codema.in
Wed 27 May 2020 12:20PM

Source code of Aarogyasetu App is now open for review and collaboration. We should publish our response to it.

Pirate Praveen

https://www.financialexpress.com/industry/technology/government-of-india-just-made-aarogya-setu-app-open-source-here-is-what-it-means/1971446/

It is better than it being proprietary, but Aarogya Setu's issues are much deeper.

For a network service that depends on a server for its normal operation, in addition to the client software used to connect to the server being Free Software, we need the server software which manages the data and access to also be Free Software and federated (allowing independently run servers to interoperate), to be truly able to enjoy the freedom to modify the software for our needs (remove features that are harmful to the users).

The main issue here is privacy and surveillance, which can't be fixed if everyone is connecting to a central server run by the govt. Without a legal framework for personal data protection like GDPR in Europe, we cannot effectively control access to our personal data by the govt and third parties.

It could still be useful to other countries; in that sense it is a good move, but for Indian citizens, the core issues remain.

Please share your thoughts. Who all can join an audio call tonight at 9 pm (we can have one more call later after we have a good draft statement)?

DRAFT STATEMENT, see https://cryptpad.fr/pad/#/2/pad/edit/HFduIwLMDBPARZTThUWZb3jt/ for initial discussions and https://pad.disroot.org/p/05-28-2020-arogyasetu for statement adapted by @piratekp

---

Source code for the Aarogya Setu Android app has been released and this is a statement regarding it from Indian Pirates (https://pirates.org.in).

Public Money, Public Code:

We have often asked: why is it that software built using taxpayers' money is not released as free software? Governments often forget that they are here to make our lives easier and not to rule us, not to make our lives harder. The MLAs and MPs we elect are supposed to be lawmakers who need to make our lives easier rather than make laws that make our lives a living hell. The way Aarogya Setu was initially made mandatory needs to be seen in this context. So is an unplanned demonetisation or an unplanned lockdown with no regard to the livelihood of the citizens affected.

"Public money, public code" is a policy that aligns with Pirate politics. 167 issues and 86 pull requests have been added to the Android repository by the Free Software community as of 28-05-2020. This shows that the community is here to support a Free Software initiative by the government. However, whether the government is ready to utilise this support is yet to be seen.

Track record of this government:

Though publishing the source code is in the right direction, we are skeptical that this is a publicity stunt, knowing the track record of this government. All talk and no action. This government has wasted a lot of time in denial mode regarding COVID-19. Denial, minimization, blame, redefinition, violence, victimisation etc. are the patterns we find from this government[1]. We take this opportunity to remind that this is not the expected behaviour in a democracy.

There are still unanswered questions regarding the motives and requirement for this app. Was this app built because of requirements from the National Institute of Epidemiology, or the health ministry, or was this built just to waste public money? Is the app of any use in reducing COVID-19 spread? What about the population that does not have a smartphone?[2]

Privacy, Technical notes and Next Steps:

Even though the Android code is published, the server code isn't released yet. This brings about ambiguity regarding our data collected in the name of this pandemic crisis. There is not yet a clear process regarding access control to our data. Who has access, and whether access is audited or logged, is not clear. There is also no clarity on when the data will be deleted after the pandemic is under control[3].

Since this is an early stage to give a detailed response, we will come back with a detailed statement when someone can independently audit the source code to verify the claims made by the government about what data is shared by the app with the government. We will also need to verify that the source code released is really the same source code used to build the app distributed via Google's Play Store. The code published now has no reproducible build[4][5] option, meaning we have to blindly trust the government, as we cannot verify if the same code is used for the Play Store version.


ref:

    1. https://www.youtube.com/watch?v=mm86rAW1Bw8 (or https://yewtu.be/watch?v=mm86rAW1Bw8 for better privacy)
    2. https://www.statista.com/statistics/257048/smartphone-user-penetration-in-india/
    3. https://github.com/nic-delhi/AarogyaSetu_Android/issues/3
    4. https://core.telegram.org/reproducible-builds
    5. https://reproducible-builds.org/

Pirate Praveen Wed 27 May 2020 12:23PM

We should use this opportunity to demand that all government-funded software be released as Free Software (similar to the demands of the Public Money, Public Code campaign by FSF Europe, https://publiccode.eu/openletter/; maybe even launch a publiccode.in campaign after talking to FSF Europe).

Pirate Praveen Wed 27 May 2020 3:13PM

We can use this pad to draft the statement https://cryptpad.fr/pad/#/2/pad/edit/HFduIwLMDBPARZTThUWZb3jt/ and use https://meet.fsci.in/AarogyaSetuSourceCodeRelease to discuss over audio.

Pirate Praveen Wed 27 May 2020 4:23PM

So we just concluded the call; about 15 people joined the call on such short notice. We collected important points we should highlight on the pad and want to make a first response tonight and a more comprehensive one later that covers contact tracing protocols without privacy violations.

Pirate Praveen Wed 27 May 2020 7:43PM

We should probably take only parts of it and focus on some aspect.

Poll Created Thu 28 May 2020 2:24PM

Publish this statement on Aarogya Setu App Source Code release on our website
Closed Tue 2 Jun 2020 9:42AM

Outcome
by Pirate Praveen Tue 2 Jun 2020 9:43AM

With all suggestions incorporated, we can publish it now.

Source code for the Aarogya Setu Android app has been released and this is a statement regarding it from Indian Pirates (https://pirates.org.in).

We appreciate the government in taking this small step in the right direction, but we want to emphasize that this falls short of what is expected from a government constitutionally bound to upholding rights of the people.

Public Money, Public Code:

We have often asked: why is it that software built using taxpayers' money is not released as free software? Governments often forget that they are here to make our lives easier and not to rule us, not to make our lives harder. The MLAs and MPs we elect are supposed to be lawmakers who need to make our lives easier rather than make laws that make our lives a living hell. The way Aarogya Setu was initially made mandatory needs to be seen in this context. So is an unplanned demonetisation or an unplanned lockdown with no regard to the livelihood of the citizens affected.

"Public money, public code" is a policy that aligns with Pirate politics. 167 issues and 86 pull requests have been added to the Android repository by the Free Software community as of 28-05-2020, i.e. within 48 hours since the source has been published. This shows that the community is here to support a Free Software initiative by the government. However, whether the government is ready to utilise this support is yet to be seen.

Track record of this government:

Though publishing the source code is in the right direction, we are skeptical that this is a publicity stunt, knowing the track record of this government. All talk and no action. This government has wasted a lot of time in denial mode regarding COVID-19. Denial, minimization, blame, redefinition, violence, victimisation etc. are the patterns we find from this government[1]. We take this opportunity to remind that this is not the expected behaviour in a democracy. We also want to remind people that it is the same government who argued in Supreme Court that there is no right to privacy, a claim later rejected by the Supreme Court in its landmark judgment Justice K.S. Puttaswamy (Retd.) v. Union of India.

There are still unanswered questions regarding the motives and requirement for this app. Any evidence that the initiative came from the National Institute of Epidemiology (NIE), or the ministry of health or the National Disaster Management Authority (NDMA) is yet to be seen. In case of such ambiguity, we speculate that the initiative could have been from a certain think-tank who wants to put their stack in every industry possible. In that case, isn't it a wastage of public money to build something which none of these institutions has requested? How helpful is the Aarogya Setu app in reducing COVID-19 spread? How is the usefulness of this app measured quantitatively and what mathematical model is followed for the same? What about the population that does not have a smartphone?[2] Are there any extra measures taken to ensure their protection?

Privacy, Technical notes and Next Steps:

Even though the Android code is published, the server code isn't released yet. This brings about ambiguity regarding our data collected in the name of this pandemic crisis. There is not yet a clear process regarding access control to our data. Who has access, and whether access is audited or logged, is not clear. There is also no clarity on when the data will be deleted after the pandemic is under control[3].

Since this is an early stage to give a detailed response, we will come back with a detailed statement when someone can independently audit the source code to verify the claims made by the government about what data is shared by the app with the government. We will also need to verify that the source code released is really the same source code used to build the app distributed via Google's Play Store. The code published now has no reproducible build[4][5] option, meaning we have to blindly trust the government, as we cannot verify if the same code is used for the Play Store version.


ref:

    1. https://www.youtube.com/watch?v=mm86rAW1Bw8 (or https://yewtu.be/watch?v=mm86rAW1Bw8 for better privacy)
    2. https://www.statista.com/statistics/257048/smartphone-user-penetration-in-india/
    3. https://github.com/nic-delhi/AarogyaSetu_Android/issues/3
    4. https://core.telegram.org/reproducible-builds
    5. https://reproducible-builds.org/

Edits:

June 1:

  1. Suggestion by @Pirate Bady to start with an appreciation, so added, "We appreciate the government in taking this small step in the right direction, but we want to emphasize that, this falls short of what is expected from a government committed to upholding constitutional rights of the people."

  2. @Pirate Praveen Added the following to Track record of this government, "We also want to remind people that it is the same government who argued in Supreme Court that there is no right to privacy, a claim later rejected by the Supreme Court in its landmark judgment Justice K.S. Puttaswamy (Retd.) v. Union of India."

  3. Suggestion by @Pirate Bady: Added following to Public Money, Public Code section "i.e. within 48 hours since the source has been published."

  4. Suggestion by @Pirate Bady: Replace "Is the app really useful" with "How helpful is the Aarogya Setu app in reducing COVID-19 spread? How is the usefulness of this app measured quantitatively and what mathematical model is followed for the same?"

  5. Suggestion by @Pirate Bady: Add "Are there any extra measures taken to ensure their protection?" to "What about the population that do not have a smartphone?"

  6. Clarifications from @piratekp: Added "The initiative could have been from a certain think tank who wants to put their stack in every industry possible" to "was this built just to waste public money?"

June 2:

  1. Suggestion by @Pirate Bady: Clarified unanswered sections part to "Any evidence that the initiative came from National Institute of Epidemiology (NIE), or the ministry of health or the National Disaster Management Authority (NDMA) is yet to be seen. In case of such ambiguity, we speculate that the initiative could have been from a certain think-tank who wants to put their stack in every industry possible. In that case isn't it a wastage of public money to build something which none of these institutions has requested for?"

Results

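| Option    | % of points | Voters | Voter initials |
|-----------|-------------|--------|----------------|
| Agree     | 100.0%      | 6      | HS TMB PV MJS PB PP |
| Abstain   | 0.0%        | 0      | |
| Disagree  | 0.0%        | 0      | |
| Block     | 0.0%        | 0      | |
| Undecided | 0%          | 163    | V DU AS MK SK NV BC FGP AR AK AG AKS RD J KAK SK S MKT NAJ PS |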

6 of 169 people have participated (3%)

Pirate Praveen
Agree
Thu 28 May 2020 2:27PM

We need one initial statement soon and a follow-up statement after someone audits the source code and we study different approaches to contact tracing.

michael john sinclair.
Agree
Thu 28 May 2020 3:46PM

Open source is the Pirate way^^ if it is possible.

Tanzeem Mohammad Basheer
Agree
Thu 28 May 2020 5:07PM

Need to push further to have GDPR-like laws in India.

Pirate Bady
Disagree
Sun 31 May 2020 9:07PM

Since there's a restriction on posting long comments on proposals, I've added my comment here.