In the continuing combat against the existing pandemic, contact tracing apps are proving to be an effective tool helping to limit the spread of the contagion. Governments and health bodies across the globe have been launching such apps to assist health officials track down individual and community exposure. So far, around 45 covid-19 contact-tracing apps have been launched worldwide in over 25 countries. The surge of such apps has also invited significant controversies around the privacy infringements of citizens and data security, questioning the cyber-hygiene practices that are being adopted in data collection and data utilisation by these apps.

Aarogya Setu: India’s Contact Tracing App

On April 2, India launched its official contact tracing app – Aarogya Setu. The app has witnessed steady downloads since its launch reaching to 115 million downloads by 26^th May, making it the most downloaded contact tracing app in the world (and the seventh most downloaded app worldwide in April). It is available in 12 languages across both android and iOS platforms. According to the Indian government, the app has successfully predicted 3,000 coronavirus hotspots at a sub-post office level and alerted more than 140,000 users about possible infections. It is mandatory to install this app if you have to use the recently opened airline services in India. Employees of few private organisations and public sector units have been compulsory asked to use the app while entering the office premises.

How does the app work?

Around 70% of the contact tracing apps run on a centralised system which effectively means that the location and the data processed by the app is funnelled into a centrally run database maintained by the government or a local health body. India’s app also functions on this centralised system and requires continuous access to location history through Bluetooth and GPS. The entire data collected via the app is stored and managed on the government servers. MIT recently downgraded the rating of the app (1 out of 5) as the app does not follow the principle of ‘data minimalization’ – meaning that it collects far more data points from the user than actually required for contact tracing. The data that the Aarogya Setu app collects is divided into four categories—demographic, self-assessment, contact and location. The collected information includes person’s name, mobile number, age, gender, profession, travel history, locations of individuals around you etc. The app can constantly access your location.

Privacy Infringement Concerns

Ever since its launch, the Aarogya Setu app has faced constant ire by privacy advocates and cybersecurity experts for privacy and transparency issues. Some have alleged that this app can be used in future for mass surveillance to control and monitor the movements of the population. The concerns also stem from the fact that India lacks robust data protection laws and the established frameworks that regulate the collection, storage, and use of the collected public health data. In the recent past, multiple cases of unauthorised data breaches and subsequent data leaks have appeared in India, which makes it hard to trust government’s claim of data security through this app.

On the other hand, the developer of the app claims that the app is safe, secure and the data collected is encrypted. Indian government recently made the app open-source making it open for developers and experts to find vulnerabilities in the app. The Government has also announced a bug bounty program to allow security researchers win an award of INR 400,000 by highlighting any issues and flaws within the app. This will increase the transparency and help in building trust.

Watch this second episode of ‘India Health Talk’, focusing on the privacy issues around the Arogya Setu and potential trade-offs to arrest the spread of novel coronavirus.