Aarogya Setu: Govt must take responsibility for protection of personal information collected

Published: May 14, 2020 12:45:18 AM

Similar to the TraceTogether and StopCovid apps deployed by Singapore and France respectively, Aarogya Setu is of immense use to both users and health authorities in containing the spread of the virus.


By V Sridhar

There is a controversy over the deployment and use of the Aarogya Setu app released by the Centre for contact tracing and tracking of Covid-19 infected individuals. Similar to the TraceTogether and StopCovid apps deployed by Singapore and France respectively, Aarogya Setu is of immense use to both users and health authorities in containing the spread of the virus. But, does it have any serious privacy implications?

The app has over 90 million downloads; it is user-friendly, and provides information regarding those who have self-evaluated themselves and/or have tested Covid positive in and around one’s location. The terms of use clearly state what information is collected, including the device information of contacts within Bluetooth (BT) range (~2-10 metres), how it is stored, and how it is communicated to the government server for contact tracing if and when a user tests positive for Covid. The privacy policy also states that the personal information is secured using a Digital Identifier (DID), which is generated using one’s registration information—and hence in pseudo-anonymised form—both in transit and storage.

There are a couple of causes for concern. First is the security of the exchange of contact information when devices are in BT range. During the exchange, the communication between the devices may be hacked, leading to false information and alerts. Realising this, BlueTrace, the BT protocol based on the reference protocol OpenTrace, has been modified to generate dynamic and temporary DIDs every 15 minutes instead of the static DIDs used in Aarogya Setu. BlueTrace is available on GitHub, and should be incorporated in Aarogya Setu to prevent man-in-the-middle and other related security attacks.
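The difference between a static DID and one rotated every 15 minutes can be shown in a short sketch. This is an added example, not code from Aarogya Setu or BlueTrace: it derives the rotating identifier with an HMAC over the time window instead of using the BlueTrace TempID format, and the function names, secrets and sightings are constructed for illustration.

```python
import hashlib
import hmac

WINDOW_SECONDS = 15 * 60  # rotation interval cited in the article

def static_did(registration_info: bytes) -> str:
    """Static case: one identifier derived from registration data, never changes."""
    return hashlib.sha256(registration_info).hexdigest()[:16]

def temp_id(user_secret: bytes, unix_time: int) -> str:
    """Rotating case: identifier bound to the 15-minute window containing unix_time."""
    window = unix_time // WINDOW_SECONDS
    mac = hmac.new(user_secret, window.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]

def windows_linked(sightings):
    """Passive observer's view: most time windows tied together by one broadcast ID."""
    seen = {}
    for unix_time, broadcast_id in sightings:
        seen.setdefault(broadcast_id, set()).add(unix_time // WINDOW_SECONDS)
    return max(len(w) for w in seen.values())

def resolve(broadcast_id, unix_time, user_secrets):
    """Server view: map an ID back to a user, only for the window it was valid in."""
    for user, secret in user_secrets.items():
        if hmac.compare_digest(temp_id(secret, unix_time), broadcast_id):
            return user
    return None

# Constructed sample data: one device observed every 15 minutes for 4 hours.
START = 1589400000
TIMES = [START + i * WINDOW_SECONDS for i in range(16)]
SECRETS = {"user-A": b"constructed-secret-A", "user-B": b"constructed-secret-B"}

STATIC_SIGHTINGS = [(t, static_did(b"user-A registration")) for t in TIMES]
ROTATING_SIGHTINGS = [(t, temp_id(SECRETS["user-A"], t)) for t in TIMES]

if __name__ == "__main__":
    print("static ID links", windows_linked(STATIC_SIGHTINGS), "windows")
    print("rotating ID links", windows_linked(ROTATING_SIGHTINGS), "windows")
    captured_time, captured_id = ROTATING_SIGHTINGS[0]
    print("in window:", resolve(captured_id, captured_time, SECRETS))
    print("an hour later:", resolve(captured_id, captured_time + 3600, SECRETS))
```

Rotation limits how long a captured identifier stays linkable and valid; a broadcast relayed within the same 15-minute window still resolves, so rotation alone does not authenticate the sender.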

Second is the continuous collection of GPS location information of the mobile device. The privacy policy states that this information will be sent to the server in encrypted form when the device user tests positive for the disease, or is shown to be high-risk in self-assessment. Further, this information is used by authorities to map out possible infection clusters and mobilise testing accordingly. Neither TraceTogether nor StopCovid uses GPS due to users’ sheer wariness about location tracking. There is also fear of geo-tracking information stored in government servers being hacked or decrypted since it is only pseudo-anonymised, and of individuals possibly being re-identified. Moreover, there is uncertainty about the movements of individuals potentially being used for purposes other than those intended. Though the policy clearly specifies “purpose limitation”, it doesn’t satisfy the “data minimisation” principle as set out in many privacy regulations, including EU-GDPR. Location information at the time of registration is important to trace the individual’s primary location in case of outbreak, but continuous tracking can be avoided by having “human-in-the-loop” instead of relying only on algorithms to trace the travel of infected individuals. For example, in Singapore, when an individual tests positive, healthcare and other workers conduct extensive interviews with them to obtain their travel history. The government would do well to create nationwide Covid call centres to build human-in-the-loop to assist Aarogya Setu users.

As an alternative to GPS tracking, the Centre can request the location data of infected individuals from telcos under existing provisions of the Indian Telegraph Act and IT Intermediary Guidelines. This can be made available from telcos’ network Operational Support Systems databases, using International Mobile Subscriber ID, in a pseudo-anonymised form. While making such requests, the Centre should keep the individual in the loop, maintaining transparency. Along with reducing fears of surveillance, this might increase the uptake of the app, which still hasn’t touched a quarter of India’s approximately 500 million smartphone users.

Third is what the privacy scholar Daniel Solove of George Washington University Law School calls “decisional interference”—the government’s incursion into the data subject’s personal decisions. By mandating Aarogya Setu for all forms of travel, the government is seen as intruding into the privacy of individuals. The PM’s assertions that the app helps individuals, society, and the nation must be backed up by the app’s terms of use and privacy policy, too. The Centre should revise the “limitations of liability” clause and take responsibility for protection of personal information collected and used by the app. More so, when the app is being mandated much like Aadhaar!

Keeping the privacy skeptics aside, Aarogya Setu is a great initiative that shall set the standards for all SAARC countries in this time of crisis, sans the limitations mentioned above.

The author is Professor, IIIT Bangalore. Views are personal.
