Within just 41 days of its launch, the Aarogya Setu app, which the Central government notified for contact tracing to manage Covid-19, has crossed more than 10 crore downloads. Set up on the recommendations of the Empowered Group on Technology and Data Management by the Centre, under the Disaster Management Act, 2005, the app was developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology (MEITY). It uses Bluetooth Low Energy (BLE) and Global Positioning System (GPS) location technologies, communicating under strictly defined protocols that are detailed in the app's privacy policy. The individuals who have downloaded the app on their smartphones are known as ‘Corona Warriors’. The app keeps their specific and pertinent demographic and travel history information in encrypted form on a server and identifies them with a unique digital ID (DID).
The app’s efficacy lies in being a more optimal tool for alerting citizens at risk to the precautions to be taken, and for facilitating mitigation strategies by the government.
However, some concerns around privacy and security were constantly being flagged, and they indicated a pattern that was also seen in the opposition to the electronic voting machines (EVMs) and Aadhaar systems, both of which have been beacons for the country to the global community in terms of large, successful technology-based deployments. Much of this criticism centres on comparisons with similar contact-tracing apps being launched in Germany, Singapore, Australia, South Korea and the UK, and with the widely publicised apps by Google and Apple. The ‘only BLE technology’ versus the ‘BLE plus GPS technology’ approach is debated widely. A few go further and, to carry their point, mention the need for a decentralised rather than a centralised approach to collecting, managing and storing the data of these apps. Some have also questioned the need for an app with so many features when Parliament is deliberating on the provisions of the Data Protection Bill to serve the interest of citizens' privacy.
A French hacker has alleged some security issues with the software code, which in no way compromise the data in storage and usage, nor support any kind of inference that a compromise has happened. On the aspect of the app being a ‘sophisticated surveillance system’, as alluded to by Congress leader Rahul Gandhi, the app clearly has its purpose defined for a limited timeframe, and its functionality confines it to contact tracing around Covid-19. Therefore, the question of any surveillance ecosystem emerging doesn’t arise.
Lastly, some activists have also questioned whether certain sections or groups can be required to keep the app on their smartphones unless the app is built on open source.
The moot point is that Aarogya Setu has been one of the first apps of its kind to have factored in most of these issues in terms of technology and efficacy. It is essential, and it has placed these issues in the context of a prudent privacy regime that is being practised in terms of both existing laws and rules and citizens’ concerns. Also, reasonable security practices, which form the basis of the requirements of the IT Act, are in place.
Even in a situation of a global pandemic afflicting the nation, the fundamental rights to life and privacy have both been adhered to in the mitigation strategy, and more specifically in the app. The BLE technology approach is a necessary parameter, but it is not sufficient in the Indian context.
It will be pertinent to address some of these issues in the context of security and privacy while implementing the app. Firstly, the privacy policy for the app has been comprehensively defined. The specific purpose and manner of information collection, its usage, and the retention and grievance mechanisms have been clearly stated.
The app collects personal information, which can be considered very close to ‘sensitive personal information’ (SPI) as defined in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. In essence, all yardsticks that apply to SPI have been envisaged, as mentioned in the privacy policy.
The information collected is stored on a secure server, hashed with a unique digital ID (DID). The DID is the only identifier that is transmitted when two devices come within Bluetooth range of each other, and the time and the GPS location of that exchange are noted.
The location data collected is stored only on the user’s device, and the information is uploaded to the server only if the user tests coronavirus-positive or indicates symptoms that she or he might be infected. All such data is transmitted in an anonymised and encrypted manner. So far, the data of only a little over 13,000 coronavirus-positive users has been uploaded to the server to identify their Bluetooth contacts and alert them.
The app also has all the reasonable security practices defined. All data — whether in transit or storage on devices or on cloud servers — are encrypted and protected.
All information collected will be purged from the users’ devices after 30 days, and from the server after 45 days, for those who have not tested positive, and after 60 days for those who have tested positive. All data will be deleted after 180 days from the date of collection. So the scope of any surveillance tool remaining perpetually in the system doesn’t arise.
Finally, all issues and grievances (if any) are also quickly being addressed by the NIC, which is technically responsible for the maintenance of the app.
On May 11, 2020, exactly 40 days after the app was launched, MEITY notified The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, which extensively covers all aspects of privacy, including the methods of sharing data among the concerned government entities. MEITY has been designated as the agency responsible for the implementation of this protocol. The app developer, NIC, will be responsible for collecting, processing and managing the response data collected by Aarogya Setu. NIC shall document the sharing of any data and maintain a list of the entities with whom data has been shared.
Further, any entity with which NIC has shared any response data will have to use it strictly for the purpose assigned. The various ministries, departments, notified agencies and public health institutions shall process the response data in a fair, transparent and non-discriminatory manner. Any violation of these directions in the protocol will lead to penalties, arrests (as defined under Sections 51 to 60 of the DMA) and other legal provisions, as may be applicable. The Empowered Group on Technology and Data Management shall review this protocol six months from the date of the notification, or even earlier if it deems fit, based on the impact of the pandemic.
The fact remains that, till date, not a single case of security or privacy breach has surfaced, nor has any security vulnerability causing a data breach been identified from any quarter. It is prudent to understand that this app hasn’t stopped the physical contact tracing by health officials and police. However, it has helped a lot in identifying contacts beyond the doubts of memory, non-cooperation or even falsification of information.
Needless to say, the coronavirus is going to remain for some time and people have to start living with it. In that context, the Aarogya Setu app will be an important avenue for ensuring physical distancing and its enforcement.