The government has attempted to address widespread privacy concerns about the Aarogya Setu app by releasing an executive order that details some knowledge-sharing protocols. While this is an improvement on the initial opacity, it is still not enough to address all concerns. The contact-tracing app has gone through several controversies, as downloads approach the 100-million mark. One concern is that it will be exclusionary if it is made mandatory for travel on all modes of public transport, as seems the case. It cannot be run except on a smartphone and almost by definition, mobile subscribers from lower-income groups don’t possess smartphones.
The knowledge-sharing protocol says data will be shared with a plethora of government institutions, including sundry state governments, and it may be shared if “necessary” with third parties. It will be provided anonymised to third parties outside government — this could be universities and research institutions, and laboratories conducting studies of the virus. The data will be held for a maximum of 180 days unless the period for app usage is extended. After that it will be deleted. Private data pertaining to individuals will be destroyed after 30 days if they are not infected, and in 60 days if they have recovered from infection.
There are many disturbing gaps in the protocol as released. First of all, 30 days of location data is enough to give a blueprint of any user’s lifestyle. Second, there is no clear list of third parties that could be given data access and it is not clearly delineated what circumstances could lead to such data being shared. The anonymisation process has also not been detailed. It is easy to reverse anonymised data unless some very stringent procedures are followed. Hence, assurance of anonymisation does not bring as much comfort as it should.
The app is not open-source, which means that it is still not clear if it has bugs. That there are some bugs has already been demonstrated. Within 24 hours of release, at least two “white-hat” hackers had broken the code. The first revealed data leaks, which made it possible for users to pinpoint locations of persons marked red, and also those who claimed to feel unwell in government institutions such as the Prime Minister’s Office and Ministry of Home Affairs. The second hacker demonstrated that the app could be disabled or bypassed to show green signals. The app collects data way more than similar ones developed by Singapore, Israel, and the MIT. While much of the data collected by Aarogya stays on the device, it can be uploaded to a cloud server too if the government chooses. The security of cloud servers involved is unclear.
Singapore and Israel
are among many governments that have released contact-tracing apps, while Apple and Google are also developing similar apps. The differences are not in favour of Aarogya. Most governments have made such apps voluntary instead of mandatory. Singapore and Israel
have both released source codes for their respective apps, which makes it possible for independent researchers to rapidly pinpoint bugs. The Singapore app uses only Bluetooth technology, which helps identify proximity to a "red user" without revealing the user locations, unlike Aarogya, which pinpoints user locations with GPS. All data is stored on the user's handset and made available to the Singapore government only upon specific request.
Given the lack of a specific personal data protection law, it was incumbent on the government to make the app open-source and voluntary. This is especially true, given the difficulty of low-income groups in acquiring smartphones. The knowledge-sharing protocols offer some comfort but seem insufficient. The government needs to be more open about source-code and it needs to reduce the data the app collects by default. The app was designed for a specific purpose. Global best practices indicate that it collects far more data than required for that purpose and it is also unclear how efficacious it actually is. A review of the app and more detail on the data sharing would be welcome.