46 comments

[ 2.7 ms ] story [ 119 ms ] thread
Wow I never expected this from Indian Govt irrespective of the political party. And bounty on top of that for security issues is definitely next level.
Likewise - this is welcome news.

If it's mandatory, it should definitely be open source. Hell, anything that is funded by taxpayer dollars should be open sourced.

EDIT: My bad, didn't read correctly!

What's more interesting, and rather disappointing, is that they are going to open source only the iOS and KaiOS version of the app [1]. I'll be honest, I had to lookup what KaiOS is. Why not Android?

[1] https://tech.hindustantimes.com/tech/news/aarogya-setu-s-and...

What do you mean ? The link you added says in the first line

> The government today made the Android version of Aarogya Setu open source

The techcrunch link also said android version is being made opensource.

All 3 versions are being open sourced. Says so in the article you linked.
Finally it would put to rest all the fake news about big brother surveillance and privacy noise that was around this app.
No, what would have put all the legitimate concerns to rest would have been:

a) transparency into who the developers are, and what the terms of engagement are

b) even if they didn't / couldn't open source the code from the get go, a clear date and target of when they would do so

c) even before the app was launched, a single one page document of the architecture, the regulations governing data retention, etc (all were released post facto, after the "fake news" and "privacy noise").

Concerns about the govt collecting massive, potentially identifiable data on an individual level for an application that they originally mandated everyone had to use to travel, is not "fake news". Perhaps one may feel such concern was unwarranted (and I disagree there), but how is that "fake news"?

We may have differences of opinion on the level of trust one can have on govts, but I'm sure we can agree that transparency and visibility into such critical decisions is reasonable to demand and expect.

You're spot on. I've seen a lot of folks talk about how the government rushed into putting out the app without having an open consultation with technologists. Rather, a closed-door discussion with a vague set of "industry players".

Nonetheless, this is the first step the government has taken. Let's hope continued pressure will result in audits and better protocols in the future.

> Concerns about the govt collecting massive, potentially identifiable data on an individual level for an application that they originally mandated everyone had to use to travel, is not "fake news". Perhaps one may feel such concern was unwarranted (and I disagree there), but how is that "fake news"?

I'm not the OP but from what I've heard there's a mix of genuine concerns and conspiracy theories about this (as often happens), and its quite hard for a layperson to understand what to believe. I read the OP as saying "finally, we get to see what's really happening and can thus determine if the concerns for data privacy are legitimate and put the conspiracy theories to rest"

Like every other thing, even this was politicized in India. There are people terming the app as a "surveillance app" without a proper technical analysis[0].

0. https://www.nationalheraldindia.com/india/aarogya-setu-is-a-...

How does one do proper "technical analysis" without access to the code, or knowing the architecture? None of those were available when the app was released. Was the shrill noise over the top? IMO, perhaps; but that does not detract from the fact that the application was just announced, with mandatory use if you had to travel (now diluted to encouraged), without any transparency..

National herald is not an unbiased source; it's clearly anti-current incumbent govt, but the argument that people were criticizing without "technical analysis" when no data was provided nor were they (initially) open to even sharing the code for scrutiny, makes me wonder how one could have assumed the app did what it said on the tin, except by blindly trusting the govt.

Which, personally, I'm not a fan of. There is a reason the US federal govt is constrained by the 1st amendment, and not private corps. Govts are unique entities in our societies, with a monopoly on multiple forms of power, and their oversight should be held to a higher standard (again, IMO)

Well, people have decompiled the Android app. I believe if someone wants to term the app as a complete sham then they should at least do that.

Note that I am not against criticism of the app. Privacy concerns are full valid and I also want the app to be open sourced in its entirety.

Fair point; I think we both probably agree that there was a lot of needless hysteria. However, the ability to decompile / reverse engineer the app itself was explicitly disallowed in the app ToS [1]:

“...You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”

exposing the software engineer / group that did it & published the analysis to significant harassment & risk.

One could argue that this was for data protection, but it reeks of security through obscurity, especially the way the clause is worded (including but not restricted to). Whatever the intentions, the initial roll-out was a disaster from the transparency / info-sec PoV IMO.

[1] https://sflc.in/our-concerns-aarogya-setu-app

edit: added link to the Software Freedom Law Center India site with details on the clause prohibiting reverse engineering

While the source code will be open-sourced, the fact that data is being stored in a centralized server is still worrisome.

There was no fake news. The topic was debated, discussed, in the public domain.

How would just open sourcing the code imply that surveillance is fake news?
How would it put to rest when multiple govt agencies continuously leak private information? The data is still stored in the app. Only the source has been published now. It can be vetted for security but not the server code
I have only heard rumors, is there a good source that summarizes what these concerns are?
> The data is still stored in the app.

What's the issue with the data being stored in the app?

sorry I meant a centralized server. Storing it in device is not a problem. But when they have already published private details (Aadhar) of millions of people without any sort of care, its really worrying
Published as in? Is the data available on some site?
apparently on the darkweb, etc [1], among other leaks [2,3]. To be fair, the issue doesn't appear to be with the aadhaar database itself but the many agencies that use / store the data but do not protect it properly. Poor to non-existent data handling practices, limited understanding of privacy risks at the end user level..

Aadhaar has been transformational; but I hope we don't go down the path of the US SSN: one of the simplest vectors for massive identity theft in the US. I don't think we will, but it does appear that there are significant teething issues that could be better addressed if the powers that be were more willing to acknowledge shortcomings instead of saying the data is protected by 13 feet walls. [4]

[1] https://www.moneylife.in/article/aadhaar-data-breach-largest...

[2] https://www.thehindu.com/sci-tech/technology/major-aadhaar-d...

[3] https://techcrunch.com/2019/01/31/aadhaar-data-leak/

[4] https://www.news18.com/news/india/aadhaar-data-protected-by-...

Thanks for this. I was tired to do a 20 second google search
Thanks for the links. I am aware about the leaks and understand that the loophole isn't exactly fixed. I was concerned that it's actually published on some site and can be readily accessed by anyone.
Server side code will be released as well.
I really despise how the term "fake news" can now liberally be applied to any dialog that challenges the status quo. There are legitimate conversations that should happen around broad surveillance, shutting that down because some actors derail the topic with wild unsubstantiated claims is just wrong.

With such a huge signal/noise ratio for information these days it seems we are rapidly heading toward people not thinking for themselves and deferring to 'approved' sources of information. All the 'fake news' will be taken down, this will include dissent obviously.

I worry for the future.

People accept contact tracing and don't see how this is exactly what the Chinese govt. have been doing for a number of years, something we used to reject as authoritarian and against western ideals. It's astonishing what we have lost in such a small period of time.

Any policy made today will almost certainly be carried indefinitely forward, the the "new normal". Another term that horrifies and depresses me.

The current (mis)use of the term "fake news" has really been normalized by Trump - I don't know that its meaning will ever be recovered.
Trump is a symptom, not the cause. He was elected after all.
The privacy angle is a total distraction. The intent of these "exposure notification" apps is to tell you that you have been exposed. Six degrees from Kevin Bacon means everyone gets a notification, everyone lives in fear. Fear is the most powerful tool for control.
(comment deleted)
Even though I'm sure this won't be perfect, this is still something I hope other apps follow suit with. I currently use the Citizen app in NYC, but I'm not necessarily a fan of the contact tracing functionality they're rolling out. Open-sourcing it would (hopefully) ease some of my concerns... or maybe aggravate them if I saw some things I didn't like... but at least I'd know how my data is being used one way or the other.
For those who're looking for the source code, the repository will be live tonight at 12:00 IST and will be available at: https://github.com/nic-delhi/AarogyaSetu_Android.

iOS repo will be open-sourced a week later[^1].

[^1]: https://twitter.com/SetuAarogya/status/1265281058532016128

Who works at 12:00IST in India?
A lot of people?

Relevantly, a lot of developers and ops folks who need overlaps with US hours.

Someone that goes for lunch at 1:00IST?
It’s most likely automated. Not like a leader has to press the green button on that at that time! Nevertheless, there would be significant number of services in a country of billion people requiring 24X7 uptime!!
Support guys and some devs who work with American firms.
I guess, PM of India.
A much-needed step. This will improve transparency and should put to rest wild speculations going around about the app.

https://www.nationalheraldindia.com/india/aarogya-setu-is-a-...

Unfortunately, until the server-side code is also open-sourced, it would impossible to say what anyone does with the data stored on a centralized server.

This is the first step toward making things transparent.

Yes. It's just the first step. Considering the downvotes to my comment, looks like some people want the app to be completely closed-source.
The French one is opensource as well. There will also be a public bug bounty soon.
I think Android is the most important version - about 95% of mobiles are covered. So it is good they are doing that first. iOS is about 3-4% and KaiOS is just 1%, so I think if it takes some more time that's not a huge impact.