Governments across the world have been working to deploy contact tracing apps in order to curb the spread of Covid-19. But many experts have raised concerns about how such applications can potentially breach the privacy of citizens. Privacy concerns could be real, and personal data collection could be problematic. This may prevent a lot of people from installing them.
So, while governments are not going to stop their efforts to deploy such applications, there are proposals to make contact tracing apps open-source. Some countries have already done that as a way to reassure the public that data is not being mishandled.
For example, countries such as Singapore have actually moved away from centralised systems to more open and decentralised systems to maintain the privacy of citizens. The contact tracing software, which is open-source, can be verified by citizens.
In Singapore, the government has released the protocol reference documents and a reference implementation for apps such as TraceTogether, which, similar to Aarogya Setu, is based on a Bluetooth protocol. Singapore's TraceTogether app is available on GitHub under the GPL-3.0 open-source licence.
As part of the innovation, a digital contact tracing protocol, BlueTrace, was developed, with an open-source reference implementation, OpenTrace. It has since been considered for adoption by many other countries, including New Zealand and Australia.
Making Aarogya Setu Open-Source
So, should the Indian government also follow this route and make Aarogya Setu open-source? Experts say this can help maintain privacy and provide transparency about the code and how data is being used.
According to media reports, the government may also soon do that. Arnab Kumar, programme director, Niti Aayog, said in a media report that the government is looking to make it open-source.
Being open-source can bring to light many vulnerabilities in the code. Even though the app is not open-source, Elliot Alderson, an ethical hacker on Twitter, claimed he had revealed a security issue with Aarogya Setu, saying the data privacy of 90 million Indians was at stake.
The developers behind Aarogya Setu thanked the ethical hacker for engaging with the team. Now, imagine thousands of researchers and developers working on the application to ensure that millions of data records belonging to Indian citizens remain secure. That could only happen if the application were made open-source.
Benefits Of Open-Source In The Context Of Contact Tracing
There have been times when security flaws or vulnerabilities have been found across contact tracing applications. If a contact tracing application like Aarogya Setu is made open-source, this may be a step towards ensuring the application does not misuse data, as well as bringing extra eyeballs from thousands of developers, technology companies and privacy activists.
One of the other benefits of open-source is that it gives way to a decentralised design, allowing for a cooperative framework where multiple entities can contribute to the software and fix its vulnerabilities. It also ensures that malicious entities do not misuse the software, find a way to gain access to data, or build a backdoor via the application. This way, open-source security researchers and bug bounty hunters can test the application to discover and report all bugs and vulnerabilities.
Being open-source also helps in bringing in more innovation cycles and closing the gaps in software more quickly. As the software and systems are open-source, they can be audited by multiple parties, making the code more robust and maintaining transparency. This is something that the Indian government can implement with its contact tracing application.
Open-source platforms like GitHub make it easier to report vulnerabilities and have the right patches made quickly. In fact, with new features on GitHub, the platform makes it easier to keep track of vulnerabilities and automate patching. Open-source would also help build the right standards and technical specifications for contact tracing applications.