whether the Centre provided an official justification for not making the app open source initially, as envisaged in the policy.

Aravind has filed a petition in the Karnataka High Court, contending that the government is not adhering to principles of data minimisation on Aarogya Setu. He has also argued that the Data Access Protocol for Aarogya Setu has no force of law, and can be used as an excuse to mandate the use of the app.

During a hearing of the petition on 12 June, the Central Government told the court that downloading the app is not mandatory for people travelling by air or rail. However, Additional Solicitor General MB Nargund told the court that people who do not download the app will need to give a self-declaration.

Firstpost attempted to get in touch with Ajay Prakash Sawhney, Secretary in the Ministry of Electronics and Information Technology (MEITY), over phone and email, but did not get a response. Nevertheless, a release by the Press Information Bureau (PIB) does state that the server code of Aarogya Setu will be made public, although no exact timeline has been announced yet.

The release further states, “The app has over 114 million users as on 26 May, which is more than any other contact tracing app in the world... The key pillars of Aarogya Setu have been transparency, privacy and security and in line with India’s policy on Open Source Software, the source code of Aarogya Setu has now been made open source.”

A screenshot of the Aarogya Setu app listed on the Google Play Store. As per the service, the app has been downloaded more than 10 crore times. Image Courtesy: Google Play Store

While questions linger on whether the source code of Aarogya Setu has been made public in the real sense of the term, there are several other concerns as well. The Free Software Community of India — a collective of Free Software users, advocates and developers — pointed to the involvement of private players in the development of the app, and said, “Complete transparency would entail disclosure of the extent of such involvement, the processes followed in such public-private collaboration, including disclosure of tenders or contracts given to private companies for the work they contributed in the app, the guarantees available to the public about strict separation of data from the hands of private collaborators, and also details on procedures which allow more stakeholders, including civil society and rights activists, to shape the further development of the platform.”

As per media reports, several individual volunteers have worked on the app, including former Google India executive Lalitesh Katragadda and MakeMyTrip founder Deep Kalra.

But apart from concerns on security and transparency, a broader question remains as to whether a contact tracing app would be significantly useful in the fight against COVID-19.

Dinesh said, “My personal opinion is that a technological solution is an ill-advised misfit in our country. Our strengths are in community health workers and the decentralised health system that we have built over the decades. We should rely on that rather than assuming that we can mandate our way into making everyone walk around with a smartphone with Bluetooth on all the time.”
