India announced today, that it will be open sourcing ‘Aarogya Setu’, one of the first large scale contact tracing apps that was released to contain the spread of COVID-19. The announcement was made by Ajay Prakash Sawhney, secretary in the ministry of electronics and information technology on Tuesday.
The source code of the Android app will be released on GitHub at midnight tonight. There, engineers and programmers will be able to view the entire code of the app, and point out any security or privacy loopholes that they may find. In fact, Sawhney has said that the government is ready to offer cash prizes of up to $1,325 to security experts for identifying and reporting bugs and vulnerabilities in the code of Aarogya Setu.
Aarogya Setu’s twitter handle also posted a couple of pictures on Twitter, and explained that the iOS version of the application will be released as open source within the next two weeks and the server code will be released subsequently. However, seeing that 98% of the app’s users are on Android, the delay doesn’t hurt all that much.
— Aarogya Setu (@SetuAarogya) May 26, 2020
The Ministry said in a statement “Opening the source code to the developer community signifies our continuing commitment to the principles of transparency and collaboration. Aarogya Setu’s development has been a remarkable example of collaboration between Government, Industry, Academia and citizens”
The Ministry states that the app has over 114 million users as of 26th May. Out of the 114 million registered users, two thirds have taken the self assessment test to evaluate their risk of exposure to COVID 19. So far, the app has helped identify about 500,000 Bluetooth contacts. Those found at risk of infection, have been advised to quarantine themselves, caution and testing. So far, the app has alerted 900,000 such users. Among these 900,000 , 24% were found COVID 19 positive.
The app also helps in the identification of “hotspots”, which are areas that are at risk of high infection rates. So far, the app has identified 3,500 hotspots across the country at sub post office level.
“The precision achieved by this unique combination of Bluetooth based contact tracing and identification of hotspots may hold the key to effectively breaking the chain of infection, flattening the curve and saving lives,” the Ministry said. “With the release of the source code in the public domain, we are looking to expanding collaboration and to leverage the expertise of top technical brains amongst the talented youth and citizens of our nation”, the ministry added.
The app, which differs from the contact tracing tool launched by Google and Apple much later, was in the center of a slew of privacy related accusations. Unlike the technology proposed by Google and Apple, Aarogya Setu accessed not only bluetooth services of a device, but also the location of a user, and stored it in datacenters. Security experts like Robert Baptiste, who goes by the name of Elliot Alderson on Twitter, expressed grave concern over this, and asked the government to open source the application.