[BigDataSur-COVID] Surveillance in the Time of Coronavirus: The Case of the Indian contact tracing app Aarogya Setu

by Soumyo Das (Center of Information Technology and Public Policy at IIIT Bangalore)

Covid-19 has brought governments across the world to the drawing boards trying to design efficient pandemic containment strategies. In India, while reports suggest that the rise in number of cases has reduced from exponential levels, the spread continues. The government, alongside enforcing a complete lockdown of all human activity in non-essential services and sectors, has considered the use of digital technologies (ICTs) to monitor and control the spread of the virus as an informational and preventive model. In tune with other national governments, including those of Singapore and China, on April 2nd, 2020 the Government of India launched the ‘contact tracing technology’ initiative called ‘Aarogya Setu’. Developed in house, namely by the National Informatics Center of the Ministry of Electronics and Information Technology, the mobile application is available in eleven national languages. As April 25, it has reached 7.5 million registered users.

The application, designed to keep track of the travel and contact history of an individual, can be downloaded by users voluntarily. It registers the personal information of users—including name, age, gender, health status, and recent travel history. Asking users to respond to a series of questions designed to assess if the person is Covid-19 positive, Aarogya Setu generates a Unique Digital Identity for the individual. It also assigns the user a Covid-19 status: low risk, high risk, positive, or negative. It uses Bluetooth and GPS to collect all the other data. The connectivity system (Bluetooth) allows the application to record details of other registered users that the registered individual comes in contact with. The location tracking system (GPS) constantly registers the location of a user in 15-minute intervals. In the initial phase, users’ data are stored locally on their mobile device; however, for those who are assessed to be positive, the data is transferred from the mobile device to a national server for assessment and communication purposes—which raises a number of worries.

Aarogya Setu raises privacy and security concerns

Since the application allows to monitor the contact history and location of registered individuals who test positive, it is supposed to empower the Government to analyze the virus spread in a localized area, and informs individuals who came in contact with the positive individuals about self-isolation and further steps. Two things have to be kept in mind about the application. Firstly, its effectiveness is dependent on the individual practice of self-reporting symptoms in an honest and timely manner. Secondly, it has been designed only for smartphone users, and is furthermore voluntary, thus it can effectively monitor a subset of https://www.news18.com/news/tech/smartphone-users-in-india-crossed-500-million-in-2019-states-report-2479529.html. Therefore, as Jason Say, Senior Director of Government Technology Agency, Singapore, argues, ‘automated contact testing is not a panacea’, and ‘a competent human-in-the-loop system with sufficient capacity’ is a more effective strategy than over-relying on techno-centric solutions.

On top of that, Aarogya Setu comes with its fair share of privacy and security problems. To start with, with no comprehensive legislation in the Indian lawbooks which outlines protection of online privacy for individuals, application users have little to no choice but to agree to privacy policies set by the developers as instructed by the Government of India. While said policy provides a sketchy outline of where and for how long individual data would be retained, the majority of the text offers nothing but a string of vague statements which simply miss out on disclosing who owns and controls access to the data. Specifically, the policy reads that ‘persons carrying out medical and administrative interventions necessary in relation to Covid-19’ can have access to the data. Given that practically all ministries and departments of the Government of India are playing an active role in devising strategies and implementing processes to contain the spread of the virus, policy statements like this evoke ample chances of ‘interdepartmental exchanges of people’s personal information’ based on an analysis of the policy outlined in the application, as denounced by the Internet Freedom Foundation.

Beyond the concerns surrounding undisclosed and vague data use and data protection policies, the fact that individuals are assigned a Unique Digital Identifier number raises concerns of privacy as well. Firstly, given that all individuals are provided with a static identity number, there are concrete chances of identity breach. Moreover, all individuals in India have a national Unique Identity number (the so-called ‘Aadhar Number’) associated with the contact details of the same communication device used for the purpose of Aarogya Setu, with amplified risks of identity & data sharing. For example, these two identities might be leaked, which sounds the alarm bells regarding the potential linkage of biographical information, location and contact history of registered users of Aarogya Setu with that of an individual’s Aadhar number. In the meantime, numerous cases have been recorded of the National Unique Identity system being used to link identity metrics including those of an individual’s financial accounts and social welfare program accounts amongst others (Masiero & Das 2019). The same might happen for individual data collected via Aarogya Setu. Finally, fears have multiplied with intel sources reporting that software already available in the market can bypass the system security and extract sensitive information of an individual.

Voluntary adoption?

While downloading the application is voluntary, certain states has made individual registration on the application a mandatory requirement. For example, in New Delhi, Mr. Surjit K. Singh, Director of National Center for Disease Control, has strongly recommended the Delhi government to allow people to enter the city capital only after they have installed the application, therefore setting the tone for the use of the application for monitoring inter-district & inter-state movement of people. Similarly, the Tamil Nadu state government has urged employees of all higher education institutions in the state to use the application. App-based platforms like Zomato has made Aarogya Setu registration mandatory for food delivery personnel, while IT companies have mandated the same for employees who are reporting to office. Furthermore, both government and private organizations are actively pushing individuals to register on the Aarogya Setu application, and with reports of the government working towards procuring thousands of wristbands to be integrated with the application for greater individual monitoring.

A ‘Bridge to Wellness’

With no documentation being available at the time of writing for Aarogya Setu, organizations such as Internet Freedom Foundation and Software Freedom Law Center have raised concerns that the application is something of a black-box. They have called for more transparency on the algorithmic functioning of an application which is developed and promoted by the Government of India and deals with accessing and databasing the personal details of individuals. Ironically, the very same name of the application, which can be roughly translated as ‘Bridge to Wellness’, points to empowerment and better futures. But what would it take for the app to yield that “wellness” it evokes?

It is time for individuals and action groups in the country to raise demands for a greater transparency regarding the functioning of the application. The government must address the privacy concerns of its citizens. It must provide clarity on who owns the data, where it is stored, who can access and use it, and how—and for how long it will be stored. Unless such concerns are addressed, and effective measures taken at the earliest, Aarogya Setu only promises to cross people over to a world of algorithmic surveillance.

Author’s bio: Soumyo Das is a Research Scholar at the Center of Information Technology and Public Policy at IIIT Bangalore. His research primarily focusses on Information Systems in Organisations, and ICT4D. Soumyo holds an undergraduate degree in the applied sciences, and was formerly associated with a technology consulting firm as a Client Associate.