Aarogya Setu, India’s contact-tracing app, goes open-source

Sustained pressure on authorities about legality and privacy issues bears fruit.

At midnight (12 am) on the 27th of May 2020, Aarogya Setu — India’s digital contact tracing app — will go open-source and be uploaded to a public GitHub repository. Initially, the Android client code will be available, followed in two weeks by the iOS client (for Apple devices) and KaiOS code (for Jio feature phones). The back-end code for the servers that process the data provided by Aarogya Setu users will also be open-sourced at a future date. This is a significant step toward transparency in the collection and usage of sensitive data about COVID-19 patients. India currently leads the world in cases of the Novel Coronavirus (COVID-19).


Amitabh Kant, CEO of NITI Aayog, announced at a press conference that Aarogya Setu has been installed 114mn times, has reached out to 9 lac contacts, and is larger than the sum total of all contact-tracing apps used in other countries. The impressive statistics continue: 50mn installs in 13 days, 100mn in 41 days. More than 3000 hotspots at the sub-post office level have been identified thanks to the app, and 1264 potential hotspots predicted, according to a press release by the Ministry of Electronics & Information Technology (MEITY). Stressing the critical importance of digital contact tracing, he said 24% of contacts identified by Aarogya Setu tested positive, allowing for rapid treatment and control of spread.

Kant also thanked several private parties by name for their volunteer efforts in building the app.

The gaps in Aarogya Setu’s privacy protections, data usage and perception of intent have been areas of concern for activists, with the Internet Freedom Foundation at the forefront of efforts to address these issues. There have been small victories: the government backtracked from mandating usage of the app during lockdown 3.0 to calling it merely “advisable” in lockdown 4.0. However, this effort still left loopholes open to pressure non-government entities and private organisations to compel employees to use the app.

Since its introduction on 2 April, the Aarogya Setu app has been criticised for overreach in terms of data collected (it collects Bluetooth contact data as well as location data). The authorities responsible for the development of the app have always maintained that data is anonymised and shared only in case of a positive COVID-19 identification. In a recent interview with Firstpost, security researcher Elliot Alderson said “to potentially be useful, a contact-tracing app needs to be downloaded and used by a lot of people. To ensure adoption of the app on a large scale among the population, you need to gain their trust. Publishing the source code is one way to get this trust.” Alderson had recently uncovered some bugs of moderate concern, which were quickly addressed by MEITY.

What does open-sourcing mean for Aarogya Setu?

According to Kant, 98% of Aarogya Setu installs are on Android devices, which explains the initial release of the Android client source code for the app. The app has been open-sourced with the Apache 2.0 license, which means other parties may freely use and change the code, as long as a notice of the change is carried with the code. NITI Aayog and MEITY (Ministry of Electronics & Information Technology) are inviting programmers to look at the code, find bugs and suggest changes and improvements. According to Kant, open-sourcing a government app that operates at this scale has never been done before.

Neeta Verma, Director General of NIC, also announced a bug bounty program across three categories, each carrying a bounty of Rs 1 lac. Again, this is claimed to be unprecedented for a government app.

With the source code of the client and server elements of Aarogya Setu being open to public scrutiny, criticisms of potential privacy issues should eventually be put to rest, and fixes should be verifiable. Simultaneously, the privacy policy for Aarogya Setu has also been modified to remove a clause against “reverse engineering”, which is no longer relevant. At the press conference, MEITY Secretary Ajay Prakash Sawhney repeated that the app does not exchange personally-identifiable data, and only uploads data to the server in case of a positive identification. He added that this is a step toward developing confidence in the app’s efforts.

An open-source model also allows for other countries that may be exploring digital contact tracing to get a boost by adopting already-mature, secure and publicly-validated code. Principal Scientific Advisor K. Vijay Raghavan specifically mentioned the applicability of this code to other countries.

The questions that remain

Open-sourcing Aarogya Setu is a confidence-boosting step and hard to argue with. Public availability of code means that the app’s operation can be verified to be secure. Once the server code is available for review, the loop should close.

However, questions of legality remain. At this point, the government encourages, but does not mandate the use of Aarogya Setu. But this does not mean other entities such as the Airports Authority of India, the Indian Railways or private organisations won’t.
