Chennai, TAMIL NADU— Aarogya Setu, a Government of India app to track the real-time movements of citizens to determine if they have been in the proximity of COVID-19 patients, vastly expands the surveillance capabilities of the state with few explicit safeguards warned privacy experts and cybersecurity analysts.
An analysis of the app by Defensive Lab Agency, a Paris-based cybersecurity consultancy, offers disturbing insights: The app gathers a user’s identity, tracks their movement in realtime, and also continuously checks if other people who have downloaded the app are in the proximity of the user.
This allows Aarogya Setu to create a social graph of a user by tracking everyone they have been close to. Combining this data with existing government databases — many of which are already seeded with the mobile numbers of citizens — can significantly expand the government’s powers of surveillance, privacy experts said.
“Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions,” the policy states.
Aarogya Setu has been downloaded over 10 million times since it was released last week, largely due to a concerted push by various government ministries. On April 3, for instance, the Ministry of Human Resource Development asked schools to tell parents of students, and their family members to download the app. On April 6, Prime Minister Narendra Modi asked BJP workers to download the app.
“It’s a threat to our constitutional rights,” said Mira Swaminathan, programme officer at the Center for Internet and Society. “When the right to privacy is at risk, the right to freedom of speech and expression is at risk.”
Many countries have developed apps to help enforce social distancing during the COVID-19 pandemic, with varying levels of privacy guarantees. Social distancing is presently the only way to slow down viral transmission while waiting for a vaccine.
While apps can help identify and rapidly quarantine infected individuals, some nations have been better than the others at ensuring the privacy of users. Singapore’s contact tracing app, for example, states clearly that the app doesn’t collect data beyond the bare minimum needed for contact tracing.
Aarogya Setu offers no such assurances.
Every Step You Take
When a person registers on the Aarogya Setu app, they upload their name, phone number, age, sex, profession, travel history, and smoking history. The data is encrypted and transferred to a server.
The government assigns a unique identifier to the phone, and when two registered phones are near each other, they exchange unique identifiers, which are stored on government servers. If a person is found be infected with the novel coronavirus, all the people they were near in the past, as identified through their unique ids generated by Aarogya Setu, are notified.
India does not have a data protection law, so people cannot hold app developers accountable for privacy violations.
It is also unclear which government agency is overseeing the database and data collection.
“Who is the nodal ministry that will be organizing and coordinating this data and then sharing it further with other government agencies?” she said.
The concern of privacy activists is that the government could, under the guise of a pandemic and in the absence of a data protection law, expand its powers of surveillance. For instance, surveillance company Staqu, which supplies a number of state governments and police authorities with facial surveillance technology, has developed a way to identify people who aren’t wearing masks or respecting the COVID-19 lockdown, according to an interview in YourStory. The company could use the pandemic to expand its network, Panday said.
“I think the bigger concern is, is this going to open the floodgates of mass surveillance later on,” said Pallavi Bedi, policy officer at the Center for Internet and Society.
Other than Aarogya Setu, there are more than 20 apps developed by various states to track and quarantine COVID-19 patients. Punjab’s COVA app, which was also analyzed by Defense Lab, as well as Aarogya Setu both use Google analytics for analysis, but it is unclear who is receiving the data to improve the apps.
Lack of transparency
Contact tracing apps need to be deployed at scale in order to work properly. Enough people need to be online so there aren’t gaps in phone-based surveillance. For this, public trust is key, and it needs to be rooted in transparency, according to a study published in Science.
One way to ensure transparency is to have a transparent and auditable algorithm, the study states. Some nations, such as Singapore and Israel, have posted the app source code in online repositories for independent audit. Researchers can look at the data points being collected and transferred.
The government has since set up a committee that includes industry to adjudicate on privacy concerns that have been raised, according to the Economic Times.
Ultimately, it will be difficult to deploy the app at scale in India, where there were about 462-million smartphone users in 2017, according to PricewaterhouseCoopers. That leaves hundreds of millions of people outside the network.
K Vijayraghavan, Principal Scientific Adviser to the Government of India, told YourStory that a feature phone version of the app would soon be available. To have such a version, the government would need mass access to the data of roughly 500 million Indians from telecom operators, Panday said. The chairman of the Telecom Regulatory Authority is on the app development committee.
“This is the perfect scope for expanding surveillance,” Panday said. “The grounds for expanding surveillance are here at this moment.”
HuffPost India has written to Vijayraghavan and will update this article when he respond.
A previous version of this article incorrectly stated that Aarogya Setu could access a user’s phonebook without permission. That is not the case. The article has been updated, and the error is regretted.