Amid concerns over privacy of data being collected by its coronavirus contact tracing app, the government on Tuesday said it was open sourcing Aarogya Setu — a long-standing demand by privacy and security experts.
The government has also launched a Bug Bounty programme wherein financial rewards will be given to security researchers for finding any vulnerability in the application or suggesting improvements to the source code.
With open sourcing, developers can look at the code of the application, suggest improvements and also use it to develop similar products.
“With the release of the source code in the public domain, we are looking to expanding collaboration and to leverage the expertise of top technical brains amongst the talented youth and citizens of our nation and to collectively build a robust and secure technology solution to help support the work of frontline health workers in fighting this pandemic together,” the government said.
While the source code for the Android version of the application will be available for review on GitHub, the iOS version of the application will be released as open source within the next two weeks, the Ministry of Electronics and IT said in a statement.
Almost 98% of the over 11.4 crore Aarogya Setu users are on the Android platform.
“...the step will have a positive impact on the privacy of Indian users. This will improve transparency on how the data is used, improve security by minimising bugs and empower experts to improve the app via public contributions,” said Udbhav Tiwari, Policy Adviser, Mozilla Corporation.
The bug bounty programme will be open to Indian and foreign nationals, but only Indians will be eligible for rewards offered under the scheme. Anyone who points out a security vulnerability in the app source code will be eligible for a reward of up to ₹3 lakh, and up to ₹1 lakh for pointing out a suggestion or improvement in the source code.
Aarogya Setu’s Bug Bounty Programme has been prepared with the goal of partnering with security researchers and the Indian developer community to test the security effectiveness of the app, enhance its security and build users’ trust, the government said.
Welcoming the move, Mishi Choudhary, technology lawyer, said, “The Government of India has an amazing policy on adoption of Open Source software that encourages formal adoption and use of open source software in government organisations. We will be verifying that all code is open source and global best practices are followed.”
She added that the government must also ensure that the mandatory nature of the app should be addressed. It should only be voluntary and not create classes of citizens based on their having an app or not.