In a departure from its previous stance, the Centre on Tuesday released the source code of its contact tracing app Aarogya Setu and announced cash prizes for those who find a bug or vulnerability in it. Government officials overseeing the mobile application development also told The Indian Express that they will soon provide anonymised data to researchers to conduct their own analysis on COVID-19 trends in the country.
The release of the app’s Android source code (which 98 per cent of the 115 million Aarogya Setu users use) comes nearly two months after the app was released on April 2. When asked about the delay in releasing the code after significant calls from India’s developer community, IT Secretary Ajay Prakash Sawhney told The Indian Express: “Even the best developers don’t document their code when they are rushing to make it functional. Now, they have properly cleaned the code. We even plan to release the code for the server function so that other countries can pick it up and use this app in their country as well.”
National Informatics Center Director General Neeta Verma said the government’s internal assessment found potential vulnerabilities in the app, calling for developers to attempt to solve the concerns in a detailed technical document. The Centre’s first-ever bug bounty programme will give up to Rs 3 lakh for two reward categories — security vulnerability reporting and suggestions for improvement in the source code.
Although the IT Ministry’s own policy from 2016 states that all software used by the government will be open source as far as possible, the Ministry had barred individuals from reverse engineering the code of Aarogya Setu.
Reverse engineering allows individuals and firms to deconstruct the working of a software or a hardware by tracing back steps from the final product, often to enhance the working of the source code or find a bug in the system.
May help assuage concerns over privacy, security
With the opening up of the source code for developers as well as the announcement of a bounty scheme for finding bugs in the Aarogya Setu app, the government has opened itself to scrutiny of coders across the world. This will, however, restore some faith in skeptical minds as they can now read and understand the code for themselves. It will also help in assuaging the data privacy and security concerns surrounding the app.
Sawhney told The Indian Express the Centre shares Aarogya Setu data in three buckets. “Personal data is shared to medical officials in order to fight the pandemic. Anonymised, aggregate data is shared with supporting departments like the planning development to assess the inventory required. And we will begin to share ‘hard anonymised’ data with research institutions who request such data and are cleared by a committee soon to be set up by the Principal Scientific Advisor.”
Till date, 1,264 emerging hotspots have been identified across India through the app.
“Transparency, privacy and security have been the core design principles of Aarogya Setu since its inception and opening the source code up to the developer community signifies the government of India’s continuing commitment to these principles,” Niti Aayog CEO Amitabh Kant said, while announcing the release of the source code. He said that if 70-80 per cent of a community has the app downloaded, they can achieve “digital immunity.”
The opening up of the source code fulfills a long pending demand of cyberlaw experts from across the country and the world.
“Aarogya Setu should always have been open source, right from the get go. Everything developed by the government should always be open source as that uses taxpayers money. Work to ensure that the app doesn’t mutate into any other vehicle that plays with sensitive information of such a large population should continue,” Mishi Choudhary, technology lawyer and founder, SFLC.in said.
Aarogya Setu has become mandatory for central government employees and for travelers crossing several borders across parts of the nation.
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines