codema.in

Aarogya Setu app is released as Free Software, we should respond to this with a statement

Pirate Praveen (Public, seen by 104)

https://www.medianama.com/2020/05/223-aarogya-setu-code-open-sourced/

I'm proposing an audio call tonight at 9 pm to discuss the initial outline. Since it's short notice, you can share your inputs here if you are unable to join.

DRAFT STATEMENT, see https://cryptpad.fr/pad/#/2/pad/edit/HFduIwLMDBPARZTThUWZb3jt/ for discussions - mainly drafted by @Akshay with inputs from many.

---

Background:

In a country where there is a stated policy on adoption of Free Software (sometimes called open source), it is rather surprising that a public application supported, promoted, and partially mandated by the government was not Free Software from its very inception. While the server-side source code still remains undisclosed and several unresolved technical questions exist, including about the reproducibility of builds (to verify that the application distributed via Google's Play Store is really built from the published source code) and whether penetration testing is acceptable, we use the attention brought to transparency to raise larger issues about the Aarogya Setu application and the government's use of technology in handling the most dreadful pandemic of our times.

The respected CEO of NITI Aayog, Amitabh Kant, during the press conference on 26th May stated that "transparency, privacy, and security" were the core design principles of Aarogya Setu. As a group of people who build software in various domains that respect these very same principles among others, we find Aarogya Setu lacking in all these three principles, despite the claims by the government on the contrary.

Privacy:

The application is described as "privacy-first by design". Without a legal framework for personal data protection like the GDPR in Europe, there is no mechanism through which a citizen can upload data to a centralized server and be assured that the data will be handled as explained by the developers. Would there be legal recourse available to them if it turns out that the data was eventually handled in a different way than what was explained when it was uploaded, for example being made accessible to third parties? We find it problematic that everyone's data is connected to a centralized server run by the government, thus leaving every citizen vulnerable to government surveillance. We are forced to question whether such large-scale surveillance is justified considering the narrow utility of the application.

Transparency:

On the matter of transparency, there are uncertainties regarding the origin, design, running, and continued updating of the platform. It is widely known that various private companies are involved in the development of the platform. Complete transparency would entail disclosure of the extent of such involvement, the processes followed in such public-private collaboration, including disclosure of tenders or contracts given to private companies for the work they contributed to the app, the guarantees available to the public about strict separation of data from the hands of private collaborators, and also details on procedures which allow more stakeholders, including civil society and rights activists, to shape the further development of the platform.

Privacy vs Released Source Code:

Public forums and mainstream media seem to think releasing source code alone brings transparency; rather, it gives a very *false sense of transparency*. Releasing source code alone doesn't guarantee transparency, especially when a server side is involved.

  • What is the guarantee that the server is running the released source code (if available)?

  • What is the guarantee that the raw data is not processed by undisclosed tools?

These questions can be answered only when we don't have to blindly trust the government and instead the claims can be independently verified by third parties by running the source code on independent servers (a decentralized/federated design instead of the centralized server in the case of Aarogya Setu). In principle, auditing by independent third parties can improve trust in the system, but in practice who is really independent enough to audit the government?

Security:

In the security world, no organization, no matter how advanced, usually proclaims its product or platform to be "secure" while it still hasn't withstood the test of time. It is understandable that the government would want to give the public confidence in using the application, but we feel responsible to point out that it is reasonable to assume that an application hastily built during a pandemic is rife with security blunders that are waiting to be discovered. Only time will tell how many security vulnerabilities get discovered on the platform and how much damage such vulnerabilities would cause to our citizens.

On an entirely different level, the application is already giving a dangerously large number of citizens a false sense of "security" whereby they feel safe and go about misinterpreting the green indicator given by the application. It is necessary that the pandemic, which is a global public health crisis, be treated as such and that the response to it be led by time-tested public health measures rather than untested and unproven technologies.

Next Step:

We are evaluating alternate apps and protocols used across the world right now and will come up with a follow up statement later with our recommendations.

Syam G Krishnan Wed 27 May 2020 2:13PM

Link to src:
https://github.com/nic-delhi/AarogyaSetu_Android/

I would like to join the call, where is it happening?

Pirate Praveen Wed 27 May 2020 3:13PM

We can use this pad to draft the statement https://cryptpad.fr/pad/#/2/pad/edit/HFduIwLMDBPARZTThUWZb3jt/ and use https://meet.fsci.in/AarogyaSetuSourceCodeRelease to discuss over audio.

Pirate Praveen Wed 27 May 2020 4:23PM

So we just concluded the call; about 15 people joined on such short notice. We collected important points we should highlight on the pad and want to make a first response tonight and a more comprehensive one later that covers contact tracing protocols without privacy violations.

Poll Created Thu 28 May 2020 5:34PM

Publish this statement on Aarogya Setu source code release under Apache License Closed Sun 31 May 2020 6:00PM

Outcome
by Pirate Praveen Mon 1 Jun 2020 9:46AM

Background:

In a country where there is a stated policy on adoption of Free Software (sometimes called open source), it is rather surprising that a public application supported, promoted, and partially mandated by the government was not Free Software from its very inception. While the server-side source code still remains undisclosed and several unresolved technical questions exist, including about the reproducibility of builds (to verify that the application distributed via Google's Play Store is really built from the published source code) and whether penetration testing is acceptable, we use the attention brought to transparency to raise larger issues about the Aarogya Setu application and the government's use of technology in handling the most dreadful pandemic of our times.

The respected CEO of NITI Aayog, Amitabh Kant, during the press conference on 26th May stated that "transparency, privacy, and security" were the core design principles of Aarogya Setu. As a group of people who build software in various domains that respect these very same principles among others, we find Aarogya Setu lacking in all these three principles, despite the claims by the government on the contrary.

Privacy:

The application is described as "privacy-first by design". Without a legal framework for personal data protection like the GDPR in Europe, there is no mechanism through which a citizen can upload data to a centralized server and be assured that the data will be handled as explained by the developers. Would there be legal recourse available to them if it turns out that the data was eventually handled in a different way than what was explained when it was uploaded, for example being made accessible to third parties? We find it problematic that everyone's data is connected to a centralized server run by the government, thus leaving every citizen vulnerable to government surveillance. We are forced to question whether such large-scale surveillance is justified considering the narrow utility of the application.

Transparency:

On the matter of transparency, there are uncertainties regarding the origin, design, running, and continued updating of the platform. It is widely known that various private companies are involved in the development of the platform. Complete transparency would entail disclosure of the extent of such involvement, the processes followed in such public-private collaboration, including disclosure of tenders or contracts given to private companies for the work they contributed to the app, the guarantees available to the public about strict separation of data from the hands of private collaborators, and also details on procedures which allow more stakeholders, including civil society and rights activists, to shape the further development of the platform.

Privacy vs Released Source Code:

Public forums and mainstream media seem to think releasing source code alone brings transparency; rather, it gives a very *false sense of transparency*. Releasing source code alone doesn't guarantee transparency, especially when a server side is involved.

  • What is the guarantee that the server is running the released source code (if available)?

  • What is the guarantee that the raw data is not processed by undisclosed tools?

These questions can be answered only when we don't have to blindly trust the government and instead the claims can be independently verified by third parties by running the source code on independent servers (a decentralized/federated design instead of the centralized server in the case of Aarogya Setu). Since it is a centralized service by design, we also call for an independent security and source audit of the application running on the government servers to be sure.

Security:

In the security world, no organization, no matter how advanced, usually proclaims its product or platform to be "secure" while it still hasn't withstood the test of time. It is understandable that the government would want to give the public confidence in using the application, but we feel responsible to point out that it is reasonable to assume that an application hastily built during a pandemic is rife with security blunders that are waiting to be discovered. Only time will tell how many security vulnerabilities get discovered on the platform and how much damage such vulnerabilities would cause to our citizens.

On an entirely different level, the application is already giving a dangerously large number of citizens a false sense of "security" whereby they feel safe and go about misinterpreting the green indicator given by the application. It is necessary that the pandemic, which is a global public health crisis, be treated as such and that the response to it be led by time-tested public health measures rather than untested and unproven technologies.

Next Step:

We are evaluating alternate apps and protocols used across the world right now and will come up with a follow up statement later with our recommendations.

Corrections:

  1. Questions in Privacy vs Released Source Code section rephrased, thanks to @Gokul Das B

  2. Added "Since it is a centralized service by design, we also call for independent security and source audit of application running on the government servers to be sure." to Privacy vs Released Source Code section requested by @Akhil

Results

Option      % of points   Voters
Agree       100.0%        8     M, A, SK, K, PP, A, GDB, DU
Abstain     0.0%          0
Disagree    0.0%          0
Block       0.0%          0
Undecided   0%            195   AP, DU, V, RD, VT, DU, S, AS, MK, J, NV, BC, P, AKS, RD, SK, S, MKT, NAJ, PS

8 of 203 people have participated (3%)
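The Background section of the statement (both the draft in the opening post and the published version above) raises the question of reproducible builds: whether the APK distributed through Google's Play Store is really built from the published source. The script below is an added illustration by the editor, not code from this thread or from the Aarogya Setu project. It does what reproducible-build verifiers do in their first pass: compare every entry of a store APK against a local build of the published source, ignoring the APK v1 signature files that only the signed store copy carries. The two APKs it examines are constructed in-memory zip files with placeholder entry names and contents, not real Aarogya Setu builds.

```python
"""Compare a store-distributed APK with a local build, ignoring signing metadata.

Added example; the APKs below are constructed stand-ins, not real builds.
"""
import hashlib
import io
import zipfile


def is_signature_entry(name: str) -> bool:
    """APK v1 (JAR) signature files, present only in the signed store copy.

    v2/v3 signatures live in the APK Signing Block outside the zip entries, so
    zipfile never lists them and they cannot show up as differences here.
    """
    if not name.startswith("META-INF/"):
        return False
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or upper.endswith((".SF", ".RSA", ".DSA", ".EC"))


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature file entry of the APK to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk: bytes, local_apk: bytes) -> dict:
    """Report entries that differ, or exist on only one side, between two APKs."""
    store, local = entry_digests(store_apk), entry_digests(local_apk)
    differing = sorted(n for n in store.keys() & local.keys() if store[n] != local[n])
    only_store = sorted(store.keys() - local.keys())
    only_local = sorted(local.keys() - store.keys())
    return {
        "reproducible": not (differing or only_store or only_local),
        "differing": differing,
        "only_in_store": only_store,
        "only_in_local": only_local,
    }


def build_apk(entries: dict) -> bytes:
    """Constructed sample: a zip with the given entries, standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Placeholder contents of an unsigned build from the published source (constructed).
LOCAL_BUILD = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}
# v1 signature files that a store-signed copy carries in addition (constructed).
SIGNATURE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82\x00\x00",  # placeholder for a DER blob
}


def demo():
    """Honest store copy: same code, signed. Tampered copy: classes.dex differs."""
    local = build_apk(LOCAL_BUILD)
    honest_store = build_apk({**LOCAL_BUILD, **SIGNATURE_FILES})
    tampered_store = build_apk(
        {**LOCAL_BUILD, "classes.dex": b"dex\n035\x00" + b"\x01" * 32, **SIGNATURE_FILES}
    )
    return compare_apks(honest_store, local), compare_apks(tampered_store, local)


if __name__ == "__main__":
    honest, tampered = demo()
    print("honest store copy reproducible:", honest["reproducible"])
    print("tampered store copy, differing entries:", tampered["differing"])
```

A clean result only shows that the store binary and the local build agree on every non-signature entry; for that to mean anything, the local build must itself come from the published source with a pinned toolchain, and any remaining difference should be inspected (for example with diffoscope) rather than assumed benign. Because v2/v3 signatures are not zip entries, this check also says nothing about who signed the store copy; that is a separate question from whether its contents match the source.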

Pirate Praveen
Agree
Thu 28 May 2020 5:36PM

We should get this initial statement out soon and prepare a detailed one after studying alternate protocols and app designs

Deleted User
Agree
Thu 28 May 2020 5:43PM

Is it possible to suggest disclosing tenders or contracts given to private companies for the work they contributed in the app? This can go in the transparency section. It already mentions disclosure of process followed in the collaboration.

Will it be possible to send this as a mail to various media organizations?

Akhil
Agree
Thu 28 May 2020 6:47PM

The line "These questions can be answered only when we don't have to blindly trust the govt and instead the claims can be independently verified by third parties by running the source code on independent servers" will not help in the case of the current non-federated design running on government servers. We need to also call for an independent security and source audit of the application running on the government servers to be sure.

Gokul Das B
Agree
Thu 28 May 2020 7:57PM

I agree, but suggest changing tone of the 'Privacy vs Release Source Code' to match the rest of the letter.

  • What is the guarantee that the server is running the released source code (if available)?

  • What is the guarantee that the raw data is not processed by undisclosed tools?

Also, "releasin" should be changed to "releasing". Everything else looks good.

Pirate Praveen Thu 28 May 2020 5:45PM

@raghukamath yes, I think that is a good point we can add. Sure, we want to share it with as many organizations and individuals as possible. We should let people know we are not satisfied with this release and want to see more.

Pirate Praveen Thu 28 May 2020 7:34PM

@Akhil in principle a third-party audit can help, but in practice do you think the govt will let anyone do a real audit (or do you think there will be any company that will dare to do a real audit)? It will be another publicity stunt and a false sense of security. Only a change in design can realistically help ensure privacy. Something like https://www.pepp-pt.org/, but we need to study different systems and then come up with recommendations.