Do We Need Aarogya Setu?
As COVID-19 pandemic has swept the globe over the last few
months, governments across the world have had to absorb a flood of information from
a 360°
window, probably 24 hours a day, and have taken series of decisions to protect
their nations’ populations from the dreaded infection.
Among the many progressively enforced measures have been
restrictions on travel, socialising, commuting, maintaining personal hygiene,
and finally lockdowns in many countries. India was the first country to impose
a nationwide lockdown, which has been extended twice, with some relaxation in
rules being introduced in the second
and third
lockdowns.
Even before the pandemic hit India, Government of India (GoI)
has been severely attacked across the political spectrum and beyond for having let
the economy go into a tailspin. Irrespective of whether the attacks were
exaggerated or accurate, everyone will agree that the lockdown has dealt a body
blow to the economy, even as one needs to acknowledge that there was no
other choice before GoI.
Governments have also realised that the novel coronavirus (NCoV)
isn’t leaving us any time soon. Even the official
stand in India of late has been that “we have to learn to live with the
virus”. However, the fear of the spread of NCoV is still real, just as it is dynamic
(with countless members of the unorganised workforce heading to their villages
and towns).
The question before decisionmakers, especially in countries like
India has been – forceful protection of masses leading to widespread
unemployment, starvation, social unrest and over a period, susceptibility to more
common infections, or easing restrictions so that large sections of India’s workforce
can go back to earning and feeding themselves and their families,? Governments have
no choice but to revive the economy by allowing small, medium and large businesses
to resume in phases. It’s also inevitable that movement restrictions will need
to be lifted further.
To manage the resulting threat of COVID-19 spreading, among
the measures introduced by GoI is Aarogya Setu, the contact
tracing (among other features) mobile app.
What do such apps do?
On installation, as part of registration, Aarogya Setu asks
users to enter personal details such as name, phone number, age and gender,
besides asking simple questions on how one is feeling, to assess if there are
any symptoms of COVID-19. This information, stored on a server, is hashed with
a unique digital id (DiD) that is pushed to the user’s app. The DiD thereafter is
used to identify the user in all the app-related transactions. At the time of registration,
location details are also captured and uploaded to the server.
In addition, it asks the user to keep Bluetooth on. When two
users come within Bluetooth range of each other, their apps automatically
exchange DiDs and record the time and GPS location at which the contact took
place. The information collected from one user’s app is securely stored on
the mobile of the other user and is not accessible by them. If one of the two users
tests positive for COVID-19, the DiD information of contacted users on the
infected user’s mobile is securely uploaded from latter’s mobile to the server.
This will give a view of each person who must be reached out to as a possible
case for COVID-19.
Each time a user completes a self-assessment on the app, their
location data will be uploaded to the server.
At 15 min intervals, the app also collects a user’s location
data and stores it securely on their mobile device, uploading to the server only
if self-declared symptoms indicate that a user is likely to be infected with
COVID-19; and/or if the result of the self-assessment on the app is either
YELLOW or ORANGE; and/or a user actually test positive for the infection.
Among others democracies, Australia, Singapore and
Israel too have introduced contact tracing apps during this time of crisis.
In contact tracing apps, the two solution options can be a centralised model (user
and contact information collected stored on servers, as in Aarogya Setu) or
decentralised model (data stored only on user mobiles and alerts sent to user
contacts’ once a user tests positive). India, Australia and Singapore are using
the centralised solution, which Israel is using the decentralised one.
Data Retention in Aarogya Setu
According to Terms of Use of the app, personal
information such as name, mobile number, age and gender will be retained on government
servers, while the others related to location and contacts’ details collected
via Bluetooth will be retained on a user’s phone only for 30 days, then purged
if they haven’t been uploaded on the server already. If the details have
already been uploaded and if the contacts do not test positive, the details will
be deleted from the server 45 days after they were uploaded. For users having tested
positive, data will be deleted from the server 60 days after their infection has
been cured. If a person chooses to deregister from the app, the data will be
deleted from the server 30 days later.
What are the concerns?
Several countries have introduced contact tracing during
this time of crisis, and perhaps each one has had someone or the other raising
privacy or data security concerns. Aarogya Setu has been called a “Sophisticated
surveillance system outsourced to a pvt
operator, with no institutional oversight”. According to the app’s terms of use, the data
storage will be “on a server operated and managed by the Government of India”. In
addition, the terms of use also mention the storage will be secure. The data
retention and purging rules too have been stated in the same document. It is up
to an individual to decide whether they want to believe GoI’s terms of use or
not. Meanwhile, an MIT-based
assessment has stated that “Aarogya Setu scored positively on the timely
deletion of user data and collection of only useful data”.
Another view is
that the decentralised
solution should have been selected, by which governments do not get
oversight at all on any aspect of user information other than basic data on
every registered user. Contact details are downloaded on phones, analysis done
on phones and any alerts sent directly to those users. One scenario for using
this solution is where governments are incapable of managing the data securely,
or unwilling to do so. This is not the case in India.
Another important
factor for selecting the decentralised solution would be when users receiving alerts
have a sufficiently high level of awareness and responsibility to contact
authorities, even as they begin to take all possible precautions from that
moment onwards. It’s unrealistic to think every Indian receiving the alert will
not ignore it or know what to do to not spread the infection further and will
know who to contact. COVIDSafe, Australia’s contact
tracing app follows the centralised model with authorities
calling the exposed people.
Yet another
concern is that the DiD created in the present solution is static, which is
less secure than a dynamically generated one. GoI has stated they will switch to
the latter, although its implementation date has not been declared.
Another concern
has been that Aarogya Setu is not an open source app. While bugs and
vulnerabilities can be identified quickly in open source apps, they can also be
exploited quickly. While GoI is straining on multiple fronts to contain the
spread and to manage consequences of the lockdown, should it invite another challenge?
Finally, one
hacker earlier this month declared he had hacked into the app’s server and was
able to view “medical data of 90 million Indians”. In their wisdom sections of
Indian media have described him as an ethical hacker. One wonders what is
ethical about publicly stating having hacked into the system intended to help
manage a crisis, and then threatening a nation’s government. However, it’s more
important to understand if the concerns he’s raised are real and if they are,
what GoI is doing about it. According to one
statement by the hacker, the flaws were “fixed silently”. Good move, if true.
He also mentioned that “an attacker can know who is infected anywhere in India, in the area of his
choice”. This was the app’s managing team’s response
on Twitter to the hacker’s claims.
So, should one install Aarogya Setu?
The app was launched on 02-Apr and less than three weeks
later there was a report
that it’s been successful in controlling the spread. How they arrived at
this conclusion is not clear, since no supporting analysis has been provided. There
was also no GoI statement during this period on the effectiveness of the app. It
had 6.7
crore users on that date (about 5% of India’s population). One would think its
effectiveness can be assessed over a much longer period and with a much larger
user base.
An additional factor is that contact tracing apps aren’t
working as effectively on iPhones. However, given the limited popularity
of iPhones in India, this should not be a major concern.
Approximately 10 crore (100 million) people have downloaded
the app so far. Those voicing concerns over assumed misuse of data by GoI should
look up how many Indians have a digital footprint over various social media
platforms, where personal attributes including current location are voluntarily
splattered by users. In addition, there are dozens of apps installed on phones,
which access data such as location, browsing history and details of our contacts.
These apps are used either for our convenience or recreation, and are generally
retained long term on devices. By contrast, Aarogya Setu is intended to protect
us and others from an infection, and does
not need to be retained on devices after the infection is no longer the problem
it is today. It also seeks much less personal information than users pump into social
media platforms. If GoI desires anyone’s personal information, they can ask
social media companies to provide it. Is using this app temporarily exposing us
any more before the government that we already may be?
Well researched article Vikram!
ReplyDeleteBrings out a factual picture of Aarogya setu app. It also clears lot of common misconceptions about the app.
ReplyDeleteThank you so much for your comments. Warm regards.
DeleteThanks Vikram Ji for sharing. Very well reaserched and balanced one.
ReplyDeleteThank you so much, Prafulla ji. Warm regards.
Delete