In India, Mandatory COVID App Raises Privacy and Data-Theft Issues

By Aishwarya Jagani

The government of India last month took several steps to allay some privacy fears over its official COVID-19 contact-tracing app, Aarogya Setu.

The app’s terms of service now say the government will accept “limited liability” for data collected by the app, which had not been the case. The app’s source code also has been released, allowing independent coders and researchers to check for security flaws.

But Aarogya Setu, announced in April by the Ministry of Electronics and Information Technology, still remains under fire: The device is mandatory for many Indian citizens, as well as for central government employees and those traveling by air or train.

“Is it not concerning that the app has been rolled out in violation of the law of the land and is then made mandatory?” Rajeev Gowda, a member of the Indian Parliament, posed to Digital Privacy News. “What is the legal framework?

“We have no answers,” he said. “And until we do, it is an overreach to make the app mandatory.”

Ministry officials did not immediately respond to requests for comment from Digital Privacy News, though one of the app’s makers last month called it “most secure.”

In addition, a court challenge by opposition leaders pushed Prime Minister Narendra Modi’s government to roll back the mandatory requirement for private-sector workers.


How It Works

Aarogya Setu, which means “bridge to health” in Hindi, incorporates Bluetooth and GPS technology to alert users if they are in close proximity to or have come into contact with confirmed carriers of COVID-19.

The app also collects names, cellphone numbers, ages, gender specifics, professions and details on countries visited in the last 30 days.

It only uploads data to government servers after a person tests positive for coronavirus. The app stores data every 15 minutes — and officials have not made clear what happens to data that is not uploaded to servers.

Troubled From Outset

Aarogya Setu was launched April 2 and since has been plagued by privacy issues.

Within a month, a French ethical hacker, Robert Baptiste (known online as Elliot Alderson), exposed huge security gaps after he breached the app and released data on at-risk individuals in specific homes, including Modi’s official residence.

Baptiste tweeted May 5: “Yesterday: 5 people felt unwell at the PMO office, 2 unwell at the Indian Army headquarters, 1 infected people at the Indian Parliament, 3 infected at the home office.” 


But Modi’s government fired back the next day, also on Twitter: “No personal information of any user has been proven to be at risk by this ethical hacker.

“We are continuously testing and upgrading our systems,” the post continued. “Team Aarogya Setu assures everyone that no data or security breach has been identified.”

Alderson retorted: “There’s nothing to see here.”

Other Problems

Aarogya Setu also has been attacked for collecting huge amounts of data, for lacking clarity on who has access to it and for having no clear security or encryption layers.

While other contact-tracing apps often collect one or two data points, for instance, Aarogya Setu collects multiple points. These include demographic information, names and professions — leading to increased privacy risks, experts say.

Ajay Sahni, one of the app’s makers, has nonetheless called Aarogya Setu “most secure.”

He said at a May 11 news conference: “There is no possibility of surveillance or misuse of the app.”

But Mira Swaminathan, of the Centre for Internet and Society in Bangalore, countered to Digital Privacy News: “There is a very strong possibility of the use and abuse of this particular data.

“This data has the potential to reach markets wherein third parties can use it for anything from advertising to leaking of such information, which would further lead to a toxic system of surveillance.”

Referencing the French attack, Swaminathan added: “One feature of the app, designed to let users check if there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any (three-tenths of a mile) radius.”

In sparse areas, she said, hackers could stage a “‘triangulation attack’ and figure out the diagnosis of the users of that area.”

Silent on Security Practices

Gowda attacked the app’s privacy policy, telling Digital Privacy News that it had “vague terminology” such that the data collected can be shared with “other ministries and departments of the central and state governments.”


Pavan Duggal, a cyber law expert in New Delhi, said Aarogya Setu also lacked specifics on compliance with India’s Information Technology Act of 2000. 

“If you are processing or handling sensitive data, you are required to implement and maintain reasonable security practices and procedures,” he told Digital Privacy News.

“When you look at the terms and services of this app, there is no clarity of how it has in place the compliance pertaining to reasonable security practices and procedures.

“It is completely silent on that,” Duggal said.

Who Has Access?

Aarogya Setu’s privacy policy does not specify which government agencies will have access to the app’s data.

“I believe this data could potentially be accessed by governmental agencies,” Duggal said. “Because there are no checks and balances.

“Chances of potential misuse are relatively high.”

The Indian government, however, said last month that information could be shared — and that all government agencies granted access must use it only for the purpose for which it had been designated, and that it must be deleted after 180 days.

Still, Duggal said, “This is a classic example of the app privacy policy stating less and hiding more.”

Mandatory Registration

But perhaps the biggest controversy surrounding Aarogya Setu is how Modi’s government required domestic-flight travelers to download the app once air travel resumed on May 21 after a two-month lockdown.

“All departing passengers must compulsorily be registered with the Aarogya Setu app on their mobiles,” the Indian Airports Authority announced, adding that registrations would be verified by the Central Industrial Security Force and airport staff “at the entry gate.”

When Aarogya Setu was launched in April, Modi’s government quickly assured citizens that downloading would be “entirely voluntary.”

Now, the app also is required of people working in central government offices, train travelers — and those living in COVID containment zones.

In fact, a New Delhi suburb threatened fines and jail terms last month for those who did not download the app.

The backlash was swift. Retired India Supreme Court Justice B.N. Srikrishna called the mandate “utterly illegal.”

“Under what law do you mandate it on anyone?” he posed to local journalists. “So far, it is not backed by any law.”


Opposition leaders challenged the directive last month in the Kerala High Court, leading Modi’s government to back down on the requirement for private-sector employees.

Questions of Value

Some experts questioned Aarogya Setu’s effectiveness to Digital Privacy News.

“I personally don’t find this app to be very effective,” said Ritesh Bhatia, a cybercrime specialist in Mumbai. “Soon after flights opened up, a minimum of eight people were found infected on two different aircraft.

“How did the app help?”

Bhatia noted that only about 8% of India’s citizens had downloaded the app — 75 million downloads in total — and many tended to keep their Bluetooth and GPS features turned off. 

“If the app isn’t serving its purpose, why make it compulsory?”

Aishwarya Jagani is a writer based in Mumbai, India.
