To curb the spread of the Coronavirus, Governments all over the world have resorted to actions that have potentially infringed upon the rights of individuals. In India, Aarogya Setu has sparked a debate on privacy.
“Big Brother is Watching You” just got a whole lot really, according to some privacy experts, when the Government of India rolled out ‘Aarogya Setu’, an application that aims to inform the people of their risk of contracting the Coronavirus and educate them on the best practices and medical advisories pertaining to the COVID-19 Pandemic.
However, the app has not exactly gone down well with certain people who argue that the system by which the app uses contact tracing and shares details with the government essentially makes it a ‘surveillance system’. Congress politician Rahul Gandhi too tweeted in this regard, and his theory was ‘proved’ by French ethical hacker, Elliot Anderson. Through this article, I am going to analyse whether or not these claims hold weight, and whether the application is truly worth it.
The first concern would be that downloading the app gives the Indian Government access to your location and personal data at all times. However, that is untrue. Firstly, the application replaces all your data with a Device Identification Number on sign-up, and this DiD becomes the basis of all future interactions. It is this DiD that is used to interact with other phones when they come in range with each other and calculate your health risk and communicate it to the server. It is only when the risk of infection to a person is too high that the personal information is reconciled with the DiD to alert the individual.
The Privacy Policy for the application, along with its Data Access protocol, explicitly states the purposes for which the data can be used and limits the possibility for misuse. One major concern remains in the fact that the data is shared not only with the Health Ministry but with any related ministry at the central or state level that is involved in addressing the pandemic, but a case could be made against the same looking at the various actors involved in the COVID response. Another concern comes from the fact that DiDs that do not change can lead to privacy issues, but the Government is currently addressing this by creating a dynamic ID that generates multiple times and offers more security.
Hacker Elliott Anderson tweeted about certain ‘risks’ which included data of the users being at risk and local files being accessed. However, various people proficient with coding have come out to deny these claims, arguing that Elliott ran basic scripts to access the data stored on his own device and portrayed it as a security issue when it isn’t. Adding to it, the creators of the app themselves chose to engage with the hacker and clarified their response to his claims. It has been by and large proved that these claims held no weight at all and should be disregarded. An important point to be noted is that this is the same person who claimed that he hacked TRAI Chairman RS Sharma’s information based on his Aadhar Number. However, it was later found that the information he ‘hacked’ was available in the public domain already and could be easily found through search engines. As Michael Scott would say “Fool me once, strike one. But fool me twice, strike three.”
More importantly, the rules and privacy policy clearly specify the duration for which the data can be stored. The application deletes all personal data 30 days from collection, and the servers purge the information after 45-60 days, depending on whether or not a particular person tested positive for the virus. This contact and location data can in any case not be retained beyond 180 days and the demographic data is deleted within six months, provided the pandemic does not extend beyond that period. Thus, the possibility of the government retaining or sharing this data for other purposes does not exist.
Contact Tracing is a difficult, labour intensive process and often leaves out people in the way it’s been conventionally done. For example, a person goes to the market to buy vegetables and meets someone they do not know who later turns out to be positive for the virus. At that point in time, it becomes almost impossible for health officials to trace who was at xyz vegetable vendor at 11:00 hours on a day. This is where the app steps in, even if the person doesn’t know the person who contracted the virus, they will be notified of the risk and be asked to take steps accordingly, thus making the contact-tracing process not only less difficult but also more comprehensive.
A case is made that apps like these cannot be put to use by people who don’t have smartphones. It’s important to note that the app isn’t a replacement for contact tracing, it is an assistance mechanism. A lack of accessibility by the entire population cannot count as an argument for the ones who can access it to not be asked to install it and use it. Even if one person can self-isolate and reduce the spread of the virus due to the app, it means tens or hundreds of others who they would have come in contact with are saved. Every single life saved is a major victory for the application. In fact, until now, the app has been used to notify 1.4 lakh people of potential exposure to the virus and asked them to take necessary precautions. Even if one percent of those, i.e., 1400 people test positive for the virus later but had taken precautions to contain its spread thanks to the notifications issued, it’s a win not only for the app but for the country.
It is a moral obligation of every citizen to try and ensure that we try and reduce the spread of the virus as much as possible and take whatever steps necessary. Aarogya Setu, with its benefits, is a huge step, and all of us who can download it should make sure that we do.
Of course, the government needs to do better in two regards. Firstly, the government must implement Aarogya Setu only through law. If an action threatens to hinder a fundamental right (such as the Right to Privacy here), it needs to be implemented through legislation that limits potential government misuse. While in the status quo, it is understandable why the app is being pushed so strongly, there are better ways to do it, especially in the absence of a Data Protection law in the country.
Secondly, app security is a major issue. Thus, the app should be made open source so that developers can check it for bugs and potential security issues, and thus make it safer and easier to use for everyone.
The Aarogya Setu app is not perfect, but there can be no denying that it can be of huge help in the fight against COVID-19. The government has actually taken measures to ensure that user privacy is respected to the extent possible, which is a welcome change from its actions from the past. Given how crucial it is, it is imperative that we download the application as a measure to not only safeguard our own health but that of others around us too.
Featured Image Credit: Flipboard
Khush Vardhan Dembla