Experts seek full Aarogya Setu code, not bits of it
Updated: 24 Nov 2020, 06:16 AM IST
- Security experts have questioned the privacy implications associated with the app, which is capable of tracking users continuously
Contact tracing app Aarogya Setu is facing renewed criticism for lack of transparency, with many security experts pointing out that what the government released on Friday as the app’s ‘back-end code’ was not what it was claimed to be.
“What they’ve released right now is some non-functional code snippets. It is client-side code loaded onto the app from a web address and not the server functions or the data-handling part. The back-end code, which handles the data, including the data schemas, has still been kept secret,” said Anivar Aravind, an advisory board member at the Software Freedom Law Center (SFLC), who had challenged the mandatory imposition of the app in the Karnataka high court, highlighting its implications on privacy.
Another security researcher, Karan Saini, explained that the code the government has ‘open sourced’ (that is, made public and usable by others) only shows how the client-facing side of the application, the part that runs on users’ devices, functions. It doesn’t let anyone understand what kind of data processing the application is doing, how that data is being stored or even how it is accessed.
“It doesn’t allow you to glean any kind of useful information about the functioning of Aarogya Setu, apart from a few superficial snippets,” he said.
Security experts said that if this were indeed back-end code, it would allow users to run their own versions of the app. The government had already open-sourced part of the code for the app’s front-end, so adding the back-end code would allow developers to make their own versions of the app, experts said.
Saini and Aravind are joined by many others who spoke out on this on Twitter.
Aarogya Setu has quickly become the world’s most-downloaded contact-tracing app. With over 100 million downloads on Android devices, it is expected to become part of the government’s future e-health related initiatives as well.
Many have questioned the privacy implications associated with the app, which is capable of tracking users continuously. Open sourcing the app’s code is one of the things security experts have been asking for, but many say true open sourcing isn’t achieved unless the back-end code is also made available.
The Aarogya Setu app has been questioned for transparency on several occasions.
The Central Information Commission (CIC) recently sought an explanation from the National Informatics Center (NIC) for evasive replies to a right to information request about who had made the app.
The ministry of electronics and information technology (MeitY) later clarified the app had been developed by the NIC in collaboration with volunteers from industry and academia.
An email sent to the MeitY remained unanswered till press time.