Kant also thanked several private parties by name for their volunteer efforts in building the app.
The gaps in Aarogya Setu’s privacy protections, data usage and perception of intent have been areas of concern for activists, with the Internet Freedom Foundation being at the forefront of efforts to address these issues. There have been small victories: the government backtracked from mandating usage of the app during lockdown 3.0 to calling it merely “advisable” in lockdown 4.0. However, this effort still left loopholes open to pressure non-government entities and private organisations to compel employees to use the app.
Since its introduction on 2 April, the Aarogya Setu app has been criticised for overreach in terms of data collected (it collects Bluetooth contact data as well as location data). The authorities responsible for the development of the app have always maintained that data is anonymised and shared only in case of a positive COVID-19 identification.
In a recent interview with Firstpost, security researcher Elliot Alderson said, “to potentially be useful, a contact-tracing app needs to be downloaded and used by a lot of people. To ensure adoption of the app on a large scale among the population, you need to gain their trust. Publishing the source code is one way to get this trust.” Alderson had recently uncovered some bugs of moderate concern, which were quickly addressed by MEITY.
What does open-sourcing mean for Aarogya Setu?
According to Kant, 98% of Aarogya Setu installs are on Android devices, which explains the initial release of the Android client source code for the app. The app has been open-sourced under the Apache 2.0 license, which means other parties may freely use and change the code, as long as a notice of the change is carried with the code. NITI Aayog and MEITY (Ministry of Electronics & Information Technology) are inviting programmers to look at the code, find bugs and suggest changes and improvements. According to Kant, open-sourcing a government app that operates at this scale has never been done before.
An open-source model also allows for other countries that may be exploring digital contact tracing to get a boost by adopting already-mature, secure and publicly-validated code. Principal Scientific Advisor K. Vijay Raghavan specifically mentioned the applicability of this code to other countries.
The questions that remain
Open-sourcing Aarogya Setu is a confidence-boosting step and hard to argue with. Public availability of code means that the app’s operation can be verified to be secure. Once the server code is available for review, the loop should close.
However, questions of legality remain. At this point, the government encourages, but does not mandate, the use of Aarogya Setu. But this does not mean other entities such as the Airports Authority of India, the Indian Railways or private organisations won’t.