Aarogya Setu: Why India's Covid-19 contact tracing app is controversial

BBC Technology 14 May 2020 11:56
By Andrew Clarance BBC News, Delhi
The Aarogya Setu appImage copyright Getty Images

India's Covid-19 contact tracing app has been downloaded 100 million times, according to the information technology ministry, despite fears over privacy.

The app - Aarogya Setu, which means "bridge to health" in Sanskrit - was launched just six weeks ago.

India has made it mandatory for government and private sector employees to download it.

But users and experts in India and around the world say the app raises huge data security concerns.

How does it work?

Using a phone's Bluetooth and location data, Aarogya Setu lets users know if they have been near a person with Covid-19 by scanning a database of known cases of infection.

The data is then shared with the government.

"If you've met someone in the last two weeks who has tested positive, the app calculates your risk of infection based on how recent it was and proximity, and recommends measures," Abhishek Singh, CEO of MyGov at India's IT ministry which built the app, told the BBC.

Is it mandatory to download the app?

Noida, a suburb of the capital, Delhi, has made it compulsory for all residents to have the app, saying they can be jailed for six months for not complying.

But the government directive is being questioned by some.

In an interview with The Indian Express newspaper, former Supreme Court judge BN Srikrishna said the drive to make people use the app was "utterly illegal".

MIT Technology Review's Covid Tracing Tracker lists 25 contact tracing apps from countries around the globe - and there are concerns about some of them too.

"Forcing people to install an app doesn't make a success story. It just means that repression works," says French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson.

Aarogya Setu stores location data and requires constant access to the phone's Bluetooth which, experts say, makes it invasive from a security and privacy viewpoint.

"Aarogya Setu retains the flexibility to do just that, or to ensure compliance of legal orders and so on," says the Internet Freedom Foundation, a digital rights and liberties advocacy group in Delhi.

The app builders, however, insist that at no point does it reveal a user's identity.

The big issue with the app is that it tracks location, which globally has been deemed unnecessary, says Nikhil Pahwa, editor of internet watchdog Medianama.

He is also worried by the Bluetooth function on the app.

What are the concerns over privacy?

The Software Freedom Law Centre, a consortium of lawyers, technology experts and students, says it is problematic as it means the government can share the data with "practically anyone it wants".

Mr Singh says when you register, the app assigns you a unique "anonymised" device ID. All interactions with the government server from your device are done through this ID only and no personal information is exchanged after registration.

Mr Alderson has said there are flaws in the app which make it possible to know who is sick anywhere in India.

Aarogya Setu denied any such privacy breach in a statement.

Critics have repeatedly warned that the scheme puts personal information at risk and have criticised government efforts to compulsorily link it to bank accounts and mobile phone numbers.

India's Supreme Court ruled in 2018 that the controversial Aadhaar scheme was constitutional and did not violate the right to privacy.

Unlike the UK's Covid-19 tracing app, Aarogya Setu is not open source, which means that it cannot be audited for security flaws by independent coders and researchers.

Mr Singh said "all applications are made open source ultimately and the same is applicable to Aarogya Setu also".

To register, users have to give their name, gender, travel history, telephone number and location.

According to a Buzzfeed report, an Indian software engineer had hacked the app to bypass the registration page, and even stopped the app from gathering data through GPS and Bluetooth.

"The privacy conscious are likely to do this. Those who don't want to be forced to give their data to the government will look for and find workarounds. It could be by using a modified app or a screenshot, people will find ways," Mr Pahwa says.

Continue reading original article...


IndiaMyGovinformation technology ministryAbhishek SinghPrime Minster Narendra Modi
You may also like