India’s Contact Tracing App Is a Bridge Too Far

Chinmayi Arun is a resident fellow of Yale Law School’s Information Society Project and was founder director of National Law University Delhi’s Centre for Communication Governance.

India introduced its COVID-19 contact tracing app, Aarogya Setu, on April 2, 2020. By July, it had been downloaded 127.6 million times from the Apple and Google Play app stores. The app is controversial: there are concerns about the Indian government’s partnership with private sector in its development, the design and functionality of the app, and the lack of legal and policy safeguards in place to prevent the abuse of user data.

Questionable Origins

The design and development process of Aarogya Setu was opaque and involved the private sector in ways that are not entirely transparent. The app uses a peculiar public-private model: it is government-owned and was developed under the aegis of the Ministry of Electronics and Information Technology’s National Informatics Centre. However, tech industry volunteers have participated in managing the development of the app, leading to ambiguity about design decisions that were possibly made by employees of companies with conflicts of interest, such as a desire to access user data through the app.

Privacy-Violating Design

Aarogya Setu collects "demographic" data [PDF] including age, gender, phone number, and travel history, which is stored on the app’s central server. The app also collects users’ GPS co-ordinates every thirty minutes and continuously accesses Bluetooth data about nearby users, and stores this data in encrypted form on users’ phones. If a person is flagged as at-risk by the app’s self-assessment or confirmed to be positive, a thirty-day log of their contacts is uploaded to a centralized server and alerts are sent to everyone they came into contact with. This data is also shared with health authorities. In addition, the app displays warnings to users about virus hotspots and offers advice on how to avoid infection, demonstrating some of the ways that user data and the app itself are being leveraged beyond the scope of contact tracing. Most recently, Aarogya Setu has set up an Open API Services portal through which third party apps can check a user’s health status “with [the user’s] consent”.

Not everyone has a smartphone in India, so people with feature phones or landlines have been asked to use the Aarogya Setu Interactive Voice Response System, a toll-free service through which users are called back and asked questions about their health. Their responses are presumably stored centrally, like data collected by the app.

The centralized storage of data and use of the app for surveillance is a design choice. In contrast, there are contact-tracing apps that only notify users if they are at risk and leave it to them to self-report. If the Indian government was concerned about being able to monitor the number of infected people in particular areas in the interest of allocating resources efficiently, it could have designed a system that flagged trends without identifying individuals.

Law and Policy

A broad constitutional right to privacy exists in India, but the granular rules necessary to implement this right are yet to be enacted. Aarogya Setu’s collection and handling of data is governed by executive orders and policies, instead of a legal framework. This means that there is little accountability for government or private sector misuse of this data for purposes that have little to do with the pandemic.

Specifically, the Indian government’s Aarogya Setu Data Access and Knowledge Sharing Protocol 2020 [PDF] details government policy on data pertaining to infected individuals, people who have come into contact with them, and those at a high risk of being infected. Personal data collected through Aarogya Setu can be shared with Indian government ministries, public health institutions, and, after anonymization, universities and research institutions for academic research. So far, there is no requirement that this research needs to be non-profit or in the public interest. Therefore, private companies may be able to access anonymized data from Aarogya Setu if they can make the case that they are using it for academic research.

While downloading and using Aarogya Setu is not mandatory, citizens have effectively been made to use the app on several occasions. For example, they have been pushed to install it by residential associations and private service providers, such as gyms. Aarogya Setu is also required for entry into certain courts and was originally made mandatory for rail and air travel, although the government later clarified that this is no longer the case. Most tellingly, the app was, until recently, mandatory for government employees, and the government has recommended that private employers encourage their employees to use it.

Response to Criticism

In response to widespread criticism of Aarogya Setu, the Indian government has made some changes to increase transparency and assure people that their data will be used in limited ways. For example, after accusations that the app was exposing sensitive health data, the government announced the release of its source code to allay concerns by permitting public verification of the security and integrity of the app. However, this effort at transparency has been called “open-washing” by some; several activists say that the source code made available on GitHub is not the version of Aarogya Setu currently in use and the server side code has not been updated for weeks.

Recently, users have been given the option to delete their Aarogya Setu account. However, it is unclear whether deletion of their account will erase the user’s data from government servers, or if the government will hold this data until the user follows the special procedure for requesting its deletion.

Conclusion 

Instead of focusing on a simple and strategic response to cope with the COVID-19 pandemic, the Indian government brainstormed with profit-driven private sector employees and designed a contact tracing app with little care for transparency, accountability, or privacy. Although public criticism has enabled some changes, the fundamental problems of Aarogya Setu and the risk of companies gaining access to its data remain. As the COVID-19 pandemic shows no sign of abating, future iterations of contact tracing apps in India and abroad should learn from these mistakes in order to avoid them.