The Indian government announced today that it will open source the code for the Android version of Aarogya Setu, the government’s contact tracing app. The code will be available after midnight tonight on the open source code repository GitHub.
“This is a unique thing to be done. No other govt product anywhere in the world has been open sourced at this scale. Today its scale and size is 115 million. It cuts across phones, IVRS. Only product available in 12 languages. All COVID-19 related apps put together, Aarogya Setu is bigger than all of them,” Amitabh Kant, CEO of NITI Aayog, said.
The move should help the government quell questions around privacy that many have raised about the app. Open sourcing the code is something that many from the privacy community have asked for over the past few months.
Open sourcing an app’s code means the government will publish it on a public code repository, like GitHub, for anyone and everyone to see. The government said that all subsequent updates will also be made open source through this repository, and that the iOS and KaiOS (on JioPhone) versions of the app will also be made open source soon. At the moment, 95% of the app’s users are on Android, said Ajay Prakash Sawhney, secretary, Ministry of Electronics and Information Technology (MeitY).
The government also announced a bug bounty program for the app, which means it will pay developers and others who find bugs or loopholes in the app. There is a cash prize of Rs. 1 lakh for reporting bugs; details can be found through a FAQ the government is also publishing today.
“This will enable the vast number of entrepreneurs and businesses to build applications on top and unleash the ‘animal spirit’ of the innovations in the post-COVID world,” wrote Ramesh Raskar, MIT Media Lab professor, on Medium. “The open-source code base will increase the trust further, unlock the innovation potential, and invite many engineers, designers, epidemiologists and policy experts to participate to provide improvements and suggest applications way beyond our imaginations,” he added.
It will also keep anyone from making false claims about what data the app takes from users, and let developers pinpoint the kind of data the app publishes. Security researcher Karan Saini, though, pointed out that there are ways for the government to obfuscate the open sourced code, which would make it difficult for developers to read the code and find possible gaps. “Obfuscating the code goes against the whole idea of open sourcing,” he said.
“This release, though useful in its own right, still would not provide any concrete insights into how user data is processed or handled at the back-end,” he added. While the code can show what data is being accessed by the app, how that data is used on the backend cannot be understood from the code.
“It has been built with privacy in mind. The bill is still in Parliament but we have used the principles of the Personal Data Protection Bill. Among several others, features of consent from the Bill have also been incorporated in the app,” Sawhney said.
The Indian government is not the first to open source the code for a contact tracing app. Britain’s National Health Service (NHS) has also open sourced the code for its app, which has over 40,000 downloads right now.
India’s contact tracing app is currently on over 115 million smartphones. Kant said it has allowed the government to predict over 3000 hotspots at sub-post office level and has alerted over 140,000 Indians of possible infections.
There have also been other instances of governments trying to improve their systems through open source. For instance, the Swiss government announced a bug bounty program last year, offering as much as 50,000 Swiss francs to hackers who could game its electronic voting system. The government open sourced the code for the system and invited a “public hacker test” of it ahead of the nationwide rollout.