Govt opens Aarogya Setu source code, but is that enough?
by Rukmini RaoFor organisations such as Software Freedom Law Center, India, Internet Freedom Foundation and other individuals who have been vocal about opening up of the source code, it is just a partial win
KEY HIGHLIGHTS
- Only source code of the Android version has been made available on Github
- iOS source code to be released in next two weeks and later server code
- Mismatch in protocol and app with respect to treatment of users' data
Following a huge outrage on social media platforms around privacy concerns and questions around the architecture of the Aarogya Setu app, the Ministry of Electronics and Information Technology announced the opening of the source code for developers to improve the app and fix the problems. The source code for the Android version of the application was made available on Github, a software development platform for developers to review. "With the release of the source code in the public domain, we are looking to expanding collaboration and to leverage the expertise of top technical brains among the talented youth and citizens of our nation and to collectively build a robust and secure technology solution to help support the work of frontline health workers in fighting this pandemic together," said the press release.
ALSO READ: Aarogya Setu is now open source; govt announces reward for finding security flaws
However, for organisations such as Software Freedom Law Center, India (SFLC.in), Internet Freedom Foundation and other individuals who have been vocal about opening up of the source code, it is just a partial win. Mishi Choudhary, Tech Lawyer and Founder, SFLC.in says although choosing Github as a platform and apache licence aligns with global best practices, the server side code has not been open sourced yet, nor do we know anything about what is happening with the iOS version or KaiOS version on which many other phones are running. She added that it is only after the government makes server side code available that there will be a complete sharing of the apps architecture.
After making the android version source code open, developers have raised over 120 issues and nearly 60 pull requests. Srinivas Kodali, an independent researcher working on data and governance, points out that open sourcing of the app is an important step in democratisation of the AarogyaSetu. "To me this is direct participation of people in technology governance aspect, which had been lacking in the country," said Kodali. He further pointed out that unlike earlier instances of Aadhar and UPI, which had architectural flaws and issues with system and was largely built with the help of private volunteers and with no transparency or public accountability, this move at least lets direct participation of people with the technical knowhow to point out the flaws with the code and hopes to get it fixed.
ALSO READ: Aarogya Setu is now open-source for developers, govt announces bug bounty programme
However, the larger problem still persists. Although the government has taken a step back by withdrawing the mandatory nature of the direction on use of Aargoya Setu, on ground it has been mandated by most states for travel, large stores and even private organisations to its workers. Although the terms of service of the app has been updated to delete the clause which absolved the government of any unauthorised access to personal information and modification thereof, Choudhary points out that the government still can't be held responsible for any harm caused "as the liability clauses in the app remains that nobody still has a liable. The government has said it won't be responsible for false negatives or false positives". Moreover with no data law in place, any breach of data or unauthorised use by a third party will still have to be litigated in the courts with no other alternate recourse available.
While the government has said that the iOS version will be released in next two weeks, it hasn't still clarified when the server code will be made available. In its claim to the utility of Aarogya Setu, the government has said that out of the 114 million registered users nearly two-thirds have taken the self-assessment test to evaluate their risk of exposure to COVID-19 with the app also helping in tracing about 500,000 bluetooth contacts of COVID-19 positive cases or the ones who are classified as needing assistance based on their self-assessment. It further said that nearly 24 per cent of those who were recommended for testing for COVID-19 were found to be positive.
ALSO READ: Delhi University closed till May 31; all employees asked to download Aarogya Setu