The Indian government is reportedly planning to open source the code for its contact tracing app, Aarogya Setu. According to reports, Niti Aayog’s programme director, Arnab Kumar, said today that the government is mulling over open sourcing the code for the app, though a decision is yet to be taken.
In a report, public policy think tank The Dialogue recommended that the government open source the code for this app for the sake of transparency. The same has been demanded by various users, security researchers and privacy advocates. The Dialogue’s report also said that the government should allow “independent data auditing” to ensure checks and balances and accountability.
Open sourcing the code for an app allows the entire developer community to take a deeper look into its inner workings: to comb through the code and understand how it works, how it protects user privacy and what kind of data it accesses.
French security researcher Robert Baptiste, who recently pointed out privacy flaws with the app, said that if the government wants to make the app mandatory, then people have the “right to know what the app is really doing”. Baptiste recently published an article showing some loopholes in the app, though the Indian government has reiterated that Aarogya Setu isn’t violating anyone’s privacy.
Essentially, the community wants the government to publish the app’s code in a public code repository like GitHub. This allows the larger developer community to take a look at how the app works and find potential flaws with the system, which it can then submit to the government. Open sourcing is often used to develop apps collaboratively, and some of the biggest companies in the world, including Microsoft, Google and Apple, have been known to open source some of their applications in order to get support from the wider community.
However, open sourcing the code may be easier said than done. Software engineer Naresh R. pointed out on Twitter that it may expose vulnerabilities to everyone. “Granted, some issues are not okay. The first vulnerability caught by Elliot wasn’t okay but it was fixed. I’m also not saying the app is perfect. Rather, these are exactly why the app can’t be open source immediately — it will only make vulnerabilities visible to everyone,” he wrote.
That said, there are other instances of contact tracing apps that have been open sourced. Singapore’s TraceTogether app was amongst the first contact tracing apps worldwide and was also open sourced by the government. The United Kingdom’s National Health Service (NHS) has also open sourced the code for its contact tracing apps. Open sourcing also helps speed up development of such apps worldwide.
The Indian government will have to take all of this into consideration when deciding whether to take the open source route. The Aarogya Setu app currently has over 90 million downloads and the government plans to increase its purview to more than just contact tracing. In fact, a telemedicine portal was recently added to the app, and the more services the government adds to Aarogya Setu, the greater the chances of data leaks.