Allow surveillance or else…

- June 12, 2020
| By : Sashikala VP |

Like the Chinese app Zoom which allows breach of data security, the Aarogya Setu app is causing concern among internet privacy watchdogs At first, it seemed as if the Zoom app, which boasted of 300 million daily users, was a good way to keep in touch for large swathes of the world’s population under lockdown. […]

Tracking people's location and coronavirus outbreak: crowd of people keeping a safe distance and being located by a tracker app

Like the Chinese app Zoom which allows breach of data security, the Aarogya Setu app is causing concern among internet privacy watchdogs

At first, it seemed as if the Zoom app, which boasted of 300 million daily users, was a good way to keep in touch for large swathes of the world’s population under lockdown. But soon came the news that that user information was vulnerable to security breaches.

The reports were chilling. Accounts were being sold over the dark web and the app itself was sending data it collected to Facebook, a leak which has now reportedly been plugged. Many ordinary people had to re-think their way of dealing with physical distancing. The Ministry of Home Affairs itself stepped in to warn Indians that the video-conferencing app is not safe.

However, the dangers come from other apps too. Another app which is supposed to help with the medical aspects of the pandemic, has many concerned about privacy and data security. The catch is, the app is a product of the government – the Aarogya Setu app, for contact tracing.

The app store shows it has over 100 million downloads. This quick popularity was probably due to Prime Minister Narendra Modi pushing for its use during a televised address in April. Since then many government directives have made it mandatory under the Disaster Management Act, 2005 (DMA). A violation is punishable with two years imprisonment under Section 51 of the Act and IPC Section 188, under which up to six months imprisonment can be awarded.

A Parliamentary panel on Information Technology headed by MP Shashi Tharoor was scheduled to hold a meeting on 10 June but it was postponed to 17 June. When the panel meets officials of the information and technology ministry will be briefed on Aarogya Setu app-related issues of data security and privacy of citizens.

This Covid-19 tracking app has been made mandatory by the government for all public and private sector employees. Going a step further, all those taking a flight or a train journey are also mandated to download the app. In addition, Uttar Pradesh has imposed the app on anyone who enters or resides in Noida and Greater Noida.

Other strictures require the installation of the app for all residents living in containment zones; even an educational institution like IIT Kharagpur has imposed its use.

The mandatory use of the app is the problem that first needs to be tackled, believes Anivar Aravind, a public interest technologist working at the intersection of technology, politics and digital rights.


VIRUS AROUND: Screenshots of the Aarogya Setu app showing number of positive cases around a kilometer radius to the user, and total number of cases in India as of June 10 // SCREENSHOTS: DEV

He has approached the Karnataka High Court with a PIL petition seeking direction that the app be made voluntary and cannot be mandated for accessing any government service or facility such as rail and air travel. “As of now Aarogya Setu is a surveillance device collecting your social graph and location information and sending it to a government server. At the same time the app is also serving a private interest, for example you can go to Aarogya Setu Mitr directly through the app. This helps in customer acquisition for a lot of private companies through the government app”, Aravind points out.

Mitr is a private-public venture offering online consultation from the Tata group, Tech Mahindra and Swasth – a collaboration by 1mg, Practo, CureFit, Apollo Hospitals, Medanta, Manipal Hospitals and Columbia Asia Hospital.

One of the people who have had to mandatorily download the app is a MedTech industry professional, Dev. Fortunately for him, he says, he has a separate work phone, so downloading the app was not much trouble. “Else I wouldn’t know what to do. I don’t want to pollute my personal phone and also I don’t like that surveillance can be done on us by the government”, he says.

Dev opens the app almost every day to get information on any infected persons close by. The problem with the app, he feels, is its inaccuracy, “it doesn’t tell me if an infected person is in my sector, it will say these many persons are infected 1 km away. Or it will show that 2,000 people around this area are using the app, I don’t need to know that.”

The Internet Freedom Foundation flags the Aarogya Setu app as it “collects sensitive health and location data of millions of Indians”, which most importantly, has been launched “without any governing legislative framework.”

It backs its concern with MIT Tech Review’s Tracker, which found that India is the only democratic country which has made use of Covid-19 surveillance apps mandatory. It says the other countries which made such apps mandatory are China and Turkey. In Turkey, only confirmed Covid-19 patients have to mandatorily download the app.

Aravind points to emerging protocols like Decentralised Privacy Preserving Proximity Tracing which is in discussion as it will primarily work on less information. “But India is collecting too much information, maybe even the highest amount. And even so, contact tracing is not proven yet to be helpful. These apps are collecting information but are unable to show their efficacy or accuracy. Such apps are questioned all over the world based upon the absence of data privacy laws…In turn we (India) are the least open, and are even having discussions about expanding its scope to e-passes and national health stack.”

Even the Noida Metro Rail Corporation (NMRC) has said that once its operations begin, those who want to avail its services would have to download the Aarogya Setu app. While the Delhi Metro Rail Corporation (DMRC) has made no such announcement yet, such a mandatory directive would not be surprising.

Many are perturbed that an app which should be downloaded voluntarily is being imposed. An app which will access all your information, including location and have it open to any sort of misuse, be it surveillance by the state or for private entities’ gain. Aravind believes the app essentially collects data, which, “automatically becomes an immunity passport, restricting one’s movement, and any other rights… this (the app) is primarily the most draconian expansion of the state into your personal device”, he warns.