In addition to a country-wide lockdown, India is has been experimenting with technology that will help them control the spread of COVID-19. On April 2, the government launched its COVD-19 mobile tracking app, Aarogya Setu. The app, which alerts users when they are within six feet of a person infected with the coronavirus, is creating major concerns about potential digital security issues.
Arogya Setu App – Stay informed with the latest updates on the fight against COVID-19.
The Government has launched a Bluetooth based ‘Aarogya Setu’ app to strengthen the fight against COVID-19.
— Gujarat Information (@InfoGujarat) April 4, 2020
Aarogya Setu users sign up using their mobile phone number and can add personal details as well as past travel history. A feature allows users to perform a self-assessment if they suspect they might be infected with the virus. It also alerts government authorities if a person’s tracked details — such as recent travel to any country with high infection rate or medical symptoms — draw suspicion. The app was developed by the National Informatics Centre under the Ministry of Electronics and Information Technology (MeitY) who claim that data they collect will only be shared with government agencies. Google Play store has already registered more than one million installations of the app.
During the launch of Aargogya Setu, Neeta Verma, General Director of the National Informatics Centre (NIC) said:
[…] the app will enable people to assist themselves [from] the risks of catching coronavirus infections. The risk score is calculated based on their interactions with others using cutting edge Bluetooth technology, algorithms and artificial intelligence. Citizen privacy is taken into account while designing the app. Personal data collected stays secure on the phone until it is needed for medical intervention.
In a series of tweets, Krishnaswamy Vijay Raghavan, principal scientific adviser to the Indian government, says the app will let citizens know if they accidentally come in contact with infected people around them. In one of the tweets, he also advised the users to keep the phone Bluetooth turned on and “always” share their location:
How does it work? Install the App, switch on Bluetooth, set location sharing to “Always”. The App detects other devices with Aarogya Setu installed that have come in the Bluetooth / GPS proximity of your phone. Aarogya Setu is available on both iOS and Android.
— Principal Scientific Adviser, Govt. of India (@PrinSciAdvGoI) April 2, 2020
Raghavan also assures that the collected data is encrypted with “state-of-the-art” technology but, so far, there are few details available about the encryption standards followed.
Users like Vijaita Singh also find the requirement to keep Bluetooth turned on all the time “jarring”.
I downloaded the Arogya App yesterday, it informs about any COVID positive patient near you. But for that the bluetooth has to be kept on at all times. Jarring feature. pic.twitter.com/FfnLSg2xlE
— vijaita singh (@vijaita) April 3, 2020
Prasanna S., a lawyer and author of internet rights issues, questions the lack of clarity around the data being collected and retained both in the app and on the server:
[..]There isn’t enough information available on what data will be collected, how long will it be stored and what uses it will be put to. If the data gets shared with the government of India, what the government can use it for needs to be specified. Otherwise, it will be a violation of the notice and consent principles. [..]
Concerns over data breaches are not unfounded as India has been accused of being unable to protect personal information found in its biometric database, Aadhaar. Aarogya Setu is also only one of 11 official apps that the federal and provincial governments have launched to fight COVID-19. Another app, Corona Kavach, has also drawn criticism over privacy issues. In an article on the Hindu, journalist Suhasini Haidar wrote:
The government’s efforts to monitor people advised quarantine for the novel coronavirus ran into privacy issues on Friday, after the database of hundreds of passengers who returned from “coronavirus affected countries” was leaked online and shared by social media groups. In addition, the government defended its newly launched pilot or beta version of a mobile phone application called “Corona Kavach” which uses the data of confirmed coronavirus patients to alert subscribers when they are in close proximity.
Haidar also notes that WhatsApp and Facebook groups were able to share information that included the names, passport numbers, flight details, mobile phone numbers and addresses of 722 passengers who arrived in New Delhi on March 9 and March 20.
When many of the recent government approaches in India blur the line between scientific approaches to fight COVID-19 and the protection of individual rights, the rushed use of technology troubling. Privacy expert Apar Gupta told India Today:
As India does not have a pre-existing data protection law and there is a lack of statutory protection in place there is also a further problem given that these specific applications on the Play Store itself do not link to applicable privacy policies.
India is one of many countries using technology to help stymie the spread of the virus. Joseph Cannataci, United Nations special rapporteur on the right to privacy, expressed concerns on how countries are enforcing strict surveillance and other measures during the pandemic that are dangerous to individual freedom.
The digital rights group Electronic Frontier Foundation is one of many to point out that governments around the world that are advocating for “dragnet” location-based surveillance technology have not shown any significant ability to fight the pandemic using this technology.