On April 2, NITI Aayog released the Aarogya Setu app, built by a team comprising citizen volunteers and government agencies, as a solution for contact tracing and spreading awareness of COVID-19. The cross-platform app crossed five crore downloads just 13 days later. In short order, it has become one of the fastest-downloaded apps in the country, but this has been achieved thanks to a personal appeal from Prime Minister Narendra Modi during his address to the public on Tuesday, April 14 — and a lot of behind-the-scenes promotion too.
Messages from the Department of Telecom (DoT) arrive on phones every day asking people to download the app. Campaigns on social media and promotion from startups have also helped, as have circulars from institutions like the CBSE, which asked faculty, students, and even parents to download the app. Thanks to measures like these, it has hit a stunning 5 crore downloads in under two weeks, but that number also has many people in India worried. Privacy experts have raised concerns about the Aarogya Setu app, and worry that it will erode the liberties of the people, and that feature creep will see its use stretch beyond contact tracing in the current coronavirus pandemic — something the government is already talking about as well.
Experts say that the Aarogya Setu app falls short of the standard set in Singapore and other countries: it captures far more data than is strictly necessary for contact tracing or for providing awareness of COVID-19. However, Gadgets 360 spoke to Arnab Kumar, Program Director, Frontier Technologies at NITI Aayog, who responded to some of these concerns. According to Kumar, work on the Aarogya Setu app only kicked off on March 16 or 17, days before the official launch of the TraceTogether app from the Singaporean government on March 20.
Although contact tracing makes the Aarogya Setu app similar to the TraceTogether app, there are many differences, and one of the major ones is the addition of GPS-based location tracking alongside Bluetooth connectivity. Kumar told Gadgets 360 that the purpose of requiring GPS information is to determine the exact location of infected people, in order to find new hotspots and the direction in which infection is spreading.
“We don't use location on an individual basis, we use it on an aggregated basis,” he claimed, adding that the location information captured through the app is pushed to the server only if the user is COVID-19 positive or is at high risk of infection. However, the app itself does not make clear what data is being collected, where all the information is stored, or what policies are in place to remove this data from cloud servers — the initial terms of service gave no details about data retention policies or protections, and these were only added after some days. Pair that with the lack of well-defined data protection norms in India, and the result is a ticking time bomb — to the point where the Indian Army has directed its personnel not to use the Aarogya Setu mobile app in their office premises, operation areas and sensitive locations, according to a report by IANS.
“There can be discriminatory risks in terms of peculiar communities' overall movement or the patterns of people who come from certain socio-economic backgrounds,” Sidharth Deb, the Policy and Parliamentary Counsel at Internet Freedom Foundation (IFF), a Delhi-based non-government organisation (NGO) that conducts advocacy on digital rights and liberties, told Gadgets 360. Deb has evaluated the structure of the Aarogya Setu app from the standpoint of privacy and data safety in a paper that is still under development.
Prasanth Sugathan, Legal Director at the Software Freedom Law Centre India (SFLC.in), pointed out that the Aarogya Setu app isn't just capturing aggregated data but also obtains individual data, since it asks users to provide their phone number to register at the very first stage. “The data obtained from an individual's phone would remain linked to the individual's phone number and hence the identity of the individual,” he said. De-anonymisation of aggregated data has long been known to be possible — data re-identification is a big business, and studies have shown that “anonymised” data can never be truly anonymous.
Kumar, from NITI Aayog, told Gadgets 360 that there is a kill switch in the system that purges the data from the user's device after 30 days, and deletes it from the server after 45 days if the individual is not at risk. For a person who is at risk, the server deletes this data after 60 days. “We're trying to build a temporary solution to a temporary problem,” he said.
Deb, however, argued that the government still retains discretionary scope to cite certain grounds for not deleting the datasets it obtained from the app. “The wording of the contract suggests that there is a scope for the government to also have certain grounds on which it does not delete data,” he said. Sugathan noted that it isn't clear whether the kill switch applies only to the local database stored on the user's device, or also to the remote database. There is also a demand for letting users delete their own data from the app once they no longer use it or the pandemic is over. However, the government has no such plans at this point in time, Kumar said.
No concrete details on open sourcing the code
One of the ways the government can provide clarity on how the Aarogya Setu app works is to open source its code. The Singaporean government recently did this for its app. NITI Aayog's Kumar, however, only said that there was an intention to open source the code, but that it would take some time. “We shouldn't compare our model with what's available in Singapore since they have a total population of five million, whereas we crossed the five million mark within hours of launching the app. Even then, Singapore took several weeks to open source it,” Kumar told Gadgets 360, although he didn't clarify what the population of the country has to do with publishing its source code.
He added that the team's current focus is on expanding the capabilities of the app rather than on open-sourcing the code.
“Regularly updating the open source code is no different from maintaining a closed source project,” said SFLC.in's Sugathan. “It just takes a minute to update the source code and if they open source the application, then the Indian and worldwide developer community would be happy to help.” Deb from the IFF added that while open sourcing the code at this moment might not be possible for the team, there should at least be an open dialogue around the timeline by which the government will release the code for public access. “Open sourcing the code is one of the many ways that they have to engender transparency,” he said.
The listing of the Aarogya Setu app shows that it has been developed by the National Informatics Centre (NIC). However, NITI Aayog's Kumar told Gadgets 360 that the app was developed under a public-private model — with a group of individuals participating “voluntarily” alongside the government authorities. “While a public-private model could be a workable way to scale such technology, you need to be mindful that when you're using a technology like this,” responded IFF's Deb. “It has been built with the view towards being a temporary system, and like to hold it accountable, you need like an underlying legal framework or something that holds the public-private entity or partnership accountable.”
Kumar, however, said that while the development process involved various entities, the data is controlled entirely by the NIC.
“At the end of the day, while the NIC might be maintaining that infrastructure, the same infrastructure might be linked with other government databases,” said Deb. Additionally, Sugathan of SFLC.in pointed out that the app's database is hosted on Google's servers, its app data is hosted on Amazon Web Services (AWS), and it uses Google's Firebase analytics and database solutions on top, so it is difficult to say that user data is only in the hands of the NIC. “Using third party server infrastructure may not be a security risk. But being a Government entity, ideally the data should remain under NIC's infrastructure,” he said.
As of now, the government has established a committee to improve the existing model. But this isn't just to work on the security issues — feature creep, which privacy experts have been warning about since the app launched, is coming, with plans to use “artificial intelligence,” spread information about nearby distribution centres using GPS, and enable remote healthcare. Kumar confirmed these plans, and added that the team is also working on bringing the app to feature phones, on interactive voice response (IVR)-focused development, and on a KaiOS version for Jio Phone users that has already been built for testing.
“This [expansion] is not really consistent with the principle of purpose limitation, which is a key construct within information privacy and people's right to privacy,” Deb of the IFF told Gadgets 360.