Summary

Aarogya Setu, India's contact tracing app, has raised privacy concerns due to its rapid adoption, data collection practices, and potential use as a surveillance tool, despite its intended purpose to mitigate the spread of COVID-19.

Abstract

The Indian government's Aarogya Setu app, designed for contact tracing during the COVID-19 pandemic, has seen a swift uptake with over 50 million users within 13 days of its launch. However, its effectiveness in curbing the virus's spread is overshadowed by significant privacy concerns. The app collects personal data, including location and Bluetooth interactions, and has faced criticism for its initial privacy policy and subsequent updates that fail to fully address privacy issues. While the app promises to notify users of potential exposure to COVID-19, the potential for government surveillance is a concern, especially as the app could become mandatory for accessing public services, similar to the trajectory of India's Aadhar system. The app's privacy policy states that data will only be uploaded to government servers under certain conditions, but the extent of data collection and the possibility of it being used for purposes beyond health concerns have been questioned.

Opinions

The Internet Freedom Foundation and other forums have highlighted issues with the app's privacy policy.
The app's use of both GPS and Bluetooth for contact tracing has raised concerns about the extent of personal data collection.
There is skepticism about the app's role in protecting public health versus its potential use as a tool for government surveillance, especially given the "E-pass coming soon" tab in the app.
The requirement to download the app to access basic amenities may infringe on citizens' fundamental rights to privacy.
Bill Gates has praised Aarogya Setu, but his endorsement is viewed with caution due to his previous support for India's Aadhar system, which has also faced privacy concerns.
Comparisons with contact tracing apps in other countries like Australia's COVIDSafe highlight a more privacy-focused approach, using only Bluetooth and ensuring voluntary participation without legal repercussions.
The app's accidental exposure of user location data to YouTube through referral headers has been noted as a privacy breach, although it was reportedly fixed.
The use of similar apps in countries like Israel and China has been criticized for expanding government surveillance and control under the guise of public health measures.

Theciva

India’s Contact Tracing Done Right? Maybe Not.

Aarogya Setu And your privacy don’t go hand in hand.

Photo by Fusion Medical Animation on Unsplash

Amid nation-wide lockdown, the Government of India released their contact tracing app, Aarogya Setu.

Three days past its release, it crossed 5 million downloads. It was ranked the world’s fastest-growing app, overtaking Pokemon Go as it’s users surged to 50 million within 13 days of launch and over 75 million till date.

But what matches the pace of its growth, is the growth of privacy concerns around the app. The app’s initial Privacy Policy had too many issues brought to notice by forums like the Internet Freedom Foundation.

The app’s Privacy Policy was updated sometime later. Still, the new one has some unaddressed issues.

How The App Works?

It takes just basic information like your name, phone number, age, sex, profession, travel history and whether or not you’re smoker to register to the Aarogya Setu app.

You’ll be asked some questions for the self-assessment test for COVID-19 infection.

All collected data will be uploaded to servers of Government Of India, where they will be encrypted with a unique digital ID called your DiD.

The app also takes your phone’s location and Bluetooth access.

When you meet someone (say X), you bring your phone within the Bluetooth range of X’s phone.

If both the phones have Aarogya Setu installed and working, they will automatically exchange DiDs and record the exact GPS location and the time of the meet.

This means your unique identification number (DiD) will be stored in the person’s phone (here, X’s phone). Though, he can not see or use it.

Now, in case, X tests positive for COVID-19, information including all the places he visited and the saved DiDs of all the people he met will be uploaded to the Government Servers.

This will help the government to:

Notify, test and maybe quarantine everyone he met.
Sanitize the places he went to.
Test people of the neighbourhood he lives in.

That means you’ll be notified if someone you have crossed path with previously has been tested positive for COVID19.

More Of A Surveillance?

The self-assessment test in the app will search for symptoms to figure out the probability of you being infected with the coronavirus infection.

Based on this, you’ll be graded into colours:

Yellow or Orange means you have a higher risk of getting infected with the Novel Coronavirus.
Green means you have relatively less probability of being so.

The app keeps tracking your location every fifteen minutes. It also keeps a record of everyone’s DiD you met.

But the Privacy Policy of the app states this information will only be uploaded to the servers if:

You test positive for COVID19
Your self-declared symptoms indicate you’re likely to be infected with the virus
The result of your self-assessment test is either YELLOW or ORANGE.

The information will be kept securely on your phone if you are not unwell or if the result of your self-assessment test is GREEN.

If your results stay GREEN for 30 days, the following data collected in the past 30 days will be deleted from the phone:

The places you visited & location collected every 15 minutes.
The DiDs of people you met.
Results of the self-assessment tests.

Fundamental Rights Are Endangered.

Journalism site, The Hindu, reports that in China a similar app was started as a voluntary service for informing users of their potential exposure to infected persons, but it soon began to be used as an e-pass for allowing access to public transport.

Situations seem similar in India, where the Aarogya Setu app shows a tab titled “E-pass coming soon”.

The app, which is based on voluntary consent, can thus violate the fundamental rights if it is used an E-pass required for moving around.

Individuals will be forced to download and use the app to be allowed to use basic amenities. Citizens will be bound to give up their fundamental rights of privacy to use government benefits.

Aadhar was too initiated as an optional programme to provide government benefits to citizens based on their voluntary consent. But was made compulsory for even private services such as banking and mobile phone registrations.

The App Once Exposed Location Data Of Users To YouTube

The app noted, “When a user filled a self-assessment in the app, and then immediately scrolled down to the YouTube iframe, a referral header containing latitude-longitude information with no other personal identifier was visible to Google”.

Though, this was fixed on 26 April.

Bill Gates Praises Aarogya Setu

Bill Gates wrote in a letter, “I’m glad (Indian) government is fully utilising its exceptional digital capabilities in its COVID-19 response and has launched the Aarogya Setu digital app for coronavirus tracking, contact tracing, and to connect people to health services.”

But he also had previously praised India’s Aadhar, which many experts believe, doesn’t respect privacy.

Contact Tracing Around The Globe

Australia: Keeping Privacy Safe

The Australian contact tracing app named COVIDSafe works in a fashion quite similar to the Indian one. But the app is more privacy-focused. Unlike Aarogya Setu, the app uses only Bluetooth, not GPS. It is completely voluntary and it will be illegal to force anyone to download it. Additionally, Australia “will make it illegal for non-health officials to access data collected on smartphone software to trace the spread of the coronavirus,” according to Reuters.

Israel: A Pretext To Enhance Powers Of The PM

In Israel, Prime Minister Benjamin Netanyahu’s government issued emergency measures allowing the State to track citizens’ cellphone data to curb the disease. Consequently, the PM has been accused of using the pandemic as a pretext to enhance his powers. (From LA Times)

In March, millions of Iranians were reportedly pinged by the government on their smartphones, urging citizens to download an app claiming it could determine if the users or their loved ones were infected by the coronavirus. Millions did so, giving away swath of personal data.

Taiwan: To Check If The Quarantined Aren’t Out

Taiwan government introduced a digital fence to enforce the quarantine of people required to stay home. These people must have their mobile devices switched on thereby allowing the government to keep an eye on them.

According to Reuters, similar conditions are in Hongkong and Singapore:

In Hongkong, location-tracking wristbands are given to those put under quarantine.
In Singapore, the government uses text messages to contact people, who must click on a link to prove they are at home.

China: Show Colour Codes To Go Out

Chinese Government has partnered with internet giants Alibaba and Tencent to assign citizens a colour code denoting their health status, which in turn grants them access to subways, restaurants and more.

Users have also reported being erroneously colour-coded and are unable to contact app providers to change their status.

South Korea: Preventing People From Possible COVID Exposure

In South Korea, people are notified with SMSes each time a new coronavirus case is discovered. Websites and apps show a detailed hour-by-hour timeline of where the affected person had travelled. Those quarantined were forced to download an app to ensure they didn’t go out without permission.

Follow my publication Theciva for more.

The Deceptively Easy Trick To Keep Your Eyes Off Your Phone

Why’d you open Gmail when Instagram is more attractive?

medium.com

What Dark Mode Does To Your Eyes And Your Phone?

And why pirates wear that eye patch on one eye?

medium.com

How To Ignore Emails Without Getting Caught?

Your emails are being monitored and your privacy disregarded. Here's how to stop this.

medium.com