In brief
- Prime minister Narendra Modi's government has developed a coronavirus app.
- The Internet Freedom Foundation argues that the app lacks necessary privacy protection systems.
- The organization claims that users' personal data could be at risk.
More than 50 million people downloaded India’s coronavirus contact tracing app in the first 13 days after its launch. Amitabh Kant, chief executive officer of the government think tank Niti Aayog, hailed this as a record compared to major apps and technologies.
“Telephone took 75 years to reach 50 million users, radio 38 yrs, television 13 yrs, Internet 4 yrs, Facebook 19 months, Pokemon Go 19 days. #AarogyaSetu, India’s app to fight COVID-19 has reached 50 mn users in just 13 days-fastest ever globally for an App. Salute the spirit of India!” he tweeted on April 14, 2020.
But the tracking application Aarogya Setu—which roughly translates as “bridge to healthcare” from Hindi—has caused concern. In a research paper, experts from the Internet Freedom Foundation (IFF), a non-governmental organization in the country that advocates digital rights and liberties, said the effort could pose a massive risk to users’ personal privacy.
“Aarogya Setu application appears to clearly be inconsistent with privacy-first efforts which are being considered by technologists and governments,” said Sidharth Deb, policy and parliamentary counsel at Internet Freedom Foundation.
The experts highlighted the vagueness of Aarogya Setu’s privacy agreement. While many similar apps clearly state that data they receive will be used strictly to help fight the coronavirus, India’s app reportedly leaves it open for the government to repurpose the data for its other agencies.
“To protect people’s right to privacy, countries (including Singapore) say that contact tracing will be used strictly for disease control and cannot be used to enforce lockdowns or quarantines. Aarogya Setu retains the flexibility to do just that, or to ensure [compliance with] legal orders and so on,” the IFF’s paper explained.
The code is not open source
Aarogya Setu’s code is not open source, which means that even white hat hackers will have a hard time detecting potential security loopholes in the app, making it even more susceptible to malicious actors.
“The only information we have of the app is its frontend and its rather pedestrian terms of service and privacy policy. Other projects release as much information as possible in pursuit of transparency,” the IFF continued.
Data leaks could be sensitive, especially since Aarogya Setu requires users to enter and verify their mobile phone number, as well as relatively detailed personal information such as name, age, gender, profession, travel history and any known contacts with a coronavirus patient. The app also asks its users to grant it access to both Bluetooth and location services—similar to Apple and Google’s recently announced initiative.
After registration is complete, the app opens a dashboard with basic information about the coronavirus, including hygiene and social distancing protocols.
Aarogya Setu also contains detailed instructions on how users can donate funds to PM-Cares, prime minister Narendra Modi’s coronavirus-specific relief fund.
While the app is supposed to help its users identify contacts with people who have tested positive for the coronavirus, its terms and conditions do not specify exactly what information will be shared when a smartphone comes into contact with an “infected” device.
Aarogya Setu is more invasive than most of its peers
“Other apps just collect one data point which is subsequently replaced with a scrubbed device identifier. India’s Aarogya Setu collects multiple data points for personal and sensitive personal information which increases privacy risks,” the IFF wrote.
At the same time, the app’s terms of service promise that all records of user contacts will be deleted in 30 days. Yet, Aarogya Setu’s privacy policy is worded in a way that suggests that data could potentially be held longer for purposes “for which the information may lawfully be used or is otherwise required under any other law for the time being in force,” the IFF added.
The Foundation also highlighted that the committee that designed the app “lacks any representation from the ministry of health and family welfare, or any independent involvement of persons with a medical or epidemiological background.”
“This is a first step towards permanent government architectures,” it added.