Aarogya Setu: The Facts You Must Know Before You Download The App

Released in April 2020, Aarogya Setu—India’s COVID-19 contact tracking app, has over 100 million downloads. Developed by the National Informatics Centre, Ministry of Electronics and Information Technology via “public-private partnership”, the app is meant to be a digital tool to battle the pandemic. Opinions differ, though on whether the app is indeed a powerful tool to supplement manual tracking of those who may be affected with COVID-19 or serves to strengthen state surveillance.

But, with the MIT Technology Review’s COVID tracing tracker singling out India as being the only democracy in the world to make the app mandatory for its billion-strong population, and giving it a rating of two stars out of five, there are legitimate concerns about data safety, privacy and transparency. The central government now says that it is not mandatory, but it is compulsory at several places.

How it works

Aarogya Setu employs smartphone technologies such as Bluetooth and GPS to enable users to know if they have been in contact with a COVID-19 patient, by scanning the Indian Council of Medical Research (ICMR)’s database of known cases of the disease. The app does this by keeping a record of its users it detected nearby, using Bluetooth, and by keeping a GPS log of all the places that the device had been at 15-minute intervals.

Aarogya Setu has four sections—Your Status, Media, COVID Updates and e-Pass and is available in 11 Indian languages. Upon installing the app, a user is required to fill in their name, number, gender, travel history and smoking habits. They are also required to take a health survey, and if the self-assessment hints at any COVID-19 symptoms, the data is uploaded to the servers; until then the records are stored on the phone. The app provides information on how to self-isolate and access to telemedicine, an e-pharmacy and diagnostic services, the helpline number 1075 and a PM CARES Fund section for donations. The appalso gives each user a colour-coded badge showing infection risk.To make compliance easier, the app has been whitelisted by all Indian telecom companies, so that its use does not exhaust a user’s mobile data limits.

For a large section of the Indian population that lack access to smartphones, the government has launched Aarogya Setu IVRS for feature phones and landlines. Under this service, users will be able to receive their health status via SMS, bygiving a missed call to the registered number.

Areas of concern

Aarogya Setu sits firmly in line with India’s chequered history of imposing a ‘voluntary mandatory’ policy on government technology. The official line is that installation of the app is voluntary, the line between voluntary and mandatory was earlier blurred as all public sector employees and private companies were mandated to use it. And if you are a resident of Greater Noida and Noida, not downloading the application will invite a fine of Rs 1000 or jail time of 6 months.

The app raised an alarm among data privacy experts, civil rights advocacy groups and ethical hackers; with over 40 civil society organizations writing to the Prime Minister’s Office expressing concern against the mandatory use of this digital tool. The new guidelines released by the Ministry of Home Affairs on May 17, have opted for a seemingly lenient approach. The guidelines have been amended to state that private employers should on a “best effort basis” ensure that employees install theapp.It also mentions that district authorities “may advise” individuals to install the app. But, the app continues to be mandatory for train travel and is expected to be compulsory for air travel, when operations start.

With India lacking data privacy legislation, the users of the app have to depend on the privacy policy offered by the government, with no route for legal redressal for any breach. The app doesn’t come with a sunset clause, which translates into a fear of the government turning the tech into a mass surveillance and profiling device even after the pandemic.

The lack of information regarding processes and techniques followed by the government for aggregation and anonymization of the data collected by the app further leads to transparency concerns. The source code for Aarogya Setu, unlike other contact tracing apps hasn’t been made publicly available, which would have allowed scrutiny from third-party experts and lead to greater transparency and helped mitigating security concerns. Another technical faultline in the app is that the unique digital identity assigned to each user is a static number—instead of constantly changing digital identification keys—which makes identity breaches easier.

In its current form, the app does not allow its users to de-register or delete their accounts. To prevent movement tracking, the app deletes a user’s location data from their phone in 30 days from its date of collection, in 45 days from the server if the user tested negative and 60 days from government servers in case of those who have been cured of COVID-19. The app’s privacy policy states that upon cancellation of registration by a user, their information will be deleted after 30 days. But since the app does not provide an option to cancel registration or de-register, it’s unclear whether uninstalling the app means deregistration.

The personal data collected by the app can be shared by the government with “other necessary and relevant persons” for “necessary medical and administrative interventions.” This vaguely-worded privacy policy ensures that there is no prohibition levied on the sharing of personal data with third parties, or a clear mandate as to which government departments are allowed access to this data. Added to this, is the glaring accountability deficit in case of misidentification of a person’s COVID status, which require the individual to self-isolate and lead to restrictions in movement and could potentially affect their income. The app’s terms of service exempt the government of any liability in case of false positives.

The success of contact tracing apps depends on the large numbers of the population installing it, which explains the government’s insistence to use the app. But even if one were to set aside the security concerns, the ability of the app as a successful enabler of medical measures to tackle the pandemic is questionable, with smartphone penetration numbers being what they are in India. According to a 2019 report by Pew Research Centre, it stands at a mere 24 per cent. Also, there is a large question mark about the reliability of the information obtained through health surveys that depend on self-assessment, previously established through research. With a pandemic that has re-defined what the normal way of life is, it is not surprising that civic sentiment may veer towards putting data privacy concerns at the backseat in light of a an unprecedented health emergency. But democratic governments need to work at ensuring that citizens’ civil liberties are in tandem with all COVID measures, digital or otherwise.