Seamy side of Aarogya Setu app needs patch up for seamless experience

On May 5, 2020, when a noted ethical hacker from France, known by his pseudonym Eliot Anderson, claimed that there was a security issue with the Arogya Setu App officially introduced by the Modi government, the team at the National Informatics Centre (NIC) which developed the app and the scientific advisor to the prime minister went into a tizzy.

The issue assumed political overtones as the hacker in his tweet had endorsed opposition Congress leader Rahul Gandhi’s claim that the app was a sophisticated surveillance tool. However, when the government teams duly contacted the hacker to get to know about the alleged vulnerability, initially the answer he gave turned out to be a damp squib. He said that the app could be used to identify the geographic location of the user.

The government teams responded by saying that this was by design—meaning this is precisely what the app is meant for. The team further assured that the personal data collected from the users are safely stored in a server in a secure, encrypted in an anonymised manner and the safety cannot be breached and the personal data is made available to central agencies only for proactive administration of necessary medical interventions.

Related news: Hacker raises red flag on Aarogya Setu, govt says no security breach

The next day, the hacker pooh-poohed these arguments and promised to come up with more information about the alleged vulnerability of the app on May 7 and even offered to come up with a full-length article on the security loophole. When this piece was being written, the nation was anxiously waiting for this promised information.

With this dramatic sequence, the data security implication of this app has come into national limelight. After all, the Modi government has been going all out to push for the most extensive use of this app. No less than the prime minister himself urged the citizens, in his April 14 address, to download the app and install it in their cell phones. Launched on April 4, the number of downloads of the app had crossed 9 crore in a month, i.e., as on May 5.

Use of this app has been made mandatory for all the employees of the government as well as private companies. Hundred percent use of this app by all in red zones of the pandemic or the hotspots has been made compulsory. All the chief ministers, including those from the opposition as in Kerala, have enthusiastically endorsed this app uncritically and have thrown their weight behind it. Overzealous local administrators in some places like Noida and Uttar Pradesh have even declared a fine of ₹1,000 or jail for not using the app. So any possible security lapse with this app would naturally snowball into a major political issue.

No doubt, at one level, the app can go a long way in dramatically strengthening the COVID-19 containment efforts and can be of great help to the citizens in addressing their related safety concerns. For instance, at the press of a button, if a citizen can get to know the location of all the people who have tested positive for coronavirus within a 10 km radius, that would be a great safety input. You get to know who and which place to avoid.

But when it comes to technology, which is a double-edged sword, all great things also come with a seamy side. They can be misused or even manipulated, including in the case of Arogya Setu.

For instance, the privacy policy of the Arogya Setu app says that personal information related to a registered user like the name, phone number, age, sex, profession and countries visited in the last 30 days is obtained at the time of registration and stored in a server. This is no big deal as much of this information is already available in different public domains, from Aadhaar to voter IDs data. But this is not all. More sensitive personal information is also recorded by this app. For instance, when two registered users, both possessing smart phones, come within the bluetooth range of each other they will share each other’s digital IDs (DiDs) and the time and GPS location of their close encounter would get recorded in their mobile phones and then in the server.

Related news: Aarogya Setu, Zoom, most downloaded apps by Indians during lockdown

In other words, the data on where all you go and who all you meet is recorded every 15 minutes and gets stored in a government database. This monitoring system can alert the authorities automatically whenever you are becoming part of any congregation even while maintaining social distancing etc. This kind of personal information is far more sensitive and can potentially be used to curtail one’s right to privacy and even human rights.

Secondly, you are supposed to periodically update your health data including through a self-assessment test. If needed, the data on your medical history can also be sought. It is liable to be commercially misused if such data are shared with the corporates.

At another level, there is not much transparency about the functionality of this app.

Firstly, the government has not come out with any arguments about the inevitable need for such an app. For example, contact tracing in Kerala is done by panchayats, women’s groups and local healthcare personnel—even without Arogya Setu they did effective containment, not only during the COVID-19 crisis but even during the earlier Nipah virus outbreak in 2018 and the outside world is now talking about the ‘Kerala Model’ in COVID-19 containment.

Collecting and storing all the Arogya Setu data in a government server would be meaningful only if local panchayats and local healthcare administrators can access it as they will be the ones who will do the ultimate health intervention as well as containment. But then such sensitive personal data being accessible to multiple local points itself robs it of data security. Centralising all the data at one set of servers makes it all the more vulnerable as we have seen even Aadhaar data getting hacked in the past.

Further, in how many instances it has been effectively used for contacts tracing or helped in focused testing—i.e., the actual record of use—has not been shared with the public. So it is difficult to evaluate the efficacy of this app.

Secondly, it can screen only those who have already tested positive, but helpless in the case of those who carry the virus but have not yet been tested and identified who outnumber those identified by 1: 3 or more, according to epidemiologists.

Likewise, it can work only in the case of those with smart phones as it is based on bluetooth technology which only smart phones have. Making it mandatory not only for all the government employees but also for all private employees including gig workers like delivery boys and scheme workers like anganwadi-Asha workers without government footing the bill is a bit unfair as many scheme workers and gig workers would have to spend two to three months of their salaries on buying a smart phone.

Related news: Aarogya Setu: Mass outreach or data overreach?

Last but not the least, the Arogya Setu app would work in interface with Arogya Setu Mitra website launched by the government. Through Arogya Setu Mitra, the registered users are supposed to get regular health advisories, and they can ask for home collection of samples for testing and even for home delivery of medicines.

The only thing is that these services are not free and are not rendered by the government agencies. Home testing is done by Dr Lal Pathlabs, SRL Diagnostics, Metropolis, Thyrocare and others and drugs are supplied by ‘1mg’, netmeds.com, MedLife and PharmEasy and so on. To consult doctors, you are to depend on telemedicine services of corporate hospitals like eSanjeevani OPD, Swasth, StepOne, Tata Bridgital Health and Tech Mahindra’s Connectsense Telehealth platform. In other words, the government has put the Arogya Setu App at the service of commercial entities without any regulation of cost or quality of service which is not healthy.

The government should rectify these glitches and come up with more foolproof arrangements for data security to prevent this otherwise useful venture from turning counterproductive.