On Saturday, after the Centre announced the Aarogya Setu mobile application mandatory for both public and private sector employees, Congress leader Rahul Gandhi on Saturday dubbed it a "sophisticated surveillance system". He raised "serious data security and privacy concerns" related to the application, which was launched in April. "The Aarogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight—raising serious data security and privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent," Gandhi wrote on Twitter.
Aarogya Setu continuously collects data on the location of the user and cross-references it with the Central government database to understand whether the user has come into contact with an infected person.
The Centre, on Friday, had announced it mandatory for government and private sector employees to use Aarogya Setu mobile application to bolster the efforts to fight the COVID-19 pandemic, and entrusted the organisational heads with ensuring its 100 per cent coverage. The Union Home Ministry also said the mobile app will be must for people living in COVID-19 containment zones. "Use of Aarogya Setu app shall be made mandatory for all employees, both private and public. It shall be the responsibility of the head of the respective organisations to ensure 100% coverage of this app among the employees," the ministry said.
All central government employees were on Wednesday asked to immediately download the 'Aarogya Setu' mobile application and to come to office when the application shows "safe" status for commuting, an order issued by the personnel ministry said. "Before starting for office, they must review their status on 'Aarogya Setu' and commute only when the app shows 'safe' or 'low risk' status," it said. The officers and staff are advised that in case the app shows a message that he/she has a 'moderate' or 'high risk' calculated on the basis of Bluetooth proximity [recent contact with infected person], he/she should not come to office and self isolate for 14 days or till the status becomes 'safe' or 'low risk', the personnel ministry said.
How does it work?
The application, already downloaded over 50 million times, asks for the name, phone number, profession, gender, age and a list of countries visited in the past 30 days. It asks whether the user wants to be informed if they have crossed paths with someone who has tested COVID-19 positive. The app uses Bluetooth and GPS tracking to provide information. The app also requires you to keep your Bluetooth and GPS Location sharing turned on at all times.
The person's details provided are stored on the application server. When two mobile phones come within the range of the other's Bluetooth, GPS location and digital details of the counterpart are stored locally. If one phone user tests COVID-19 positive, all his details are cross-referenced with the those that he came into close proximity with, pinpointed by digital ID and GPS information.
The application allows users to self-assess their symptoms, and the application compartmentalises them into different groups based on their COVID-19 risk.
Security concerns raised by organisations
Multiple NGOs have raised security concerns over the application. The Internet Freedom Foundation (IFF) said the country lacked a proper data protection law and, in addition, the application would be useless for the low-income non-smartphone users.
"India lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform. In domains like disaster relief, most apps which are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement," according to IFF.
"Such systems inadvertently discriminate against regions which have fewer concentrations of smartphones. Specifically, it can lead to harmful outcomes for people residing in economically weaker areas. In countries public health systems are already creaking under the looming threat of capacity deficits. If such systems wrongly urge people to pre-emptively take tests then there is a risk that public health systems may be overwhelmed prematurely."
The organisation said the application, unlike some of its international counterparts, "collected multiple data points for personal and sensitive personal information, which increases privacy risks". "Singapore monitors people’s interactions through Bluetooth beacons, MIT does it through GPS, and then there’s India which uses both," according to IFF. "Other apps just collect one data point which is subsequently replaced with a scrubbed device identifier. India’s Aarogya Setu collects multiple data points for personal and sensitive personal information which increases privacy risks."
The organisation also raised concerns as to "why the health ministry is not the major involved player in the application". "In other countries, health authorities are leading the efforts to respond to COVID-19. For example, in Singapore only its health ministry can use these systems or have access to any limited data/interaction which is shared with them. In India, multiple committees have been set up in the context of Aarogya Setu or other technology responses to the coronavirus. But, formal notifications nor press reports have any reference to major involvement of the Ministry of Health and Family Welfare. Instead health authorities are being tertiary institutional players."
Counter points
Founder of food-delivery firm Zomato Deepinder Goyal said that "being on the frontline exposes our delivery partners to catching the infection, and therefore, any customers that they get in touch with for those few handover seconds. "By mandating all its delivery staff to use Aarogya Setu, the idea is to keep individuals as well as authorities informed in case they have crossed paths with someone who has tested positive for coronavirus to prevent further spread," he said in a statement.
Abhishek Singh, CEO of MyGovIndia, the organisation which developed the application, told The Print that the Government of India will use the users’ data only for certain critical purposes such as medical emergencies and that the data will not be used for any other work. “The app will not reveal anyone’s personal details. Information of any Covid-19 patient will not be shared with anyone. User’s data in the app is completely secure. In case of normal people, we delete the data from the server after 30 days. In case of a corona-infected patient, the limit to remove the data is 60 days.”
Hitting out at Rahul Gandhi for calling the Aarogya Setu application a sophisticated surveillance system, the BJP on Saturday said the Congress leader spoke a "new lie" daily and retorted that those who indulged in surveillance all their lives won't know how technology can be leveraged for good. Senior party leader Ravi Shankar Prasad, who is also communications, electronics and information technology minister, rejected Gandhi's charge that the app has been outsourced to a private operator and asserted that it has a robust data security architecture.
"Mr Gandhi, really high time that you stop outsourcing your tweets to your cronies who do not understand India," he tweeted, adding that the app, which the government says is a tool in fighting the coronavirus, is being appreciated globally."
Attacking Gandhi, Prasad said, "Daily a new lie. Aarogya Setu is a powerful companion which protects people. It has a robust data security architecture. Those who indulged in surveillance all their lives, won't know how tech can be leveraged for good!"
BJP spokesperson Sambit Patra took a swipe at Gandhi, saying he refuses to grow up. "He is not only ignorant about the Aarogya Setu App but is also being extremely irresponsible by trying to mislead the people through misinformation and falsities. "The government on multiple occasions has allayed the fears of surveillance and that too scientifically.The said app is technical personal bodyguard to each one to fight COVID-19," Patra said.