Daily US Times: According to India’s information technology ministry, the country’s Covid-19 contact tracing ‘Aarogya Setu’ app has been downloaded 100 million times, despite fears over privacy.
The app – Aarogya Setu, which means “bridge to health” in Sanskrit – was launched just six weeks ago and the government made it mandatory for the private sector and government employees to download it.
But experts and users in India and across the world say the app raises huge data security concerns.
How does it work?
Using a phone’s location data and Bluetooth, the Aarogya Setu app lets its users know if they have been near a person with Covid-19 by scanning a database of known cases of infection.
The data is then shared with the government.
Abhishek Singh, CEO of MyGov at India’s IT ministry which built the Aarogya Setu app, said: “If you’ve met someone in the last two weeks who have tested positive, the app calculates your risk of infection based on how recent it was and proximity, and recommends measures.”
While your name and number won’t be made public, the Aarogya Setu app does collect this information, as well as your travel history, gender, and whether you’re a smoker.
Is it mandatory to download the Aarogya Setu app?
Indian Prime Minister Narendra Modi has tweeted in support of the Aarogya Setu app urging everyone to download it.
It has been made mandatory for all government and private sector employees and citizens living in containment zones.
Noida, a suburb of the capital, Delhi, has made it compulsory for all residents to download the Aarogya Setu app. Authorities warned people can be jailed for six months for not complying.
Food delivery start-ups such as Swiggy and Zomato have also made it mandatory for all staff.
But the government directive became controversial and is being questioned by some. Former Supreme Court judge BN Srikrishna said in an interview with The Indian Express newspaper that the drive to make people use the Aarogya Setu app was “utterly illegal”.
“Under what law do you mandate it? So far it is not backed by any law,” he said.
MIT Technology Review’s Covid Tracing Tracker lists 25 contact tracing apps from countries around the globe – and there are concerns about some of them too.
French ethical hacker Robert Baptiste said: “Forcing people to install an Aarogya Setu app doesn’t make a success story. It just means that repression works.”
What are the main concerns about India’s Aarogya Setu app?
Aarogya Setu requires constant access to the phone’s Bluetooth. Experts say this makes it invasive from a security and privacy viewpoint. The Aarogya Setu app also stores location data.
For example, in Singapore, the TraceTogether Aarogya Setu app can be used only by its health ministry to access data. It assures citizens that the data is to be used strictly for disease control and will not be shared with law enforcement agencies for enforcing lockdowns and quarantine.
Internet Freedom Foundation, a digital rights and liberties advocacy group in Delhi, said: “Aarogya Setu retains the flexibility to do just that, or to ensure compliance of legal orders and so on.”
However, the app builders insist that at no point does it reveal a user’s identity.
Mr Singh of MyGov said: “Your data is not going to be used for any other purpose. No third party has access to it.”
Nikhil Pahwa, the editor of internet watchdog Medianama, says the big issue with the Aarogya Setu app is that it tracks location, which globally has been deemed unnecessary.
He said: “Any app that tracks who you have been in contact with and your location at all times is a clear violation of privacy.”
He is also worried by the Bluetooth function on the app, saying “If I’m on the third floor and you are on the fourth floor, it will show that we have met, even though we are on different floors, given that Bluetooth travels through walls. This shows ‘false positives’ or incorrect data.”
What are the concerns over privacy?
At first, the app will collect the user’s data, and then the authorities have to upload the collected information to a government-owned and operated “server”.
The government will “provide data to persons carrying out medical and administrative interventions necessary in relation to Covid-19”.
MyGov says “the app has been built with privacy as a core principle” and the processing of risk assessment and contact tracing is done in an “anonymised manner”.