Govt opens up Aarogya Setu program code, announces reward for finding security flaws

To quell privacy and surveillance concerns, the Centre on Tuesday announced that the source code of Aarogya Setu has now been made open source.

The source code for the Android version of the application is available for review and collaboration on github.

The iOS version of the application will be released as open-source within the next two weeks and the server code will be released subsequently. Almost 98% of Aarogya Setu users are on Android platform.

The government has also launched a Bug Bounty programme with a goal to partner with security researchers and Indian developer community to test the security effectiveness of Aarogya Setu and to improve its security and build user trust. Details will be available at https://innovate.mygov.in.

NITI Aayog CEO Amitabh Kant asserted that no other government in the world has been open source at this scale.

The government has opened the source code to address concerns around privacy of data being collected by the contact tracing app.

"Transparency, privacy and security have been the core design principle of Aarogya Setu. Opening the source code to developer community signifies Government of India continuing principal to these commitments. No other government anywhere in the world has been open source at this scale," Kant said.

Meity Secretary Ajay Prakash Sawhney said that nothing that is done by human being can be perfect by definition but several developers volunteered for the app and made it close to a perfect product.

He said the e-commerce and other companies are using this app as a precaution and get alerted about exposure to coronavirus.

National Informatics Centre Director General Neeta Verma said that there will be four categories of rewards for people who find a bug in the app and come up with a suggestion to improve the programming of the app.

"There are three categories of securities vulnerability for which Rs 1 lakh be given in each of the categories. Then there is Rs 1 lakh prize for code improvement bounty," Verma said.

The app was launched on April 2 and has around 11.5 crore users at present.

"The source code of Aarogya Setu will be available at Github after 12 am-midnight," Verma said.

Advocacy groups have alleged that the government is using Aarogya Setu for mass surveillance especially in the absence of any legislation around privacy. A cybersecurity expert also made similar allegations that there are loopholes in the app.

Following allegations and concern, the government on May 11 issued a set of guidelines for data processing of Aarogya Setu app users and added a few clauses that may lead to imprisonment of persons found guilty of violating certain norms.

The new rules prohibit the storage of data beyond 180 days and enable individuals to seek deletion of their data from the government's Aarogya Setu related record within 30 days of raising the request.

The new norms allow the collection of only demographic, contact, self-assessment and location data of persons infected by the coronavirus or those who come in contact with the infected person.

(With inputs from PTI)