The Aarogya Setu app was launched to help the Government and front-line workers control the pandemic, but privacy advocates fear that the app is insecure and has breached the private data of citizens. Are these accusations well grounded, or have they been raised to stir up hostility towards the government? Let’s find out.
Introduction
The COVID-19 pandemic, which originated in China, continues to ravage the world, and consequently there have been many attempts in the technological arena to reduce the damage unleashed by this “mahamari”. On 2nd April 2020, the National Informatics Centre [1] (NIC) under the Ministry of Electronics and Information Technology (MeitY) released the Aarogya Setu app to facilitate contact tracing in India.
What is contact tracing?
Contact tracing, in the context of public health, refers to the process of tracing those people who have come in contact with an infected person. By tracing those people, testing them for infection, treating them, and tracing their contacts in turn, the public health system of a country aims to minimize the spread of a particular infection. This is in effect contact tracing.
So how does this app work in ensuring contact tracing?
The Aarogya Setu app requires both the device’s Bluetooth and location to be switched on at all times, which allows the app to collect GPS and location data. At the time of installation, the app collects the following basic data: name, age, sex, profession, travel history and phone number. This data is later linked to a unique device ID (DiD), which is stored in a database. When two registered users come within Bluetooth range of each other, their apps automatically exchange DiDs and record the time and GPS location at which the contact took place. The app also continuously collects your location data, recording all the places you have been to at 15-minute intervals, and stores it on your mobile device.
Initial reception and how the app has helped
With international organizations like the World Bank praising India’s initiative of developing a contact tracing app more than a week before Apple or Google released their versions, the app stayed in the good books of the general public. Within three days of launch, the app crossed 5 million downloads, and it crossed 50 million in 13 days, making it the fastest downloaded app in the world. The initial response to the app seemed favorable.
The app requires its users to take regular self-assessment tests and alerts them about local cases in the area. As of 16th June, the Aarogya Setu app has helped discover over 600 hotspots in the country and has alerted 140,000 people to the potential risk of exposure to the virus. Front-line workers depend on the voluntary data collected by the app to fight the pandemic and take adequate precautions in their line of work. However, the government-released app has received heavy backlash over privacy and data misuse concerns. It has been accused by the former president of the Congress party, Rahul Gandhi, of being a “sophisticated surveillance system”.
What exactly are these concerns?
On May 1st, the government announced that it was mandatory for both private sector and government employees to install the app on their phones. This raised concerns, as people felt that their personal data was now at the mercy of the government. The app was also criticized by former Supreme Court judge BN Srikrishna, who said that the drive to make people use the app was “utterly illegal”. He stated that so far it is not backed by any law and questioned “under what law, government is mandating it on everyone”. Techies and privacy advocates also accused the government of not being transparent, because the source code for the app was not made public. The source code, if made open, would give developers a clear-cut view of whether data fed to the app is secure or not, and would remove any doubt.
The privacy policy also never mentions that the data can only be used by the Health Ministry, making data accessible to any government ministry, which is a cause for concern. Other ministries having access to personal data such as the location of COVID patients could prove to be extremely dangerous, as private data can easily be sold to third parties if it falls into the hands of corrupt government officials.
Robert Baptiste, a renowned French ethical hacker, also criticized the app, saying that its location feature was deeply flawed. He claimed that the flaws in the app enabled him to see how many people were unwell in the Prime Minister’s office and the Indian Army’s headquarters, which can be a serious threat to national security.
If one analyses the privacy policy for the app, one will understand that all the data points mentioned above which are fed to the app will be securely stored on the user’s device itself and will only be uploaded to the server and made accessible to the authorities, along with the DiD, only
(i) if you test positive for COVID-19; or
(ii) if your self-declared symptoms indicate that you are likely to be infected with COVID-19; or
(iii) if the result of your self-assessment test is either YELLOW / ORANGE.
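A minimal model of the data flow described in this article, added here as an illustration and not taken from the Aarogya Setu code: records stay on the device until one of the three conditions holds, and a flagged user's upload then also carries the DiDs, times and locations of everyone they met. The class and function names, the `OTHER` result label and the sample DiDs and coordinates are constructed, and the model assumes the contact log is part of what gets uploaded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

UPLOAD_COLOURS = {"YELLOW", "ORANGE"}     # self-assessment results that trigger upload
SAMPLE_INTERVAL = timedelta(minutes=15)   # location sampling interval from the article

@dataclass
class Device:
    did: str                                       # unique device id (DiD)
    contacts: list = field(default_factory=list)   # (peer DiD, time, GPS), on device
    trail: list = field(default_factory=list)      # (time, GPS) samples, on device
    tested_positive: bool = False
    symptoms_indicate_infection: bool = False
    assessment: str = "OTHER"                      # constructed label: not YELLOW/ORANGE

    def sample_location(self, when, gps):
        # Keep at most one location sample per 15-minute interval.
        if not self.trail or when - self.trail[-1][0] >= SAMPLE_INTERVAL:
            self.trail.append((when, gps))

    def must_upload(self):
        # Conditions (i), (ii) and (iii) of the privacy policy as quoted above.
        return (self.tested_positive or self.symptoms_indicate_infection
                or self.assessment in UPLOAD_COLOURS)

    def upload_payload(self):
        # Nothing leaves the device unless one of the conditions holds.
        if not self.must_upload():
            return None
        return {"did": self.did, "contacts": list(self.contacts),
                "trail": list(self.trail)}

def bluetooth_contact(a, b, when, gps):
    # Both sides record the other's DiD with the time and place of contact.
    a.contacts.append((b.did, when, gps))
    b.contacts.append((a.did, when, gps))

def dids_disclosed(payload):
    # Every DiD the server learns about from a single upload.
    return {payload["did"]} | {peer for peer, _, _ in payload["contacts"]}

def demo():
    t0 = datetime(2020, 5, 1, 9, 0)                # constructed sample data
    a, b = Device("DID-A"), Device("DID-B")
    for minutes in (0, 5, 15, 20, 30):
        a.sample_location(t0 + timedelta(minutes=minutes), (12.97, 77.59))
    bluetooth_contact(a, b, t0 + timedelta(minutes=10), (12.97, 77.59))
    before = a.upload_payload()                    # no condition met yet
    a.assessment = "ORANGE"                        # condition (iii) now holds for A
    return before, a.upload_payload(), b.upload_payload()
```

In this model device B never meets any of the three conditions and uploads nothing itself, yet its DiD reaches the server through A's contact log.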
If one reads further, one will see that the policy states that the data will be used only by the Government of India and cannot and will not be shared with third parties. Despite these assurances, there is an element of doubt regarding this clause, as it came into the privacy policy far too late.
Aarogya Setu’s privacy policy has been changed thrice in two months. The first policy made absolutely no mention of whether or not third parties can access personal data, which was a cause for concern. However, this was rectified in the second policy, which mentioned explicitly that data collected will not be shared with third parties. Nevertheless, the delay in the addition of this clause has caused some individuals to speculate as to why it never appeared in the initial policy.
Government response
Government officials and the app’s developers were the first ones to come to the defence of the app by stating that the app was designed with the very principle of maintaining ethical privacy practices.
Nonetheless, on May 17th, the MHA [2] softened its guidelines, making the use of the app voluntary, yet encouraged employers to have the app installed on phones which are compatible. Though this move was pro-democratic, it did not seem to please the public. Many critics ignored this and continued to criticize the app on other fronts.
On May 26th, owing to popular demand, the government finally made the app’s source code open, allowing specialists to take a look into it. This was done to allow the software developer community to further develop the source code to achieve higher standards of contact tracing and increase the efficiency of the app as a whole. This garnered both criticism and praise: some cybersecurity experts claimed that the released source code was fake, whereas others appreciated the move of making the app open source, as this is the first time such an initiative has been taken up by the government. Robert Baptiste, probably one of the biggest critics of the app, welcomed the move.
Furthermore, the NIC simultaneously launched the Bug Bounty Program, which incentivized researchers to find flaws in the app, making Aarogya Setu a private-public collaboration. The program offers anywhere between rupees 1 and 3 lakhs to anyone who can hack the app.
Arnab Kumar, director of Aarogya Setu, and Amitabh Kant, CEO of Niti Aayog, have consistently and emphatically stood by the efficacy of the Aarogya Setu app, while others, out of concern to secure the sanctity of private data, have been trying to disprove the same. The fact of the matter is that if India had better Personal Data Protection laws, neither the ethicality of the app nor the intent of its creators would have come into question.
We should also take a minute to ruminate about how the app has helped the government reduce the impact of the virus in the country. Sometimes hard rules and regulations are required to plough through hard times. We can all agree that before the government starts another digitized program, it should tend to the requirement of strong personal data protection laws; otherwise it will receive the same criticism it received for the BHIM [3] program, AADHAAR [4] and now Aarogya Setu, as being an encroachment on privacy and a threat of leak of private data.
Till the crisis subsides, the impetus and the hard work behind the initiative should be appreciated and the app should be considered as a weapon for the fight against COVID-19 protecting scores of our frontline warriors.
REFERENCES
[1] The National Informatics Centre (NIC) is an attached office under the Ministry of Electronics and Information Technology (MeitY) in the Indian government. The NIC provides infrastructure to help support the delivery of government IT services and the delivery of some of the initiatives of Digital India.
[2] The Ministry of Home Affairs (MHA) or Home Ministry is a ministry of the Government of India. As the interior ministry of India, it is mainly responsible for the maintenance of internal security and domestic policy. The Home Ministry is headed by Union Minister of Home Affairs Amit Shah.
[3] BHIM (Bharat Interface for Money) is an Indian mobile payment app developed by the National Payments Corporation of India (NPCI), based on the Unified Payments Interface (UPI). Named after B. R. Ambedkar and launched on 30 December 2016, it is intended to facilitate e-payments directly through banks as part of the 2016 Indian banknote demonetization and drive towards cashless transactions. The app supports all Indian banks which use UPI, which is built over the Immediate Payment Service (IMPS) infrastructure and allows the user to instantly transfer money between bank accounts of any two parties. It can be used on all mobile devices.
[4] Aadhaar is a 12-digit unique identity number that can be obtained voluntarily by residents or passport holders of India, based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2009 by the government of India, under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016. Aadhaar is the world's largest biometric ID system. Considered a proof of residence and not a proof of citizenship, Aadhaar does not itself grant any rights to domicile in India.
Author: Kaushik Subramanya
Editor: Aditya Sircur