Covid-19: Does the Aarogya Setu app violate privacy?

Concerns raised about app having access to location data thus enabling mass surveillance 

Aarogya Setu app

The Aarogya Setu app, launched just a fortnight ago by the government, as a tool to combat the Covid-19 pandemic, has already crossed over 5 crore downloads. However according to media reports, none other than the Indian army has reportedly found reason to be concerned about the app.

It is noteworthy that the army had urged its current and even retired jawaans to download the app. The official handle of the Additional Directorate General of Public Information, IHQ of MoD (Army), had tweeted on April 15, “Serving personnel, #Veterans & families of #IndianArmy advised to use “Aarogya Setu” App for duration of #COVID19.”



Deccan Chronicle reported that the army had urged its jawaans to:

– avoid the app in office premises, operational areas and sensitive locations

– only switch on location services and bluetooth features while visiting public spaces or when they are engaged in managing isolation centers, while on call for COVID-19 related assistance to civil authorities and while out of cantonments or military stations for essential administrative duties

– not disclose service identity including rank and appointment

– ensure that their contact list should not contain any reference to rank, appointment or service

– install antivirus software on their cellphones.

But why is there so much concern about an app owned and operated by the government itself?

What is Aarogya Setu?

Aarogya Setu, which is Sanskrit for Health Bridge, is an app developed by the National e-Governance Division (NeGD) at the Ministry of Electronics and Information Technology (MeitY), and was released in association with the Ministry of Health and Family Welfare (MoHFW).

According to the app description on Google Play, “Aarogya Setu is a mobile application developed by the Government of India to connect essential health services with the people of India in our combined fight against COVID-19. The App is aimed at augmenting the initiatives of the Government of India, particularly the Department of Health, in proactively reaching out to and informing the users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.” The app is available on both, Google Playstore and iOS.

On April 14, during his famous Saptapadi address, Prime Minister Narendra Modi had himself urged people to download the app and even tweeted about it.



How does it work?

Basically, the app would allow a user to identify any infected person around them, provided both people have downloaded the app. Also, the infected person should have used the appt to inform the government that they are either infected or are showing symptoms of the infection. The app works by collecting a user’s location data and cross referencing it with the Covid-19 test database of the Indian Council of Medical Research (ICMR). The objective is to help people maintain distance from infected persons, in a bid to curb the spread of the infection. But what it also does is put a virtual bull’s eye on an infected person, making them vulnerable to stigmatization, ostracization or worse.

Privacy concerns about Aarogya Setu

The privacy policy of the app states that the app will store your name, phone number, age, sex, profession and countries visited in the last 30 days on a government server and provide the uses with a unique digital ID (DiD). It further states, “The app continuously collects your location data and stores securely on your mobile device a record of all places you have been at 15 minute intervals. This information will only be uploaded to the Server along with your DiD, (i) if you test positive for COVID-19; and/or (ii) your self-declared symptoms indicate that you are likely to be infected with COVID-19; and/or (iii) the result of the self-assessment test is either YELLOW or ORANGE.” The app therefore, appears to come dangerously close to ringing privacy alarm bells.

Given how a person’s infected status would only show if they upload this information to the app and consequently the government server, the app also therefore, inadvertently discourages people from reporting symptoms or infection status, rendering the entire purpose of the app pointless!

But there are many more concerns, the chief of which is mass surveillance. This kind of surveillance will be difficult to combat as the rampant contact tracing will be justified as being in public interest.

What is ‘contact tracing’?

According to the World Health Organisation (WHO), closely watching contacts after exposure to an infected person will help the contacts to get care and treatment, and will prevent further transmission of the virus. This monitoring process is called contact tracing, which can be broken down into 3 basic steps:

  • Contact identification: Once someone is confirmed as infected with a virus, contacts are identified by asking about the person’s activities and the activities and roles of the people around them since onset of illness. Contacts can be anyone who has been in contact with an infected person: family members, work colleagues, friends, or health care providers.
  • Contact listing: All persons considered to have contact with the infected person should be listed as contacts. Efforts should be made to identify every listed contact and to inform them of their contact status, what it means, the actions that will follow, and the importance of receiving early care if they develop symptoms. Contacts should also be provided with information about prevention of the disease. In some cases, quarantine or isolation is required for high risk contacts, either at home, or in hospital.
  • Contact follow-up: Regular follow-up should be conducted with all contacts to monitor for symptoms and test for signs of infection.

But the Internet Freedom Foundation has raised several red flags with respect to Aarogya Setu and possible misuse of contact tracing for mass surveillance purposes. It says, “With the creation of such systems, come new risks of institutionalisation of mass surveillance. Critically, India lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform. In domains like disaster relief, most apps which are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement.”

The IFF also warns about the efficacy of such apps saying, “A lot of technology solutions with no demonstrable scientific value to the national response can be passed off as being in the public interest. It leads to poor deployment of public resources and also makes it difficult for crisis responders to discern between “snake oil” and quality technology products. These risks are exacerbated in technology markets since there are no adequate checks and balances in development phases which ensure quality.”

It adds, “Such systems inadvertently discriminate against regions which have fewer concentrations of smartphones. Specifically, it can lead to harmful outcomes for people residing in economically weaker areas. In countries public health systems are already creaking under the looming threat of capacity deficits. If such systems wrongly urge people to pre-emptively take tests then there is a risk that public health systems may be overwhelmed prematurely. It may also exacerbate the risks associated with the harvesting of personal data like health information, and also see the creation of new privacy invasive systems.”

On April 13, 2020 IFF released its working paper called,  Privacy Prescriptions for technology interventions on COVID-19 in India. A significant portion of this working paper is dedicated to the proliferation of experimental contact tracing applications not just in India but across the world. Chapters 5-7 devote significant space in studying the emergent government and non-government practices, standard setting processes and first principles in the space. Chapter 7 of the paper studies three specific models of contact tracing including the Singapore Government’s Trace Together application, MIT’s Private Kit: Safe Paths initiative, and Aarogya Setu. The paper may be read here: 

International concerns about privacy

In Germany, where Angela Merkel’s government is all set to unveil a new app, concerns are already being raised about data privacy and surveillance capitalism. Julian Teicke, head of Berlin-based insurance start-up WeFox and a backer of a German-language app, developed by a group called Gesund Zusammen — or “Healthy Together”, told Financial Times, “Germany has gone through two terror regimes, so the consciousness about data privacy is higher than anywhere in the rest of the world.” He said that for it to work properly, 50 million Germans would have to download the app.

Covid-19 contact tracing apps in Europe must comply with its stringent privacy laws. It has therefore launched the Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project, that comprises more than 130 members across eight European countries, including scientists, technologists, and experts, to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps.  According to their manifesto, these technologies ensure “secure data anonymization” and “cross border interoperability”.  

Meanwhile Apple and Google released a joint statement addressing some of the privacy concerns raised so far. The statement says, “Across the world, governments, and health authorities are working together to find solutions to the COVID‑19 pandemic, to protect people and get society back up and running. Software developers are contributing by crafting technical tools to help combat the virus and save lives. In this spirit of collaboration, Google and Apple are announcing a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.”

Other apps like Aarogya Setu

Interestingly, Aarogya Setu isn’t the only Coronavirus related app. Many others like Corona KavachCowin-20 and Test Yourself Goa and Test Yourself Puducherry have been launched so far. Karnataka’s Quarantine Watch has already received scathing criticism for making it mandatory for infected persons to send periodic selfies. Additionally, Maharashtra, Gujarat and Himachal Pradesh are also said to be developing similar apps.  



Related Articles