After mulling over open-sourcing its contact tracing app Aarogya Setu, the government has decided to publicly release the source code for the Android version.

Since the app launched in early April, micro-blogging sites like Twitter have been abuzz with demands from privacy advocates and security experts to open source the code of the app.

What do critics want?

One of the most vocal and popular critics of the app, Elliot Alderson shared a message exclusively to CNBC-TV18 a few weeks earlier which said, “I really have no hard feelings, this is not something personal and I think they tried to do their best in this story. Creating and maintaining an app with this number of users is extremely complicated and I know that. However, they should be more transparent. A lot of countries open source their code, they should do it immediately. Even the server-side code. In order to improve the security of their app, they should have a bug bounty in place. A lot of very skilled Indian security lovers will be happy to help them”

Broader transparency and accountability, were the bone of contention for all critics of the Aarogya Setu app and this move by the government is a huge step in that direction.

Why Android only?

The source code will be published on GitHub at midnight on Tuesday. Currently, 98 percent of Aarogya Setu users own an Android device, hence the government is starting with Android open source code first. However, Ajay Kumar Sawhney, Secretary, Ministry of Electronics and Information Technology (MeitY) at a press conference said the iOS and kaiOS source code will be released in a few days. It is important to note that the source code for the back-end infrastructure will be available in the next few weeks, which in English translates to, researchers being able to access and audit the code.

Bug bounty programme

Keeping this mind, Dr. Neeta Verma, Director General, NIC announced a bug-bounty programme for the app. She said, “We have introduced a bug-bounty program and have introduced it in three categories. There is a Rs 1 lakh cash prize for identifying any vulnerability and also a bounty for you to suggest any kind of improvements”

But the big question remains, was open-sourcing the app always a part of them and what took the government so long to do this? Speaking to CNBC-TV18, Lalitesh Katragadda, one of the volunteers from Team Aarogya Setu said, “Yes, it was always the plan. The work needed was large and there were significantly higher priority features the people needed. Open-sourcing a platform with this level of usage is a very rare event and corporations take years to do it. So it really was not that long at all.”

Niti Aayog said Amitabh Kant highlighted, “Aarogya Setu is bigger than all COVID19 apps across the world with 115 million users in just 8 weeks.” He added, “Releasing a source code of a rapidly evolving product is a challenging task. With this move, all subsequent updates will be made available in this repository”