The government, on Tuesday, 26 May, released the source code for the Android version of Aarogya Setu App. “Aarogya Setu is now open source,” declared Amitabh Kant, CEO, NITI Aayog at the press conference.
Stating that the app is committed to transparency, security and privacy, Kant iterated that “opening the source code signifies government of India’s continued commitment to these values.” According to Kant, the app has predicted more than 3.000 coronavirus hotspots 15 to 17 days ahead of time.
Terming it as a “major step”, Ajay Prakash Sawney, Secretary, Electronics & IT Ministry, said, “We are opening the heart of this functional system used by 11.5 crore people.”
Responding to recent criticism regarding the app’s privacy policy and data collection mechanism, Sawhney stated that even though the Personal Data Protection Bill is pending in Parliament, the app has incorporated the principles within it.
“Principles of data minimisation, purpose limitation, time limitation along with the feature of consent have been incorporated already,” Sawhney announced at the conference.
The Quint has learnt that several security researchers and analysts were approached over the past couple weeks by the core team of Aarogya Setu to access the source code and provide feedback.
The coordination was facilitated by the Data Security Council of India (DSCI).“DSCI has recommended a number of security analysts to take a look at the app’s source code before the official announcement,” said a Mumbai-based threat intelligence analyst.
Dr Neeta Vera, Director General, National Informatics Centre, (NIC) announced the app will also contain a bug bounty scheme.
A bug bounty amount of Rs 1 lakh each will be paid for detecting vulnerabilities in the app as well as for code improvement.
The source code for the Android version of the application is available for review and collaboration on GitHub platform from midnight.
Earlier on Tuesday, Aarogya Setu, in an update of its terms, announced that reverse engineering of the app will no longer be punishable. Till now, security analysts were not allowed to reverse engineer the app in order to learn about its algorithm and arhcitecture.
On 30 April, in an interview with The Quint, Arnab Kumar, Program Director, Frontier Technologies at NITI Aayog, said the app development team was “committed” to making Aarogya Setu “open source soon once the product has stabilised.”
Asked why the app had not made open source, Kumar had said “It is not static, like (Singapore’s) Trace Together App. It is a very dynamic product. We are continuously adding new information, new features.”
“The product is evolving, once we are comfortable that we are in a space where the product goes into maintenance... that is probably the right time to open source it,” he added.
Amid criticism about lack of transparency, Kumar had said that the app’s source code had, in fact, already been tested by a number of authorities, including the Data Security Council of India (DSCI) as well as IIT-Madras professor V Kamakoti.
Kamakoti is also a member of the National Security Advisory Board, which operates under the PMO.
“Open Sourcing the app will allow a collaborative approach to problem-solving and increase community participation. Moreover, in order to improve on the security architecture of the app, recommendations from the tech community will be crucial,” said Kazim Rizvi, founder, technology policy think tank, The Dialogue.
“This move will address concerns surrounding transparency and verifiability of the functioning of the app,” Rizvi added.
Launched on 2 April, Aarogya Setu, a contact tracing tool, has been developed by the Government of India along with NITI Aayog and a team of private volunteers, including former Google India head Lalitesh Katragadda.
It is meant to help determine if an individual have come in contact with someone who could be COVID-19 positive.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)