The Aarogya Setu app remains, purportedly, a big part of India’s multi-pronged approach to tackling the coronavirus pandemic. Developed by National Informatics Centre (NIC), the government has been pushing aggressively for its adoption. According to the current lockdown guidelines, the app is compulsory for all employees, public or private, with the employer having the liability to ensure 100% usage. But what is the purpose of the Aarogya Setu?
What does the app do?
Contact tracing is one of the most important protocols during a pandemic. By tracing where a potentially or really infected person has been and who he has met, the infection can be effectively tracked and isolated. Aarogya Setu does that. It uses the phone’s GPS and Bluetooth systems to keep track of the places the user visits, as well as any other users he comes into close proximity of. Then, his risk of infection is calculated from the data; especially if he came close to any potentially infected person.
Many countries have adopted the use of such an application. Singapore and South Korea were early starters. To list, Poland, Iceland and Australia have also adopted this strategy. The five major government-backed ones are present in India, Poland, Iceland, Australia, and Singapore.
These apps differ vastly in the permissions they seek. The Aarogya Setu, at 9 permissions, is the second-lowest, only greater than Australia, which takes 6. The greatest number is sought by Iceland’s Rakning C-19. These permissions are of course influenced by the purpose and the data they intend to collect. For example, Poland’s Home Quarantine app also requires the user to periodically upload a geotagged selfie to prove they are at home.
Aarogya Setu Permissions
The permissions required by Aarogya Setu are-
1. Approximate Location – Your phone’s rough location, denoted by a circle of a few hundred metres.
2. Precise Location – Your phone’s exact location, as a dot on a map.
3. Receive Data from the Internet – Allows the app to receive information through the Internet.
4. View Network Connections – See what networks the device can access.
5. Bluetooth Device Pairing – Allows the app to pair through Bluetooth.
6. Bluetooth Settings Access – Allows the app to access Bluetooth settings.
7. Full Network Access – Allows the app to access the currently connected network.
8. Run at Startup – Allows the app to run automatically upon boot.
9. Prevent Device from Sleeping – Allows the app to prevent the device from idling to utilize full CPU power.
How does it work?
The app demands that the user registers before starting to use it. It collects your name, phone number, age, sex, profession, and list of countries visited in the previous thirty days. A government server stores this information with a unique ID. This UID is user-specific and will also be used to identify any subsequent information uploaded.
The location details of the user are also collected and uploaded during registration. For the app to work, GPS and Bluetooth must be kept on at all times. Whenever two registered users come within Bluetooth range, the two devices exchange their UIDs and record the time and location of the contact. This information remains stored locally on the device. With such an app, the government remains informed about where you are, who you meet at all times.
The app continuously collects the user’s location, creating fifteen-minute long records of location periodically. The app runs self-assessment test, after taking which the user stands marked Green, Orange or Yellow; denoting the risk of infection. Thus, when a registered user comes in contact with any person tested positive, he is alerted, and the exchanged data is uploaded to the government server.
“… all personal information collected. at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force …”
The app, however, will delete any information not uploaded to the server in 30 days. In a major departure from the other apps, Aarogya Setu provides no mechanism for the deletion of personal data. This has led to some privacy advocates raising red flags against the app, claiming it takes away control over their data.
An ethical hacker also recently demonstrated two flaws in the app. One, now fixed, allowed the app’s internal database to be accessed from outside. The second corresponds to changing location and detection radius to any conceivable location to find out the infected. Thus, an attacker could find out potentially sick person at any place where the app remains in use, including government offices; rather a privacy issue that needs redressal. The app, in its actual form, does not allow any user to view a list of those infected around them.
In practicality, with the Arogya Setu App, the government would be in possession of your name, phone number, age, sex, profession; as well as your location at all times; with no mechanism for the deletion of personal data even after you delete the App. Though most critics admit that one may sacrifice privacy in these extraordinary situations, they also argue that this opens up the road to massive internal State surveillance.
As per the current counts, more than 75 million Indians have downloaded the Aarogya Setu app. However, experts argue that the measure won’t be effective unless the critical mass of users is hit. At least 50% of Indians have to have Aarogya Setu for best results. The app started out as a voluntary exercise, but as the government pushes it more and more to hit the required number of users, the equation may change. The government’s drive is understandable, but privacy advocates fear that the measures may become draconian if forced down people’s throats.
Whether the app will be successful or not remains to be seen, but the conclusion is this; the concept of a contact tracing app is nothing novel. It has been a proven factor in reducing infection rates in various countries. In this view, the introduction and aggressive campaigning are not deserving of surprise. Here, adequate public vigilance plays a key role and an oversight to ensure that the government puts the data to good use. The latter raises a lot of eyebrows. In the near future, Aarogya Setu may turn into a ‘pass card’ for entry into public places; as a way to establish no COVID infection; that is an eventuality we have to be ready for, as this pandemic hits its peak in India. Taking all of this into account, one cannot help but contemplate a resemblance, however passing, to the Orwellian State of 1984.