It took just 13 days for Aarogya Setu — the contact tracing app developed by India to combat the COVID-19 pandemic — to amass 50 million users. The app currently stands with more than 9 crore downloads.
Designed by National Informatics Centre (NIC), Ministry of Electronics and Information Technology (MEITY), the app was formally launched by PM Narendra Modi on April 2nd. It is available in 12 languages and can be downloaded by iOS and Android users. With 4.5 stars rating on Google play, the current version of the app is 1.1.1. According to reports, the app has alerted 1.4 lakh users around the country about their risk of contracting COVID-19, based on their proximity to infected persons.
Are these fears well-founded? Is it possible to introduce changes or regulation that can enable Aarogya Setu to play the critical role that it does in the present crisis, without compromising on the user’s privacy?
A quick round-up of developments so far, including the latest data access and knowledge sharing protocol released by the government:
Why was the app designed and how does it work?
The concept of Aarogya Setu was based on mass surveillance methods adopted by other nations in the wake of the COVID-19 crisis. Countries like South Korea tapped into the GPS data of mobile phones and cars to carry out effective contact tracing for its citizens.
Aarogya Setu is also a GPS and Bluetooth based app that alerts users who may have come in contact with people who later test positive for COVID-19. The app is capable of telling the user how many positive cases are likely present in a radius of 500 mtr, 1 km, 2 km, 5 km and 10 km of the user.
The app has been made mandatory to be downloaded by the private and public sector employees and those who are living in the containment zones.
What were the major objections to the app?
The main cause of concern amongst groups studying the app has been that the data can be used beyond its stated purposes. Secondly, civil society also raised concerns regarding the time period for which the data will be stored and utilized by the government authorities. Activists suggested that data should be deleted once the pandemic is over. It cannot be stored permanently, which they feared that the government might end up doing!
Concerns have also been raised regarding information collection. The app collects way more data than many other similar apps developed by Singapore and MIT for instance. And, the app states that the data will stay locally on the device but at the same time it makes clear that if need arises, it can be put on a cloud server too.
Soon after the app was launched various privacy rights groups, cybersecurity and IT experts raised concerns over the data security framework of the app. Internet Freedom Foundation (IFF) raised a set of detailed concerns in their working paper:
“With the creation of such systems, come new risks of scope creep and new institutionalisation of mass surveillance. This becomes more important in India which lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform.”Internet Freedom Foundation
Congress leader Rahul Gandhi also raised a red flag on May 2nd when he claimed that Aarogya Setu was just a “sophisticated surveillance system” and added that it raised “serious data security and privacy concerns”.
There seemed to be some technical issues with the app too…?
The controversy was further intensified when ethical hacker, who goes by the pseudonym Elliot Alderson, went public about data breach and other technical loopholes in the mobile app. He has also been critical of project Aadhar introduced by the GoI and raised several security issues with the it’s security framework.
Coming back to Aarogya Setu, he openly invited Indian government authorities to get in touch with him and improve on the data safety features of the app. In his article, he highlighted several technical loopholes that the app has. The primary ones were as follows:
- Internal files can be hacked – the issue was fixed later on!
On April 3rd (two days after the app was launched), the hacker was able to hack the internal files and local database in just one click. This issue with the app was found by the hacker on the earlier version of the app – 1.0.1. On May 4, he tried again, this time the earlier issue was fixed by the app developers and the version was upgraded to 1.1.1 (current version of the app). But another serious issue surfaced this time.
- Data can be accessed by anybody from anywhere
The app gives the option to look out for positive COVID-19 cases within 500 mtr, 1 km, 2 km, 5 km and 10 km of radius of the user. When the user clicks any one of the distance options, his location (longitude and latitude options) and distance is sent.
The hacker tried modifying the distance and location and checked if the app still worked. He changed the distance to 100 kms and location to Mumbai, and it worked. This meant that the user can know who is infected anywhere in India, in the area of his choice.
To highlight the technical vulnerability of the app, the hacker revealed the data of infected/unwell persons in institutions of national importance. He shared that five people felt unwell at PMO, two people were unwell at the Indian Army Headquarters, one person was infected in the Indian Parliament and three people at the Home Affairs Office.
Within 49 minutes of his tweet inviting Indian authorities to contact him, NIC and the Indian Computer Emergency Response Team got in touch with the hacker and he shared the technical report with them. Few hours later, Aarogya Setu released an official statement, claiming that the app was robust and all the issues highlighted by hacker are not true.
For battling the COVID-19 infection, several nations ramped up their digital surveillance capacities and designed mobile apps for contact tracing. But these apps were different from Aarogya Setu on various parameters.
Singapore – Trace Together App
Consider, for instance, Singapore’s TraceTogether App. The app used only Bluetooth technology unlike Aarogya Setu which uses both the Bluetooth and GPS technologies. Also, the government made it voluntary for citizens of Singapore to download it, while in India it is mandated.
The other striking feature of this app is that the data is stored locally on the user’s device. Users are under obligation to share the information with the Health Ministry of Singapore when requests are made during contact tracing investigations. If they don’t, they could be prosecuted under Singapore’s Infectious Disease Act.
Moreover, the Singapore government decided to open up the source code (a compilation of codes that enable a programme to run on computer or any other device) of the TraceTogether App which can be accessed by the global counterparts. The same demand was made by the ethical hacker with respect to Aarogya Setu. #OpenSourceAarogyaSetu also trended on twitter.
Israel – HaMagen App
Similarly, the Israeli Government has developed an app called HaMagen for the purposes of contract tracing and surveillance. The app is again based on a voluntary model. The data is stored on the user’s local device, avoiding any centralized storage. The government has made the source code public on Github.
What was the official response to the above allegations?
The government in its official response has said that there is no security breach in the coronavirus tracking app Aarogya Setu. The government claimed that they are allotting a unique randomized anonymous device ID for the purposes of communication between the devices and Aarogya Setu app.
The government in its response also said that data for non-risk users is deleted in 45 days and for discharged or cured patients, in 60 days.
Location data is being used only in case a user has tested positive, so as to map the places visited by him/her and carry out sanitization and extensive testing in those places to prevent further spread. The government also assured the people that the data is not being used “publicly” and will only be used for the purpose of “administering COVID-19 health interventions”.
In a recent move, on May 11 2020, MEITY released a Data Access and Knowledge Sharing Protocol 2020, that says that personal data collected must be permanently deleted after a maximum of 180 days. The protocol also avers that any data being used from the Aarogya Setu shall be strictly for planning health interventions only. The protocol has been designed by the government to give some kind of legal standing to the app.
The protocol makes NIC solely responsible for the collection, management and processing of the data. It asks the developer (i.e. NIC) to keep all the data on the local device and if uploaded on the server, it has to be for health responses only.
Several such provisions have been included in the protocol, trying to address the concerns raised by experts, the community of ethical hackers and data rights advocates.
So, according to the new protocol, what data does the app collect and who can access it?
The app is capable of storing different datasets like user’s travel history, contact details, health records, infection status and user location. Earlier, nobody was responsible for handling and management of data. Recently, as per the new protocols NIC has been made responsible for the management, handling and processing of the data.
The new protocols say that data collected can be shared with any government department or ministry, including the Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/local governments, NDMA, SDMAs, such other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, state Governments and local governments.
However, data will be shared with parties in ‘de-identified form’, and only when it is necessary to assist in the formulation or implementation of a critical health response. De-identified form means that the individual cannot be personally identified through such data.
A user can request for his demographic data to be deleted; this includes his name, mobile number, age, gender, profession and travel history. Such data collected by NIC will be retained for as long as this latest protocol remains in force (not beyond 180 days, ordinarily), or for a maximum of 30 days from the date of request (for deletion) by the user, whichever is earlier.
The data may be made available to Indian universities and research institutions / research entities registered in India, but after it has undergone hard anonymisation. ‘Hard anonymisation’ refers to a series of technical processes which ensure that the respondent/user cannot be identified from the data through any means reasonably likely to be used for identification.
Have the new protocols addressed all the concerns regarding the app?
IFF has suggested a few steps that should be taken by the government to make the use of Aarogya Setu safe for citizens. Voluntary use of the app is the primary suggestion put forward by the organization. The new protocol does not recognize the voluntary downloading of the app by a user. This move to make it mandatory has attracted severe criticism from various experts, one of the latest to join voices being former Supreme Court judge B N Srikrishna.
Like others before him, Justice Srikrishna has also questioned how the government can make it compulsory for any citizen to download the app, when there is no law to back it. Incidentally, the former judge is the head of the panel that created the first draft for India’s data protection law, that is pending in Parliament
Local and device centric storage and encryption of data are a few other suggestions that had been put forward by the Internet watchdog, IFF. As per the new protocol, too, data will be stored locally and on the user’s device only. However, an exception has been placed which allows the government to put data on the central server.
Another Delhi based tech & policy think tank, The Dialogue, has suggested independent auditing of the data, providing source code publicly, reduction of time frame for storage of data to 21 days (as per the new protocol, it is 180 days).