Statement on Aarogya Setu App Source Code release

June 2, 2020

Source code for Arogya setu android app has been released and this is a statement regarding it from Indian Pirates (https://pirates.org.in).

We appreciate the government in taking this small step in the right direction, but we want to emphasize that, this falls short of what is expected from a government constitutionally bound to upholding rights of the people.

Public Money, Public Code:

We have often asked why is it that software built using tax payer's money not released as free software? Governments often forget that they are here to make our life easier and not to rule us, not to make our lives harder. The MLAs and MPs we elect are supposed to be lawmakers who need to make our lives easier rather than make laws that make our lives a living hell. The way aarogya setu was initially made mandatory needs to be seen in this context. So is an unplanned demonitisation or an unplanned lockdown with no regard to the livelihood of the citizens affected.

"Public money, public code" is a policy that aligns with Pirate politics. 167 issues and 86 pull requests have been added to the android repository by the Free Software community as of 28-05-2020 i.e. within 48 hours since the source has been published. This shows that the community is here to support a Free Software initiative by the government. However if the government is ready to utilise this support is yet to be seen.

Track record of this government:

Though publishing the source code is in the right direction, we are skeptical that this is a publicity stunt, knowing the track record of this government. All talk and no action. This government has wasted a lot of time in denial mode regarding covid-19. Denial, minimization, blame, redefinition, violence, victimisation etc are the patterns we find from this government[1]. We take this opportunity to remind that this is not the expected behaviour in a democracy. We also want to remind people that it is the same government who argued in Supreme Court that there is no right to privacy, a claim later rejected by the Supreme Court in its landmark judgment Justice K.S. Puttaswamy (Retd.) v. Union of India.

There is still unanswered questions regarding motives and requirement for this app. Any evidence that the initiative came from National Institute of Epidemiology (NIE), or the ministry of health or the National Disaster Management Authority (NDMA is yet to be seen. In case of such ambiguity, we speculate that the initiative could have been from a certain think-tank who wants to put their stack in every industry possible. In that case isn't it a wastage of public money to build something which none of these institutions has requested for? How helpful is the Arogya Setu app in reducing COVID-19 spread? How is the usefulness of this app measured quantitatively and what mathematical model is followed for the same? What about the population that do not have a smartphone?[2] Are there any extra measures taken to ensure their protection?

Privacy, Technical notes and Next Steps:

Even though the android code is published, the server code isn't released yet. This brings about ambiguity regarding our data collected in the name of this pandemic crisis. There is no yet clear process regarding access control to our data. Who has access, is access audited or logged is not clear. There is also no clarity on when will the data be deleted after the pandemic is under control[3].

Since this is an early stage to give a detailed response, we will come back with a detailed statement when someone can independently audit the source code to verify the claims made by the government about what data is shared by the app with the government. We will also need to verify the source code released is really the same source code used to build the app distributed via Google's play store. The code published now has no reproducible build[4][5] option, meaning, we have to blindly trust the government, as we cannot verify if the same code is used for play store version.