Source code of Aarogyasetu App is now open for review and collaboration. We should publish our response to it.
Pirate Praveen
Public
Seen by 66
It is better than it being proprietary, but Aarogya Sethu's issues are much deeper.
For a network service that depends on a server for its normal operation, in addition to client software used to connect to the server being Free Software, we need server software which manages the data and access also need to be Free Software and federated (allow independently run servers to interoperate), to be truly able to enjoy the freedom to modify the software for our needs (remove features that are harmful to the users).
The main issue here is privacy and surveillance which can't be fixed if everyone is connecting to central server run by the govt. Without a legal framework for personal data protection like GDPR in Europe, we cannot effectively control access to our personal data by govt and third parties.
It could still be useful to other countries, in that sense it is a good move, but for Indian citizens, the core issues remain.
Please share your thoughts. Who all can join an audio call tonight at 9 pm (we can have one more call later after we have a good draft statement)?
DRAFT STATEMENT, see https://cryptpad.fr/pad/#/2/pad/edit/HFduIwLMDBPARZTThUWZb3jt/ for initial discussions and https://pad.disroot.org/p/05-28-2020-arogyasetu for statement adapted by @piratekp
---
Source code for Arogya setu android app has been released and this is a statement regarding it from Indian Pirates (https://pirates.org.in).
Public Money, Public Code:
We have often asked why is it that software built using tax payer's money not released as free software? Governments often forget that they are here to make our life easier and not to rule us, not to make our lives harder. The MLAs and MPs we elect are supposed to be lawmakers who need to make our lives easier rather than make laws that make our lives a living hell. The way aarogya setu was initially made mandatory needs to be seen in this context. So is an unplanned demonitisation or an unplanned lockdown with no regard to the livelihood of the citizens affected.
"Public money, public code" is a policy that aligns with Pirate politics. 167 issues and 86 pull requests have been added to the android repository by the Free Software community as of 28-05-2020. This shows that the community is here to support a Free Software initiative by the government. However if the government is ready to utilise this support is yet to be seen.
Track record of this government:
Though publishing the source code is in the right direction, we are skeptical that this is a publicity stunt, knowing the track record of this government. All talk and no action. This government has wasted a lot of time in denial mode regarding covid-19. Denial, minimization, blame, redefinition, violence, victimisation etc are the patterns we find from this government[1]. We take this opportunity to remind that this is not the expected behaviour in a democracy.
There is still unanswered questions regarding motives and requirement for this app. Was this app built because of requirements from National Institute of Epidemiology? or the health ministry? or was this built just to waste public money?. Is the app any useful in reducing covid-19 spread? What about the population that do not have a smartphone?[2]
Privacy, Technical notes and Next Steps:
Even though the android code is published, the server code isn't released yet. This brings about ambiguity regarding our data collected in the name of this pandemic crisis. There is no yet clear process regarding access control to our data. Who has access, is access audited or logged is not clear. There is also no clarity on when will the data be deleted after the pandemic is under control[3].
Since this is an early stage to give a detailed response, we will come back with a detailed statement when someone can independently audit the source code to verify the claims made by the government about what data is shared by the app with the government. We will also need to verify the source code released is really the same source code used to build the app distributed via Google's play store. The code published now has no reproducible build[4][5] option, meaning, we have to blindly trust the government, as we cannot verify if the same code is used for play store version.
ref:
1. https://www.youtube.com/watch?v=mm86rAW1Bw8 (or https://yewtu.be/watch?v=mm86rAW1Bw8 for better privacy)
2. https://www.statista.com/statistics/257048/smartphone-user-penetration-in-india/
3. https://github.com/nic-delhi/AarogyaSetu_Android/issues/3
Pirate Bady
Mon 1 Jun 2020 8:10PM
consider changing the part "was this built just to waste public money" to the following:
"There is yet to be seen any evidence that the initiative came from NIE, or the ministry of health or the NDMA. In case of such ambiguity, we speculate that the initiative could have been from a certain think-tank who wants to put their stack in every industry possible. In that case isn't it a wastage of public money to build something which none of these ministries has requested for?"
Pirate Bady Sun 31 May 2020 8:58PM
IMHO it'd be better to start the statement with a positive note. even if the govt is only doing their duty by publishing the source code, i suggest that we should appreciate the move and encourage to keep following this path. anyway that's optional and i won't insist much on it.
my main issue is with the questions raised in the 'Track record of this government' section. for eg. consider the following question:
was this built just to waste public money?
this sounds more like mudslinging. we already see that a lot in the current politics, but that's not something we should be promoting. so i suggest to remove this question. if we can show that this app is not useful with the help of enough evidences then a better approach will be explaining it with the help of references.
Was this app built because of requirements from National Institute of Epidemiology? or the health ministry?
what are we actually trying to question here? it's ambiguous, so pls elaborate this question.
Is the app any useful in reducing covid-19 spread?
they already claim that arogya setu keeps you safe and you can find it here at https://www.aarogyasetu.gov.in. so there's no point in asking the same again. what we need instead is to ask for a quantitative analysis of the usefulness of this app and the the mathematical model that is used for the same. without transparency in the model there's no way we can verify the claims made by the govt. so i suggest to rephrase this question as follows:
How helpful is the Arogya Setu app in reducing COVID-19 spread? How is the usefulness of this app measured quantitatively and what mathematical model is followed for the same?
What about the population that do not have a smartphone?
we don't have to take 'all or nothing' approach here, even if we don't mean that this may sound like it. better add the following to it:
Are there any extra measures taken to ensure their protection?
167 issues and 86 pull requests have been added to the android repository by the Free Software community as of 28-05-2020
for additional impact i suggest to add the following to it:
i.e. within 48 hours since the source has been published.
Pirate Praveen Mon 1 Jun 2020 10:45AM
I have modified the proposal with your inputs, please check if you are comfortable now.
Pirate Bady Mon 1 Jun 2020 8:03PM
thanks. but the question "was this built just to waste public money" is still there as it is. i suggest to add @piratekp's explanation for this question to the statement.
i.e. replace the following:
Was this app built because of requirements from National Institute of Epidemiology? or the health ministry? or was this built just to waste public money?.
with this:
There is yet to be seen any evidence that the initiative came from NIE, or the ministry of health or the NDMA. In case of such ambiguity, we speculate that the initiative could have been from a certain think-tank who wants to put their stack in every industry possible. In that case isn't it a wastage of public money to build something which none of these ministries has requested for?
Pirate Bady Sun 31 May 2020 9:15PM
the second reference link in the statement, i.e. https://www.statista.com/statistics/257048/smartphone-user-penetration-in-india, is asking to sign up for premium account to view the statistics.
pirate king Mon 1 Jun 2020 5:21AM
@Pirate Bady The statements you have objections have been in the draft as place holders:
https://pad.disroot.org/p/05-28-2020-arogyasetu/timeslider#1830
Context: Just because there is a claim on arogya setu site that it keeps you safe, doesn't mean its right. I haven't seen any hard evidence that a tracing app can keep you safe. Agenda has always been to give examples of Korea and Singapore to highlight the effectiveness of a tracing app. But unfortunately, that doesn't prove that a tracing app is effective.
The initiative for arogya setu app has to be questioned. This is because there is yet to be seen any evidence that the initiative came from NIE, or the ministry of health or the NDMA. In case of such ambiguity, I speculate that the initiative could have been from a certain thinktank who wants to put their stack in every industry possible. In that case, does it make sense to waste public money to build something which none of these ministries has requested for? Isn't it valid to ask why this was built? And regarding how this initiative was pushed down people's throat with no regard to livelihood is criminal.
There is a lot of ambiguity and doubts around this initiative and as a politically aligned organisation, isn't it, our responsibility to put out these questions in the open to be answered. If these questions are not asked, is anyone liable or willing to answer them? We have also mentioned that when there is more clarity, we would come out with a detailed statement. This current statement is about the current situation and lack of clarity that we are in.
Regarding opening with a positive note. IMO there is nothing to be positive about this, yet we have lauded publishing the code and we have stated the facts as it is about speculation regarding if the govt will accept merge requests and support or not.
@Akshay had kind of confirmed the case behind this in his tweets that there is not much hope in this direction.
Pirate Praveen Mon 1 Jun 2020 10:50AM
Thanks for the clarifications. I have made some changes, see if you are okay with it. Also since we did not publish an early statement, I think we can include recommendation for choosing DP-3T protocol which preserves privacy by storing only anonymous data in the server and already accepted by Switzerland, Germany and Italy. https://codema.in/d/vhoA0lCM/aarogya-setu-app-is-released-as-free-software-we-should-respond-to-this-with-a-statement/33
Pirate Praveen Mon 1 Jun 2020 2:42PM
https://ncase.me/contact-tracing/panels/panel0002.png?v=4 explains the need for a contact tracing app. @Akshay can you validate this?
Pirate Bady Mon 1 Jun 2020 7:51PM
@piratekp i agree with everything you said. i'm not against the content of the questions, my issue is with the way they're phrased. i understand that those questions were actually placeholders and i'm only asking to improve on them. improve the tone and add more context. i'm okay with how @Pirate Praveen has incorporated the changes.
Pirate Praveen · Sun 31 May 2020 7:16PM
I have reopened the proposal since @Pirate Bady objected to some part of it.