
Aarogya Setu goes open source; Govt announces Bug Bounty Programme

After 27 May, Aarogya Setu will be available on the public GitHub repository. Further, NITI Aayog has announced a bug bounty programme of 3 lacs.

CIOL Bureau

In the latest release, Amitabh Kant, CEO of NITI Aayog, said that Aarogya Setu is now open source. This means that after 27 May 2020, the digital contact tracing app will be uploaded to the public GitHub repository. Further, the iOS and KaiOS versions will be available within two weeks, and the back-end server code will also be made available in future. This step comes after French hacker Robert Baptiste released a statement about the app’s vulnerability, after which netizens started demanding that the app be open-sourced.


How will Aarogya Setu open source affect the app?

India currently leads the world in cases of COVID-19. The contact tracing app allows users to identify potential corona cases nearby. It is a Bluetooth- and GPS-based technology that maintains records of cases. The Government has assured that the app is safe, yet many people have raised concerns over it. Alderson (aka Robert) had recently uncovered some bugs of moderate concern, which MEITY quickly addressed. Open-sourcing the app brings transparency and a way to make it more efficient.


The government has first released the Android client source code for the app. This comes after Kant released a statement saying that 98% of installs are on Android devices. The app has been open-sourced under the Apache 2.0 license. This means other parties may freely use and change the code, as long as a notice of the change is carried with the code.

According to Kant, open-sourcing a government app that operates at this scale has never been done before. So, with this open-sourcing, the government has likely put to rest public scrutiny and criticism of potential privacy issues. Simultaneously, the privacy policy for Aarogya Setu has been modified to remove a clause against “reverse engineering”, which is no longer relevant.

Is open-sourcing safe?


An open-source model also allows other countries to explore the digital contact tracing app and adopt already-mature, secure and publicly validated code. Privacy is not the only concern; there is also the question of whether the app is useful. Addressing this, Amitabh Kant said 24% of contacts that Aarogya Setu identifies have tested positive. He stressed the critical importance of digital contact tracing, which allows rapid treatment and control of the spread.

Activists and the Internet Freedom Foundation have been at the forefront of addressing privacy issues. At a press conference, MEITY Secretary Ajay Prakash Sawhney repeated that the app does not exchange personally identifiable data. It only uploads data to the server in case of identification. He added that this is a step toward developing confidence in the app’s efforts.

The Bug Bounty programme for Aarogya Setu

Aside from open-sourcing the code, the government has launched a bug bounty programme. NITI Aayog and MEITY are inviting programmers to look at the code, find bugs and suggest changes and improvements. Security researchers will receive a bounty of Rs. 1 lakh if they find security vulnerabilities within the app. There will also be an additional code improvement bounty of Rs. 1 lakh.

Neeta Verma, Director General of NIC, also announced a bug bounty programme across three categories, each carrying a bounty of Rs 1 lac. Again, no government app has ever made such a claim.
