28 government covid software not open source, can't be checked for vulnerabilities
27 April, 2020
There has been an explosion of mobile apps since the covid-19 crisis began in the country.
Aside from Aarogya Setu, the Centre and state governments are employing at least 28 mobile applications to tackle the covid-19 pandemic.
These applications have varied purposes - some disseminate information on cases, deaths, etc. to users, while some are used by officials to track persons under quarantine.
There is one common aspect to all of them: none of them is open-sourced.
One of the most famous apps is the Centre’s Aarogya Setu, which collects users’ Bluetooth and location data to track their whereabouts and alert them if they are exposed to a covid-19 positive patient. The app, which has been controversial given privacy concerns, has been downloaded by over 7.5 crore people.
Open source software (OSS) is often preferred for public utilities because it enables transparency. Users can access the code and know exactly what the product does with their data.
In 2015, the Centre had released the ‘Policy on Adoption of Open Source Software for Government of India’, which required it to encourage the use of such software in all government institutions.
The Software Freedom Law Centre (SFLC), in a report, analysed these covid apps on privacy, terms and conditions, and permissions required. The report noted that many of the apps, like West Bengal’s ‘covid-19 West Bengal Government’ and Arunachal Pradesh’s ‘COVID CARE’, did not even have terms of service or privacy policy documents.
Though many apps had privacy policies, they were cookie-cutter documents created with an automated tool. “[These auto-generated documents] lack clauses that cover important aspects such as data retention and purpose limitation for the processing of data collected,” the SFLC report read.
Perhaps most of these answers could be found via an OSS model.
Prashanth Sugathan, volunteer legal director at SFLC, said that OSS allows the developer community to study the code and point out vulnerabilities. “Another advantage is that such software products are reusable. If two states have the same requirement from a software, they are able to utilize the same app. This might enable better cooperation,” he said. He added that having an OSS would enhance the trust everyone has in it.
Ranjith Raj, a Hyderabad-based security researcher and member of Swecha, an organization that promotes the use of OSS, said it was essential for government software to be open source. “The privacy of an app is impossible to examine without the source code being available. We can’t be certain about what’s being tracked, and what’s secure. As the governments assure us the software are not surveillance tools, keeping the source code hidden leaves much to be desired,” he said.
Source: www.deccanchronicle.com