Advertisement

A lack of transparency about India’s Covid-tracing app could lead to an unprecedented privacy breach

A member of the internal medical team checks the Aarogya Setu app on the mobile phone of a staff at the entrance of the Ahmedabad One Mall (AFP via Getty Images)
A member of the internal medical team checks the Aarogya Setu app on the mobile phone of a staff at the entrance of the Ahmedabad One Mall (AFP via Getty Images)

The world was not prepared for the fight against Covid-19 but it has been heartening to see many different fields, including healthcare and hospitality, come together to confront this deadly virus. The tech industry has played a vital role, delivering apps to track infected patients, thereby giving everyone else the best possible chance of staying safe.

A different story is emerging in India, however. Almost six months ago, the government launched a promising Covid-19 tracker app called Aarogya Setu. It was publicised as the beacon of hope that would help the country in its battle with coronavirus. Unfortunately, it has not quite worked out like that.

An Indian Right to Information (RTI) activist, Saurav Das, has since filed an appeal with the Central Information Commission (CIC), stating that the official bodies, which should be answerable for the formation of the app, haven’t made public who created it, prompting an even bigger question: where is all the data being stored?

The Aarogya Setu app tracks the movements of individuals via Bluetooth and alerts them if they are within close proximity to anyone infected with Covid-19. So far, more than 160 million people in India have registered their details on the app, and the legislature has made it obligatory for residents to show their green light status prior to boarding a plane or train.

“This app was made voluntary-mandatory,” Das told the Times of India. “It has been downloaded by over 150 million Indians, but the government says it has no idea who developed it. This is a complete abdication of responsibility.” Â

The government was this week served notice by the Central Information Commission for what it called “evasive answers” on who created the app. Soon after, the government and the Ministry of Electronics and IT released a statement on Twitter, claiming “it is clarified that there should be no doubt with regard to the Aarogya Setu app and its role in helping contain the Covid-19 pandemic in India”. The statement also confirmed that the “Aarogya Setu app was launched by the government of India in public-private partnership mode to bring the people of India together”.

So why are many Indian citizens, myself included, still not convinced? Partly because this official public statement was posted as a photograph without a seal or signature by an administration official. Furthermore, it states that “the names of all those associated with the development of the app and management of the app ecosystem at various stages can be found” on Github, a platform for collaboration that lets individuals work together on projects from anywhere.

Even though the government has shared a list of contributors, a prestigious ethical hacker called Elliot Alderson, who has been following up on different debates around Aarogya Setu, said that the app is as yet not open-source. Furthermore, the platform Github itself creates serious security risks even if the developers are following best practices.

There are so many unanswered questions. What are the names of the private partners? (In the contributor’s list, only the names of individuals are mentioned, not the organisations they work for.) How much money was invested by the government and the private sector? What were the terms and conditions of this partnership? What server is the citizens’ data being stored on? Who can access the data?

Since the administration claims that there has always been transparency in the making and the secure nature of this app, they could, surely, have just named key private sector companies, and their CEOs, associated with this great initiative in the official statement. After all, it’s for the betterment of the citizens, right? There shouldn’t be any confusion or opaqueness.

Added to this, my experience of the Aarogya Setu apo has not been pretty at all. I was in close proximity with an infected family member (something I found out about later) for over 15 minutes, and the app didn’t track it or send me any sort of warning. In fact, there was an infected family quarantined in the very building I live in and the app still didn’t send me a warning.

According to a database maintained by the MIT Technology Review, the Aarogya Setu app poses critical dangers to the security of clients compared to similar apps in other countries. Therefore, how can we be certain that our personal information isn’t being stored in a separate cloud server accessed by individuals to whom we never consented to give our details?

Citizens and residents throughout the nation have been placed in a complicated spot, as we don’t have the option of uninstalling the app or erasing our respective records because we won’t be permitted to travel without it.

Our government must provide detailed answers about the real makers of this app, and offer transparency about where our information is being stored and if it’s safe and protected. Otherwise, this might just turn into the biggest privacy breach in the history of India.

Read more

Indian farmers burn effigies of Modi as anger against PM mounts

Modi lays foundation stone for Hindu temple at site of razed mosque

India's coronavirus cases cross 8 million, behind US