Aarogya Setu key to making transition into post-lockdown period smooth, prevent loss of lives; doubts about privacy, security unnecessary
Aarogya Setu is also reviewed by other foreign firms who often tend to be critical about indigenous technological efforts of India.
Like many other countries, the Government of India has launched its own Aarogya Setu app for contact tracing and alert users if they come in proximity with a COVID-19 infected person. The app is developed with complete indigenous expertise in partnership between academia, industry and government within a short time.
It has been downloaded by more than 10 crore Indians and has received high ratings on both Google Play Store and App Store. With more Indians using the app it will be easier for health workers and governments to trace the infections in a timely manner and control the pandemic. It is estimated that when the number of app users crosses 25 crore its true potential will be realised.
While everyone appreciates the purpose and need for such an app, some users are wary that the app collects users' location and could be potentially misused as a surveillance tool. Many critics have raised concerns about the use of the app beyond pandemic surveillance and possibly amplified fears of many limiting its widespread adaptation.
Then the questions arise, can highly contagious COVID-19 be fought without any surveillance? Can we trust the app? It is clear that technological solutions involving surveillance are necessary, otherwise it is not feasible to manually trace all the contacts and provide timely healthcare services.
In controlling the pandemic, time is critical and any delay in medical interventions could further lead to a delay in flattening the infection rate and potentially causing more loss of lives and economy. Countries like South Korea and China used sophisticated surveillance systems (video, telecom) to the best possible extent and are successful in controlling the pandemic. The fear of surveillance in today’s time of Google and thousands of applications that track user movement is overblown.
The app privacy states that it collects demographic information (name, age, mobile number, travel history) once at the time of registration and securely stores them. The user is subsequently identified with a Digital ID (DiD). The app collects location data at the time of registration, self-assessment test, and at the time of collecting contact tracing data and securely transmitted to the server and stored there with an additional layer of encryption.
The location information in Aarogya Setu is used to show how many people within a radius of 500, 1,000, 2,000, 5,000, and 10,000 metres have installed the app, how many took self-assessment tests, and how many have been identified to be ‘at risk’. The location information is aggregated to answer ‘HOW MANY’ type questions and at no point reveals information about an individual by answering ‘WHO IS’ type questions.
This is important from a privacy point of view. Also, as a citizen, we have the right to know how safe I am in my locality. As lockdown rules are relaxed people may like to travel to different places for work and it is the onus of the government to make them aware of how they are exposed to the risk of infection at different places. The government can provide such information only if we allow them to collect it.
Location data is also collected by the Aarogya Setu app when it communicates with the nearby Bluetooth devices that also have the app running. However, this location data is stored locally in mobile and is not sent to the server. This data is retrieved from mobile, only when the user tests positive so that all the users who came in close proximity with the user can be traced.
Thus, it is clear that the Aarogya Setu app is not tracking the user live and collecting information necessary to answer HOW MANY type questions. Such type of limited surveillance to collect aggregated information should be accepted as it is serving society at large.
To check the security issues with the app, many ‘ethical hackers’ have put the app to scrutiny. They decompile apk (an executable) of apps and analyse the code threadbare. Though the source code of Aarogya Setu is not made available, analysing the decompiled code largely helps hackers identify vulnerabilities if any.
French ethical hacker who goes by the pseudo name Elliot Alderson did raise some flags about access to some internal files of mobiles running Aargoya Setu claiming millions of Indian users' data is at risk. His claims have been busted by fellow hackers and the government also quickly rebutted his claims.
Alderson ended up acknowledging the fixes and taking potshots at the government. Another Singapore based ethical hacker Frank Liauw, who had earlier code reviewed the TraceTogether app of the Singapore government, appreciated the security features of Aarogya Setu and expressed that data purging methods be made more explicit in the privacy statement. He further acknowledged that all the data is stored within India.
Aarogya Setu is also reviewed by other foreign firms who often tend to be critical about indigenous technological efforts of India. After comparing tracking app of 25 countries, MIT Technology review said that “Aarogya Setu scored positively on the timely deletion of user data and collection of only useful data but failed to score on voluntary use, limitations of data usage, and transparency.”
Further, it said that India’s app is unique in a number of other ways as it offers several other useful features. As per our understanding, the usage of Argogya Setu is voluntary in India and only the people in government services, travellers are asked to install that app as they are very at the high risk of exposure.
Now coming to the data usage and transparency, the government has come with a clear policy on how the data will be used. While the Data Protection Bill is still pending in Parliament, an executive order ‘Aarogya Setu Emergency Data Access and Knowledge Sharing Protocol, 2020’, will be applicable for the next six months and will be taken for review subsequently.
As per the protocol data will be purged after 180 days and if users request it will be purged within 30 days. Further, the protocol lists who all can use the data has made the National Informatics Centre and Ministry of Information and Technology as the agencies responsible for storage, processing, and sharing of data.
Aarogy Setu started as a tracing app to help the authorities contain the spread of COVID-19. Since then many new facilities like telemedicine, e-consultation along with a plethora of informative material related to COVID-19 are being provided on the app.
It has evolved as a one-stop technological solution in India’s fight against COVID-19. With privacy and security issues being continuously addressed, we should trust the app and help the government and health agencies effectively fight the pandemic. As the lock-downs are relaxed and we move back to our regular routine, we need a bridge that helps us make the transition smooth and prevents loss to lives and our economy falling into COVID-19 trench.
Arogya Setu can be that bridge and by widely adopting it we can only make the bridge stronger. We are not safe unless everyone around us is safe and Aarogya Setu can be our strong companion to collectively ensure the safety of our society.
The author is an Assistant Professor in industrial engineering and operations research with IIT Bombay.
A wave of virus cases has washed over the world's most populous nation since Beijing abruptly ended its zero-Covid policy last month
It is expected that the Lunar New Year holiday travel rush – known as Chunyun – can drive a new wave of infections in China, especially in its vulnerable countryside. Last week, Xi Jinping also acknowledged concerns about a COVID-19 spike in rural China
Prime Minister Han Duck-soo said Seoul could consider lifting the restriction on short-term visas for travellers from China before the end of February if the number of COVID infections in China is manageable