India like most other countries in the world is tackling the coronavirus crisis by imposing and recently extending lockdown. And in its efforts to convey information, the Modi government has come up with a new smartphone app called Aarogya Setu. This translates to bridging healthcare in Hindi. It’s present purpose is to provide information on the coronavirus crisis in India and tell its user if they have come in contact with someone carrying the virus. The app was launched back on April 2 and recently claimed that it has been downloaded over 50 million times within 13 days of launch. This means that the app broke the record held by Pokemon GO. Also Read - Aarogya Setu app reaches 50 million users in just 13 days; beats record set by Pokemon Go
But behind the positive intents and purposes of the app, it seems like it is riddled with security concerns. Delhi based privacy focused group the IFF or Internet Freedom Federation have raised red flags about the security concerns with the Aarogya Setu app. The app apparently fails to comply with the global privacy standards in its report. According to Sidharth Deb, policy and parliamentary counsel at Internet Freedom Foundation, the app is a potential surveillance tool in the hands of the government. Also Read - Government launches Coronavirus tracker app called ‘Aarogya Setu’: Here is how it works
“As such, the Aarogya Setu application appears to clearly be inconsistent with privacy-first efforts which are being considered by technologists and governments,” he writes. The IFF has compared the Aarogya Setu app to two other such Covid-19 tracking apps in term of safety parameters. These are the TraceTogether app from the Singapore government, and Massachusetts Institute of Technology’s Private Kit: Safe Paths project.
Too much information needed
The Aarogya Setu app asks its users to provide access to both Bluetooth and location services. The app goes on to warn users that if these permissions are denied, it could lead to a false assessment of a Covid-19 situation. A warning like this to an already perturbed person without the knowledge of the security issue would temp them to provide that permission. It also warns users to keep the devices on their person at all times. It also warns that an exchange of devices could mean a false report.
The whole purpose of the Bluetooth is to track if the smartphone of a Covid-19 positive person comes in range. Even in that case, it is not clear what kind of information will be shared between the two smartphones. According to IIT-Madras Professor V Kamakoti, it is estimated that “at least 50 percent of the population needs to register to make the app effective”. The problem with this is that there are hardly that number of smartphones held by the Indian population. Even if the app were to become effective, the elephant in the room still remains, which are the security concerns.
The IFF paper by Deb asks the question, “How will switching devices lead to a conclusion that someone is falsely identified as Covid-19 positive? Does this mean that people are categorized as Covid-19 positive based on the data collected by the application itself, instead of a formal test result to confirm a positive diagnosis? If this is indeed the case, there is a need to strongly commence dialogue to roll back the application and fine tune the entire process.”
Privacy agreement and source code
In terms of transparency of the app, the other two cases cited by the IFF paper have their source codes publicly available on GitHub. This enables ethical hackers to identify security concerns in the app and convey them to the developers. But the developers of the Aarogya Setu app have done none of this, which poses even bigger questions.
Once a user launches the Aarogya Setu app they are prompted to provide their mobile phone number, verified with a one-time password. Following this the user is asked to enter their name, age, gender, profession, travel history, and known contact with a coronavirus patient. After providing all this information they are provided with a basic dashboard that provides base information and hygiene and social distancing protocols. There’s is also the feature to donate to the PM Cares fund which has been newly formed by the Modi government.
The data on the Aarogya Setu app is stored on the device as well as the central servers of the app. The terms and services of the app mentions that the data will be deleted after 30 days of recording it. But this only refers to the contact details of the user and not the anonymised or the aggregated data sets that the user may have been part of. This data could survive the present use for this app on its central servers.
“This clearly does not suggest intent on the part of the government to destroy these systems. As a result there is a risk the personal information of users may be held for the duration of this public health crisis and beyond,” Deb wrote.
The government agencies have been pushing this app since its launch. According to reports the HRD and Rail Ministries have apparently sent out advisories urging students, teachers and employees, and their family members, to download the app.
Various social media influencers have been reached out to as well in order to promote the app. One such social media influencer on Instagram shared a screenshot of a mail they received from a third party platform called VU Roll with BGR India. The mail clearly specifies that they will not be paid for promoting the app.
The mail among other things reads, “There are no fees or charges in the promotion of Aarogya Setu app as it is a complete social awareness activity requested by the government.” Prime Minister Narendra Modi himself promoted the app despite the many security concerns while prolonging the lockdown till May 3. The internet Freedom Foundation has put out an explainer on the app as well educating people about the risks and how the app could be improved. The Aarogya Setu app has been developed by the Niti Aayog and is available in 11 major languages. And it’s not just the IFF, but there was an early analysis of the app by the Defensive Lab Agency which also raised red flags.