Wow I never expected this from Indian Govt irrespective of the political party. And bounty on top of that for security issues is definitely next level.
What's more interesting, and rather disappointing, is that they are going to open source only the iOS and KaiOS version of the app [1]. I'll be honest, I had to lookup what KaiOS is. Why not Android?
No, what would have put all the legitimate concerns to rest would have been:
a) transparency into who the developers are, and what the terms of engagement are
b) even if they didn't / couldn't open source the code from the get go, a clear date and target of when they would do so
c) even before the app was launched, a single one page document of the architecture, the regulations governing data retention, etc (all were released post facto, after the "fake news" and "privacy noise").
Concerns about the govt collecting massive, potentially identifiable data on an individual level for an application that they originally mandated everyone had to use to travel, is not "fake news". Perhaps one may feel such concern was unwarranted (and I disagree there), but how is that "fake news"?
We may have differences of opinion on the level of trust one can have on govts, but I'm sure we can agree that transparency and visibility into such critical decisions is reasonable to demand and expect.
You're spot on. I've seen a lot of folks talk about how the government rushed into putting out the app without having an open consultation with technologists. Rather, a closed-door discussion with a vague set of "industry players".
Nonetheless, this is the first step the government has taken. Let's hope continued pressure will result in audits and better protocols in the future.
> Concerns about the govt collecting massive, potentially identifiable data on an individual level for an application that they originally mandated everyone had to use to travel, is not "fake news". Perhaps one may feel such concern was unwarranted (and I disagree there), but how is that "fake news"?
I'm not the OP but from what I've heard there's a mix of genuine concerns and conspiracy theories about this (as often happens), and its quite hard for a layperson to understand what to believe. I read the OP as saying "finally, we get to see what's really happening and can thus determine if the concerns for data privacy are legitimate and put the conspiracy theories to rest"
Like every other thing, even this was politicized in India. There are people terming the app as a "surveillance app" without a proper technical analysis[0].
How does one do proper "technical analysis" without access to the code, or knowing the architecture? None of those were available when the app was released. Was the shrill noise over the top? IMO, perhaps; but that does not detract from the fact that the application was just announced, with mandatory use if you had to travel (now diluted to encouraged), without any transparency..
National herald is not an unbiased source; it's clearly anti-current incumbent govt, but the argument that people were criticizing without "technical analysis" when no data was provided nor were they (initially) open to even sharing the code for scrutiny, makes me wonder how one could have assumed the app did what it said on the tin, except by blindly trusting the govt.
Which, personally, I'm not a fan of. There is a reason the US federal govt is constrained by the 1st amendment, and not private corps. Govts are unique entities in our societies, with a monopoly on multiple forms of power, and their oversight should be held to a higher standard (again, IMO)
Fair point; I think we both probably agree that there was a lot of needless hysteria. However, the ability to decompile / reverse engineer the app itself was explicitly disallowed in the app ToS [1]:
“...You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”
exposing the software engineer / group that did it & published the analysis to significant harassment & risk.
One could argue that this was for data protection, but it reeks of security through obscurity, especially the way the clause is worded (including but not restricted to). Whatever the intentions, the initial roll-out was a disaster from the transparency / info-sec PoV IMO.
How would it put to rest when multiple govt agencies continuously leak private information? The data is still stored in the app. Only the source has been published now. It can be vetted for security but not the server code
sorry I meant a centralized server. Storing it in device is not a problem. But when they have already published private details (Aadhar) of millions of people without any sort of care, its really worrying
apparently on the darkweb, etc [1], among other leaks [2,3]. To be fair, the issue doesn't appear to be with the aadhaar database itself but the many agencies that use / store the data but do not protect it properly. Poor to non-existent data handling practices, limited understanding of privacy risks at the end user level..
Aadhaar has been transformational; but I hope we don't go down the path of the US SSN: one of the simplest vectors for massive identity theft in the US. I don't think we will, but it does appear that there are significant teething issues that could be better addressed if the powers that be were more willing to acknowledge shortcomings instead of saying the data is protected by 13 feet walls. [4]
Thanks for the links. I am aware about the leaks and understand that the loophole isn't exactly fixed. I was concerned that it's actually published on some site and can be readily accessed by anyone.
I really despise how the term "fake news" can now liberally be applied to any dialog that challenges the status quo. There are legitimate conversations that should happen around broad surveillance, shutting that down because some actors derail the topic with wild unsubstantiated claims is just wrong.
With such a huge signal/noise ratio for information these days it seems we are rapidly heading toward people not thinking for themselves and deferring to 'approved' sources of information. All the 'fake news' will be taken down, this will include dissent obviously.
I worry for the future.
People accept contact tracing and don't see how this is exactly what the Chinese govt. have been doing for a number of years, something we used to reject as authoritarian and against western ideals. It's astonishing what we have lost in such a small period of time.
Any policy made today will almost certainly be carried indefinitely forward, the the "new normal". Another term that horrifies and depresses me.
The privacy angle is a total distraction. The intent of these "exposure notification" apps is to tell you that you have been exposed. Six degrees from Kevin Bacon means everyone gets a notification, everyone lives in fear. Fear is the most powerful tool for control.
Even though I'm sure this won't be perfect, this is still something I hope other apps follow suit with. I currently use the Citizen app in NYC, but I'm not necessarily a fan of the contact tracing functionality they're rolling out. Open-sourcing it would (hopefully) ease some of my concerns... or maybe aggravate them if I saw some things I didn't like... but at least I'd know how my data is being used one way or the other.
It’s most likely automated. Not like a leader has to press the green button on that at that time! Nevertheless, there would be significant number of services in a country of billion people requiring 24X7 uptime!!
Unfortunately, until the server-side code is also open-sourced, it would impossible to say what anyone does with the data stored on a centralized server.
This is the first step toward making things transparent.
I think Android is the most important version - about 95% of mobiles are covered. So it is good they are doing that first. iOS is about 3-4% and KaiOS is just 1%, so I think if it takes some more time that's not a huge impact.
46 comments
[ 2.7 ms ] story [ 119 ms ] threadIf it's mandatory, it should definitely be open source. Hell, anything that is funded by taxpayer dollars should be open sourced.
What's more interesting, and rather disappointing, is that they are going to open source only the iOS and KaiOS version of the app [1]. I'll be honest, I had to lookup what KaiOS is. Why not Android?
[1] https://tech.hindustantimes.com/tech/news/aarogya-setu-s-and...
> The government today made the Android version of Aarogya Setu open source
The techcrunch link also said android version is being made opensource.
a) transparency into who the developers are, and what the terms of engagement are
b) even if they didn't / couldn't open source the code from the get go, a clear date and target of when they would do so
c) even before the app was launched, a single one page document of the architecture, the regulations governing data retention, etc (all were released post facto, after the "fake news" and "privacy noise").
Concerns about the govt collecting massive, potentially identifiable data on an individual level for an application that they originally mandated everyone had to use to travel, is not "fake news". Perhaps one may feel such concern was unwarranted (and I disagree there), but how is that "fake news"?
We may have differences of opinion on the level of trust one can have on govts, but I'm sure we can agree that transparency and visibility into such critical decisions is reasonable to demand and expect.
Nonetheless, this is the first step the government has taken. Let's hope continued pressure will result in audits and better protocols in the future.
I'm not the OP but from what I've heard there's a mix of genuine concerns and conspiracy theories about this (as often happens), and its quite hard for a layperson to understand what to believe. I read the OP as saying "finally, we get to see what's really happening and can thus determine if the concerns for data privacy are legitimate and put the conspiracy theories to rest"
0. https://www.nationalheraldindia.com/india/aarogya-setu-is-a-...
National herald is not an unbiased source; it's clearly anti-current incumbent govt, but the argument that people were criticizing without "technical analysis" when no data was provided nor were they (initially) open to even sharing the code for scrutiny, makes me wonder how one could have assumed the app did what it said on the tin, except by blindly trusting the govt.
Which, personally, I'm not a fan of. There is a reason the US federal govt is constrained by the 1st amendment, and not private corps. Govts are unique entities in our societies, with a monopoly on multiple forms of power, and their oversight should be held to a higher standard (again, IMO)
Note that I am not against criticism of the app. Privacy concerns are full valid and I also want the app to be open sourced in its entirety.
“...You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”
exposing the software engineer / group that did it & published the analysis to significant harassment & risk.
One could argue that this was for data protection, but it reeks of security through obscurity, especially the way the clause is worded (including but not restricted to). Whatever the intentions, the initial roll-out was a disaster from the transparency / info-sec PoV IMO.
[1] https://sflc.in/our-concerns-aarogya-setu-app
edit: added link to the Software Freedom Law Center India site with details on the clause prohibiting reverse engineering
There was no fake news. The topic was debated, discussed, in the public domain.
What's the issue with the data being stored in the app?
Aadhaar has been transformational; but I hope we don't go down the path of the US SSN: one of the simplest vectors for massive identity theft in the US. I don't think we will, but it does appear that there are significant teething issues that could be better addressed if the powers that be were more willing to acknowledge shortcomings instead of saying the data is protected by 13 feet walls. [4]
[1] https://www.moneylife.in/article/aadhaar-data-breach-largest...
[2] https://www.thehindu.com/sci-tech/technology/major-aadhaar-d...
[3] https://techcrunch.com/2019/01/31/aadhaar-data-leak/
[4] https://www.news18.com/news/india/aadhaar-data-protected-by-...
With such a huge signal/noise ratio for information these days it seems we are rapidly heading toward people not thinking for themselves and deferring to 'approved' sources of information. All the 'fake news' will be taken down, this will include dissent obviously.
I worry for the future.
People accept contact tracing and don't see how this is exactly what the Chinese govt. have been doing for a number of years, something we used to reject as authoritarian and against western ideals. It's astonishing what we have lost in such a small period of time.
Any policy made today will almost certainly be carried indefinitely forward, the the "new normal". Another term that horrifies and depresses me.
iOS repo will be open-sourced a week later[^1].
[^1]: https://twitter.com/SetuAarogya/status/1265281058532016128
Relevantly, a lot of developers and ops folks who need overlaps with US hours.
EDIT: and now the fork's gone too. :D
Did they accidentally publish and someone took a fork?
It also popped up in my GitHub search results as well:
https://twitter.com/Abhas9/status/1265337350755741698
https://www.nationalheraldindia.com/india/aarogya-setu-is-a-...
This is the first step toward making things transparent.