
DH Deciphers | Is Aarogya Setu app effective? Should I worry about my privacy?

Last Updated 11 May 2020, 02:36 IST

The government's decision to make the download of Aarogya Setu app mandatory for all residents of containment zones as well as public and private sector employees has raised serious privacy and surveillance concerns. Critics say users' personal data is prone to misuse by government agencies and private corporations. And since it primarily works by tracking the user's location, there are high chances of the leakage of this important data. The government itself acknowledged that the app's Android version had leaked users' longitude and latitude to a YouTube server.

We do not know if there are more loopholes in the app. And the government has only fuelled suspicions by ignoring demands to make the app's security code open so that individual software developers could scrutinise it for bugs and suggest fixes. Here's the lowdown on what the app does and how, whether it's effective and whether we need to worry:

Let's start with the basics. What is Aarogya Setu and how does it work?

Aarogya Setu (health bridge) is a mobile phone app that traces the contacts of a person infected with the novel coronavirus. It uses Bluetooth to determine if a user came in contact with an infected person (within a distance of 10 metres). And it uses GPS to find out where a person went, every 15 minutes (it accesses the precise location in the foreground and the approximate location in the background).

Developed by the National Informatics Centre, Ministry of Electronics and Information Technology, the app is available in 11 languages.

At the time of registration, users have to give their name, phone number, age, sex, profession and countries visited in the last 30 days using a chatbot (it's possible to lie to it). All this information is stored on a government server and hashed with a unique digital ID (DiD).

The app will then assess your health (based on what you tell it) and give you a risk score. If you are at risk for Covid-19 or test positive, your health information will be stored on the server. The authorities may contact you to quarantine you and provide you with medical interventions. At the same time, the app will alert all the people who came in contact with you by using Bluetooth and GPS.

Is the app effective? Does it really help in checking the spread of Covid-19?

The app will alert a user only if s/he comes in contact with an infected person who has also downloaded the app and has both Bluetooth and GPS turned on in their phone. It won't work if you meet an infected person who doesn't have a mobile phone or uses a basic phone. It also won't work if the user tested positive before downloading the app.

The only way the app will work to its potential is when at least 20 crore people download it (the current downloads stand at nine crores). Given the size of our country's population (138 crores), even the 20-crore figure is grossly inadequate. But above all, the key to winning the battle against the coronavirus is testing millions of people per day. We're doing only 95,000 tests daily.

If the app's effectiveness is debatable, why make it mandatory?

This is what everyone seems to be asking. Contact-tracing apps exist in developed countries, too, but they aren't mandatory because no one is sure of their effectiveness and there are also privacy concerns. At best, it's an experiment that may well fail. But the zeal with which the government has pushed it (the prime minister himself asked citizens to download it) has made some people suspicious about the intentions behind it.

Tell me about the app's privacy policy.

All the personal information collected from a user will be retained as long as the account exists (which could be forever). All the information about the people that you met while using the app, your health assessment and location history will be retained on the phone for 30 days. At the end of this period, the information will be uploaded to the server and purged from the app. The information will be purged from the server within 45 days if you do not test positive. This period will be 60 days if you test positive.

If all my data is purged after 60 days, why should I worry?

There are genuine concerns about the leakage and misuse of this data. While the government says all the data is encrypted, some hackers have already breached it. French security researcher Baptiste Robert (aka Elliot Alderson) claimed he was able to modify the app to pinpoint the location of the infected users. The Aarogya Setu team responded by saying the app is foolproof. Alderson said not all of his concerns were addressed and claimed that he could access details of infected users. He even said five people in the Prime Minister's Office had reported unwell.

(Published 10 May 2020, 19:39 IST)
