
India’s contact tracing app is going open source - jmsflknr
https://techcrunch.com/2020/05/26/aarogya-setu-india-source-code-release/
======
FlyingSnake
For those who're looking for the source code, the repository will be live
tonight at 12:00 IST and will be available at:
[https://github.com/nic-delhi/AarogyaSetu_Android](https://github.com/nic-delhi/AarogyaSetu_Android).

iOS repo will be open-sourced a week later[^1].

[^1]:
[https://twitter.com/SetuAarogya/status/1265281058532016128](https://twitter.com/SetuAarogya/status/1265281058532016128)

~~~
econcon
Who works at 12:00 IST in India?

~~~
thawaway1837
A lot of people?

Relevantly, a lot of developers and ops folks who need overlaps with US hours.

------
codegladiator
Wow I never expected this from Indian Govt irrespective of the political
party. And bounty on top of that for security issues is definitely next level.

~~~
bitxbitxbitcoin
Likewise - this is welcome news.

If it's mandatory, it should definitely be open source. Hell, anything that is
funded by taxpayer dollars should be open sourced.

------
carterklein13
Even though I'm sure this won't be perfect, this is still something I hope
other apps follow suit with. I currently use the Citizen app in NYC, but I'm
not necessarily a fan of the contact tracing functionality they're rolling
out. Open-sourcing it would (hopefully) ease some of my concerns... or maybe
aggravate them if I saw some things I didn't like... but at least I'd know how
my data is being used one way or the other.

------
Thaxll
In a similar topic there is a reference server by Google:
[https://github.com/google/exposure-notifications-server](https://github.com/google/exposure-notifications-server)

------
sseth
I think Android is the most important version - about 95% of mobiles are
covered. So it is good they are doing that first. iOS is about 3-4% and KaiOS
is just 1%, so I think if it takes some more time that's not a huge impact.

------
BrandoElFollito
The French one is open source as well. There will also be a public bug bounty
soon.

------
Recursing
GitHub repositories of the Italian ones:
[https://github.com/immuni-app](https://github.com/immuni-app)

------
guiltygods
Finally it would put to rest all the fake news about big brother surveillance
and privacy noise that was around this app.

~~~
moh_maya
No, what would have put all the legitimate concerns to rest would have been:

a) transparency into who the developers are, and what the terms of engagement
are

b) even if they didn't / couldn't open source the code from the get go, a
clear date and target of when they would do so

c) even before the app was launched, a single one page document of the
architecture, the regulations governing data retention, etc (all were released
post facto, after the "fake news" and "privacy noise").

Concerns about the govt collecting massive, potentially identifiable data on
an individual level for an application that they originally mandated everyone
had to use to travel, is not "fake news". Perhaps one may feel such concern
was unwarranted (and I disagree there), but how is that "fake news"?

We may have differences of opinion on the level of trust one can have on
govts, but I'm sure we can agree that transparency and visibility into such
critical decisions is reasonable to demand and expect.

~~~
sbmthakur
Like every other thing, even this was politicized in India. There are people
terming the app as a "surveillance app" without a proper technical
analysis[0].

[0] [https://www.nationalheraldindia.com/india/aarogya-setu-is-a-...](https://www.nationalheraldindia.com/india/aarogya-setu-is-a-surveillance-app-will-not-help-those-who-are-most-vulnerable-to-covid-19)

~~~
moh_maya
How does one do proper "technical analysis" without access to the code, or
knowing the architecture? None of those were available when the app was
released. Was the shrill noise over the top? IMO, perhaps; but that does not
detract from the fact that the application was just announced, with mandatory
use if you had to travel (now diluted to encouraged), without any
transparency.

National herald is not an unbiased source; it's clearly anti-current incumbent
govt, but the argument that people were criticizing without "technical
analysis" when no data was provided nor were they (initially) open to even
sharing the code for scrutiny, makes me wonder how one could have assumed the
app did what it said on the tin, except by blindly trusting the govt.

Which, personally, I'm not a fan of. There is a reason the US federal govt is
constrained by the 1st amendment, and not private corps. Govts are unique
entities in our societies, with a monopoly on multiple forms of power, and
their oversight should be held to a higher standard (again, IMO)

~~~
sbmthakur
Well, people have decompiled the Android app. I believe if someone wants to
term the app as a complete sham then they should at least do that.

Note that I am not against criticism of the app. Privacy concerns are fully
valid and I also want the app to be open sourced in its entirety.

~~~
moh_maya
Fair point; I think we both probably agree that there was a lot of needless
hysteria. However, the ability to decompile / reverse engineer the app itself
was explicitly disallowed in the app ToS [1]:

“...You agree that you will not tamper with, reverse-engineer or otherwise use
the App for any purpose for which it was not intended including, but not
limited to, accessing information about registered users stored in the App,
identifying or attempting to identify other registered users or gaining or
attempting to gain access to the cloud database of the Service.”

exposing the software engineer / group that did it & published the analysis to
significant harassment & risk.

One could argue that this was for data protection, but it reeks of security
through obscurity, especially the way the clause is worded (including but not
restricted to). Whatever the intentions, the initial roll-out was a disaster
from the transparency / info-sec PoV IMO.

[1] [https://sflc.in/our-concerns-aarogya-setu-app](https://sflc.in/our-concerns-aarogya-setu-app)

edit: added link to the Software Freedom Law Center India site with details on
the clause prohibiting reverse engineering

------
sbmthakur
A much-needed step. This will improve transparency and should put to rest wild
speculations going around about the app.

[https://www.nationalheraldindia.com/india/aarogya-setu-is-a-...](https://www.nationalheraldindia.com/india/aarogya-setu-is-a-surveillance-app-will-not-help-those-who-are-most-vulnerable-to-covid-19)

~~~
kosmischemusik
Unfortunately, until the server-side code is also open-sourced, it would be
impossible to say what anyone does with the data stored on a centralized
server.

This is the first step toward making things transparent.

~~~
sbmthakur
Yes. It's just the first step. Considering the downvotes to my comment, looks
like some people want the app to be completely closed-source.

------
plibither8
EDIT: My bad, didn't read correctly!

What's more interesting, and rather disappointing, is that they are going to
open source only the iOS and KaiOS version of the app [1]. I'll be honest, I
had to look up what KaiOS is. Why not Android?

[1] [https://tech.hindustantimes.com/tech/news/aarogya-setu-s-and...](https://tech.hindustantimes.com/tech/news/aarogya-setu-s-android-version-made-open-source-71590501535317.html)

~~~
jegs
All 3 versions are being open sourced. Says so in the article you linked.

