28 government covid apps not open source, cannot be checked for vulnerabilities

Privacy concerns abound as independent developers cannot study the code

Hyderabad: There has been an explosion of mobile apps since the covid-19 crisis began in the country.

Apart from Aarogya Setu, the Centre and state governments are using at least 28 mobile applications to tackle the covid-19 pandemic.

These apps have varied purposes — some disseminate information on cases, deaths and so on to users while others are used by officials to track people under quarantine.

There is one common aspect to all of them: None of them is open-sourced.

One of the most famous apps is the Centre’s Aarogya Setu, which collects users’ Bluetooth and location data to track their whereabouts and alert them if they come in contact with a covid-19 positive patient. The app, which has been controversial given privacy concerns, has been downloaded by over 7.5 crore people.

Open source software (OSS) is often preferred for public utilities since they allow for transparency. Users can access the code and know exactly what the product is supposed to do with their data.

In 2015, the Centre had released the ‘Policy on Adoption of Open Source Software for Government of India, which required it to encourage the use of such software in all government institutions.

The Software Law Freedom Centre (SFLC), in a report, analysed these covid apps on privacy, terms of conditions and permissions required. The report noted that many of the apps did not even have terms of service or privacy policy documents like West Bengal’s ‘covid-19 West Bengal Government’ and Arunachal Pradesh’s ‘COVID CARE’.

Though many apps had privacy policies, they were cookie-cutter documents created out of an automated tool. “[These auto-generated documents] lack clauses that cover important aspects such as data retention and purpose limitation for the processing of data collected,” the SFLC report read.

Perhaps most of these answers could be found through an OSS model.

Prashanth Sugathan, volunteer legal director at SFLC, said that OSS would allow the developer community to study the code and point out vulnerabilities. “Another advantage is that such software products are reusable. If two states have the same requirement from a software, they can use the same app. This would allow for better cooperation,” he said. He added that having an OSS would improve the trust the general public has in it.

Ranjith Raj, a Hyderabad-based security researcher and member of Sweccha, a group that promotes the use of OSS, said it was essential for government apps to be opensource. “The privacy of an app is impossible to review without the source code being available. We can’t be sure about what’s being tracked, and what’s secure. While the governments assure us the apps are not surveillance tools, keeping the source code hidden leaves much to be desired,” he said.

( Source : deccan chronicle )
Next Story