NITI Aayog defends Aarogya Setu against criticism from privacy groups
There has been a significant push from all government agencies to download the app and as is the case with any tracker app, questions have been raised about surveillance and privacy
NITI Aayog's Aarogya Setu was launched on April 2. Made by a team of citizen volunteers and government agencies to track and contain the spread of Covid-19 via contact tracing, the app crossed five crore downloads in just 13 days. In fact, it has become one of the fastest downloaded apps in the country.
Messages from government agencies, social media campaigns, institutional circulars and even a push from the prime minister himself have gone a long way towards reaching the five crore download mark in less than two weeks. However, this five crore figure has a lot of people worried, especially privacy experts.
Privacy experts have pointed out that the tracker could erode people's liberties, especially if its use is stretched beyond contact tracing. The government has been considering using the app for other purposes as well, including the possibility of using it as a movement pass during the lockdown.
According to experts, the Aarogya Setu app falls short of the standards set by contact-tracing apps used in other countries, and it captures far more data than is necessary either for contact tracing or for providing Covid-19 awareness.
According to Arnab Kumar, Program Director, Frontier Technologies at NITI Aayog, Aarogya Setu needs GPS information because it has to determine the exact location of infected people in order to find new hotspots and the direction in which infection is spreading. Aarogya Setu is very similar to the TraceTogether app that Singapore is using, with one major difference: Aarogya Setu collects GPS location data in addition to Bluetooth proximity data.
"We don't use location on an individual basis, we use it on an aggregated basis," Kumar said.
He added that the location information captured by the app is sent to the server only if the user is Covid-19 positive or at high risk of infection. However, the Aarogya Setu app does not make clear what data is collected, what is stored, or what policies are in place to remove this data from cloud servers. The initial terms of service did not furnish any details about data retention or data protection; that information was added later.
This, combined with the lack of well-defined data protection norms in the country, has raised considerable doubt. In fact, the Indian Army has asked its personnel not to use the Aarogya Setu app on office premises, in operational areas or in sensitive locations, according to reports.
"There can be discriminatory risks in terms of peculiar communities' overall movement or the patterns of people who come from certain socio-economic backgrounds," said Sidharth Deb from the Policy and Parliamentary Counsel at Internet Freedom Foundation (IFF), a Delhi-based non-government organisation (NGO) that conducts advocacy on digital rights and liberties.
Deb has evaluated the structure of the Aarogya Setu app from the point of view of privacy and data safety in a working paper, which you can read here.
Prasanth Sugathan, Legal Director at the Software Freedom Law Centre India (SFLC.in), pointed out that the Aarogya Setu app isn't just capturing aggregated data: it also obtains individual data, since it asks users to provide their phone number to register at the very first stage.
"The data obtained from an individual's phone would remain linked to the individual's phone number and hence the identity of the individual," Sugathan said.
De-anonymisation of aggregated data is possible. Re-identification of supposedly anonymised data is a business in its own right, and studies have shown that data described as anonymised can very often be re-identified, particularly location traces, where a handful of known points about a person is enough to single them out. A record that is keyed to a phone number is individual data regardless of how it is later summarised.
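To make the re-identification point concrete, here is an added example that is not code from the article, from NITI Aayog or from Aarogya Setu. It works on a constructed toy dataset of pseudonymised location traces (cell ids standing in for coarse GPS grid cells, hours for time buckets) and a constructed registration table with hypothetical phone numbers. It assumes what the article describes: records are kept per user under a pseudonym that the operator can map back to the phone number given at registration. The `aggregate_counts` view is what "aggregated basis" would look like and names no one; the per-user records behind it are what a linkage attack needs.

```python
"""
Added example (not code from the article, from NITI Aayog or from Aarogya
Setu): a toy re-identification attack on a pseudonymised location dataset.
All data below is constructed. Cell ids stand for coarse location grid
cells and hours for time buckets.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: pseudonym -> observed (cell_id, hour) points.
TRACES = {
    "u1": [("c12", 8), ("c40", 9), ("c40", 13), ("c12", 19)],
    "u2": [("c12", 8), ("c40", 9), ("c55", 13), ("c33", 19)],
    "u3": [("c07", 8), ("c40", 9), ("c55", 13), ("c12", 19)],
    "u4": [("c07", 8), ("c41", 9), ("c40", 13), ("c33", 19)],
    "u5": [("c12", 8), ("c41", 9), ("c40", 13), ("c12", 19)],
}

# Constructed registration table with hypothetical numbers: the link that
# turns a pseudonym back into an identity.
REGISTRATIONS = {
    "u1": "+91 90000 00001",
    "u2": "+91 90000 00002",
    "u3": "+91 90000 00003",
    "u4": "+91 90000 00004",
    "u5": "+91 90000 00005",
}


def aggregate_counts(traces):
    """The 'aggregated basis': how many users were seen in each cell per hour.
    No pseudonym survives here, so this view on its own names nobody."""
    return Counter(point for obs in traces.values() for point in set(obs))


def matching_pseudonyms(traces, known_points):
    """Linkage attack: pseudonyms whose trace contains every known point."""
    known = set(known_points)
    return sorted(p for p, obs in traces.items() if known <= set(obs))


def uniqueness(traces, n_points):
    """Fraction of users for whom some n_points of their own trace single
    them out among all users. Returns 0.0 for an empty dataset."""
    if not traces:
        return 0.0
    unique = 0
    for obs in traces.values():
        pts = list(dict.fromkeys(obs))  # de-duplicate, keep order
        if len(pts) < n_points:
            continue
        if any(len(matching_pseudonyms(traces, combo)) == 1
               for combo in combinations(pts, n_points)):
            unique += 1
    return unique / len(traces)


def reidentify(traces, registrations, known_points):
    """Phone numbers consistent with the auxiliary knowledge an attacker has
    about a target (for example 'was in cell c40 at 9 and again at 13')."""
    return [registrations[p]
            for p in matching_pseudonyms(traces, known_points)
            if p in registrations]


if __name__ == "__main__":
    print("aggregate view:", dict(aggregate_counts(TRACES)))
    for n in (1, 2):
        print(f"users singled out by {n} point(s): {uniqueness(TRACES, n):.0%}")
    print("target seen at c40@9 and c40@13 ->",
          reidentify(TRACES, REGISTRATIONS, [("c40", 9), ("c40", 13)]))
```

In the constructed data no single point identifies anyone, yet two points are enough to single out every user, and the registration table then turns the pseudonym into a phone number. Stripping names from per-user records does not change that; only data that is genuinely aggregated before it leaves the device, or never linked to a stable identifier at all, avoids it.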
Kumar said that there is a 'kill switch' in the system that purges the data from a user's device after 30 days and from the server after 45 days if the user is not at risk. If the user is at risk, the server deletes the data after 60 days.
"We're trying to build a temporary solution to a temporary problem," Kumar said.
However, Deb pointed out that there is still scope for the government not to delete datasets collected from the app on certain grounds.
"The wording of the contract suggests that there is a scope for the government to also have certain grounds on which it does not delete data," he said.
Sugathan is of the opinion that it is not clear whether the kill switch works "just for the local database that is stored on the user device or if it is also applicable to the remote database". There is also a demand for letting users delete their own data from the app once they stop using it or once the pandemic is over. For now, Kumar said, the government has no plans to offer any such option.
One of the ways the Indian government can provide clarity on how Aarogya Setu works is to open source its code. The Singaporean government did this for TraceTogether recently. Kumar said that there is a plan to open source Aarogya Setu's code but it will take time.
"We shouldn't compare our model with what's available in Singapore since they have a total population of five million, whereas we crossed the five million mark within hours of launching the app. Even then, Singapore took several weeks to open source it," Kumar said. However, he did not explain what the population of the country has to do with publishing the source code of an app.
Kumar added that the "current focus of the team is to expand the capabilities of the app instead of paying attention to open source the code".
"Regularly updating the open source code is no different from maintaining a closed source project," said SFLC.in's Sugathan.
"It just takes a minute to update the source code and if they open source the application, then the Indian and world wide developer community would be happy to help," Deb from the IFF added. He also pointed out that while open sourcing the code might not be possible right now, there should at least be a dialogue about a timeline for when it can happen.
"Open sourcing the code is one of the many ways that they have to engender transparency," he said.
The Aarogya Setu app store listing shows that it was developed by the National Informatics Centre (NIC). However, Kumar said that the app was developed under a public-private model, with a group of individuals participating "voluntarily" alongside government authorities.
"While a public-private model could be a workable way to scale such technology, you need to be mindful that when you're using a technology like this," said Deb.
"It has been built with the view towards being a temporary system, and like to hold it accountable, you need an underlying legal framework or something that holds the public-private entity or partnership accountable," he added.
Kumar said that while the development process involved public and private entities, the data is controlled entirely by NIC.
"At the end of the day, while the NIC might be maintaining that infrastructure, the same infrastructure might be linked with other government databases," said Deb.
Sugathan pointed out, though, that the app's database is hosted on Google's servers, while the app data is hosted on Amazon Web Services (AWS), with Google's Firebase analytics and database services on top. In a case like this, it is difficult to say that the user data is only in the hands of the NIC.
"Using third party server infrastructure may not be a security risk. But being a government entity, ideally the data should remain under NIC's infrastructure," he said.
For now, the government has established a committee to improve the existing model. But the committee isn't just working on security issues: feature creep, which privacy experts have been warning about since the app launched, is coming, with plans to use 'artificial intelligence', to spread information about nearby distribution centres using GPS, and to enable remote healthcare.
Kumar confirmed this and added that the team is "working on plans to bring the app to feature phones, interactive voice response (IVR) focussed development, and a KaiOS version for Jio Phone users that has been built for testing".
"This [expansion] is not really consistent with the principle of purpose limitation, which is a key construct within information privacy and people's right to privacy," Deb said.