‘Committed to Making Aarogya Setu Open Source Soon’: App Official

The source code of Aarogya Setu, Government of India’s contact tracing app, will be made open to the scientific and research community soon, a top NITI Aayog official and member of the app’s core team has confirmed.

At a time when the app has come under sustained criticism for lack of transparency, Arnab Kumar, Program Director, Frontier Technologies at NITI Aayog, said the app development team was “committed” to making Aarogya Setu “open source soon once the product has stabilised”.

It is meant to help determine if an individual have come in contact with someone who could be COVID-19 positive.

“There is no running away from open sourcing the product and no intention to hide anything,” Kumar told The Quint.

‘Open Source Not Just a Possibility But a Commitment’

Kumar added that the app’s source code has, in fact, been tested by a number of competent authorities, including the Data Security Council of India (DSCI) as well as IIT-Madras professor V Kamakoti. Kamakoti is also a member of the National Security Advisory Board, which operates under the PMO.

There is, however, no information yet on the feedback or results of the app’s audit by those who have undertaken such an exercise.

“We are dealing with something which is not a predictable variable. The moment we become comfortable that the product has stabilised, we will do it,” he added.

The NITI Aayog official added that the reason the app has not been made open source yet is because it had been developed in two weeks and has been under continuous improvements and expansion.

Aarogya Setu has often been compared to Singapore’s ‘Trace Together’ contact tracing app, with transparency having been highlighted as a major contrast.

“It is not static, like Trace Together. It is a very dynamic product. We are continuously adding new information, new features,” Kumar said.

Open Source Improves App Security: Experts

At a webinar organised by Medianama and attended by The Quint, Subhasis Banerjee, professor of computer science and engineering at IIT Delhi, stated that it is important for the code to be open source and “reverse engineering must not be prohibited.”

The current Terms of Use explicitly prohibit users from reverse-engineering the app for any purpose.

“In any case, reverse engineering must not be required, it should be an open source app at this scale. The design principles should have also been detailed in a white paper. Without that, it just seems like a red herring, that makes people run around without clarity,” professor Banerjee had said.

Security researchers have pointed out that making an application open source helps in improving the app by allowing researchers and experts to audit it and identify vulnerabilities.

“Making the source code available enhances transparency and this also improves security, as the code is open to community audit,” Software Freedom Law Centre India had stated in its statement, regarding the primary concerns with the app.

Srikanth Lakshmanan, a software professional working in digital payments, FOSS and open data, however, points out that there is a difference between "making source code public" and open sourcing.

“Open source means that it will be fixed far more quickly than the closed source model and, perhaps more importantly, the fix will likely be better scrutinised by the open source model than the closed source model,” he added.