‘Aarogya Setu’, India’s latest weapon to combat the COVID-19 pandemic, may have earned the numero uno status in the mobile application market but has raised key privacy issues in a country that doesn’t have a data protection policy. The contact-tracing app, developed in a public-private partnership (PPP) mode, seeks to collect more personal data than is probably necessary. Experts argue that there are less intrusive alternative ways to generate and monitor public health data.
Since its launch on April 2, the multi-lingual app, available in 11 Indian languages, has garnered nearly one crore downloads and earned praise in a World Bank report.
However, its design has raised concerns among privacy advocates and cyber security experts who argue that the app seeks too much personal information. Other countries, particularly Singapore and Israel, have developed similar apps with no privacy pitfalls.
“These are unprecedented times, requiring unprecedented measures. But, it is important that the app be open-sourced, so that it can be tested for privacy,” said Nikhil Pahwa, digital privacy advocate and founder of Medianama.
Conceived by the government think-tank NITI Aayog, the app has been developed by the National Informatics Centre (NIC) in collaboration with private developers and volunteers.
Though the government has asserted that the personal data collected by the app is encrypted using state-of-the-art technology and stays secure on the user’s mobile phone, privacy activists have pointed out loopholes in terms of data collection, storage and transparency.
“Users have no way of checking if the government has deleted the data. They should have a judicial remedy to hold the government accountable,” says Sidharth Deb of Internet Freedom Foundation (IFF), an advocacy group.
The other sticking point is that the liability clause exempts the government in the event of unauthorised access and modification of a user’s information.
However, the NITI Aayog CEO Amitabh Kant has assured that the location data would not be used for surveillance. “It is used only for hotspots or where more testing is required. The identity of a COVID-19 person will never be revealed to anyone,” he assures.
How does it function?
When two or more app users meet or cross paths, their phones detect each other through Bluetooth and exchange a pre-generated random unique ID.
Every phone now has a log of every other phone that it has been in close proximity with. At some point in the future, if a user tests positive for COVID-19, the system alerts all users (devices) who came in close proximity. It asks them to self-quarantine or, should they develop symptoms, get tested.
The app also tracks users’ movement by collecting GPS coordinates every half-an-hour as well as continuous Bluetooth data about other users in the vicinity.
The user carries out a self-assessment test through a chatbot on the app. The bot asks for gender, age, foreign-travel history, and symptoms. This data is used to identify risk and alert other users if they come across anyone suspected of having coronavirus.
For “at-risk” or positive cases, the user’s 30-day log of previous contacts is downloaded to the server, and an alert is sent to each contact. The “at-risk” decision is taken by an algorithm.
If determined to be ‘at risk’, the data is given to health authorities and the user is notified. The location is then used to determine where hotspots might develop. The health authorities will plan the next course of action.
“All communication from the app, whether to another device or server, is secure and anonymised, and cannot be brute-forced; the app has been thoroughly and rigorously tested for security vulnerabilities by leading academic and industry experts,” the Principal Scientific Adviser to the government K Vijayaraghavan said.
Every 15 minutes, the app collects data about location and the places the user visits. According to the app’s terms of service, personal information and location data are securely stored on the mobile device.
The information is uploaded to a central server only when a user tests positive for COVID-19 or a self-assessment of symptoms indicates the possibility of infection.
While uploading to the server, the information is hashed with a unique, randomly generated device ID (DiD) number, which is used to identify the user in all subsequent app-related activities.
Every phone builds a log of every other phone in its close proximity, thereby creating a social chain of people a user has come in contact with.
Singapore’s TraceTogether app, launched on March 20, requires only the user’s mobile number. In case the user tests positive, the healthcare professional at the testing facility—with the permission of the user—generates a one-time password. Only then are the log files transferred to a central server.
Based on this information, Singapore’s health ministry alerts all users who came in contact with Covid-positive people.
Importantly, TraceTogether doesn’t need or collect location data.
On the other hand, Aarogya Setu seeks data that goes well beyond contact tracing—collecting details from smoking habit to occupation and GPS data.
In its guidelines on using technology to combat COVID-19, the European Commission had advised against processing data on location or movement of individuals. However, Aarogya Setu asks for GPS location even though this has no role in contact-tracing.
There is also a distinct lack of user control. While in the case of TraceTogether no data is transferred to the central server without an OTP being generated with the user’s consent, the Indian app has no such step.
In addition, while Aarogya Setu claims that the data from the app is deleted in 30 days, it is not clear what will happen to the data already uploaded to the cloud. In TraceTogether, on the other hand, both the device and server data are erased in 21 days.
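To make the mechanics described above concrete, the following toy simulation (added here; it is not code from Aarogya Setu, TraceTogether or any government body) models the Bluetooth exchange of random IDs, the per-phone proximity log, retention pruning, and an upload that is gated on the user’s consent the way the TraceTogether OTP step is. The `Phone`, `Server` and `run_scenario` names, the 30-day window and the SHA-256 hashing of the device ID are assumptions for illustration; note that matching contacts never needs a GPS coordinate.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)  # the 30-day contact log described in the article


class Phone:
    def __init__(self, owner):
        self.owner = owner
        self.bt_id = secrets.token_hex(8)   # pre-generated random ID exchanged over Bluetooth
        self.did = secrets.token_hex(16)    # device ID (DiD) used to key uploads (assumed)
        self.log = []                       # (seen random ID, timestamp) pairs

    def encounter(self, other, when):
        # Both phones record each other's random ID; no location data is involved
        self.log.append((other.bt_id, when))
        other.log.append((self.bt_id, when))

    def prune(self, now):
        # Drop contacts older than the retention window before anything leaves the phone
        self.log = [(i, t) for i, t in self.log if now - t <= RETENTION]


class Server:
    def __init__(self):
        self.uploads = {}  # hashed DiD -> list of contact IDs

    def upload(self, phone, consent, now):
        # Upload only with an explicit consent token (the OTP gate the article
        # credits to TraceTogether and finds missing in Aarogya Setu)
        if not consent:
            return None
        phone.prune(now)
        key = hashlib.sha256(phone.did.encode()).hexdigest()
        self.uploads[key] = [seen for seen, _ in phone.log]
        return key

    def contacts_to_alert(self, key, directory):
        # directory maps random ID -> Phone, standing in for the push channel
        return sorted({directory[i].owner for i in self.uploads.get(key, [])})


def run_scenario():
    now = datetime(2020, 4, 15)                      # constructed sample timeline
    a, b, c = Phone("A"), Phone("B"), Phone("C")
    directory = {p.bt_id: p for p in (a, b, c)}
    a.encounter(b, now - timedelta(days=2))          # recent contact, inside the window
    a.encounter(c, now - timedelta(days=40))         # stale contact, pruned before upload
    server = Server()
    blocked = server.upload(a, consent=False, now=now)  # A tests positive but declines
    key = server.upload(a, consent=True, now=now)       # A consents; pruned log uploaded
    return blocked, server.contacts_to_alert(key, directory)
```

Running `run_scenario()` shows that nothing reaches the server without consent and that only B, the contact inside the retention window, is alerted.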
The policy states that the information is uploaded to a cloud server in “anonymised” and aggregated datasets only for the purpose of generating reports, heat maps and other statistical visualisations. However, the critics argue that it is unclear as to what the government views as ‘anonymised’.
However, personal data collected while registering with the app will be retained till the account exists and, thereafter, “as long as required under any law in force for the time being”.
The legal requirement has not been defined. “The government will not use the data gathered by the app for any purpose other than COVID-19 medical examination,” the NITI Aayog CEO said.
There are also fears that the government could significantly expand its surveillance powers by combining the app’s data with existing government databases, many of which are seeded with mobile numbers.
There is no doubt that when given a choice between privacy and health, people usually choose the latter, particularly in an emergency situation. However, even after the coronavirus storm subsides, the government may continue to use technology tools for mass surveillance.