With Aarogya Setu deemed as a compulsory app in the third leg of the Covid-19 lockdown in India, debates have been raised about the app and its privacy credentials. Taking this on, the Internet Freedom Foundation (IFF) has submitted a joint representation to the Prime Minister’s Office, urging the government of India to review its decision of making the app a compulsory installation on all phones. The representation has been signed by 45 organisations and 104 individuals, all of whom urge the government to not establish the Aarogya Setu installation mandate for the sake of preventing a wrong precedent.
The IFF is a digital liberties organisation, which primarily works to preserve fundamental rights such as privacy and freedom of speech on the internet, and works as a watchdog against company activities and government orders. Soon after the introduction of the Aarogya Setu app, IFF conducted an exhaustive review of the app, exploring how much of a user’s privacy is compromised by Aarogya Setu.
IFF’s paper also explored non-surveillance contact tracing options, and looked through the app’s privacy and data usage guidelines to understand if the Indian government could have a better way of implementing contact tracing. With sources suggesting that Aarogya Setu will also be made mandatory to set up before setting up a new smartphone, it is important to understand the privacy implications of the app, against which IFF’s new joint representation aims to seek solace.
Not enough privacy assurances
Deb further states that the Aarogya Setu app presently offers “sub-optimal transparency”, and lacks self-imposed limits that would assure people that apps such as these are only temporary.
The issue of accountability
Another big reason why the IFF is moving against the mandatory order on the Aarogya Setu app is the sheer lack of proper accountability in terms of handling the service and its gathered data. Deb offers a four-part explanation for this. He says:
Challenging the discourse on this, the government of India's digital adoption division, MyGov, has tweeted details about how it accounts for safety and privacy of users downloading Aarogya Setu. In a thread of tweets, a MyGov spokesperson has said:
The app requires you to enter your mobile number and certain personal information at the time of registration. All this information submitted is securely encrypted and stored on the server. On registration, the app assigns you a unique, anonymised, randomly generated device ID. The linking of device ID to mobile number is one time, and is securely encrypted and stored in a server. All future interactions from device to server is done through device ID only. No personal information is exchanged post the registration. Thus, all processing of contact tracing and risk assessment is done in an anonymised manner. When you come in proximity of other people with this app installed, it stores encrypted information of this interaction in a secure manner on your mobile only. Information of your social interactions is NOT sent to the server in most cases, except when you have come in contact with someone who has later been diagnosed high risk or your self-assessment categorises you at risk. Government of India will use your information ONLY for administering necessary medical interventions. Your data is NOT going to be used for any other purpose. No third party has access to data.
Alternate routes for the Govt
Deb affirms that the Indian government does have available, open source models that can be adopted while establishing a private contact tracing procedure. These options include the likes of PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing), which is being advocated by EU officials against Apple and Google’s proprietary, decentralised approach. The latter is also found in an alternate option, DP3T (Decentralized Privacy-Preserving Proximity Tracing), which is being advocated by blockchain companies.