India said it will publicly release the source code of its contact tracing app, Aarogya Setu, in a relief to privacy and security experts who have been advocating for this ever since the app launched in early April.
Ajay Prakash Sawhney, secretary in the ministry of electronics and information technology, made the announcement on Tuesday, dubbing it “opening the heart” of the Aarogya Setu app to allow engineers to inspect and tinker with the code. The app has amassed over 114 million users in less than two months, an unprecedented scale globally.
The source code of Aarogya Setu’s Android app will be published on GitHub at midnight Tuesday (local time). Sawhney said the government will also offer cash prizes of up to $1,325 to security experts for identifying and reporting bugs and vulnerabilities in the code of Aarogya Setu. (Nearly 98% of Aarogya Setu app users are on the Android platform.)
Several privacy and security advocates, as well as India’s opposition party, had urged the government to release the code of the app for public auditing after some alleged lapses in the app were found, which New Delhi dismissed as features at the time.
Sawhney said today’s move should allay people’s concerns about the app, which is designed to help curb the spread of the coronavirus disease. Earlier this month, Sawhney said the government was not open-sourcing the Aarogya Setu app as it worried that doing so would overburden the team, comprising mostly volunteers, that is tasked with developing and maintaining the app.
The ministry said today that two-thirds of Aarogya Setu users had taken the self-assessment test to evaluate their risk of exposure. More than half a million Indians have been alerted that they made contact with someone who is likely ill with the disease, it said.
The app, which uses both Bluetooth and location data to function, has to date advised more than 900,000 users to quarantine themselves or get tested for potential exposure to the disease. Almost 24% of them have been confirmed positive for Covid-19, the ministry said.
“Opening the source code to the developer community signifies our continuing commitment to the principles of transparency and collaboration,” the ministry of electronics and information technology said in a statement. “Aarogya Setu’s development has been a remarkable example of collaboration between government, industry, academia, and citizens.”
Aarogya Setu, unlike the contact tracing technology developed by smartphone vendors Apple and Google, stores certain data on a centralized server. Privacy experts, including researcher Baptiste Robert, had argued that this approach would result in leakage of sensitive details of several Indians if that server were ever compromised.
“Open-sourcing Aarogya Setu is a unique feat for India. No other government product anywhere in the world has been open-sourced at this scale,” said Amitabh Kant, chief executive of government-run think-tank NITI Aayog, in a press conference today.