The Aarogya Setu app has been released as Free Software; we should respond to this with a statement.
https://www.medianama.com/2020/05/223-aarogya-setu-code-open-sourced/
I'm proposing an audio call tonight at 9 pm to discuss the initial outline. Since it's short notice, you can share your inputs here if you are unable to join.
DRAFT STATEMENT, see https://cryptpad.fr/pad/#/2/pad/edit/HFduIwLMDBPARZTThUWZb3jt/ for discussions - mainly drafted by @Akshay with inputs from many.
---
Background:
In a country where there is a stated policy on adoption of Free Software (sometimes called open source), it is rather surprising that a public application supported, promoted, and partially mandated by the government is not Free Software from the very inception. While the server side source code still remains undisclosed and several unresolved technical questions exist, including about reproducibility of builds (to verify that the application distributed via Google's Play Store is really built from the source code published) and whether penetration testing is acceptable, we use the attention brought on transparency to raise larger issues about the Aarogya Setu application and the government's use of technology in handling the most dreadful pandemic of our times.
The respected CEO of NITI Aayog, Amitabh Kant, during the press conference on 26th May stated that "transparency, privacy, and security" were the core design principles of Aarogya Setu. As a group of people who build software in various domains that respect these very same principles among others, we find Aarogya Setu lacking in all three of these principles, despite the claims by the government to the contrary.
Privacy:
The application is described as "privacy-first by design". Without a legal framework for personal data protection like the GDPR in Europe, there is no mechanism through which a citizen can upload data to a centralized server and be assured that the data will be handled as explained by the developers. Would there be legal recourse available to them if it turns out that the data was eventually handled in a different way than what was explained when it was uploaded, for example being made accessible to third parties? We find it problematic that everyone's data is connected to a centralized server run by the government, thus making every citizen vulnerable to government surveillance. We are forced to question whether such large scale surveillance is justified considering the narrow utility of the application.
Transparency:
On the matter of transparency, there are uncertainties regarding the origin, design, running, and continued updation of the platform. It is widely known that various private companies are involved in the development of the platform. Complete transparency would entail disclosure of the extent of such involvement, the processes followed in such public-private collaboration, including disclosure of tenders or contracts given to private companies for the work they contributed to the app, the guarantees available to the public about strict separation of data from the hands of private collaborators, and also details on procedures which allow more stakeholders, including civil society and rights activists, to shape the further development of the platform.
Privacy vs Released Source Code:
Public forums and mainstream media seem to think that releasing source code alone brings transparency; rather, it gives a very *false sense of transparency*. Releasing source code alone doesn't guarantee transparency, especially when a server side is involved.
What is the guarantee that the server is running the released source code (if available)?
What is the guarantee that the raw data is not processed by undisclosed tools?
These questions can be answered only when we don't have to blindly trust the govt and instead the claims can be independently verified by third parties by running the source code on independent servers (a decentralized/federated design instead of the centralized server in the case of Aarogya Setu). In principle, auditing by independent third parties can improve trust in the system, but in practice who is really independent enough to audit the government?
Security:
In the security world, no organization, no matter how advanced they are, usually proclaims their product or platform to be "secure" while it still hasn't withstood the test of time. It is understandable that the government would want to give the public confidence in using the application, but we feel responsible to point out that it is reasonable to assume that an application hastily built during a pandemic is rife with security blunders that are waiting to be discovered. Only time will tell how many security vulnerabilities get discovered on the platform and how much damage such vulnerabilities would cause to our citizens.
On an entirely different level, the application is already giving a dangerously large number of citizens a false sense of "security", whereby they feel safe and go about misinterpreting the green indicator given by the application. It is necessary that the pandemic, which is a global public health crisis, be treated as such and that the response to it be led by time-tested public health measures rather than untested and unproven technologies.
Next Step:
We are evaluating alternate apps and protocols used across the world right now and will come up with a follow up statement later with our recommendations.
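The statement's reproducibility question (does the APK shipped through the Play Store match a build from the published source?) has a concrete check behind it. The following is an added example, not code from the statement or from the Aarogya Setu project: it compares the content of each zip entry in two APKs while skipping the `META-INF/` signature files, which are expected to differ between a publisher-signed build and an independent unsigned rebuild. The two "APKs" are constructed in memory as stand-ins; real verification would feed in the downloaded APK and a locally built one. A whole-file hash is not enough for this check, because the signature alone makes the files differ; the APK Signing Block (v2/v3) also sits outside the zip entries and is therefore never part of this comparison.

```python
import hashlib
import io
import zipfile


def entry_digests(apk_bytes, ignore_prefixes=("META-INF/",)):
    """Map each zip entry name to the SHA-256 of its uncompressed content.

    META-INF/ holds the v1 (JAR) signature files, which legitimately differ
    between a signed publisher build and an unsigned rebuild, so they are
    skipped. Zip timestamps and compression metadata are ignored as well,
    because only the entry content is hashed.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(ignore_prefixes):
                continue
            with zf.open(info) as f:
                digests[info.filename] = hashlib.sha256(f.read()).hexdigest()
    return digests


def compare_apks(published_apk, rebuilt_apk):
    """Return the sorted names of entries whose content differs or that exist
    in only one of the two APKs. An empty list means the rebuild reproduces
    the published app at the content level."""
    a = entry_digests(published_apk)
    b = entry_digests(rebuilt_apk)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def make_apk(entries, date_time=(2020, 5, 26, 0, 0, 0)):
    """Build an APK-like zip in memory from {name: bytes}.
    Constructed test data only; it is not a real Android package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample: the "published" build carries v1 signature files and was
# zipped at a different time; the "rebuilt" one is unsigned but has the same code.
PUBLISHED = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.placeholder'/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode",
    "META-INF/CERT.RSA": b"constructed signature blob",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}, date_time=(2020, 5, 26, 10, 30, 0))

REBUILT_SAME = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.placeholder'/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode",
}, date_time=(2020, 5, 29, 8, 0, 0))

# A rebuild from sources that do not match what was shipped.
REBUILT_DIFFERENT = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.placeholder'/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode-with-extra-code",
})

if __name__ == "__main__":
    print("same sources:", compare_apks(PUBLISHED, REBUILT_SAME))       # []
    print("diverged:    ", compare_apks(PUBLISHED, REBUILT_DIFFERENT))  # ['classes.dex']
```

In practice a tool such as diffoscope gives a readable diff of the entries this function flags, and a build that is not reproducible in the first place (embedded timestamps, non-deterministic resource ordering) will show differences even when the source is the same, which is exactly why the statement asks for reproducibility rather than just for source release.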
Pirate Praveen Thu 28 May 2020 8:08PM
@Raju Devidas can you share the comparative study of contact tracing apps done by SFLC India?
Aboobacker MK Fri 29 May 2020 6:08AM
We don't have a legal framework like the GDPR in effect for India, and the open source policy wasn't followed well so far. So open sourcing the client side code is really an appreciable thing; while many concerns remain, we shouldn't be undermining this development.
Akshay Fri 29 May 2020 7:32AM
Are we undermining that development?
Aboobacker MK Fri 29 May 2020 8:14AM
Felt like that from the tone of this document
Pirate Praveen Fri 29 May 2020 10:58AM
Basically mainstream media is celebrating it as a victory in itself, but it is only a small step, if we don't remind people, who will? Still suggest what changes to current draft will make you happy and we can consider it. FSF India also has statement, which I think is softer, so we can be a bit more critical (to represent diversity of opinion within the community) http://fsf.org.in/news/arogya-sethu/
pirate king Fri 29 May 2020 1:08PM
Praise the govt effort - but caution the community against looking at this as a "victory"
One of the points in the cryptpad
Pirate Praveen Fri 29 May 2020 2:02PM
Suggest different phrasing or if whole sections need change, mention it. We can still consider the changes before we publish on our website.
Pirate Praveen Fri 29 May 2020 2:58PM
@Akhil added demand for server audit and created a corrections section at bottom to track changes to original text. Also loomio itself tracks changes to proposal text.
Akhil Fri 29 May 2020 5:01PM
Thank you @Pirate Praveen for making the changes for security and source audit of the application running in the central servers once the server code is released.
I asked that for transparency, in addition to the federated design demand, not because I am happy with the current state of data collected. Even though it might be necessary to have a dataset when fighting a pandemic, both the amount of data and the non-anonymity of it concern me.
Anonymization of the user when the app starts collecting data, with collection of data points only corresponding to the anonymized entry, and a trust framework for federation (since those who are going to be part of the federation are going to handle sensitive data points) are other personal wishlist items of mine.
Akshay Fri 29 May 2020 3:54PM
I've been trying to change everywhere but there are too many copies I'm unable to track everything. The "epidemic" in the paragraph about security is a mistake I made. It should be "pandemic".
Akhil Fri 29 May 2020 5:00PM
Changed epidemic to pandemic in the above proposal post.
Pirate Praveen Fri 29 May 2020 5:08PM
Now we can keep the proposal text as the final version and edit it here itself as big/quick changes are not likely.
Anivar Aravind Sun 31 May 2020 10:42AM
Along with the free and open source code release, enabling civic participation in the code base and open development and governance should be a demand.
Pirate Praveen Sun 31 May 2020 6:37PM
I think we can include it in a follow up statement as things we learned after they released source code.
Pirate Praveen Sun 31 May 2020 7:11PM
Material for the follow up statement https://ethz.ch/en/news-and-events/eth-news/news/2020/05/swiss-covid-app.html and https://ncase.me/contact-tracing/
The UK and France are using centralized apps; Italy and Germany switched to a decentralized app.
So PEPP-PT was pushing for the centralized approach and DP-3T for the decentralized approach.
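To make the centralized vs decentralized distinction concrete for the follow up statement, here is an added example (not code from the DP-3T project or from any of the apps mentioned) of the matching flow in a decentralized design of the kind DP-3T describes: each phone derives a daily key chain, broadcasts short ephemeral IDs derived from the current day key, and keeps what it hears locally; a user who tests positive publishes only their day key, and every other phone regenerates the corresponding EphIDs and checks for a match on the device. The server holds nothing but a list of published keys, so the "who met whom" graph that a centralized design would accumulate never exists anywhere. The 15-minute epoch, the 14-day window, the use of HMAC-SHA256 as the PRF and SHA-256 in counter mode as the PRG, and the fixed seeds are this example's assumptions.

```python
import hashlib
import hmac

EPHID_LEN = 16          # bytes broadcast over BLE per ephemeral ID
EPOCHS_PER_DAY = 96     # assumed rotation: a fresh EphID every 15 minutes
WINDOW_DAYS = 14        # assumed contagious window the matcher walks forward


def next_day_key(sk):
    """SK_{t+1} = H(SK_t). The chain only runs forward, so a published key
    reveals that day and the days after it, never the days before."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk_day):
    """Regenerate a day's EphIDs from its key: PRF (HMAC) then PRG (hash in
    counter mode). Without sk_day the EphIDs are unlinkable to each other."""
    bk = hmac.new(sk_day, b"broadcast key", hashlib.sha256).digest()
    return [hashlib.sha256(bk + i.to_bytes(4, "big")).digest()[:EPHID_LEN]
            for i in range(EPOCHS_PER_DAY)]


class Phone:
    """All state stays on the device; only key_for_upload ever leaves it."""

    def __init__(self, seed):
        self.keys = [seed]       # day keys retained locally for the window
        self.observed = set()    # EphIDs heard from nearby phones

    def broadcast(self, epoch):
        return ephids_for_day(self.keys[-1])[epoch]

    def hear(self, ephid):
        self.observed.add(ephid)

    def advance_day(self):
        self.keys.append(next_day_key(self.keys[-1]))

    def key_for_upload(self, first_contagious_day):
        # A positive user publishes one key; the hash chain yields later days.
        return self.keys[first_contagious_day]

    def exposed_to(self, published_keys):
        """Local matching against the server's public list of day keys."""
        for key in published_keys:
            k = key
            for _ in range(WINDOW_DAYS):
                if any(e in self.observed for e in ephids_for_day(k)):
                    return True
                k = next_day_key(k)
        return False


def run_scenario():
    # Constructed fixed seeds make the run deterministic; real phones use random seeds.
    alice, bob, carol = Phone(b"A" * 32), Phone(b"B" * 32), Phone(b"C" * 32)
    # Day 0: Alice and Bob are near each other during epoch 3; Carol is elsewhere.
    bob.hear(alice.broadcast(3))
    alice.hear(bob.broadcast(3))
    unlinkable = alice.broadcast(3) != alice.broadcast(4)
    for phone in (alice, bob, carol):
        for _ in range(2):
            phone.advance_day()
    # Day 2: Alice tests positive and uploads only her day-0 key.
    published = [alice.key_for_upload(0)]
    return {
        "published": published,                      # the server's entire knowledge
        "bob_exposed": bob.exposed_to(published),    # True: matched on device
        "carol_exposed": carol.exposed_to(published),  # False
        "ephids_unlinkable": unlinkable,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point for the statement is the last dictionary: `published` is a list of 32-byte keys and nothing else, which is all an independent party needs to verify the server's behaviour, whereas a centralized design of the PEPP-PT kind uploads the contact lists themselves and asks users to trust the operator with them.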
Pirate Praveen Thu 28 May 2020 8:07PM
@Gokul Das B thanks, fixed. @Akhil added a line about independent audit.