The source code of Aarogya Setu, Government of India’s contact tracing app, will be made open to the scientific and research community soon, a top NITI Aayog official and member of the app’s core team has confirmed.
At a time when the app has come under sustained criticism for lack of transparency, Arnab Kumar, Program Director, Frontier Technologies at NITI Aayog, said the app development team was “committed” to making Aarogya Setu “open source soon once the product has stabilised”.
Launched on 2 April, Aarogya Setu, a contact tracing tool, has been developed by the Government of India along with NITI Aayog and a team of private volunteers, including former Google India head Lalitesh Katragadda.
It is meant to help determine whether an individual has come in contact with someone who could be COVID-19 positive.
Security researchers and privacy activists who have analysed the app have, however, highlighted surveillance concerns as well as the lack of auditing and transparency.
“There is no running away from open sourcing the product and no intention to hide anything,” Kumar told The Quint.
‘Open Source Not Just a Possibility But a Commitment’
Kumar added that the app’s source code has, in fact, been tested by a number of competent authorities, including the Data Security Council of India (DSCI) as well as IIT-Madras professor V Kamakoti. Kamakoti is also a member of the National Security Advisory Board, which operates under the PMO.
There is, however, no information yet on the feedback or results of the app’s audit by those who have undertaken such an exercise.
Speaking on opening up the source code, Kumar said, “It is not a possibility but a commitment. We have said we will make it open source.”
“We are dealing with something which is not a predictable variable. The moment we become comfortable that the product has stabilised, we will do it,” he added.
The NITI Aayog official added that the reason the app has not been made open source yet is that it was developed in two weeks and has been under continuous improvement and expansion since.
Aarogya Setu has often been compared to Singapore’s ‘Trace Together’ contact tracing app, with transparency having been highlighted as a major contrast.
“It is not static, like Trace Together. It is a very dynamic product. We are continuously adding new information, new features,” Kumar said.
“The product is evolving, once we are comfortable that we are in a space where the product goes into maintenance... that is probably the right time to open source it.”
Arnab Kumar, Program Director, Frontier Technologies at NITI Aayog
Open Source Improves App Security: Experts
At a webinar organised by Medianama and attended by The Quint, Subhasis Banerjee, professor of computer science and engineering at IIT Delhi, stated that it is important for the code to be open source and “reverse engineering must not be prohibited.”
The current Terms of Use explicitly prohibit users from reverse-engineering the app for any purpose.
“In any case, reverse engineering must not be required, it should be an open source app at this scale. The design principles should have also been detailed in a white paper. Without that, it just seems like a red herring, that makes people run around without clarity,” professor Banerjee had said.
Security researchers have pointed out that making an application open source helps in improving the app by allowing researchers and experts to audit it and identify vulnerabilities.
“Making the source code available enhances transparency and this also improves security, as the code is open to community audit,” Software Freedom Law Centre India had stated in its statement, regarding the primary concerns with the app.
“The app primarily collects personal data from user cellphones and cellphones are an immense repository of personal data of users and sometimes, of a user’s contacts and acquaintances. In this scenario, keeping the source code of such an app proprietary is not advisable,” SFLC added.
Srikanth Lakshmanan, a software professional working in digital payments, FOSS and open data, however, points out that there is a difference between “making source code public” and open sourcing.
“The former is a static move fixed in time, while the latter is making the development of software itself in a transparent way,” Lakshmanan said.
“Open source means that it will be fixed far more quickly than the closed source model and, perhaps more importantly, the fix will likely be better scrutinised by the open source model than the closed source model,” he added.