Aarogya Setu: Lack of data privacy laws, transparent policies make app worrisome, say MIT researchers

Aarogya Setu has become one of the most downloaded apps in the country in a span of two weeks of its **launch** with 90 million downloads. And one of the reasons of its popularity is because Prime Minister Narendra Modi urged 1.3 billion people of the country to use it. While the app was suggested to be voluntary at the time of launch, lately many private and public organisations made it  mandatory for their employees to install the app. The app has faced a lot of flak for its potential privacy and security flaws. Recently, French hacker **Elliot Alderson also raised concerns about the app's privacy** . Now,  MIT University has reviewed the Aarogya Setu app to understand how effective is the app, is it safe to use, and how it compares to other contact tracing apps that are being used in different parts of the world. As opposed to the ongoing practice of threats to arrest and fine in the country for people who don’t have the Aarogya Setu app installed on their phone, the review suggests that the policy of the app says it is voluntary to use. The MIT also claims that India is the only democratic nation in the world that has made it mandatory for the citizens to use the app. (Also read: Aarogya Setu: Whether we like it or not, the app is here to stay, but it's still riddled with privacy issues that need strong answers )  [caption id=“attachment_8221151” align=“alignnone” width=“1024”] Aarogya Setu app on iOS[/caption]

#Lockdown3 guidelines (contd...)#lockdownextension #IndiaFightsCOVID19 pic.twitter.com/5JyPm1RAtm

— PIB - Ministry of Home Affairs (@PIBHomeAffairs) May 1, 2020

The app requires Bluetooth and GPS to function. For those who don’t know it yet, Aarogya Setu not only makes the user aware if they have come in contact with a COVID-19 patient, but it also offers access to telemedicine, an e-pharmacy, and diagnostic services. Using the app also doesn’t count in daily mobile data usage. All these all-in-one features gives it an upper hand over the “exposure settings” **made by Google and Apple** that only uses Bluetooth for contact tracing.

Contact tracing explained in under 3-minutes

Apple and Google are working on a contact tracing tool; the Indian government has a contact tracing app called Aarogya Setu. But what does contact tracing mean and how does it work? pic.twitter.com/Ia8tggdKnS

— Firstpost (@firstpost) April 24, 2020

The review suggests the most worrisome part of the app is we don’t know who has access to the database, and they don’t have any transparent policy. And on top of it, India does not have National data privacy law. (Also read:  Workers sign petition urging govt to issue advisory clarifying that 'Aarogya Setu' app isn't mandatory ) As per the head of this project, Arnab Kumar, the app was built to the standards of a draft data privacy bill that is currently in the country’s parliament, and says access to the data it collects is strictly controlled." The app is not open source and because of that many critics have raised their eyebrows. Kumar says that it will happen down the line but did not confirm any expected date. The review further reveals that since the app is not open source, its code and methods can’t easily be reviewed by third parties, and there is no public sunset clause stating when the app will cease to be mandatory. Although, Kumar has confirmed that data of sick individuals are deleted in 60 days and for healthy people in 30 days.