Aarogya Setu not ‘open source’ in real sense, claim cybersecurity activists, say server code must be made public

On 26 May, NITI Aayog CEO Amitabh Kant announced in a press conference that the Aarogya Setu app would be made open-source from the midnight of 27 May. However, over two weeks on, some cybersecurity activists have questioned whether this has actually taken place, and have termed the government’s claim as half-truth.
The Union government has stated that it has released the source code for the COVID-19 contact tracing on GitHub , a source code sharing platform. As on 12 June, there were 134 pull requests to the code and 257 issues had been flagged on the platform. A pull request is recorded when a user on the platform downloads code from the repository.

However, Akshay Dinesh, a medical professional and coder, said that the source code that has been made public is on a separate repository from the one that has been used for the current version of the app.
Speaking with Firstpost , Dinesh said, “The government did not state that the code that it made public was a snapshot from a repository that was private. They did not give any reason for doing so either. In my opinion, this shows a complete lack of transparency. So, to call the Aarogya Setu app open source is a half-truth, and, in effect, a lie.”
He further noted, “The Android app’s source code has been put in the public domain, but the code of the website it loads within the app (web.swaraksha.gov.in/ncv19) is nowhere to be seen. Even a snapshot of the code has not been made available.”
The government’s decision to make the source code of the app came after sustained criticism from various quarters. One of these sources of criticism was a review by the  Masachusetts Institute of Technology (MIT), which gave the app only one out of five stars. The app was only given a positive rating on the point of ‘data destruction', while it failed to meet the MIT’s criteria on limitations on usage of data, minimisation of data, transparency and being voluntary in nature.
According to Anivar Aravind, a Bengaluru-based software engineer and public interest technologist, the announcement on making Aarogya Setu ‘open source’ appears to be an attempt to counter criticism from quarters such as the MIT. However, he, too, is not convinced by the government’s claims.
Speaking with Firstpost , Aravind said, “A major concern with Aarogya Setu is that it collects more information than perhaps any other such contact tracing app. In this context, for there to be actual transparency, the server code has to be made public, not just the client-side code. Until this happens, the government’s claims of having brought in transparency remain suspect. Open sourcing Aarogya Setu is not an act of charity, but is something that must be done according to existing policies.”
The policy that Aravind referred to was the Union Ministry of Communication and Information Technology’s ‘Policy on Adoption of Open Source Software for Government of India’,...