The AarogyaSetu app by NITI Aayog was made available for download to the public on 2nd April, 2020. It has been developed by NIC eGov Mobile Apps along with government agencies for tracking and curtailing the proliferation of Covid-19 cases by using contact tracing. The application surpassed five crore downloads in merely 13 days.
In the battle against the Corona pandemic, the tracking application renders support in 11 languages for warning the users who might have crossed paths with any person who could test positive for Covid-19. It uses the data provided by users, along with the usage of Bluetooth as well as social graph generated location. This is quite a lot similar to the detection of traffic jams as done by Google Maps based on the location provided. It also incorporates features such as self assessment test, a list comprising helpline numbers across the nation and a Twitter feed displaying latest tweets made by the Ministry of Health. It allows users to modulate the radius of search of cases beginning from 500m up to 10km as per their requirement. The contact tracing app also provides information on positive cases of Coronavirus in the state of the resident as well as over the entire country.
After launching the app a prompt is displayed requiring the user’s mobile number for authentication. It is succeeded by a security and privacy disclaimer that enlists all the data that will be gathered and utilised. Next the app request access to the location of the user’s device followed by enabling Bluetooth connectivity. Then the app requires GPS and Bluetooth to be switched on constantly for it to work.Ancillary information regarding Covid-19 and precautionary measures to be taken is provided by the application.
The questions put before the users during the self assessment test entail basic information such as full name, age, sex and countries travelled to in the last 30 days as well as professional details. However, under personal details, journalists and media personnel are not included regardless of the fact that they come under the high risk category.
To impart services to feature phones and landline users, the government launched the AarogyaSetu Interactive Voice Response System (IVRS). It offers support to the public in 11 regional languages just as the mobile application does. A feature phone user or landline user will have to leave a missed call by dialing the number ‘1921’. Subsequently, the users will receive a call-back requesting input regarding their health. The enquiry made through this service is somewhat aligned to the pattern of questions asked to the users of the app. Based on the responses provided by the person, an SMS will be sent indicating the status of their health and alerts will be given about their health getting better or worse.
The government arranged for the collection of information provided by the citizens so that the input can be made part of the app’s database. The data so gathered is analysed in order to send alerts about the measures that are required to be taken for ensuring the user’s safety and well-being.
It is of utter significance that this requirement of collecting data should not bring a never lasting change in our approach towards privacy. The application’s functioning goes a few steps beyond the majority of similar tools created around the globe. It keeps a record of locations that the user has visited rather than simply discerning whose proximity they were in. Apart from this, another concern originates from the character of computer programmes. Certain hacking techniques have displayed capabilities of reverse engineering such databases to extricate information that was meant to be kept confidential.
The Internet Freedom Foundation or IFF has compared the AarogyaSetu app with Singapore’s ‘Trace Together’ app and MIT’s ‘Private Kits: Safe Paths’ app. The IFF has stated that, “Other apps just collect one data point which is subsequently replaced with a scrubbed device identifier. India’s AarogyaSetu app collects multiple data points for personal and sensitive personal information, which increases privacy risks.”
Another domain of concern is that the unique digital identity in the AarogyaSetu app is not a dynamic number. This aggravates the probability of identity breaches. Constantly changing digital identification keys used by Google&Apple in their joint contact tracing technology would be a better approach.
Another concern that has been brought up is that the health ministry is not significantly involved in the development of the application. The health authorities of other countries over the world are on the frontier for making efforts to respond to COVID-19. Let us consider Singapore for an example, only the health ministry can use contact tracing systems or access limited data which is shared with them. Whereas, in India several committees have been set up in connection to the AarogyaSetu app. However, neither formal notifications nor press reports have displayed any allusion to a considerable involvement of the Ministry of Health and Family Welfare. Instead health authorities are playing an insignificant role.
It has been stated by India’s Ministry of Home Affairs (MHA) that all private and public sector employees who have to go to workplaces shall download the app. The head of all the organisations have been made responsible to ensure 100% coverage of this app among the employees. After this announcement Zomato and Urban Company, formerly known as ‘UrbanClap’ have made all their employees install the app. Nevertheless, after this proclamation, Congress leader Rahul Gandhi dubbed it as a "serious data security and privacy concern”. Subsequently, Robert Baptiste, a French security researcher reported security and privacy issues with the app.
For catering to the issues that arose, the Ministry of Electronics and Information Technology (MeitY) has released a notification involving a set of data access and information sharing protocols for the contact tracing app while keeping in view the questions raised about its privacy.The protocol specifies with lucidity the purpose of collection of information and lays down a timeframe for erasing the data after the purpose has been served. The policy provides for the possibility of sharing the data with other branches of the government such as the Ministry of Health and Family Welfare and state health departments. Consequently, to avoid misuse of the data, certain safeguards have been put in place. For example, the National Informatics Centre or NIC has been assigned the responsibility to keep a track of sharing of the data, to the “extent reasonable”. On violation of norms, penalties will be imposed under the Disaster Management Act, 2005 as per Sections 51 to 60 that contain penalties involving jail sentence of one or two years and a fine that has not been quantified.
An upcoming feature of the AarogyaSetu app, the ‘e-pass’ could play a crucial role in facilitating travel in India. The Indian government is working on the app in order to facilitate services for interstate travel. This came as a consequence of the Indian Railways making it compulsory for all train passengers to have the app installed on their phones. Government agencies have come up with an idea that for travelling interstate, the e-pass would be confirmed upon self certification from the app.
Baptiste under the pen name, ‘Elliot Alderson’ claimed on Medium post that the Indian government responded within a short span of 49 minutes. However, the concerns were not properly addressed as he wrote in his post that the prompt response made him happy and it is good that some of the issues were fixed but the denial and lies from the government need to stop.
The app is tangled with issues involving privacy and data security and it will remain in function for a long period, hence, those issues need to be untangled. Consequently, the India government must seriously ruminate over designing such a legal framework of the app that balances disease containment and privacy.
citations VenkatAnanth, AarogyaSetu's not all that healthy for a person's privacy,The Economic Times,April 15,2020 (https://www.economictimes.com/defaultinterstitial.cmd).  Marcia Sekhose,ArogyaSetu app on privacy issue: Read full statement here,Hindustan Times,May 06, 2020 (https://www.google.com/amp/s/tech.hindustantimescom/amp/tech/news/aarogya-setu-app-on-privacy-issue-read-full-statement-here-story-BO6fghjFNrZ6dUvsYayqgI.html).
Elliot Alderson,AarogyaSetu: The story of a failure,Medium Post,May 6,2020 (https://www.medium.com/@fs0c131y/aarogya-setu-the-story-of-a-failure-3a190a18e34)
Nishant Chandra & Parinita
B.A.LLB (hons.) student,
Chanakya National Law Universit,
Patna, Bihar, India.