In response to the Covid-19 pandemic, the governments of Kerala, Karnataka, Punjab and Tamil Nadu, the Ministry of Electronics and Information Technology (MeitY) and the National Informatics Centre (NIC) have released various mobile apps. Most of them are meant for one or more of these purposes:
- Ensure compliance with quarantine rules
- Provide information about symptoms and healthcare, and updates about the outbreak
- Tracing of confirmed and at-risk cases
- Tracing contact history with confirmed and at-risk cases
A slew of mobile apps and other Internet-based interventions have been released by governments and private entities around the world. Google’s Android application store (Google Play) took down several Coronavirus infection tracker apps over the past month for violating its policy against “apps that lack reasonable sensitivity towards or capitalise on a natural disaster, atrocity, conflict, death, or other tragic event”. The Apple App Store also shuttered several such apps while citing a similar policy. Both app stores have allowed only infection tracker apps approved by governments or healthcare organisations/ companies.
Key issues: Technical glitches, usability and privacy
A preliminary review of the apps that I conducted based on publicly available information such as the app store listing and government orders raises two major concerns:
- Technical and usability issues that prevent quarantined users and the rest of the public from meaningfully using the apps
- Privacy of apps users as well as those identified as at-risk and/ or quarantined.
(It is unclear from studying publicly available information regarding these apps if complementary and alternative means are being used to trace home-quarantined persons who do not own a smartphone or an Internet connection/ mobile Internet plan.)
The current milieu encourages people to distrust and/ or discipline each other: while public services are being stretched thin while simultaneously trying to control the spread of an epidemic and manage a lockdown of the entire country, some individuals are flouting rules for quarantine and safety. While desperate times understandably call for desperate measures, many of these mobile phone-based interventions raise concerns about the privacy of users and that of persons directly affected by the novel coronavirus, overboard surveillance, and eventually, “function creep”.
In the absence of a law for the protection of personal data and informational privacy, what happens of personally identifiable information (PII) collected and/ or published by these apps? Who would have access to information gathered for the purpose? For how long will it be stored and where? When will it be deleted, if at all? What safeguards exist to prevent abuse and leaks of this information? Would the use of PII be limited for the purpose of tracing, preventing and mitigating coronavirus cases?
Leaks and abuse of photos and PII such as home addresses have already happened in some parts of the country. In case the app has been developed by a third-party, for example, a contractor with the government, what would be the rules applicable on the contractor for ownership and handling of PII, preventing its abuse, unauthorised access, and data breaches?
Persons who violate quarantine rules face punitive actions under the Epidemic Diseases Act, 1897, a law far older than the Internet.
The government orders that I could find have mandated the use of these apps. However, there is no publicly available information about what happens in case of technical failure of an app or if a person gets erroneously reported by the app as breaking the rules (in technical terms, a “false positive” report). On the other hand, technical issues with the apps and their allied systems, or trivial situations such as poor Internet connectivity could mean that persons who indeed break the rules do not get flagged (a “false negative” report).
Here is the list of the apps reviewed:
- Aarogya Setu (National Informatics Centre)
- Quarantine Watch (Government of Karnataka)
- Corona Watch (Government of Karnataka)
- Corona Kavach (Ministry of Electronics and Information Technology – MeitY)
- COVID-19 Quarantine Monitor Tamil Nadu (Tamil Nadu Police Department)
- GCC- Corona Monitoring (Greater Chennai Corporation)
- Cobuddy – Covid-19 Tool (FaceTagR, Tamil Nadu)
- COVA Punjab (Government of Punjab)
- Mahakavach (Maharashtra State Innovation Society)
- COVID 19 Feedback (Ministry of Electronics and Information Technology-MeitY)
- GoK-Direct Kerala (Government of Kerala)
- KSP Clear Pass Checker (Vivish Technologies, Karnataka)
- Covid Care Kerala (Kannur District administration, Government of Kerala)
- Other apps mentioned in the news and unlisted apps
Aarogya Setu (National Informatics Centre)
https://play.google.com/store/apps/details?id=nic.goi.aarogyasetu&hl=en (Google Play) and https://apps.apple.com/in/app/aarogyasetu/id1505825357 (Apple App Store)This app uses an always-on Bluetooth connection for contact-tracing over a period of a few weeks, which is a community-driven method of tracking the infection, somewhat similar to the Trace Together app launched by the Singapore Government. The use of this app is currently voluntary. Users need to register with their mobile number before they can start using the app.
Permissions: It seeks a limited number of permissions — the user’s location (via GPS and via the mobile network/ internet), Bluetooth and Internet connectivity, all of which would be necessary for contact tracing to take place.
- Users’ location information will be purged every 30 days
- If a user deletes their account, all their information will deleted after 30 days
- Personal information collected via the app will not be used for purposes other than those mentioned in the policy
- Data collected and communicated by the app is encrypted.
While these features are laudable, legal experts have raised some concerns about its privacy aspects. In light of these concerns, it may be worthwhile to conduct an independent audit of the app.
Quarantine Watch (Government of Karnataka)
Based on information from a press release issued by the Minister of Medical Education, all home-quarantined persons in Karnataka necessarily have to upload their selfies every hour via the Quarantine Watch Android app to show that they are indeed at home. The order also contains invasive instructions that determine the sleeping hours of these persons. The selfie taken via the app is meant to capture the location, that is, GPS coordinates of the user and a timestamp. This circuitous and protracted method of ensuring compliance would be effective only if the administration uses fast, large-scale automated processes to extract GPS coordinates and timestamps from thousands of selfies every day and verify if the location and photo indeed match the official records. Nevertheless, it leaves a few questions:
- It is technically possible to falsify the metadata such as the timestamp and GPS coordinates in photos, defeating the purpose of such testing.
- GPS accuracy can vary, sometimes to radiuses of up to 1 kilometre, especially in places with shaky Internet connections. What happens in the case of inaccurate GPS metadata being logged by the phone/ app?
The order does not state what would happen in the case of users whose sleep times do not match the window of 10 pm to 7 am. Curiously, the app has been uploaded to the app store by the Revenue Department, which is not the government body responsible for public health or safety in the state.
Only home-quarantined persons who have been registered in the official database are allowed to set up a user account on this app via their respective mobile numbers. Reviews posted on the app store indicate that users are experiencing technical issues with the app and they do not have access to adequate and necessary information for using it properly.
Corona Watch (Government of Karnataka)
The app, developed by the Karnataka State Remote Sensing Applications Centre (KSRAC) for the public to view the location of home-quarantined persons, report violators of quarantine rules, trace the movement of persons affected by coronavirus in their vicinity, among other things. Corona Watch draws its map-based information from the portal https://kgis.ksrsac.in/covid, which displays home addresses, international travel history and quarantine dates of at-risk and afflicted individuals.
In the last week of March, the government had published lists with names and home addresses of about 19,000 residents of Bengaluru who had been home-quarantined. The government stated that it released the lists after observing that quarantined persons were breaking rules and stepping outdoors. It also encouraged citizens to acquaint themselves with the list so that such violators could be found and reported. Src: Bangalore Mirror, Medianama.com
Permissions: It asks for a host of user permissions, some of which may not be necessary for the app to function, such as
- Device ID (enables the app owner to uniquely identify devices that have installed the app; allows the app to ascertain if a phone call is being made or received and the phone number the call is connected to)
- WiFi connections made by the device (active and inactive connections both)
- Phone status and identity.
Using such identity permissions, it is technically possible to read one of more of these identifiers: IMEI number (uniquely assigned to every mobile handset), IMSI number (uniquely identifies every SIM card) and a 64-bit unique ID that Google assigns to every Android handset.
Corona Kavach (Ministry of Electronics and Information Technology – MeitY)
This app has not been reviewed because it had been taken off the Google Play store at the time of writing. The description accompanying the beta version app on the Play Store read, “This app has been made in public interest to give information and capture the outbreak of Corona Virus. The data will be used to conduct analysis and provide information about the active COVID 19 cases in India. The app also has additional features to track your breathing capacity and a survey form to keep a self check.” (Source: Google webcache)
The API of the beta version is available at the website of the National Centre for Geo-Informatics.
Note: This app has now been replaced by Aarogya Setu.
COVID-19 Quarantine Monitor Tamil Nadu (Tamil Nadu Police Department)
This app monitors the location of home-quarantined persons in Tamil Nadu. Only those who have been registered in the official database of quarantined persons in Tamil Nadu are allowed to sign up for a user account. The app also allows the users to update their symptoms such as “cough”, “fever”, “tiredness” and “breathing difficulty”, possibly so that the police and the state health department could be notified.
The app has been developed by one Pixxon AI Solutions Private Limited, a Chennai-based company that describes itself as “artificial Intelligence solutions provider for video surveillance”. The company has been responding to user reviews on Play Store, and the contact email address listed with the app belongs to it.
GCC- Corona Monitoring (Greater Chennai Corporation)
Users’ reviews on the app store indicate that the locations of users within Chennai are not being supported by the app.
Cobuddy – Covid-19 Tool (FaceTagR, Tamil Nadu)
The police department of Thiruvallur district in Tamil Nadu has deployed this quarantine monitoring app, which is based on FaceTagR, a proprietary face recognition system. The system and its accompanying services are offered by the Chennai-based startup NotionTag Technologies. Four days after its launch, this Android-only application was suspended by the Google Play Store presumably because its description did not explicitly state that it was used or endorsed by the police. It was subsequently restored.
Permissions: The app requests for a host of permissions from its users, some of which seem prima facie unnecessary for an app meant to ensure that quarantined persons do not leave their homes:
- WiFi connection information (enables the app owner to view a list of WiFi connections made by the device, both active and inactive)
- Device ID and call information (enables the app owner to uniquely identify devices that have installed the app; allows the app to ascertain if a phone call is being made or received and the phone number the call is connected to)
- Access checkin properties (a permission not meant for use by third-party apps)
COVA Punjab (Government of Punjab)
https://play.google.com/store/apps/details?id=in.gov.punjab.cova (Google Play store) and https://apps.apple.com/us/app/cova-punjab/id1501977319 (Apple app store)
Corona Virus Alert (COVA) is an app that provides medical information, coronavirus-related statistics and updates, travelling instructions, locations and contact information of public hospitals in Punjab, notifications of government orders, a questionnaire for self-screening of symptoms, geolocations of home-quarantined persons, reporting of unlawful assemblies, and a feature to request delivery of groceries in the time of lockdown. This app does not provide contact-tracing functionality at the time of writing. The app requires users to register an account with an Indian mobile number before they can start using it. Interestingly, the chief minister of Punjab tweeted that the app has been implemented in two provinces in Canada.
Mahakavach (Nashik Municipal Corporation)
Going by its description, Mahakavach is meant for contact tracing and location monitoring of Covid-19 affected persons in Nashik district in Maharashtra. Its users are supposed to log their “selfie attendance” (a feature for home-quarantined users to upload a selfie as proof of their location), and update “quarantine status for better adherence” and the results of their coronavirus tests. Only authorised users are allowed to use the app by setting up an account via their mobile numbers on the directions of doctors and healthcare workers. It apparently alerts relevant personnel if home-quarantined users step out of their location.
The app has been jointly developed by as many as six entities:
- National Health Authority
- Maharashtra State Innovation Society, an agency of the Maharashtra government
- Nashik District Innovation Council, an agency supported by the MHRD, Government of India
- Nashik Municipal Corporation
- Digital Impact Square (DISQ), a technological “innovation hub” of sorts initiated by the non-profit arm of Tata Consultancy Services, a private corporation
- Kumbhathon Foundation, another “innovation hub” associated with DISQ and the Smart Cities endeavour of the Indian Government.
It is unclear which of these entities are responsible for securing the information collected and stored by this app and ensuring privacy safeguards for users’ sensitive and personal information, or what the processes would be for exchange and storage of citizens’ information between different agencies of the government and non-governmental entities.
COVID 19 Feedback (Ministry of Electronics and Information Technology-MeitY)
The app is meant for the sole purpose of obtaining feedback from citizens who have undergone coronavirus testing. The brief feedback form on the app asks users to provide four pieces of information: name, email address, mobile number and the text of the feedback.
Permissions: The app seeks different sets of permissions on the mobile device, not all of which seem to be necessary to collect such feedback. Some of the permissions are for:
- Contacts stored on the device
- Google accounts associated with the device
- Changing the audio settings on the device
- WiFi connections made by the device (both active and inactive)
- Controlling device vibration
- Access to memory storage, photos, media and files
GoK-Direct Kerala (Government of Kerala)
https://play.google.com/store/apps/details?id=com.qkopy.prdkerala (Google Play Store) and https://apps.apple.com/in/app/gok-direct/id1502436125 (Apple App Store)
This app released by the Department of Information and Public Relations of the Government of Kerala provides medical information, statistics, updates and notifications published by the government and the World Health Organisation. The app supports English, Malayalam and a few other Indian languages. The government partnered with Qkopy, a mobile app developed in the state that describes itself as “ensuring online safety, [mobile] number privacy and controlling fake news”.
KSP Clear Pass Checker (Vivish Technologies, Karnataka)
An app for use by police personnel in Bengaluru to verify individuals and service providers who hold curfew passes for their movement during the lockdown. The app has been developed by Vivish Technologies, a start-up in Karnataka better known as MyGate. The arrangement ran into privacy concerns for mandating that those who request a pass provide their Aadhaar card details.**
- MyGate has since fixed the link and the policy is available at the link.
- A complementary app – KSP Clear Pass app is meant for citizens to apply for passes. MyGate has said Aadhaar numbers are not required for applications from citizens and that any government-issued photo id will work.
Covid Care Kerala (Kannur District administration, Government of Kerala)
The app, developed by the National Informatics Centre, provides counselling services for quarantined/ afflicted persons, information about community kitchens for migrant workers, information about home delivery of groceries and food, and “geotagging of quarantined persons” in the district, among other things.
Other apps mentioned in the news:
- An unnamed quarantine app jointly developed by 70 different startups.
- CoWin 20 developed by NITI Aayog. However, this app has now been replaced by Aarogya Setu.
- The Covid Alert Tracking System has been reportedly planned by the Andhra Pradesh government to keep track of approximately 25,000 home-quarantined people. This is a geofencing system that tracks the location of the mobile phone as gathered by mobile phone towers. While the full details of this deployment are not publicly available, it is worth noting that accuracy of cell tower triangulation methods is limited in the context of ensuring that someone is staying put at home. Location data, as gathered by three different mobile towers forming a triangle, tends to be accurate up to 1.9 square kilometres. That is, the mobile device could be anywhere in an area of up to 1.9 square kilometres (Reference). Accuracy would reduce further if fewer towers were referenced. Poor network coverage will also affect the traceability of persons.
These apps have not been published on Google Play or Apple App Store. Instead, users are required to install them after downloading the installation file (called APK or IPA) from a government website.
SMC Covid-19 Tracker, Surat Municipal Corporation, Gujarat
Home-quarantined persons in Surat have been asked to use this app to:
- Send their GPS location every hour from 9 am to 9 pm for the entire duration of quarantine.
- Fill out and submit a questionnaire about their symptoms twice a day along with their selfies.