India’s contact-tracing app is going open-source

India said it will publicly release the source code of its contact-tracing app, Aarogya Setu, to the relief of privacy and security experts who have been advocating for this ever since the app launched in early April.

Ministry of Electronics and Information Technology Secretary Ajay Prakash Sawhney made the announcement on Tuesday, dubbing the move “opening the heart” of the Aarogya Setu app to allow engineers to inspect and tinker with the code. The app has amassed over 114 million users in less than two months  — an unprecedented scale globally.

The source code of Aarogya Setu’s Android app will be published on GitHub at midnight Tuesday (local time), and code of iOS and KaiOS apps would be released in a “few weeks.” Nearly 98% of the app’s users are on the Android platform. Sawhney said the government will also offer cash prizes of up to $1,325 to security experts for identifying and reporting bugs and vulnerabilities. (Updated at 12:16am IST on May 27: The source code of Aarogya Setu’s Android app is now live.)

Several privacy and security advocates, as well as India’s opposition party, had urged the government to release the code of the app for public auditing after some alleged lapses in the app were found — which New Delhi dismissed as app features at the time.

Sawhney said today’s move should allay people’s concerns with the app. Earlier this month, Sawhney said the government was not open-sourcing Aarogya Setu, as it worried that it would overburden the team, mostly comprising volunteers, that is tasked to develop and maintain it.

The ministry said today that two-thirds of Aarogya Setu users had taken the self-assessment test to evaluate their risk of exposure. More than half a million Indians have been alerted to have made contact with someone who is likely ill with the disease, it said.

The app, which uses both Bluetooth and location data to function, has advised more than 900,000 users to quarantine themselves or get tested for the disease. Almost 24% of them have confirmed to be positive with COVID-19, the ministry said.

“Opening the source code to the developer community signifies our continuing commitment to the principles of transparency and collaboration,” the Ministry of Electronics and Information Technology said in a statement. “Aarogya Setu’s development has been a remarkable example of collaboration between government, industry, academia and citizens.”

Aarogya Setu, unlike the contact-tracing technology developed by smartphone vendors Apple and Google, stores certain data in a centralized server. Privacy experts, including researcher Baptiste Robert, had argued that this approach would result in leakage of sensitive details of several Indians if that server was ever compromised.

“Open-sourcing Aarogya Setu is a unique feat for India. No other government product anywhere in the world has been open-sourced at this scale,” said Amitabh Kant, chief executive of government-run think-tank NITI Aayog, in a press conference today.

New Delhi-based digital advocacy group Software Law and Freedom Centre (SFLC) said it welcomes India’s move to open- source the app. “We are happy that the government has at last agreed to do what we have been asking all long,” it said.

More than 145,300 coronavirus infections (with about 4,100 resultant deaths) have been reported in India to date.