With 83 million downloads and a personal push from the Prime Minister himself, the Aarogya Setu app has become the fastest downloaded app on both iOS and Android. The contact tracing app has been designed to enable Indians to verify if they have been in close proximity to someone with COVID19, enabling the government to quickly track and isolate potential patients. COVID19 has already impacted more than 3.5 million people worldwide and in India, the number of positive cases has gone beyond 40,000. As one welcomes this rapid adoption of technology, the history and some technical fundamentals of this app cause massive concerns. In its current form, it is draconian, which sets us up for a surveillant future. It is also likely quite ineffective because of the way it has been designed. However, it is also the need of the hour.
What does the app do?
- The moment you download the application, it will ask for GPS access as well as Bluetooth so that it can coalesce the information to triangulate if you have come in contact with any other potential COVID19 positive user who has also installed the app.
- You can set up the phone by inputting your cell phone number and verifying the number using an OTP.
- Once installed, the application seeks to build a basic profile of yours by asking a couple of questions. It asks for your age, gender, name, health status. It also asks for the countries that the user has been to in the past few weeks. The application also asks if the user belongs to any one of the exempted categories of professionals.
- The application will also ask you if you are willing to help in the case of an emergency.
- The application puts forward a self-assessment test which asks whether you have a fever or a cough: basically, questions designed to figure out if you are showing symptoms of COVID19.
- In case you happen to be a doctor, it will even ask you if you have been in contact with a COVID19 patient.
- Once you’ve set up, the app uses Bluetooth to send out beacons to other phones which are in range and have the Aarogya Setu app installed. If one user has tested positive, it will alert the other user. At the same time, all this information is shared with the government on a centralised server.
- A Gizmodo report states that this app also taps into your contact list and uses coarse location data which is derived from WiFi networks.
What’s problematic about this approach?
Privacy and the functional nature of this approach are sketchy at best. The application has already leaked information of its users on YouTube, which happened because the app was collating all the data on a centralised server. Renowned hacker Elliot Alderson has also revealed that he has found serious privacy issues with the Aarogya Setu app which he has disclosed to the government of India. He has given the government a deadline to fix those issues, otherwise he will expose the flaws in the app. What’s more concerning is that the privacy of this app is so lax that it is at odds with the COVID19 exposure APIs that Apple and Google have developed together. Those APIs dictate that contact tracing applications don’t do the following:
- Collection of data on a server is a no-no; rather, data should be stored locally in an anonymised way while matching results with a centralised server.
- Applications shouldn’t use GPS as it is invasive in terms of privacy and also not accurate in terms of contact tracing. On the Aarogya Setu app, this is taken to another level as it tracks your location through WiFi as well.
- Bluetooth beacons should be manually enabled and should change their encryption every 20 mins. Because the app keeps Bluetooth on all the time, it also exposes one’s phone to undue hacks that wouldn’t happen if Bluetooth wasn’t on all the time. Usually, this wouldn’t be much of an issue, but now that hackers know there is an app with critical mass that needs Bluetooth to be on all the time, this could become a problem. It also adds up as a battery drain.
- There is no way the app can justify access to the contact list on an Android phone. It has become a common practice for Android apps to do this by default and this app is no different.
- The app also uses a static ID instead of a dynamic one, as proposed by Apple and Google’s COVID19 exposure APIs. This problem is exacerbated by the non-revelation of the anonymisation protocols being used.
Why is this approach problematic?
There are a couple of issues with this approach. Apart from the government not having the best track record of handling private data of users with care, there is a concern that the Aarogya Setu app is a preamble for a mandatory nationwide surveillance architecture which leverages the extreme scenario caused by the pandemic, squashing what privacy activists have been lobbying for for years.
The fact that the app uploads information to the centralised server and then “washes its hands” of any responsibility for handling the data, as dictated by its privacy terms and conditions, is a red alert. On top of this, the use of GPS + WiFi data, which is known to be not very accurate in triangulating potential COVID19 cases, speaks more towards a tracking and surveillance mechanism than something that’s intended to be used for “just” contact tracing.
The pervasive use of Aarogya Setu is mushrooming almost at the rate of COVID19. Citizens are being told to use the app if they want to enter a different state: say, if you have to go to work from Delhi to Gurgaon, you need the app for a border check. There is chatter that the app will be central to the use of public transit services like the Metro and later, it will also become central to entering airports and railway stations once those services become available. Food delivery service Zomato mandated its delivery boys to use the app even before the government advisory came out.
If you think this app, which started off as a voluntary measure, is suddenly becoming more permanent than anyone signed up for, then you bet, things are getting worse. A Buzzfeed report has revealed that many RWAs have mandated their inhabitants to use the app to enter their own houses. Reports are also coming in that MeitY, the government body for smartphone manufacturers, has been mandated to instruct all smartphone makers to preload and embed the Aarogya Setu app in the setup process of new phones. This isn’t only invasive but also goes against the norms that have been outlined by Apple and Google for their respective platforms.
What are privacy experts saying?
Before delving into what privacy experts are saying, it is essential to understand that India has about 500 million mobile internet users, of which 400 million are on smartphones. According to Abhishek Singh of the myGov.in app, this app needs about 200 million users for it to work in an effective way, which means the government has not even achieved 50% of the users that it needs to make this app impactful. More than this, legal and privacy experts say the government’s move to make this app increasingly compulsory for basics could arguably be illegal.
Firstly, the government’s move to get the app pre-installed on smartphones may be harder than it seems despite the pandemic presenting an extraordinary situation. Apar Gupta, who is the executive director of the Internet Freedom Foundation, says, “Nope, no clear basis in law” for this.
Similarly, cyberlaw expert Pawan Duggal told the Hindustan Times, “There is no law passed by the Parliament authorizing the creation and making mandatory of this app which is in contravention of the Information Technology Act, 2000 and Act and rules and regulations. So, while it could be used as an emergency measure (in this case for tracing COVID19 patients), it could open up a Pandora’s Box of legal challenges for the government,” he said.
Despite the questions over the legality, most believe that the government will be able to motor along with the app because of the extenuating circumstances granted by the pandemic and the enforcement of the National Disaster Management Act.
“It’s a layered system of coercion almost like a “compulsion stack”. Will account for device diversity by technical, legal and social strategies to force adoption. When it achieves a level of product maturity & high user adoption will just be made mandatory by legal compulsion,” said Gupta in a Tweet, pointing towards how smartphone makers will be forced to preload the app. “These apprehensions emerge from the parallels and recent learnings from the Aadhaar program. Hope such fears are unrealised,” he added.
Sanchit Vir Gogia, the founder/CEO and chief analyst of Greyhound Research, believes that there should be a third party body that regulates the privacy of contact tracing apps like Aarogya Setu. “Most of all, it requires the government to assure its citizens that a Contact Tracing app (a mass monitoring system) comes with an expiry date and that it will never be used as a mass surveillance system,” he says.
He also notes that India, along with the UK and France is one of only three countries to have adopted a centralised system for contact tracing. They are also the only ones to have not adopted the framework that Apple and Google have come up with, yet.
Most experts also argue that since contact tracing applications like Aarogya Setu are dependent on self-certification, the data gathered is likely to be inaccurate because users fear being quarantined and socially ostracised, so such levels of invasive data collection don’t make sense. GPS data collection can also become redundant and stale, which would add to the inaccuracies of the system.
If contact tracing doesn’t work, why is it important?
Sanchit Gogia succinctly elaborates on the importance of contact tracing in a tweet. “Such apps do give a good handle on “data” to authorities that have been struggling to make a decision given a serious lack of it as we speak. More data not only means contact chains & heat maps but a better ability to predict what’s coming,” he said.
His argument hinges on the fact that it is humanly impossible to trace all COVID19 patients in a country as large as India with a population of 1.3 billion. He further outlines the fact in an article on the Greyhound website comparing the issues most countries are having with controlling the pandemic against China’s swift success. “While China’s use of technology to tackle COVID19 sets an example of sorts, it also brings out the limitation other countries have, i.e. mandating citizens to use apps that capture personal data. Government collecting personal data is a sensitive topic, and often seen as an attempt to turn the country into a nanny state,” he states.
In a tweetstorm, he also states that India is particularly vulnerable as we have three strata of society that are handicapped from a technological standpoint as they don’t have access: the elderly who aren’t savvy with technology, the young who may not be compliant and may also not have access, and the ones below the poverty line who can’t afford smartphones.
“To be effective, such apps will need to use Bluetooth and cannot solely depend on tower locations. What Apple, Google and the authorities must consider is the need to reduce false positives, given Bluetooth’s inherent weaknesses of range and accuracy. Also, since there are many unknowns in the framework that Google and Apple are co-creating, it requires the governments to architect a system that goes well beyond it,” argues Gogia, stating that inherent deficiencies of current technology used by most contact tracing apps mandate the use of more cutting measures.
India needs more data to tackle this pandemic, which is why a mass monitoring architecture may be the need of the hour. However, the Aarogya Setu app would do well to amend itself so that it is more in line with the best privacy practices.
What changes can be made to Aarogya Setu to make it more private?
The TraceTogether app from Singapore is being viewed as a good template for what a contact tracing app should look like. While it is similar to what the Aarogya Setu app does, it has minute differences which make it more palatable to privacy czars.
- Firstly, the randomised device ID should be rotated every 15 minutes, something that the TraceTogether app does. This is also being mandated by the COVID19 exposure APIs that have been co-developed by Apple and Google for iOS and Android.
- The app should also show the signal strength and time of ping, which will enable one to figure out proximity in a more realistic way. Otherwise, you could be in Bluetooth range but the person could be on a different floor, which would generate possibilities for false positives.
- The removal of GPS and WiFi tracking not only makes this app more private, but it also removes layers of data, simplifying the contact tracing mechanism.
- The app shouldn’t upload phonebook information to the back-end because that’s something not critical to the contact tracing protocol.
- The government should also open source the Aarogya Setu app along with its backend so that it can be reverse-engineered which will squash all chatter about its privacy issues. Like TraceTogether, the app should also have a detailed policy brief which details the pros and cons and limitations of contact tracing.
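The rotating-ID and on-device matching design recommended in the list above (and contrasted earlier with Aarogya Setu’s static ID) can be sketched as follows. This is an added example, not code from Aarogya Setu, TraceTogether or the Apple/Google API: the HMAC-SHA256 derivation is a simplified stand-in for those schemes, and the -65 dBm cut-off, the two-ping minimum, the function names and the sample data are all assumptions.

```python
import hashlib
import hmac
import secrets

ROTATION_SECONDS = 15 * 60  # rotation period the article cites for TraceTogether
RSSI_NEAR_DBM = -65         # assumed cut-off: weaker pings are treated as "not close"
MIN_NEAR_PINGS = 2          # assumed: one stray ping is not counted as an exposure

def new_daily_key() -> bytes:
    """Random per-day secret; it stays on the phone unless the user tests positive."""
    return secrets.token_bytes(16)

def interval_of(ts: int) -> int:
    return ts // ROTATION_SECONDS

def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Broadcast ID for one interval; unlinkable across intervals without the key."""
    msg = b"EPHID" + interval.to_bytes(8, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

def ids_for_day(daily_key: bytes, day_start: int) -> dict:
    """Map every ID the key produces that day to the interval it was valid in."""
    first = interval_of(day_start)
    count = 86400 // ROTATION_SECONDS
    return {ephemeral_id(daily_key, first + i): first + i for i in range(count)}

def local_exposures(sightings, published_keys, day_start) -> dict:
    """Match on the phone: sightings are (unix_ts, ephemeral_id, rssi_dbm) tuples
    stored locally; published_keys are daily keys of users who tested positive."""
    exposures = {}
    for key in published_keys:
        valid = ids_for_day(key, day_start)
        near = [ts for ts, eid, rssi in sightings
                # the ID must belong to the interval it was heard in (rejects
                # replayed beacons) and be strong enough to suggest proximity
                if valid.get(eid) == interval_of(ts) and rssi >= RSSI_NEAR_DBM]
        if len(near) >= MIN_NEAR_PINGS:
            exposures[key] = near
    return exposures

def demo() -> list:
    """Constructed data: two near pings and one far ping from a positive user."""
    day, key = 1588291200, new_daily_key()  # constructed day start (UTC midnight)
    pings = [(day + t, ephemeral_id(key, interval_of(day + t)), rssi)
             for t, rssi in ((100, -55), (400, -60), (1000, -90))]
    return [ts - day for ts in local_exposures(pings, [key], day).get(key, [])]
```

In this design the server only ever relays the daily keys of users who test positive; the sightings, and therefore the contact graph, stay on each phone.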
At the end of the day, the government should understand that even though it has 83 million users, it has no guarantee that the data accrued from those 83 million users is accurate. If it has to fight this pandemic it has to go the extra mile to make people feel safe about the app so that they start sharing accurate information. The app is only as good as the data it collects which isn’t fully in the hands of the government.