Aarogya app: Why it raises privacy worries
The “National Directives for Covid-19 Management” issued by the Union home ministry on Friday have made the use of the Aarogya Setu mobile app “mandatory for all employees, both private and public” and people living in the containment zones for two weeks from Monday onwards.
Punishment ranging from six months’ to two years’ imprisonment has been prescribed for those among the targeted population who fail to download the app.
A primer on the app and the concerns its being made mandatory has raised:
What is Aarogya Setu?
Aarogya Setu, developed by the National Informatics Centre and launched on April 2, is an improvised version of the Corona Kavach app developed in March by the Union ministries of electronics and information technology, and health and family welfare.
Available in 12 languages, Aarogya Setu uses Bluetooth and a mobile phone’s global positioning system to let users and governments know a person has come in contact with a coronavirus patient.
How does it work?
On registration, a user enters personal details including their name, age, gender, phone number, profession and countries visited in the last 30 days. The app rates the risk perception according to the answers one gives on a self-assessment form about one’s health and exposure to potential coronavirus patients.
When a coronavirus patient who has truthfully filled in the self-assessment form comes within 10 metres of any other user, both get a notification warning them.
Has something like this worked elsewhere?
At least 27 countries have such apps, and at least 10 of them have government sanction. Officials say the low mortality rate in Singapore and South Korea is partially attributed to the success of their contact-tracing apps.
That China has so far been able to avert a second wave of the infection may be related to its use of a similar app.
Even before the home ministry’s order, Prasar Bharati, the Central Armed Police Forces, Zomato and Urban Company had directed their employees and contractual staff to download the app. Government employees have been asked to step out for work only if the app shows them as “low risk”.
What are the problems?
The app requires a user to keep their Bluetooth and GPS on.
Two users on different floors of the same building can be shown as contacts, according to news website Medianama.
Once you register, you cannot deregister. Uninstalling the app does not deregister your account.
Permissions the app requires include preventing the phone from going into sleep mode to conserve battery.
The app’s success depends on the honesty with which the user fills in the self-assessment form.
News agency ANI has reported that the army has cautioned its personnel against downloading an app with a similar sounding name as it is suspected to be a malicious app linked to Pakistan’s espionage services.
What are the privacy concerns?
In a representation to Prime Minister Narendra Modi on Saturday, 45 civil society groups said: “In the absence of a legislative guarantee containing a sunset clause, sensitive personal data about health and movement of gig (casual) workers collected by the Aarogya Setu app could be misused for profiling and mass surveillance even after the Covid-19 outbreak is over.”
They added that the app deviated from international best practices on several counts. These include:
⚫ Its being made mandatory;
⚫ Collection of too much personal data;
⚫ A lack of information on how the data would be kept anonymous;
⚫ The lack of liability on the government for misidentifying a patient, which can lead to loss of income and mobility;
⚫ The possibility of use for non-Covid health research;
⚫ The possibility of use by law-enforcement agencies.
The push to make the app mandatory for a section of the people apparently stems from the requirement that at least half the population use the app to make it effective.
In 2017, India had an estimated 46.2 crore smart phones. The country’s population is currently estimated to be almost 138 crore. Of these 8.3 crore had downloaded the app till Saturday.
A feature phone variant may be released soon, which will expand the pool of potential users to 50 crore.
The Internet Freedom Foundation said: “The order further indicates criminal penalties for non-compliance in Paragraph No. 16 that states, ‘Any person violating these lockdown measures and the National Directives for Covid-19 Management will be liable to be proceeded against as per the provision of Section 51 to 60 of the Disaster Management Act, 2005, besides legal action under Section 188 of the IPC and other legal provisions as applicable’. The specific provision that may be attracted for prosecution under the Disaster Management Act, 2005, is Section 51(b) that provides for a maximum punishment of up to 1 year for disobedience, and 2 years when such actions may lead to a loss of life. The penalty for conviction under Section 188 of the IPC extends to 6 months’ imprisonment.”
Rahul Gandhi had tweeted: “The Arogya Setu app is a sophisticated surveillance system, outsourced to a private operator, with no institutional oversight — raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.”
BJP leader Ravi Shankar Prasad, who is also Union minister for communications, electronics and information technology, denied that the app had been outsourced to a private operator. He asserted that it has a “robust data security architecture”.
Are the rest of the data in the phone safe?
Nikhil Pahwa, one of India’s pioneers in digital rights and founder of MediaNama, a digital and telecom policy news website, said: “Theoretically, the data we generate using our phones, such as location data, or our SMS history, call history, apart from who we have been close to, are at risk depending on what kind of data the government chooses to collect from our phones as the scope of Aarogya Setu expands.
“Another problem is that if there is a data leak or a misuse of data, users at present can’t hold anyone liable, because a data controller or data fiduciary has not been defined.”
Asked about Prasad’s denial of Rahul’s allegations about the app, Pahwa replied: “The minister ignores the fact that there is no institutional oversight: Aarogya Setu is not backed by law, and there is no institution managing the data. Aarogya Setu is a surveillance app, and it collects highly personal data: your location data and who you have been in close proximity with.”
On the safety of the data on a phone that installs the app, Alagunambi Welkin, a free software movement activist and general secretary of the Chennai-based Union of IT and IT-enabled Services Employees, said: “I worry more about the curated data stored in a centralised server. We are living in the age of data, where the value of corporates who have access to a large sum of data weighs more than the oil conglomerates. We have also seen how elections in both our own country and others like the US have made use of citizens’ data to push their political agenda.
“When millions of citizens’ data are stored in a centralised infrastructure and all a citizen can do is just blindly ‘trust’ it won’t be misused, (it could be) proved false. When (WikiLeaks founder) Julian Assange, (American whistleblower Edward) Snowden and WikiLeaks exposed such violations, we should not be making the same mistake of trusting the authority when the benefits of violating it in favour of the authority is high.”
Welkin added: “Ideally, the government should adhere to its open source policy and have the mobile application source code (made) accessible to the public. India is the world’s IT hub, we have 41 million employees capable of verifying it.
“All curated data should be accessed only via a blockchain-enabled system where every access to data is recorded with enough meta data (about) which authority (is) accessing it, for what, on whose approval, for how long, etc — and that should be made transparently available to the public in real time. These aspects can be a starting point for creating trust in authorities where profit and benefit for (those in) power overrides trust and benefits for the people.”
On Prasad’s tweets, he said: “In the name of innovation and Digital India and the $3-trillion digital opportunity vision of the ministry of electronics and information technology, state e-governance and IT departments created various applications which were prepared by private companies. Most of them lack privacy first design, and the authorities do not worry much about ensuring privacy.... Like any government, the Congress as well initiated surveillance programmes like the Central Monitoring System, DRDO Netra, etc.
“Fast-forwarding a data protection act, as strong as the General Data Protection Regulation of the European Union and high on the fine amount for violators, can save us from future cyber security disasters.”