Forbes India 15th Anniversary Special

Aarogya Setu: Is open-source secure enough?

Facing flak for transparency, the government has made the Aarogya Setu app—used to gather information and tackle the spread of the coronavirus—open source, but experts say privacy fears still persist

Naini Thaker
Published: Jun 8, 2020 11:40:08 AM IST
Updated: Jun 8, 2020 02:39:40 PM IST

The civil aviation minister recently said that downloading Aarogya Setu was preferable, but not mandatory, for air travel
Image: Ajay Aggarwal/Hindustan Times via Getty Images

At a time when the coronavirus compelled countries to bring life to a standstill, Niti Aayog and the ministry of electronics and information technology in mid-March roped in 50+ volunteers to develop an application that would help control the spread of the virus in India. Named Aarogya Setu, the contact tracing application was launched on April 2 and is now available in 12 languages across platforms.

“It was built in a record 15 days and is being used by 110 million users in the country,” claims Abhishek Singh, CEO, MyGov, a citizen engagement platform founded by the government of India.

Using Bluetooth, Aarogya Setu captures information from other devices that have the app installed. For instance, if any of your contacts—people you have interacted with in the last 14 days—has tested positive for the coronavirus, the app calculates your risk and recommends appropriate action. “Information about the same is also sent to health authorities to proactively administer necessary medical intervention,” says Singh.

The app is equipped with a self-assessment test, based on Indian Council of Medical Research (ICMR) guidelines. By integrating with the ICMR database through APIs, Aarogya Setu gets real-time testing alerts on Covid-19 positive cases. “Aarogya Setu has alerted more than 140,000 people so far of the potential risk of infection, through Bluetooth contacts traced from approximately 26,000 users who have tested positive,” says Amitabh Kant, CEO, Niti Aayog.

The app has seen a number of revisions in its design. Jay Datta, senior vice president, experience design for MakeMyTrip (and Goibibo), and one of the volunteers for Aarogya Setu, recalls starting work on the project with no brief, reviews, marketing report or complaints. “As we breached the 50-million mark on day 13, the usage pattern changed faster and new learnings emerged for us,” he says. By day 20, the third app version was released.

Privacy concerns

Within days of its launch, however, Aarogya Setu faced flak for privacy and transparency issues, and was criticised for excessive data collection practices. 

Devdutta Mukhopadhyay, associate counsel (litigation & RTI), Internet Freedom Foundation, says the collection of real-time location data through GPS could also increase the potential of the app being used as a tool for mass surveillance by the government.

In response to the criticism, the government, which had earlier made the app mandatory, made it voluntary on May 17. It is mandatory for railway passengers and delivery agents, and recommended for air travel.

On May 26, Kant announced that the source code of the app was open. This means that the developer community can review and work on it.

“By releasing and maintaining the source code in the public domain, we are looking to leverage the expertise of top technical brains in our bid to collectively build a robust technology solution to fight this pandemic together,” says Kant, adding that the app was always meant to be open sourced, once the product stabilised.

“Releasing the source code of a rapidly evolving product that is live at this massive scale, within eight weeks of launch is a first for a government product,” claims Arnab Kumar, ex-programme director, NITI Aayog. Experts, however, say several issues still remain unaddressed. “The source code cannot indicate the government departments with which the information is being shared, and how and whether this information is being used outside the public health system,” explains Divij Joshi, Mozilla technology policy fellow. Mukhopadhyay believes that Aarogya Setu needs a legislative framework to ensure that data is not used for law enforcement or commercial purposes. “It should also be made clear that the use of the app cannot be a pre-condition for accessing goods, services and public facilities,” he says.

Kumar, however, says, “Aarogya Setu’s privacy policy has several firsts, including automated data destruction policy, clear purpose limitation to the Covid-19 effort without exception and maximizing data kept on device, minimizing data transferred to the cloud and an explicit sunset clause.” Officials state that data is only shared with government authorities directly involved in COVID-19 related medical and administrative interventions on a strictly need-to-know basis and limited in scope only to their direct work.

Global use

China and South Korea have been using similar contact tracing applications that have helped them flatten the curve. Others like Singapore, Israel and Australia have also launched contact-tracing applications, which are open source. “For a country of our size and complexity, we needed an app that not only does contact tracing but also helps in identifying hotspots that can be sanitised, and containment measures can be taken on time to prevent spread of the virus,” explains Singh.

All countries, including India, have adopted a centralised approach. “The government must publicly explain the reasons behind the design choices of the app. For instance, why did it adopt a centralised model where data is uploaded to a government server instead of a decentralised one where data is stored locally on the device,” says Mukhopadhyay.

Switzerland’s Swiss Federal Institute of Technology Lausanne and ETH Zurich have been the first to launch a product called SwissCovid, based on technology provided by Apple and Google. This application relies on a decentralised approach, which helps make user choice paramount in deciding what information to share and how it can be used.

Joshi says currently only the app code is released for Aarogya Setu. “The server code (where much of the decryption and privacy-sensitive functions happen) is still not public. Since this is a centralised app, the server code needs to be public to understand more fully how the app is functioning,” he says.