
Aarogya Setu: Major Surveillance, Few Safeguards In COVID Tracking App

App meant to track suspected coronavirus cases lets the government track citizen movements, store information in perpetuity, and share the information with any other agency for any other purpose.

Aarogya Setu, a Government of India app to track the real-time movements of citizens to determine if they have been in the proximity of COVID-19 patients, vastly expands the surveillance capabilities of the state with few explicit safeguards, warned privacy experts and cybersecurity analysts.

An analysis of the app by Defensive Lab Agency, a Paris-based cybersecurity consultancy, offers disturbing insights: The app gathers a user’s identity, tracks their movement in real time, and also continuously checks if other people who have downloaded the app are in the proximity of the user.

This allows Aarogya Setu to create a social graph of a user by tracking everyone they have been close to. Combining this data with existing government databases — many of which are already seeded with the mobile numbers of citizens — can significantly expand the government’s powers of surveillance, privacy experts said.

Worse, Aarogya Setu’s user agreement states that the data can be used in the future for purposes other than epidemic control if there is a legal requirement. The app’s privacy policy says the personal information harvested by Aarogya Setu will not be shared with “third parties”, but makes clear that this data may be shared with as many agencies as the government sees fit.

When a person registers on the Aarogya Setu app, they upload their name, phone number, age, sex, profession, travel history, and smoking history. The data is encrypted and transferred to a server. 

The government assigns a unique identifier to the phone, and when two registered phones are near each other, they exchange unique identifiers, which are stored on government servers. If a person is found to be infected with the novel coronavirus, all the people they were near in the past, as identified through their unique IDs generated by Aarogya Setu, are notified.

There is little clarity on who can access the data, and how long it will stay on government servers, experts said. Although the privacy policy states the data will only live in “anonymised, aggregated databases,” it is possible to re-identify people, said Frederike Kaltheuner, an independent Mozilla Tech Policy fellow.

Aarogya Setu’s privacy policy states that data will be deleted from the phone after 30 days, but the information collected by the app could exist in perpetuity on the government’s servers, said Jyothi Panday, a security researcher at the Telecom Center of Excellence at Indian Institute of Management, Ahmedabad. The policy states that other than COVID-19 response, the information could be used “to comply with a legal requirement.”

India does not have a data protection law, so people cannot hold app developers accountable for privacy violations.

It is also unclear which government agency is overseeing the database and data collection. 

The concern of privacy activists is that the government could, under the guise of a pandemic and in the absence of a data protection law, expand its powers of surveillance. For instance, surveillance company Staqu, which supplies a number of state governments and police authorities with facial surveillance technology, has developed a way to identify people who aren’t wearing masks or respecting the COVID-19 lockdown, according to an interview in YourStory. The company could use the pandemic to expand its network, Panday said. 

“I think the bigger concern is, is this going to open the floodgates of mass surveillance later on,” said Pallavi Bedi, policy officer at the Center for Internet and Society.

Other than Aarogya Setu, there are more than 20 apps developed by various states to track and quarantine COVID-19 patients. Both Punjab’s COVA app, which was also analyzed by Defensive Lab Agency, and Aarogya Setu use Google Analytics for analysis, but it is unclear who is receiving the data to improve the apps.

Contact tracing apps need to be deployed at scale in order to work properly. Enough people need to be online so there aren’t gaps in phone-based surveillance. For this, public trust is key, and it needs to be rooted in transparency, according to a study published in Science.

One way to ensure transparency is to have a transparent and auditable algorithm, the study states. Some nations, such as Singapore and Israel, have posted the app source code in online repositories for independent audit. Researchers can look at the data points being collected and transferred.

In contrast, India’s app is opaque and its source code is not publicly available. The government has also not revealed which companies were involved in developing the app, though the privacy policy states that information will not be transferred to third parties. 

Excerpts from the article, originally published in HuffPost.