India Releases Back-End Code of Covid-Tracing App
New Delhi — The Indian government has released the back-end code of the country’s Covid-19 contact-tracing app to address concerns of privacy violation and data protection.
Experts claim it is not enough.
The app, Aarogya Setu, which requires the use of Bluetooth and GPS, was released on April 2. Developed through a public-private partnership by the National Informatics Centre in the Ministry of Electronics and Information Technology, the app records details of the registered user’s contacts and informs the user if any of the contacts has tested positive for Covid-19. If that is the case, “you are immediately informed and proactive medical intervention is arranged for you,” the app’s website states.
The Electronics Ministry released the “source code” on May 26 on Github. It also published a list of 72 contributors to the app, including academics, technology experts and private parties.
“The source code published in May didn’t resemble the then-existing Android version on the Play Store,” said Prasanna Venkadesh, president of the Free Software Foundation Tamil Nadu, a nonprofit formed in 2008 as a part of the Free Software Movement of India.
The back-end code, released on Nov 20, is now available on OpenForge, a government platform set up in 2015 to promote sharing and reuse of e-governance application source code.
“By opening the source code, the government wants to encourage collaborative development between government departments/agencies and private organizations, citizens and developers to spur the creation of innovative e-governance applications and services,” the Ministry of Electronics and Information Technology said in a press release.
Privacy advocates and tech experts say the government has released unrelated and inadequate information.
The back-end code, which stores data, is inaccessible to users; front-end code is what users interact with directly.
Prasanth Sugathan, legal director at the Software Freedom Law Center in New York, said the code that has been released allows users to download it, but not contribute to it, defeating the purpose of “open-sourcing.”
Neither the Ministry of Electronics and Technology nor the National e-Governance Division responded to email questions from Zenger News.
The government on April 29 made it compulsory for all its employees to download the app.
“Aarogya Setu is a simple, secure and powerful app which ensures that you and your family members are free from the danger of Covid-19,” tweeted Ravi Shankar Prasad, India’s minister for electronics and information technology.
Several private companies such as food-delivery apps Zomato and Swiggy have also made it compulsory for employees.
Some analysts and opposition political leaders have criticized the app, claiming inaccurate results, unwarranted collection of personal data, and violations of citizens’ right to privacy.
An ethical hacker from France, Elliot Alderson, in May claimed to have detected a security issue with the Aarogya Setu app and informed the Indian government about it. The government denied that the app had been hacked.
Rahul Gandhi, a senior leader of the opposition Indian National Congress party, also criticized the app.
“The Arogya Setu app is a sophisticated surveillance system, outsourced to a pvt [private] operator, with no institutional oversight — raising serious data security and privacy concerns,” he tweeted on May 2.
“The lack of transparency and access to the entire source code, involvement of private players, mandating the application, inaccuracy — there are a whole lot of issues that are troubling,” said Sugathan. “What private organizations do with the data is unclear. The government has laid down certain protocols, but who’s keeping a check anyway?
“In a country where there are data breaches every other day, how do you trust the security systems put in place by your employer? Also, what if volumes of health data are deliberately getting outsourced to an interested third-party, say an insurance company?”
India records 375 cyber attacks and detects 400,000 malware every day, National Cybersecurity Coordinator Rajesh Pant reported on Nov. 16.
Several activists have filed queries under India’s Right to Information (RTI) Act. In an application in August, activist Saurav Das requested information about the creation of the app. After receiving what he described as inadequate information, he approached the Central Information Commission (CIC), which oversees RTI applications.
In a hearing on Oct 26, the CIC summoned officers from the Ministry of Electronics and Information Technology, the e-Governance Division, and the National Informatics Centre and asked them to explain why they should not be penalized for obstructing access to information. They were supposed to provide answers by Nov. 24. Subsequent orders have not been made public.
India is one of 50 countries using a Covid-tracing app, according to the MIT Technology Review. Only 16 of the countries, including India, use location data.
India is also introducing a new law, the Personal Data Protection Bill, 2019, aimed at increasing security. The proposed law has not yet been ratified by parliament.
(Edited by Siddharthya Roy and Judith Isacoff)