Now Mandatory Aarogya Setu App Is Raising Privacy Concerns Among Users

With the extension of the nationwide lockdown, the Indian government has made the use of its COVID 19 tracker - Aarogya Setu app mandatory for private and public sector employees alike. The mandate is now being touted as a complete ignorance of the rising privacy concerns from the app use.

But why? How can an app specifically designed for pandemic prevention act as a privacy concern to the users? There is no straight up answer to this and the fact of the matter is, many of the concerns can only be guessed at as of now.

Let us try to find out these concerns through a series of questions.

Who is to use the app?

First and foremost part of such a risk assessment is to find possible victims. While the Indian government has advised everyone in the country to download and use the app, there are some who have to do so on a mandatory basis.

This includes the workforce in private and public organisations alike. E-commerce industry has pushed for compulsory installation of the app by all on-ground staff, as have food delivery platforms Swiggy and Zomato for their riders.

In addition, the Centre also encouraged the download of Aarogya Setu app by migrant labourers and other stranded people being shifted to their home states.

A similar mandate stands for all the people living in COVID 19 hotspots i.e. a red zone or an orange zone as marked by state and district administrations. In addition, all the up-coming smartphones have been recommended to have the app pre-installed.

The widespread encouragement to use the Aarogya Setu app only makes sense as being a COVID 19 tracing app, it is meant to keep a track of the active cases as well as all those in a possible contact with the virus. This naturally becomes easier as the number of users increases.

Aarogya Setu App

With the new mandate, the use is only intensified, as those found defaulting on this part will be punished, as per the mandate.

"It shall be the responsibility of the head of the respective organisations to ensure 100% coverage of this app among the employees," the advisory said.

What information does it have?

The Aarogya Setu app asks users for their travel history to other countries, contact history with a COVID-19 patient (if any) and for any symptoms present. If anything points out to a possibility of the user being infected by COVID 19, health authorities are notified of the same.

Post sign-up, every user¡¯s account is linked to their mobile number. The app is then able to record the interaction of the user with other users of the app through a combination of GPS and Bluetooth. With a new update, the app also provides information about positive cases in a locality.

Privacy concerns

In a recent statement, the Internet Freedom Foundation (IFF) said "The Aarogya Setu app, which was initially touted as a voluntary measure, has effectively been made mandatory for gig workers and government employees. This is despite failing to adhere to data protection standards and lacking algorithmic accountability."

It further called the app a ¡°privacy minefield", adding that "it does not adhere to principles of minimisation, strict purpose limitation, transparency and accountability".

"The app runs very palpable risks of either expanding in scope or becoming a permanent surveillance architecture," said executive director Apar Gupta.

But why this risk? A simple reasoning would say that India neither has data protection law nor a data protection authority. If or when the government plans to use it for a reason other than the pandemic, there will of course, be little scope for questioning on those grounds.

(Representative Image: Reuters)

Wikileaks founder Edward Snowden warned of the same recently, asking ¡°Do you truly believe that when the first wave, this second wave, the 16th wave of the coronavirus is a long-forgotten memory, that these capabilities will not be kept? That these datasets will not be kept?¡±

And that, unfortunately, is a very probable risk.

Not the only risk

Similar COVID 19 tracing apps are being used in several other nations across the globe. Apple and Google are also collaboratively in the pursuit of a new one. During their efforts, they addressed possible security flaws in the upcoming app.

As per their team of engineers, the app had to be end-to-end encrypted and a passkey for each account was generated to protect the identity of the user. This is a very crucial aspect during such times as many can be a target of online scrutiny and harassment if their identities get revealed by any means.

A similar risk is being carried by the Aarogya Setu app, which will have to be security-proofed for such loopholes too, if any.