The ambiguity associated with its source code and absence of clarity on the licensing policy and ownership of the app makes Aarogya Setu extremely vulnerable to legal tangles in the coming times. The government must act swiftly in clearing the grey areas
India’s most controversial app – Aarogya Setu – right from the beginning, has been beset by a plethora of issues pertaining to the safety and security of the users’ details. Given the various issues that came to light pertaining to data privacy and transparency, it is equivocal to question the app’s effectiveness and its intent. There was phishing allegation against the app. Some users feared it is a surveillance app, after which the government put the source code of the app on Github making it an Open Source Initiative (OSI) on 26th May, 2020. Does that mean all the transparency, security and privacy issues disappear?
Express Healthcare decided to dig in a little into understanding the prospects of improvement for the app in the coming days and the legal aspects surrounding it.
Understanding Aarogya Setu’s open-source system
Source code is the part of the software that most computer users don’t ever see; it’s the code computer programmers can manipulate to change how a piece of software—a “programme” or an “application” works. Programmers who have access to a computer programme’s source code can improve that programme by adding new features to it or fixing parts that don’t always work correctly. Therefore, an OSI gives immense opportunity for the system to become robust. It stems from the open-source model which decentralises software development models that encourage open collaborations with technology experts to bring in more innovations in the digital system.
Aarogya Setu also has a similar vision. It intends to build new ways of collaborations in order to strengthen the contact-tracing system and expand it to add more services for citizens, health workers and government bodies. Amitabh Kant, CEO, Niti Aayog, says, “Aarogya Setu has been trusted by more than 12.6 crore Indians. While we are committed to bring the adoption of the app to every compatible smartphone and feature phone in India organically, the current level of adoption has generated great insights in fighting COVID-19 precise projections of locality, direction and velocity of the spread of infection. The precision in whom to test combined with where to test more is critical in weeding out this uninvited guest at the earliest. Aarogya Setu has achieved considerable efficacy in contact tracing and identifying emerging hotspots. It has alerted more than 140,000 people so far of a potential moderate and high risk of infection through Bluetooth contacts traced from approximately 45,000 users who have tested positive. Of the 59,000 tested from the set of people assessed as high-risk, more than 15,000 people have tested positive. The efficacy of testing recommended by Aarogya Setu is much higher than any testing protocol anywhere globally.”
Speaking about the continued vision of this initiative, he continues, “Transparency, privacy and security have been the core design principles of Aarogya Setu since its inception. Opening the source code up to the developer community signifies our continued commitment to these principles. Aarogya Setu’s development has been a remarkable example of public-private collaboration. The app was developed and launched in less than three weeks and has been made open source within eight weeks of launch, at a massive scale of more than 100 million users. This is definitely first for any government-led initiative globally. It has been possible because the best of India came together and committed to building a much-needed technology solution to provide precise insights into fighting COVID-19. By releasing and maintaining the source code in the public domain, the vision is to leverage the expertise of top technical brains in our bid to collectively continue developing robust technology solutions to fight this pandemic together.”
However, the security and transparency issue still remains the apple of discord for many.
The problem persists, but there are solutions too…
After the app’s source code was made available to programmers, many tech wizards and computer programmers found it extremely difficult to dissect its source code. Some even alleged that the source code available in the public domain is not the real one, just like the Co-founder of HasGeek, Kiran Jonnalagadda’s twitter thread, that garnered a lot of response on social media. Jonnalagadda wrote, “Aarogya Setu is not open source. What is available in Github is just “some random code to keep the public distracted.” He further wrote that the developers are ignoring reports of serious vulnerabilities. “Actual development is elsewhere in a closed source repo,” his thread alarmed. Like him, there are others who doubt whether the app is truly open source or just a reverse-engineered version on the face of it. Moreover, the problem of making the app mandatory has its own set of legal and ethical dilemmas. Just as Delhi High Court advocate, Arjun Dewan in an article for the Financial Express explained, “The legality of Aarogya Setu will be tested on the parameters laid down by the Hon’ble Supreme Court in KS Puttaswamy’s case, also known as the Aadhar Case. In the said case, the Supreme Court in a unanimous decision of nine judges recognised that the ‘Right to Privacy’ is a fundamental right. There cannot be any doubt that the State has a legitimate interest [one of the parameters] in making this app mandatory [at least in certain circumstances] in order to contain the spread of COVID-19. There is also no doubt that the app does affect a user’s right to privacy.”
However, some cybersecurity experts appreciated the move of making Aarogya Setu open source as this is for the first time such an initiative has been undertaken by the Government.
Rahul Dev, a Delhi-based patent attorney and technology business lawyer, informs, “The COVID-19 pandemic qualifies as an unforeseen situation at a global level and hence it would be apt to state that no government worldwide was prepared to handle this. Various countries are depending upon contact tracing as one of the most effective mechanisms to contain the spread of the pandemic. However, due to the speed at which the disease containment is needed, the existing legal framework is not fully capable to accommodate the use of an app like Aarogya Setu which can have serious implications relating to data protection, the privacy of the user and data security. The general legal implications associated with any open-source platform include the compliance of licensing terms with the local laws. As it is well known, the data protection law is yet to be introduced in India, and hence, in the absence of this law, the Government has to play a proactive role to protect the rights of the citizens. The open-source platforms are strictly governed by the internationally-known standards and it is expected that the Aarogya Setu app will eventually be aligned with such standards completely in coming months.”
Amid all this, some healthcare experts and even some patients seem to be happy with this initiative. Some health tech experts who are currently using the app say that making the Aarogya Setu an OSI will certainly make the contact-tracing system stronger and transparent; while others want to support the government and recommend ideas for improvement.
“It is a wonderful idea and given that it is a government app, people will not have issues in terms of applicability. It captures few data sets and I think its functionality could have been made more purposeful by adding BMI, family history and creating a risk profile of low, medium and high. More importantly, based on the risk, the economy and coronavirus could have been handled in a little planned manner. Like people in the young age group with low risk could be allowed to lead a normal life and work practising physical distancing, compulsory mask and hygiene. This would have saved our economy by 40 per cent given that 65 per cent of Indians are below 35 years of age. Arogya Setu being a fantastic app, its functionality has been used in a ‘limited’ manner and the risk assessment for even ‘low risk’ people is to stay at home. So, it would not be wrong to advise that we need to use the data from this app and start opening the economy. Primarily, people are carriers of the coronavirus and the death rate is low in the young population. Aorgya Setu can be an enabler much beyond just managing COVID. It has wonderful capabilities. I am not concerned much on the other flimsy issues which some people will always oppose,” points out Rajendra Pratap Gupta, Public Policy Expert and Author.
“Contact tracing is an essential part of such situations. Nevertheless, data privacy and protection against misuse must be ensured. The Google Apple API uses only Bluetooth. Moreover, it’s decentralised. Such apps work well only when over 60 per cent of the entire population uses it. So, why not gain people’s trust by switching from static to dynamic ID, not using GPS location, and releasing the correct source code, etc. Complete anonymisation of data collected will go a long way in making the app safer and more used,” adds Dr Suleman Merchant, Former Dean, Sion Hospital, Mumbai.
Similarly, Dr Wasim Ghori, Medical Director and Consultant Diabetologist, Heart and Diabetes Clinics, Mumbai, shares, “For Aarogya Setu to be effective, the app must be installed on as many phones as possible, and users must regularly update their health status so that community interactions can be mapped out. It is a well-known fact that the teledensity in India is skewed, especially in the urban areas as compared to the rural hinterlands. So, while it might be easier to maximise coverage in large urban cities, it will be far more difficult to ensure coverage in rural areas thus diminishing the effectiveness of the app in detecting cases in the medium term as the pandemic spread increases in rural areas. Moreover, India currently ranks number four in terms of COVID-19-positive cases at the time of writing this. Therefore, it becomes more crucial that Aarogya Setu fix its problems of exclusion for effective health monitoring around COVID-19 rather than building more functions like teleMedicine, e- pharmacies and home diagnostics. There is a need for the government to demonstrate the effectiveness of the app to build trust between citizens and frontline health workers.”
Just as some healthcare providers share their suggestions for improvement, Niranjan Ramakrishnan, CHCIO, Group CIO, Leixir Dental Group and Kauvery Hospitals gives a comparison between Aarogya Setu and other manual options. He says, “Instead of finding fault with a standard digital platform, let us really compare the Aarogya Setu app with alternative manual options:
- Voluntary: Whether the use is by choice or mandatory.
- Limited: Are there limitations on how the data get used?
- Data destruction: Whether the data are deleted automatically after a certain amount of time.
- Minimised: Whether only the necessary information is collected.
- Transparent: Whether the app is built on clear and publicly available policies and its design has an open-source code.
- Data Security: Assurance of the security of the data collected
- Contact Tracing: Visibility to the contact tracing to the common citizen and end-user
- Real-time: Access to real-time information.
- Hygiene: As the healthcare worker moves physically across, there are hygiene issues.
He further states, “Thus, any digital system we adopt is bound to have some limitations but compared to the alternative options, we have adopted a much safer and value-based platform,” Ramakrishnan affirms.
Well, these were technical aspects, but the most ignored aspect is the one that most tech geeks fear – the legal tangles.
Unravelling the licensing and ownership issue…
“The most important element of an open-source platform is the type of license associated with such a platform. Open source does not provide complete freedom to everyone to modify or redistribute the source code. Such rights depend upon the license accompanying the open-source platform. Generally, such license terms define the rights associated with the source code of the open platform, which help both the parties, including the owner and the user. Depending upon the jurisdiction, there can exist legal implications defining the aspects of the code that can be shared freely by the owner. For example, European Union Public Licence or EUPL defines a legal framework for open source sharing and innovation across all EU member nations, which may not be explicitly applicable to companies or individuals in India. Additional aspects of open source licensing cover conditions stating whether the source code can be modified or not, or whether the source code can be repurposed for different applications. In addition, the open-source code license also specifies if any additional costs are associated with the code. For example, the code may be available freely, but the executable software resulting from this code may require additional costs to be paid to the code owner,” amplifies Dev.
He further explains the difference between the Aarogya Setu app and the other available open-source platforms. He says, “A major difference between the Aarogya Setu app and other open-source platforms is that the usage of the Aarogya Setu is being encouraged extensively by the Government. This induces a question of critical importance, i.e. does the Aarogya Setu app qualify as a government platform? If yes, then it would lead to a plethora of follow-up questions regarding the ownership of the Aarogya Setu app, development process followed from the beginning, selection of the team of volunteers, maintenance of the app, and other related aspects. On the contrary, if Aarogya Setu app is a private platform, then, in such a case, questions can be raised on the imposition of the app used by the government, airlines, private employers, or on the promotion of the app by public and private entities.”
Now, Niti Aayog has communicated to Express Healthcare that Aarogya Setu has been developed by a committed set of more than 70 volunteers from across the public and private sector. “Opening the source code for the app means broadening the set of contributors who can review and further improve upon the functionalities and features of the app. Developing and maintaining the source code is a huge responsibility, both for team Aarogya Setu and the developer community. The repository shared is the actual production environment. All subsequent product updates will also be made available through this repository. The expectation thus is that we continue building together with the requisite technology intervention against COVID-19,” Kant ratifies.
However, this still does not spell out the ownership aspects of the app. Even with the assurances extended from the Government at the present, it is unlikely that the issue will rest there. It is likely that the same is going to be adjudicated by the Courts. Dev additionally speaks about the challenges that lie ahead.
Legal problems on the cards…
Just as the lawsuits associated with making the app mandatory, there are higher possibilities of litigations associated with hacking and misuse by notorious elements. Who will then take the onus of these crimes?
“Since this app works on the principle of self-reporting instead of a central authority to verify the user submissions, the app is highly prone to be misused by notorious elements of the society. In the absence of security measures to prevent such misuse, the usage of this app presently falls in the grey area as far as the laws and regulations are concerned,” warns Dev.
Having said that, Dev also recommends that to make the app better, the first and foremost step required is to have clarity whether or not the app is a publically-owned resource. If yes, the team managing the maintenance and upgradation of the app should be selected using the legally compliant procedures instead of a team of volunteers, which, as Kant mentioned, is a group of 70 odd people working together. “In addition, rather than waiting for any court to issue an order regarding mandatory usage of this app, the Government should clarify these guidelines in advance in an easy-to-understand format. These basic steps can pave the way forward for a productive and legally compliant contact-tracing tool to contain this pandemic effectively,” Dev sums up.
While the debate continues in the public domain, one thing is obvious that there is a trust deficit which the government will have to address at the earliest. Information on the licensing aspects, ownership, privacy aspects and more have to be clearly documented and made public to ensure that a robust and transparent system is built. There is no doubt that the government’s initiative on making Aarogya Setu app an open-source platform is well received, but the many caveats that exist also send out a clear message on the need to resolve the legal and ethical dilemmas.