This is a guest blog by Shikhar.
The Central government has been promoting the Aarogya Setu app to enable contact tracing as a means to control the spread of COVID-19. As per the latest Google Play Store description: “The Aarogya Setu is a mobile application developed by the Government of India to connect essential health services with the people of India in our combined fight against COVID-19.”
It has 10 lakh plus reviews and 10 crore plus downloads to date.
The Government made use of the App mandatory for government and private sector employees. The Noida city administration went as far as making non-adherence punishable by a jail term of 6 months. The Ministry of Home Affairs (MHA) has subsequently softened its stance.
The App is developed by the National Informatics Centre (NIC), and Lalitesh Katragadda (former Head, Google India) is at the helm of affairs. The development team stated that at least 50% penetration is required for the app to be useful. This threshold may vary between urban and rural areas. Considering India’s skewed income distribution and the poor quality of rural infrastructure, it will be difficult to ensure coverage in rural areas, thus diminishing the effectiveness of the app in detecting cases in the medium term as the pandemic spreads further in rural areas. A key problem is that the information we get is not real time but 2-3 weeks late. The information thus loses its value.
The Aarogya Setu app, in Version 1.0.5, has added a feature to donate to the PM CARES fund and is in the process of adding e-passes for moving around during a lockdown.
Reading the latest description on the App Store, one starts to wonder whether the scope of the App is “contact-tracing” or something more.
These steps make it easier to map its trajectory. It is in the process of becoming a delivery device for various government initiatives which may have no relevance to the pandemic, riding on top of a public safety initiative to gain widespread adoption. For instance, e-passes will not be effective unless they are linked with identity proofs, and when linked with location information they offer perfect trails of not just individuals but also their contacts.
Comparison with Global Benchmarks
China’s COVID App – usage is mandatory by the government.
It exercises a high level of control, to the extent that each person is required to scan a QR code which indicates whether they can visit a certain place or not. This has evidently worked in containing the spread.
Singapore’s TraceTogether App – usage is voluntary.
Privacy concerns – Zero.
Data can be accessed only by health workers and not shared with law enforcement agencies and others.
However, only 12% of the population has used the app.
Some of the major concerns were:
- GPS location data is collected and stored.
- Demographic data like Name, Gender, Age, etc. are hashed to a “pseudo static ID”, which is vulnerable to sniffing attacks. Using a “pseudo dynamic ID”, as Singapore’s TraceTogether app does, is more privacy-preserving.
- The Aarogya Setu app takes “Admin Access” for the Bluetooth settings on your device. This allows the application to take more data than required, posing a security risk.
- The code of the app was made open-source, thereby increasing transparency and building trust. However, a recent commit (fragment of the source code) in the open-source repository reveals that the code in the public domain is very different from the one that is on the device. It shows that there are two versions of the code: one in the public domain, and the other, which is not public, that is actually used to build the app.
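To make the “pseudo static ID” versus “pseudo dynamic ID” concern above concrete, here is an added example (not code from Aarogya Setu, TraceTogether or the original post) showing how many sightings a passive Bluetooth listener can tie together under each scheme. The hash inputs, the HMAC construction, the 15-minute rotation interval, the key and the sample sightings are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
from collections import defaultdict

EPOCH_SECONDS = 15 * 60  # assumed rotation interval, chosen for illustration


def static_id(name: str, gender: str, age: int) -> str:
    """Pseudo static ID: a fixed hash of demographic fields, identical in every broadcast."""
    return hashlib.sha256(f"{name}|{gender}|{age}".encode()).hexdigest()[:16]


def dynamic_id(device_key: bytes, unix_time: int) -> str:
    """Pseudo dynamic ID: HMAC of the current time epoch under a per-device secret."""
    epoch = unix_time // EPOCH_SECONDS
    return hmac.new(device_key, epoch.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:16]


def largest_linked_group(sightings):
    """Largest number of sightings a passive listener can tie to one broadcast ID."""
    groups = defaultdict(list)
    for place, broadcast_id in sightings:
        groups[broadcast_id].append(place)
    return max(len(places) for places in groups.values())


def authority_resolves(device_key: bytes, unix_time: int, observed_id: str) -> bool:
    """Only a holder of the device key can map a rotating ID back to the device."""
    return hmac.compare_digest(dynamic_id(device_key, unix_time), observed_id)


# Constructed sample data: one phone heard at four places, one hour apart.
KEY = b"constructed-demo-key-not-a-real-secret"
TIMES = [1_589_000_000 + i * 3600 for i in range(4)]
PLACES = ["market", "metro", "office", "clinic"]

STATIC_SIGHTINGS = [(p, static_id("A. Kumar", "M", 34)) for p in PLACES]
DYNAMIC_SIGHTINGS = [(p, dynamic_id(KEY, t)) for p, t in zip(PLACES, TIMES)]

if __name__ == "__main__":
    print("static ID, linked sightings: ", largest_linked_group(STATIC_SIGHTINGS))
    print("dynamic ID, linked sightings:", largest_linked_group(DYNAMIC_SIGHTINGS))
```

With the static ID, all four sightings collapse into one movement trail; with the rotating ID, each sighting stands alone for the listener, while the key holder can still resolve a match for contact tracing.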
As per a report by Livemint on May 12, 2020, officials stated that 1.4 lakh people had been alerted about a possible risk of infection and 697 potential hotspots were identified using data collected from the App.
However, as the health ministry has not issued a press release since May 11, the benefit of the app in the community stage is anybody’s guess.
Use of technology by the government to solve national issues is good. However, as India still does not have a Personal Data Protection law in place, there is a high risk of misuse of data for commercial gains.
Finally, if the intended purpose of the app goes beyond the stated purpose, this should be explicitly communicated, and the general public should be given the option to opt in or out of the services.