NEW DELHI : India on Tuesday said it will release the code for the Android version of its contact tracing app Aarogya Setu on open-source code repository Github. The government also rolled out a bug bounty programme, promising a reward of ₹1 lakh for those who discover bugs or loopholes in the app.
Starting Wednesday, anyone will be able to see and study the Aarogya Setu code on Github. The government said all subsequent updates will be made open-source through this repository and the iOS and KaiOS (on JioPhone) versions of the app will also be made open-source soon.
“This is a unique thing to be done. No other government product anywhere in the world has been open-sourced at this scale. Today, its scale and size is 115 million. It cuts across phones, IVRS. Only product available in 12 languages. All covid-19 related apps put together, Aarogya Setu is bigger than all of them,” Amitabh Kant, chief executive of NITI Aayog said. The move should help the government quell questions around privacy that many have raised about the app. Privacy activists have demanded open-sourcing the app’s code ever since it was released.
“This will enable the vast number of entrepreneurs and businesses to build applications on top and unleash the “animal spirit” of the innovations in the post-covid world,” wrote Ramesh Raskar, MIT Media Lab professor, on Medium. “The open-source code base will increase the trust further, unlock the innovation potential, and invite many engineers, designers, epidemiologists and policy experts to participate to provide improvements and suggest applications way beyond our imaginations.”
It will also keep anyone from making false claims about what data the app takes from users, and let developers pinpoint the kind of data the app publishes.
Security researcher Karan Saini, though, pointed out that there are ways for the government to obfuscate the open-sourced code, which would make it difficult for developers to read the code and find possible gaps. “Obfuscating the code goes against the whole idea of open-sourcing,” he said.
“This release, though useful in its own right, still would not provide any concrete insights into how user data is processed or handled at the back end,” he added. While the code can show what data is being accessed by the app, how that data is used on the back end cannot be understood from the code.
At the moment, 95% of the app’s users are on Android, said Ajay Prakash Sawhney, secretary, Ministry of Electronics and Information Technology (Meity). “It has been built with privacy in mind. The bill is still in Parliament but we have used the principles of the Personal Data Protection bill. Among several others, features of consent from the Bill has also been incorporated in the app,” he added. India is not the first to open-source the code for a contact tracing app. Britain’s National Health Services (NHS) has also open-sourced the code for its app, which has been downloaded over 40,000 times.
India’s contact tracing app is currently on over 115 million smartphones. Kant said it has allowed the government to predict over 3000 hotspots at sub-post office level and alerted over 140,000 Indians of possible infections.