Aarogya Setu: Whether we like it or not, the app is here to stay, but it’s still riddled with privacy issues that need strong answers
As we begin the seventh week of lockdown, the rate of COVID-19 infections just doesn’t seem to be slowing down. Every day, the graph just looks like a trekker ascending Mount Everest, with the summit nowhere in sight. With a majority of the 1.3 billion people confined to their homes and under lockdown, things don’t look like they will change any time soon. The government announced new measures from 3 May onwards for the recently defined red, orange, and green zones.
One way that the government of India hopes to keep track of COVID-19 trends is via its Aarogya Setu app. Launched on 2 April, and developed by the National Informatics Centre (NIC), the Aarogya Setu app crossed 90 million downloads as of 4 May, according to NITI Aayog CEO Amitabh Kant. Prime Minister Narendra Modi had himself appealed to citizens to download this app in his address to the nation.
Aarogya Setu 101
It is safe to assume that most of us have heard of the Aarogya Setu app, as it has been in the news for all sorts of reasons, good and bad. But for those of you who have taken a hiatus from news to maintain your sanity, the Aarogya Setu app is a contact tracing app that uses your smartphone’s GPS and Bluetooth and alerts you if you have been in contact with a COVID-19 positive patient as you go about your life.
Before we go on, if you want a lowdown on what contact tracing means, Nandini has explained it quite well in this video.
Contact tracing explained in under 3-minutes
Apple and Google are working on a contact tracing tool; the Indian government has a contact tracing app called Aarogya Setu. But what does contact tracing mean and how does it work? pic.twitter.com/Ia8tggdKnS
— Firstpost (@firstpost) April 24, 2020
Contact tracing is a physical method of tracking down infected people, then finding everyone who has been near them and encouraging those people to stay home until it is clear they are not sick. Given the shortage of medical professionals and the rapid growth of COVID-19 cases, a lot of countries are switching to mobile phone-based contact tracing. To give an overview, the smartphone you carry with you all the time will have an app that communicates with surrounding phones and creates a log of virtual IDs. If you test positive, then everyone in the log of virtual IDs on your device would be informed. Ideally, this will be limited to the region where you encountered the infected person. Now let’s see how this method is implemented in the Aarogya Setu app.
After getting the right permissions during download, the app poses a bunch of questions to you during the registration phase. The app is available in 11 languages and requires you to enter details such as your name, gender, age, location, mobile phone number, and whether you’ve travelled to any foreign country in the last 30 days. You are also requested to enable your Bluetooth and GPS for tracking to be enabled. If anyone has been in your proximity, your phone will store the anonymous Bluetooth digital ID generated by that device (provided the Aarogya Setu app is installed on that phone as well) and your phone’s ID will be stored on the devices around you. Additionally, every 15 minutes, the latitude and longitude of the user are stored on the device.
Apart from information-packed PDFs about COVID-19, the app also has a feature called ‘Self Assessment’, which lets you take an online test to determine if there’s a chance you’ve been exposed. You have to answer a bunch of questions and, based on the guidelines from the Indian Council for Medical Research (ICMR), the app lets you know your risk level. Every time you take a self-assessment test, your location data is sent to a central government server managed by the NIC.
On 2 May, the government made downloading of the app mandatory for all its employees and has requested private organisations to ensure all their employees also have the Aarogya Setu app on their phones. “It shall be the responsibility of the head of the respective organisations to ensure 100 percent coverage of this app among the employees,” the ministry said. This mandate attracted a lot of flak from privacy activists.
Advantages of contact tracing apps
Countries such as Taiwan, Singapore, and South Korea have used contact tracing apps in their fight to stop the spread of Coronavirus. There is no hard evidence on whether these contact-tracing apps by themselves have been effective in containing the spread. But the apps in Singapore and Taiwan have been open to scrutiny by the public. In fact, in Taiwan, hacktivists, developers, and citizens worked with the government to develop newer functionality, and it has been both a bottom-up and a top-down approach. In Singapore’s case, the TraceTogether app only needs your mobile number and does not need anything else, and its use is voluntary.
We need to understand that Taiwan and South Korea — the two countries apart from China that have managed to flatten the curve quickly — have had SARS and MERS outbreaks before, so their health authorities are equipped to handle virus outbreaks, or at least have the right systems in place. An Indian example of that would be the state of Kerala, which had the right systems in place after the state was affected by the Nipah virus and has been impressive in containing the spread of Coronavirus as compared to the rest of the country.
Contact tracing apps are a measure over and above the on-ground responses.
“If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, ‘no’. Not now and, even with the benefit of AI/ML and — God forbid — blockchain, not for the foreseeable future,” said Jason Bay, the product lead on Singapore’s TraceTogether app in a Medium post.
Are contact-tracing apps effective? According to an Oxford study, contact tracing can be highly effective if around 60 percent of the population is actively using the apps. That’s a huge number of people. To put things in context, we need as many users of contact tracing apps as there are WhatsApp users in the country. Getting to that kind of voluntary app adoption takes years. Considering there are around 500 million smartphone users in India, and the Aarogya Setu app has reached a base of 90 million, that still constitutes only around 18 percent of users. What about feature phone users who cannot download the Aarogya Setu app? We will discuss that later in the article.
Although the government order mandates the download of the Aarogya Setu app, I spoke to around 15 friends who work in the private sector and have yet to come across anyone who has heard from their management about downloading the app. But there are cases such as Zomato chief Deepinder Goyal mandating the use of this app amongst his employees.
Today, we’ve started mandating each of our delivery partners to install and use @SetuAarogya. The idea is to keep individuals as well as the authorities informed in case they have crossed paths with someone who has tested positive for coronavirus – to prevent further spread.[6/n] pic.twitter.com/tTok9LyTBA
— Deepinder Goyal (@deepigoyal) April 22, 2020
For now, general inertia aside, the major deterrents are the privacy issues being raised about the Aarogya Setu app.
The fact that the app is made by the government, which doesn’t really have the best track record for privacy — one just has to look at how Aadhaar has been misused — has raised a lot of concerns. Making the download mandatory for the whole smartphone-using population is another thorny issue. Let’s take a look at each of the concerns.
Assuming everyone owns a smartphone is wrong
Internet Freedom Foundation (IFF), one of the leading think tanks on digital privacy, claims that in the absence of a comprehensive data protection law, the chances of misusing a ‘contact tracing’ app for systems that control people’s movement are high. It has also sent a representation to the government against the Aarogya Setu app.
One of the arguments IFF makes against mandating the download of the Aarogya Setu app is that it will result in discrimination against certain regions that have a lower concentration of smartphones. “Specifically, it can lead to harmful outcomes for people residing in economically weaker areas,” says IFF. Come to think of it, there’s data to back this claim.
While the smartphone user base in India may have crossed 500 million users, IDC says that there are still around 550 million feature phone users, and around 45 percent of feature phone users have a device under Rs 1,000. The Aarogya Setu app will not work on these feature phones — so what then happens to that portion of the populace? We have seen discrimination against some people who were being denied entry into a pharmacy because they didn’t have the Aarogya Setu app on their smartphones.
What would happen to people who don’t have a smartphone to begin with?
MyGov, which is the government arm behind the Aarogya Setu app, has plans to include non-smartphone users as well. MyGov CEO Abhishek Singh in an interview with HT has confirmed that the government is working on developing a KaiOS version of the Aarogya Setu app for the close to 110 million JioPhone users. For those on feature phones, the government has started an IVRS call service for the number 1921.
“Those with feature phones can give a missed call on this number. We will then call them back and go through the same questions that are asked in the Aarogya Setu app. Based on the responses the caller will get information on his health condition,” said Singh.
On what basis is the government mandating the download of the Aarogya Setu app?
Enforcing the download of an app without any legal basis is another area for concern.
According to privacy laws expert Asheeta Regidi, there is no law that expressly allows a government to mandate the downloading of an app.
“The Ministry of Home Affairs order which mandates the use of Aarogya Setu has been issued under the Disaster Management Act, 2005. Section 6(2) and Section 35 grant the National Disaster Management Authority and the Central government broad powers to lay out ‘policies’ and take ‘all such measures deemed necessary’ to manage the disaster. The use of this power to mandate the download of an app is similar to the use of Section 144 CrPC to issue internet shutdown orders. The issues that arise are also thus similar,” said Regidi in an email interaction with Tech2.
Transparency is missing
“There are already reports which confirm that this server is being linked with other government datasets. Such linking increases risks of permanent systems of mass surveillance,” claims an IFF report.
“The laws in use today like the IT Act/DMA, were enacted 15-20 years ago, and do not envisage the ways in which technology can be used today. Activities like open sourcing, white-hat hacking, etc. also fall into a legally grey area. Given that the app is supposedly voluntary and for the public benefit, there is no reason why the government should not invite public participation in ensuring its security, particularly as it can entail a mass invasion of people’s rights,” says Regidi.
Data minimisation is questionable
As explained earlier, the details you have to fill in before you can start using the app include many personally identifiable pieces of information. IFF compared Aarogya Setu with Singapore’s TraceTogether and MIT’s Private Kits: Safe Paths.
According to IFF, “Other apps just collect one data point which is subsequently replaced with a scrubbed device identifier. India’s Aarogya Setu collects multiple data points for personal and sensitive personal information, which increases privacy risks.”
While there is no set definition of what comprises minimum data, there has to be justification for every piece of information being used. According to Regidi, with respect to the Aarogya Setu app, the purposes it lists are quite broad:
- use of anonymised and aggregated data for generating reports and heat maps
- to provide persons carrying out medical interventions with the info they need on you to do their job
- use of the information to calculate the probability of your being infected with the disease, among others
“Collection of sensitive data like health data needs to meet the purpose limitation principle first, and then meet the criteria of data minimisation. The absence of a law here is a big concern,” opines Regidi.
The code isn’t open to the public
One of the major objections raised by a lot of privacy activists is that the government hasn’t opened the source code to public scrutiny. Prasanth Sugathan of SFLC.in, a privacy think tank that has done a detailed analysis of every version of the Aarogya Setu app, feels his team’s findings were limited because reverse engineering the app isn’t allowed. As the app’s source code isn’t known, SFLC was able to analyse only the app’s front end, from the client side.
“If the government makes the source code open and lets people know what happens at the server-side, that information will be quite useful. I don’t see any reason to hide the source code, because you are not helping the security in any manner by doing that. If there are any vulnerabilities, developers can flag them and it will help you patch them quicker,” said Sugathan in a phone interaction with tech2.
But, according to the government there is a reason behind not making the app’s source code known. According to MyGov’s Singh, the app was developed in two weeks, so there are changes being made to the code regularly as the team is getting new user insights. Unless the app is stable, Singh said releasing the source code would not help much as there would always be someone raising false alarms. He also mentioned that it could lead to the app’s misuse by non-state actors.
How long is data held in the NIC servers?
The duration of holding the data in NIC servers depends on the cases. Singh claims that data is sent to the servers only if an app user tests positive for COVID-19, and that at all other times, data is always on the user’s device.
At the time of registration, data sent to the servers includes name, phone number, age, sex, profession and countries visited in the last 30 days. Location details are also uploaded to the server. This data will be hashed with a unique digital ID (DiD) which is pushed to the app on your phone. Any app related transaction or queries will be associated with this DiD. This data will remain as long as your account remains in existence and “for such period thereafter as required under any law for the time being in force,” a statement that is as vague as possible and doesn’t instill much confidence.
Apart from this, there are three instances when data exchange happens.
- When two registered users come in contact, anonymised Bluetooth data will be stored on both phones.
- Every time you complete a self-assessment test, your location data along with DiD will be uploaded to the NIC server.
- The app is constantly collecting your location data every 15 mins and stores it locally on your device. This information log will be uploaded to NIC servers along with your DiD only if you test positive for COVID-19 or if your self-declared symptoms indicate that you are likely to be infected or if your self-assessment test result is either Yellow or Orange. If the self-assessment returns Green, then no data is sent to the servers.
Data in all three cases will be present on the mobile phone for 30 days at the very least. If you have not tested positive for COVID-19 then the data is flushed after 45 days. If you have tested positive for COVID-19, then the data will be purged 60 days after you have been cured. But what happens if someone testing positive for COVID-19 deletes the app? Moreover, does deleting the app from your device purge the data or does that need to be done separately? There is no clarity on this.
“Section 43A of the IT Act, the primary data protection provision in India, applies to sensitive personal data collected by a body corporate. While this can include governmental bodies (the UIDAI is a body corporate), the Aarogya Setu app merely mentions the ‘Government of India’ without specifying the department/body. It is thus unclear if Section 43 applies here, or who can be held liable for any breach of data,” says Regidi.
But all things considered, Section 43A and the IT SPDI rules do contain provisions requiring deletion of data once its purpose is accomplished. However, it does not provide persons with a right to such information. This does, however, form a part of the upcoming Personal Data Protection Bill, according to Regidi.
What if I don’t want to use the app? What are the ramifications?
While there hasn’t been a nation-wide punishment announced if you don’t download the Aarogya Setu app, in Noida things are different. Those of you who are living in Noida and Greater Noida are likely to be fined (Rs 1,000) or jailed (6 months) if you do not have the Aarogya Setu app on your phone.
“All those with smartphones who do not have the application can be booked under Section 188 of the IPC. After that, a judicial magistrate will either decide if the person will be tried, fined, or left with a warning,” said Akhilesh Kumar, DCP Law and Order, to Indian Express.
This even applies to those who are coming into Noida. But there is no clarity on how those who aren’t using smartphones are to comply with this order. The Noida Police order isn’t in line with the government order which only mandates public and private sector employees to have the app downloaded. The Noida Police order seems to go much beyond that and even involves cops calling residents to check if they have downloaded the app in containment zones.
The IFF has legally challenged this order by the Noida Police. According to the filing, the main grounds for challenge include arguments that the order is contrary to law, contrary to fact and violates privacy and personal liberty.
How can the situation be improved?
So far, only Noida has taken the extreme step of announcing measures against those who don’t download the app. But as lockdowns start lifting (hopefully after 17 May), there will be an increasing push to get private organisations to mandate use of the app. The government has also floated the idea of allowing this app to be used as an e-Pass in the post-lockdown phase, so there could be an increased push for everyone to have this app installed.
Bottom line: We may have to live with this app eventually.
How then do you convince those who are still wary about using the app?
“The best way to allay fears is to go for technologies which are privacy-first, then try to open-source the app and make people understand what the app does, and finally, be clear on a sunset clause — How long are you going to keep the information? This not just includes the information collected when you are using the app, but also your personal information. Since we don’t have a data protection law, there should be assurances from the tech side as well as the legal side. This should not be the start of a surveillance regime as such,” said Sugathan.
Addressing the issue of whether Aarogya Setu could become a surveillance app, Singh said that that wasn’t the objective. He claimed that data on only 0.5 percent of the app’s users is sent to the central servers, which is because the data is only sent when certain conditions are met. Moreover, according to Singh, there will be a limited time within which the pandemic will be contained, post which there won’t be any need for the app.
“Anyone who thinks this is a surveillance tool is wrong. Only the data of those who are suspected to be tested positive are sent to the servers with the objective of alerting those with whom you have come in contact in the last 14 days… It also helps us keep track of the places the suspected patient has visited,” said Singh, stating that even before anyone starts using the app, an informed consent is taken. According to Singh, using this app is the only way we can help flatten the curve and reduce the number of cases.
“We can’t always be under lockdown. So when we are opening up, and we realise that the cases may still continue to rise, how do you ensure that you reduce the impact of the virus? So this app becomes an important technological tool to limit this pandemic to only those who are affected,” said Singh.
Unlike in the past, this time around, the government has engaged with French security researcher Baptiste Robert, who goes by the moniker @fs0c131y, after he reported issues with the Aarogya Setu app. While Baptiste in his Medium post claims that the government responded within 49 mins, the government’s response doesn’t properly address the concerns he raised.
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
PS: @RahulGandhi was right
— Elliot Alderson (@fs0c131y) May 5, 2020
Aarogya Setu’s Twitter handle released a statement addressing Baptiste’s objections, and Singh, in the interview with HT, assured that every claim made by any ethical hacker would be taken seriously and worked upon.
— Aarogya Setu (@SetuAarogya) May 5, 2020
Is this the only way forward when it comes to digital contact tracing? Thankfully, no.
In the next part of this two-part series, we will look at how contact tracing apps are working around the world and how Google and Apple’s ‘decentralised’ approach is different from that used by the Aarogya Setu app.