‘Aarogya Setu’ the contact tracing mobile app of India and its controversies

Government of India introduced a new app called ‘Aarogya Setu’ to track to the real-time movements of citizens to identify if they are near COVID-19 patients, thus offers better surveillance for the government but unfortunately comes with some privacy warnings from cybersecurity experts and analysts.

What is the controversy about Aarogya Setu app?

A Paris-based cybersecurity consultancy analyzed the app, and shared some interesting findings. As per the consultancy’s insights, the app gathers citizens identity, tracks their moves in real time and if another citizen has downloaded the app, it uses the same to measure proximity of another user present near you. With these data a social graph of the users can be created, and further comparing the same with the existing government databases, like mobile numbers, more surveillance power is added to the state, said the experts.

Moreover, on a separate topic, the user agreement of the app states the data obtained can be used for any other purposes out of this epidemic if there is a need for legal requirements. Albeit the privacy policy stating that the data will not be shared with any other third parties, it also makes clear that the government can share the same with agencies that the government sees qualified.

The app has been downloaded over 10 million times since its launch. Its quite certain the government organizations, the ministers, and other high-level executives have also downloaded this app as per the government guidelines. Mira Swaminathan, program officer at the Center for Internet and Society said that the app is a threat to Indian citizen’s constitutional rights. Also added that, when there is a risk to privacy, then there is a risk to freedom of speech and expression too.

It is also to be noted that, many organizations have developed apps to facilitate social distancing during this pandemic, but better privacy policies. Singapore for instance doesn’t collect any unwanted data, and ensures only the required information for contact tracing is collected.

How does Aatogya Setu app work?

As soon as a person registers on the Aarogya Setu app, they need to update their name, phone number, travel history, sex, age, and smoking history. This data is then transferred to the server with encryption. Then a unique identifier is allocated to that phone, and if in case two people in a family use the app, then the unique identifiers is shared among them. These identifiers are stored in the government’s servers. If a person who had the unique identifiers is infected by COVID-19, then that person and the other persons the individual came in contact with, can be traced and quarantined.

Though the privacy policy claims that the data collected is stored only in an anonymized manner, Frederike Kaltheuner, an Mozilla Tech Policy fellow stated, it is possible to re-identify users from the anonymized database. The collected data will be deleted in 30 days from the phone but could exist in the servers for eternity, said Jyothei Panday, a security researcher at the Telecom Center of Excellence at IIM, Ahmedabad. In the worst case, it is also uncertain about the agency that handles the servers and databases.

Surveillance has already doubled up, as a surveillance company Staqu, that is supplying the government with facial surveillance technology, has developed a tech to identify people who isn’t respecting the lockdown and not wearing the masks, as mentioned in an interview at Yourstory. And not only Aarogya Setu, but also several other apps developed by various states like COVA app from Punjab, and these apps are using Google analytics to analyze the data that is being received but not sure of the entity that is managing and storing these data.

Need more transparency

Public trust is the key to the efficiency of these contact tracing apps. People need to feel secure and safe, to share their personal details to the government knowing that their data is in safe hands. The best way to establish trust is by keeping a transparent algorithm. Countries like Singapore and Israel, have kept their source code publicly available for independent audits. 

On the contradictory, the Indian app ‘Aarogya Setu’ hasn’t disclosed details of its source code or the agency involved in the development of the app, which is opaque and concerning. 

Though the app is facilitating contact tracing, mass surveillance isn’t a positive move in a democratic country like India. Better transparency and revised privacy policy can be the light bringer for the Aarogya Setu app.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.