Moneycontrol: National: Wednesday, 06 October 2021.
India's vaccination platform Co-WIN, developed using open source software, has become a topic of debate again. This time, it is about whether the platform is open source, with the government and the public taking opposing views on the issue.
Moneycontrol spoke to industry experts and the technology community to understand why the platform should be made open source, the delay in making the code public, and how making it public can improve the transparency and accountability of the platform.
Open source and Co-WIN
Co-WIN, which is owned by the Ministry of Health and Family Welfare, was developed using open-source software. This type of software allows users to modify the source code and distribute it. Co-WIN went live in January 2021 for frontline workers and by May 1 it was accessible to everyone, when vaccination was opened up for all those over 18 years.
In an email response to Moneycontrol, RS Sharma, CEO, National Health Authority, said: “The ownership of the Co-WIN platform is with the Ministry of Health and Family Welfare (MoHFW) and not with National Health Authority (NHA) or United Nations Development Programme (UNDP). The platform has been developed jointly by the MoHFW and the National e-Governance Division (NeGD) of MeitY. NHA CEO (RS Sharma) guided the whole process as Chair of the Empowered Group on Vaccine Administration for Covid-19 (EGVAC). The necessary resources have been mobilised by MoHFW through GAVI. UNDP has acted as a facilitator and that too more on the implementation side.”
Currently, the MoHFW and Ministry of External Affairs (MEA) are in talks with several countries to take CoWIN global. Moneycontrol has learnt that Trigyn Technologies is one of the companies that will be roped in for the implementation of CoWIN in other countries.
The government said that India is a part of the WHO Covid Technology Access Pool initiative (WHO C-TAP), which aims to improve healthcare access. “Co-WIN technology will be shared with other countries through an MoU. The destination country will decide the technical agency through which they might implement Co-WIN,” Sharma said.
During multiple media interactions, including the latest one with Moneycontrol, Sharma, who heads Co-WIN, said that the government has open-sourced CoWIN for a global rollout. “We had on the 5th of July convened a CoWIN global conclave, where 147 countries participated. Many ministers from these countries participated. Thereafter, we open-sourced the whole thing,” said Sharma, in a recent interview with Moneycontrol.
He added that the MEA is taking the CoWIN global rollout forward. “We have made the entire thing ready so that it is ready to be deployed by capacity building, open-sourcing, documentation, and legal agreements,” he had said.
Co-WIN is not open source
To clarify whether Co-WIN is open source or not, Srinivas Kodali, an independent researcher at the Freedom Software Movement of India, filed a Right to Information query, where he wanted clarity on two aspects on Co-WIN from the Department of Health and Family Welfare.
1. Has the department made Co-WIN open source?
2. Provide the entire source code of Co-WIN as defined in section 2(f) of the RTI Act.
In response to the RTI query, the government said that Co-WIN technology was developed using open source and its source code is only available to authorised partners, contrary to the very definition of what open source is.
Open source as the name implies, is open. It means that the code is publicly accessible and hence anyone can edit and modify, and distribute it.
Kodali pointed out that when Co-WIN’s source code is not accessible by the public, it becomes closed-source, contradicting Sharma’s statement. Moneycontrol sent a detailed questionnaire to the department on why the government claims Co-WIN is open source and asked if there is any intention to make it public.
What is the government saying?
Sharma said Co-WIN is an open and API based platform. This is a fair statement. The APIs that the government has made open can be used by companies and individuals to create applications. “We have a well-defined API policy. Many of our APIs are public APIs and are available for use on API-Setu,” the government said in response.
For instance, when Co-WIN was opened for vaccine booking, multiple individuals used Co-WIN APIs to create applications that would alert people whenever appointments opened up. A Bengaluru-based public policy expert, who requested anonymity, said that APIs can be used by companies to get an employee’s vaccine status by creating similar applications.
Offering APIs to the public does make the platform open, but not open-source, says Saurav (name changed), a Bengaluru-based technology professional and active member of the open-source community. For instance, large technology companies like Facebook, Google and Twitter have made APIs available for developers. Saurav explained that Twitter APIs can be used to automate retweets, block tweets and also post tweets on Twitter when certain conditions are satisfied. “Does this make Twitter open source? No,” Saurav said.
This is applicable for Co-WIN as well. Sharma, in his response, said that the Co-WIN source code is accessible only by authorized partners and not the public. “Some of the APIs, especially those related to recording of vaccination data, are private APIs for whom any prospective partners or organizations have to demonstrate compatibility with Co-WIN protocols and have to make commitments to strictly adhere to the Privacy Policy and Terms of Use of Co-WIN. The source code too is accessible to the authorized partners or any organisations which agree to the limits & conditions for using the code in public interest and agree to not commercially exploit the code,” the statement said.
The source code of CoWIN, Sharma said, has been placed on www.openforge.gov.in and updated regularly with each new release. Open forge is an initiative of the Ministry of Electronics & IT to promote sharing and reuse the source code of e-governance applications, the statement added. Two sources Moneycontrol spoke to said that the Open forge is not accessible for public use.
Is being open-source a big deal?
Making the code public has three key advantages. One, it will make it accessible to the wider public for scrutiny. This would make it easier to understand the data that is being collected and where it is being used. It would also reveal how many services, government and private, will have access to the data. This brings in the much-needed transparency and accountability to ensure citizens’ privacy is protected.
Two, this will also bring in trust that the government is walking the talk, instead of raising suspicion. “Right now, we don’t know what they are doing with the data. There could be no compromise on our privacy as they are saying. But we just don’t know and it only raises suspicions,” pointed out open source enthusiast Umesh (name changed), a Bengaluru-based technology professional.
A case in point is the creation of unique health IDs without user consent. Karthik Srinivasan, a communications strategy consultant, was surprised when he noticed that he had a Unique Health ID in his vaccine certification. “I don't recall ever having consented to seeking a unique health ID, after understanding the details of why I need one. What am I missing here?” he asked on Twitter.
His health ID was created when he had registered for vaccination on Co-WIN using Aadhaar as his identity proof. Srinivasan is not alone, for there are 12.6 crore people who had Unique Health IDs created as of October 4, 2021.
While Co-WIN’s terms and conditions imply that using Aadhaar gives implicit consent to create health IDs, there is no clarity on the issue. If the code was open source, it would make it much easier to understand why these IDs were created.
The third part is security. On June 10, Data Leak Market said that vaccination data of 150 million Indians from Co-WIN were available for sale for $800. While the government and security professionals denied the data breach, it stands to show the importance of security when dealing with sensitive health data. If there are any security lapses in the code, the government and open source community can collectively address the issue.
The need of the hour
However the Bengaluru-based public policy expert cited earlier said that just making the code open source might not be enough to make changes. “A citizen does not care if Co-WIN is open source or not. What he cares about is why his health ID was created and where it will be used,” the expert said.
“The debate should be about how the government makes decisions and not if it should be open source or not. We also need a personal data protection law, which unfortunately has not seen the light of the day yet,” the expert added.
India's vaccination platform Co-WIN, developed using open source software, has become a topic of debate again. This time, it is about whether the platform is open source, with the government and the public taking opposing views on the issue.
Moneycontrol spoke to industry experts and the technology community to understand why the platform should be made open source, the delay in making the code public, and how making it public can improve the transparency and accountability of the platform.
Open source and Co-WIN
Co-WIN, which is owned by the Ministry of Health and Family Welfare, was developed using open-source software. This type of software allows users to modify the source code and distribute it. Co-WIN went live in January 2021 for frontline workers and by May 1 it was accessible to everyone, when vaccination was opened up for all those over 18 years.
In an email response to Moneycontrol, RS Sharma, CEO, National Health Authority, said: “The ownership of the Co-WIN platform is with the Ministry of Health and Family Welfare (MoHFW) and not with National Health Authority (NHA) or United Nations Development Programme (UNDP). The platform has been developed jointly by the MoHFW and the National e-Governance Division (NeGD) of MeitY. NHA CEO (RS Sharma) guided the whole process as Chair of the Empowered Group on Vaccine Administration for Covid-19 (EGVAC). The necessary resources have been mobilised by MoHFW through GAVI. UNDP has acted as a facilitator and that too more on the implementation side.”
Currently, the MoHFW and Ministry of External Affairs (MEA) are in talks with several countries to take CoWIN global. Moneycontrol has learnt that Trigyn Technologies is one of the companies that will be roped in for the implementation of CoWIN in other countries.
The government said that India is a part of the WHO Covid Technology Access Pool initiative (WHO C-TAP), which aims to improve healthcare access. “Co-WIN technology will be shared with other countries through an MoU. The destination country will decide the technical agency through which they might implement Co-WIN,” Sharma said.
During multiple media interactions, including the latest one with Moneycontrol, Sharma, who heads Co-WIN, said that the government has open-sourced CoWIN for a global rollout. “We had on the 5th of July convened a CoWIN global conclave, where 147 countries participated. Many ministers from these countries participated. Thereafter, we open-sourced the whole thing,” said Sharma, in a recent interview with Moneycontrol.
He added that the MEA is taking the CoWIN global rollout forward. “We have made the entire thing ready so that it is ready to be deployed by capacity building, open-sourcing, documentation, and legal agreements,” he had said.
Co-WIN is not open source
To clarify whether Co-WIN is open source or not, Srinivas Kodali, an independent researcher at the Freedom Software Movement of India, filed a Right to Information query, where he wanted clarity on two aspects on Co-WIN from the Department of Health and Family Welfare.
1. Has the department made Co-WIN open source?
2. Provide the entire source code of Co-WIN as defined in section 2(f) of the RTI Act.
In response to the RTI query, the government said that Co-WIN technology was developed using open source and its source code is only available to authorised partners, contrary to the very definition of what open source is.
Open source as the name implies, is open. It means that the code is publicly accessible and hence anyone can edit and modify, and distribute it.
Kodali pointed out that when Co-WIN’s source code is not accessible by the public, it becomes closed-source, contradicting Sharma’s statement. Moneycontrol sent a detailed questionnaire to the department on why the government claims Co-WIN is open source and asked if there is any intention to make it public.
What is the government saying?
Sharma said Co-WIN is an open and API based platform. This is a fair statement. The APIs that the government has made open can be used by companies and individuals to create applications. “We have a well-defined API policy. Many of our APIs are public APIs and are available for use on API-Setu,” the government said in response.
For instance, when Co-WIN was opened for vaccine booking, multiple individuals used Co-WIN APIs to create applications that would alert people whenever appointments opened up. A Bengaluru-based public policy expert, who requested anonymity, said that APIs can be used by companies to get an employee’s vaccine status by creating similar applications.
Offering APIs to the public does make the platform open, but not open-source, says Saurav (name changed), a Bengaluru-based technology professional and active member of the open-source community. For instance, large technology companies like Facebook, Google and Twitter have made APIs available for developers. Saurav explained that Twitter APIs can be used to automate retweets, block tweets and also post tweets on Twitter when certain conditions are satisfied. “Does this make Twitter open source? No,” Saurav said.
This is applicable for Co-WIN as well. Sharma, in his response, said that the Co-WIN source code is accessible only by authorized partners and not the public. “Some of the APIs, especially those related to recording of vaccination data, are private APIs for whom any prospective partners or organizations have to demonstrate compatibility with Co-WIN protocols and have to make commitments to strictly adhere to the Privacy Policy and Terms of Use of Co-WIN. The source code too is accessible to the authorized partners or any organisations which agree to the limits & conditions for using the code in public interest and agree to not commercially exploit the code,” the statement said.
The source code of CoWIN, Sharma said, has been placed on www.openforge.gov.in and updated regularly with each new release. Open forge is an initiative of the Ministry of Electronics & IT to promote sharing and reuse the source code of e-governance applications, the statement added. Two sources Moneycontrol spoke to said that the Open forge is not accessible for public use.
Is being open-source a big deal?
Making the code public has three key advantages. One, it will make it accessible to the wider public for scrutiny. This would make it easier to understand the data that is being collected and where it is being used. It would also reveal how many services, government and private, will have access to the data. This brings in the much-needed transparency and accountability to ensure citizens’ privacy is protected.
Two, this will also bring in trust that the government is walking the talk, instead of raising suspicion. “Right now, we don’t know what they are doing with the data. There could be no compromise on our privacy as they are saying. But we just don’t know and it only raises suspicions,” pointed out open source enthusiast Umesh (name changed), a Bengaluru-based technology professional.
A case in point is the creation of unique health IDs without user consent. Karthik Srinivasan, a communications strategy consultant, was surprised when he noticed that he had a Unique Health ID in his vaccine certification. “I don't recall ever having consented to seeking a unique health ID, after understanding the details of why I need one. What am I missing here?” he asked on Twitter.
His health ID was created when he had registered for vaccination on Co-WIN using Aadhaar as his identity proof. Srinivasan is not alone, for there are 12.6 crore people who had Unique Health IDs created as of October 4, 2021.
While Co-WIN’s terms and conditions imply that using Aadhaar gives implicit consent to create health IDs, there is no clarity on the issue. If the code was open source, it would make it much easier to understand why these IDs were created.
The third part is security. On June 10, Data Leak Market said that vaccination data of 150 million Indians from Co-WIN were available for sale for $800. While the government and security professionals denied the data breach, it stands to show the importance of security when dealing with sensitive health data. If there are any security lapses in the code, the government and open source community can collectively address the issue.
The need of the hour
However the Bengaluru-based public policy expert cited earlier said that just making the code open source might not be enough to make changes. “A citizen does not care if Co-WIN is open source or not. What he cares about is why his health ID was created and where it will be used,” the expert said.
“The debate should be about how the government makes decisions and not if it should be open source or not. We also need a personal data protection law, which unfortunately has not seen the light of the day yet,” the expert added.
.JPG)
.JPG)
