Aarogya Setu App for COVID-19 helping Action Plan
India is settling into an extended coronavirus lockdown, the government needs to ensure it fervently pursues contact tracing.
Prime Minister Narendra Modi government launched the Aarogya Setu mobile app on April 2. The app meant to alert users whenever they come in contact with a COVID-19 positive patient. It also tells what measures citizen need to take in case infection happens. But cybersecurity experts worry that Aarogya Setu can violate its users’ privacy . It can be used as a surveillance tool in the hands of the government.
Aarogya Setu Dashboard
Aarogya Setu App appears to be inconsistent with privacy-first efforts which are being considered by technologists and governments. The efforts are made to evaluates Aarogya Setu App on various privacy and safety parameters against two similar apps specific to COVID-19 like TraceTogether app from the Singapore government, and Massachusetts Institute of Technology’s Private Kit.
Prime Minister Modi recommended that citizens should download this app while announcing an extension of the national lockdown. Government agencies and various departments have been spreading awareness about Aarogya Setu. It is doing so through different social media gateways.
One reason for this awareness campaign is that the app can successfully undertake contact tracing for COVID-19. But for this, at least 50% of India’s population needs to download Aarogya Setu app. It is proving to be a big challenge. Only 500 million people in India out of 1.3 billion citizens have smartphones. The privacy concerns are still at the bottom of issues with Aarogya Setu App.
Intents and Purposes
Purpose limitation predefines the end to which data collected will use, is a crucial factor in privacy agreements. The language used in Aarogya Setu’s privacy agreement leaves it open for the government to repurpose this data for its other government agencies.
Aarogya Setu Terms of Service
Like Singapore’s Trace Together explicitly states that the country’s health ministry will only use the data collected through the app. The committee that designed lacks any representation from the ministry of health and family welfare and any other independent involvement of persons with a medical or epidemiological background.
Locked Out
Unlike Private Kit or Trace Together, the Indian government has not released information about the source code of the Aarogya Setu app. The information we have about the app is its frontend and pedestrian service and privacy policy.
It prevents ethical hackers to identify security threats in the app. It makes it more vulnerable to malicious attacks. TraceTogether and Private Kit’s source codes are available on GitHub. Both has its own frequently asked questions section and detailed videos on how data is collected and used but Aarogya Setu has nothing to show.
On downloading the app, it walks you through the information it will provide you. The user has to enter their mobile number, verified with OTP. The user enters name, age, gender, profession, travel history, and any known contact with a COVID patient.
The app directs the user to a dashboard that consists of the necessary information about COVID-19, including hygiene and social distancing protocols. It also has details to donate to PM-Cares.
Future iterations will see the app do more than just contact tracing and act. But it will instead act as a central information source.
Extensive Information
Aarogya Setu App also asks its users to provide both Bluetooth and location services access. It, in effect, is meant to help the app identify contact traces of a COVID-19 positive patient. It happens through data sharing between devices with the app when they are in each other’s proximity. The initial questionnaire in Aarogya Setu tries to determine whether the user is an at-risk.
Terms and Conditions
Terms and conditions do not specify what information is precisely shared if person’s smartphone comes in the proximity to the device of COVID patient. For apps that hailed for their privacy metrics, such information is first obfuscated and then anonymized before being shared. It is not explicitly specified by Aarogya Setu.
The app is also more invasive. Other apps collect one data point, which replaced with the scrubbed device identifier. India’s Aarogya Setu is supposed to collect multiple data points for personal and sensitive personal information that increases privacy risks.
Aarogya Setu warns users that they deny permission to GPS and Bluetooth, and it could lead to a false assessment of the COVID situation. Alarmingly, it asks users to have device in their possession at all times. The exchange of accessories could lead to the app reporting false positives.
No end to Doubts
The data collected by Aarogya Setu App is stored both on the device and on central servers. While the terms of service claims that time-stamped records of user contact will get deleted in 30 days, but not to anonymized and aggregated data sets. It means that encrypted user data on its servers could last beyond the purposes of tracing coronavirus.
This is the first step towards permanent government architectures. The privacy policy leaves it open-ended by suggesting that user data can be held longer for purposes and may lawfully be used as and when required under any other law for the time being in force. This does not suggest intent on the part of the government to destroy these systems. As a result, there is a risk the personal information of users may be held for the duration of public health crisis and beyond.
Day after Prime Minister Narendra Modi urged every Indian to install the Aarogya Setu app in his address to the nation, India’s official contact tracing app rolled out its fifth version on Wednesday. The new update gives us the first glimpse of how the app could use as an electronic travel pass in the post-coronavirus world.
E-Pass and COVID Update
The latest update introduces two critical features namely e-pass, COVID Update. The e-pass feature has got into the app with a “coming soon” disclaimer. This suggests tha it will still take some time for it to become functional.
When fully operational, the e-pass feature will act as a filter for individuals visiting public places. The app will have three colors Green, Orange, and Red, based on the health and contact matrix of an individual. The e-pass feature in the app, seemingly based on a mechanism created in China.
Based on the successful travel model, the Green Status will indicate a risk-free individual who can use public transport and visit public places. At the same time, a person with the Orange Status will advise to avoid gatherings and to maintain physical distance while being allowed to move for necessary work. Persons with Red Status will strongly encourage self-quarantine.
COVID cases and Smartphones
In the coming days, through this app, we can restrict the infection through asymptomatic cases by alerting the recent and past contacts of a positive COVID case. A feature version of Aarogya Setu will also be rolled out soon for non-smartphone users. The second new feature in the app is the COVID Updates feature, which gives the statistics of the total number of confirmed, recovered, and deceased across the country with data from users’ place of residence on top of the chart.
This data is likely to reflect the intensity of cases in a local area. It will give users a sense of risk level in their neighborhood. As of now, the data limited to the state-wise distribution of cases. The app currently has more than five crore active users.
Working under PM Office
The Prime Minister’s Office has constituted a high-level committee comprising of technical leaders and government officials to upgrade Aarogya Setu app. India’s official contract tracing app is meant to help fight the COVID crisis. The committee has begun meeting 3-4 times a week, and the PMO is also involved. The app launched on April 2 is helping users in checking their contact with a COVID infected person. PM Narendra Modi and members of cabinet have been regularly asking citizens to download Aarogya Setu app.
Members of the High Level Committee
Principal Scientific Advisor, Vijay Raghavan has been leading the committee on the App. The members include officials and tech leaders. TRAI chairman R.S. Sharma, IT secretary Ajay Sawhney, Tata Group chairperson N Chandrasekaran, Telecom secretary Anshu Prakash, , Mahindra Group chairman Anand Mahindra, IIT Madras professor V Kamakoti, Tech Mahindra Group CEO CP Gurnani, and Google Maps India’s Lalitesh Katragadda are its members.
The committee set up by PMO aims to trace and restrict the movement of patients and those who are under quarantine using AI and GPS. The updated app also informs the needy about daily needs distribution centers in their locality. The remote healthcare facility can also be made available on the app.
Aarogya Setu App has hit 5 Crore Users in 13 Days
The committee has also be working to make the app available not just on smartphones but on all types of phones. Aarogya Setu has seen over five crore downloads within two weeks of launch. This App has been promoted by the government aggressively as the means to fight the spread of COVID-19.