codema.in
Wed 27 May 2020 12:20PM

Source code of Aarogyasetu App is now open for review and collaboration. We should publish our response to it.

Pirate Praveen

https://www.financialexpress.com/industry/technology/government-of-india-just-made-aarogya-setu-app-open-source-here-is-what-it-means/1971446/

It is better than it being proprietary, but Aarogya Setu's issues are much deeper.

For a network service that depends on a server for its normal operation, in addition to the client software used to connect to the server being Free Software, the server software which manages the data and access also needs to be Free Software and federated (allowing independently run servers to interoperate), for us to be truly able to enjoy the freedom to modify the software for our needs (remove features that are harmful to the users).

The main issue here is privacy and surveillance, which can't be fixed if everyone is connecting to a central server run by the govt. Without a legal framework for personal data protection like GDPR in Europe, we cannot effectively control access to our personal data by the govt and third parties.

It could still be useful to other countries; in that sense it is a good move, but for Indian citizens, the core issues remain.

Please share your thoughts. Who all can join an audio call tonight at 9 pm (we can have one more call later after we have a good draft statement)?

DRAFT STATEMENT, see https://cryptpad.fr/pad/#/2/pad/edit/HFduIwLMDBPARZTThUWZb3jt/ for initial discussions and https://pad.disroot.org/p/05-28-2020-arogyasetu for statement adapted by @piratekp

---

Source code for the Aarogya Setu Android app has been released and this is a statement regarding it from Indian Pirates (https://pirates.org.in).

Public Money, Public Code:

We have often asked why it is that software built using taxpayers' money is not released as free software. Governments often forget that they are here to make our lives easier and not to rule us, not to make our lives harder. The MLAs and MPs we elect are supposed to be lawmakers who need to make our lives easier rather than make laws that make our lives a living hell. The way Aarogya Setu was initially made mandatory needs to be seen in this context. So is an unplanned demonetisation or an unplanned lockdown with no regard to the livelihood of the citizens affected.

"Public money, public code" is a policy that aligns with Pirate politics. 167 issues and 86 pull requests have been added to the Android repository by the Free Software community as of 28-05-2020. This shows that the community is here to support a Free Software initiative by the government. However, whether the government is ready to utilise this support is yet to be seen.

Track record of this government:

Though publishing the source code is in the right direction, we are skeptical that this is a publicity stunt, knowing the track record of this government. All talk and no action. This government has wasted a lot of time in denial mode regarding COVID-19. Denial, minimization, blame, redefinition, violence, victimisation etc. are the patterns we find from this government[1]. We take this opportunity to remind everyone that this is not the expected behaviour in a democracy.

There are still unanswered questions regarding the motives and requirement for this app. Was this app built because of requirements from the National Institute of Epidemiology? Or the health ministry? Or was this built just to waste public money? Is the app of any use in reducing COVID-19 spread? What about the population that does not have a smartphone?[2]

Privacy, Technical notes and Next Steps:

Even though the Android code is published, the server code isn't released yet. This brings about ambiguity regarding our data collected in the name of this pandemic crisis. There is not yet a clear process regarding access control to our data. Who has access, and whether access is audited or logged, is not clear. There is also no clarity on when the data will be deleted after the pandemic is under control[3].

Since this is an early stage to give a detailed response, we will come back with a detailed statement when someone can independently audit the source code to verify the claims made by the government about what data is shared by the app with the government. We will also need to verify that the source code released is really the same source code used to build the app distributed via Google's Play Store. The code published now has no reproducible build[4][5] option, meaning we have to blindly trust the government, as we cannot verify if the same code is used for the Play Store version.


ref:

    1. https://www.youtube.com/watch?v=mm86rAW1Bw8 (or https://yewtu.be/watch?v=mm86rAW1Bw8 for better privacy)

    2. https://www.statista.com/statistics/257048/smartphone-user-penetration-in-india/

    3. https://github.com/nic-delhi/AarogyaSetu_Android/issues/3

    4. https://core.telegram.org/reproducible-builds

    5. https://reproducible-builds.org/

Pirate Praveen Mon 1 Jun 2020 8:06PM

On second thoughts, let's publish this now, as a follow-up statement can also delay things more. If you change your vote, then we can publish.

Pirate Bady Mon 1 Jun 2020 8:12PM

I've clarified my stance.

Akshay Tue 2 Jun 2020 3:09AM

This panel isn't wrong per se. Although we may not know everything about this particular virus, we know that viruses can spread from B to C even before B is symptomatic.

There is some context to be laid though.

The kind of "staying one step ahead" described here can only happen if B gets tested, gets detected positive, that information is stored in the database, and then disseminated to people who have had contact with B (including C) and C understands what is asked of them and quarantines themselves.

So, the things that need to happen on the ground are

  • people should get themselves tested early

  • people should be given tests even with just a couple of symptoms for a day

  • tests should rapidly return results and be accurately tagged to the individual that tested positive (and their ID in the surveillance system)

  • the contact tracing solution should be able to pick up the real contacts. (Remember what the Kerala government used to do: it published roadmap, timings, flight number, etc. and considered whoever could have come in contact to be careful. That's the kind of work that contact tracing apps should help in.) If there are too many false positives, people lose trust in the app quickly. If there are too many false negatives, we are putting people in great danger by giving a false sense of security.

  • contacts notified through the app should be able to trust the notification given and self-quarantine themselves (or get tested)

All of this should happen in India.

Pirate Praveen Tue 2 Jun 2020 9:44AM

Thanks, we can publish it now. I have included your suggestions.

Pirate Praveen Tue 2 Jun 2020 9:45AM

Thanks for the detailed response. We can include all of these in the follow-up statement.

Pirate Bady Tue 2 Jun 2020 3:58PM