Covid-19: Why widespread use of Aarogya Setu needed

Accurate and timely data might be our best bet in the battle against this pandemic. As a next step, India could tie the app to a secure and centralised database that includes end-to-end analysis of potentially infected people—from early symptoms to recovery. Also, to increase adoption, we can increase the number of languages the app caters to.

By Alok Gupta & TV Ramachandran
The hyperconnected world we live in fuelled the unfortunate spread of the coronavirus and exposed several weaknesses in public welfare systems of all nations. To India’s credit, we responded quickly with effective actions to delay the spread and reduce the amplitude of the hit. Ironically, the very same global hyperconnectedness, but when applied to our communication, was one of the main reasons we could respond with swift measures, mitigate the virus’s spread, and learn about different treatment methods.

Accurate and timely data about potentially infected areas and hotspots proved invaluable during these past few months. On the last day of Lockdown 3.0, there were reportedly 5,049 new cases of Covid-19 and an additional 152 deaths, taking the total tally to 95,698 cases and 3,025 deaths. Each life lost is tragic, but the lockdown with social distancing measures and the use of data to contain hotspots helped avert widespread devastation in our country of billions.

On April 2, 2020, the Ministry of Electronics and Information Technology (MeitY) launched Aarogya Setu, a Covid-19 contact tracing app, mandatory for those employed in private and public offices. The app provides the ability to identify and analyse a person’s risk of a Covid-19 infection, alert them early, and offer medical support and resources. Additionally, the data is useful for the government to identify emerging hotspots.

Data might prove to be our best bet in the battle against this global pandemic, and in particular a contact tracing app such as the one proven effective in South Korea. The United Kingdom’s NHS just launched its own app, and France and the United States will follow shortly. Even the World Health Organisation (WHO) is working on its own app for resource-strapped countries to track and handle the spread of this coronavirus effectively.

The Aarogya Setu app requires users to submit their geodata and utilises Bluetooth to connect to other registered users on the network. It then analyses whether the user has come in contact with any person who tested positive for the virus, and directs them towards the appropriate medical intervention. Based on its terms of service, it is intended to “notify, trace, and suitably support” registered users and their potential Covid-19 infection risk. Inarguably, all these are essential pieces of information for the common man.

There were concerns from the general public, privacy rights advocates, security analysts, lawyers, an ethical hacker based in France, and recently Justice BN Srikrishna (one of the architects of the draft Data Protection Bill) raised questions about the app’s policies on the collection, storage, security, transmission, and its effects on the data privacy of Indian citizens. Concerns were also raised around the app not being made open source and available to public review, and the potential of the data falling into the hands of hackers and used for nefarious reasons. Very recently, researchers at the reputed institute MIT ranked the app a 2 out of 5, but positive on the fact that it deletes user data in a timely fashion, and collects only relevant information to tracking Covid-19.

The Union minister for Communications, Electronics & IT and Law & Justice, Ravi Shankar Prasad, stated that general data would be deleted within 30 days, and data related to infected people removed within 45-60 days. He further asserted that the app was “absolutely robust, safe, and secure.” Furthermore, the government indicates that the user-generated data is stored in each individual’s mobile phone, and only a digitally generated ID is sent to the NIC servers in an encrypted fashion. On May 11, the government introduced data processing guidelines for Aarogya Setu and added clauses that include potential imprisonment for people found misusing the data. Data also cannot be stored beyond 180 days, and any individual can petition for their data to be deleted, and it will have to be erased within 30 days of the original date of request. These assurances may allay some of the concerns surrounding the app.
How else can the government quell fears and help people embrace the app?

As a next step, even with over 100 million downloads the government is actively trying to recruit more participants. Keeping in mind that only 24% of Indians have access to smartphone technology (Pew data), there is a toll-free IVR-based 1921 call-in-number. Even if the smartphone numbers were higher, there would still be almost half our population which would not be covered. Additionally, users with older versions of the OS, Bluetooth malfunctioning and unreliability issues will cause much lesser data to be collected than would be required for effective assessment. India needs to consider alternative technology like the US and France. With assistance from our telcos, we need ways to trace infection risk for all individuals—not just those with advanced smartphone technology.

Perhaps one way to increase adoption is to increase the number of languages the app caters to, considering the diversity in our nation. The government must take utmost precautions in securing our data and ensure sensitive information does not land in the hands of unauthorised players who may misuse it. Releasing the source code for Aarogya Setu, just like the UK’s NHS did, may also help alleviate security concerns and increase adoption. Offering proof and openness to scrutiny about permanently deleted data in the defined timeframe may also reassure users and further boost the app’s usage during this crisis. This will come in handy when collaborating with other nations, the WHO, and other organisations.

With the data of crores of Indians at their fingertips, it would be beneficial if anonymised and sanitised versions of the data were used for advanced predictive analytics. In the age of machine learning and deep learning, vast amounts of data are crunched regularly to make better predictions for the future. In this case, we could perhaps predict the next hotspots with better accuracy, how best to prevent getting infected, and learn more about which treatment works best for a particular type of patient.

The Indian Council of Medical Research (ICMR) is handling Covid-19 patient and clinical information across the country. As a next step, India could tie the app to a secure and centralised database, administered by the Department of Telecommunications that includes end-to-end analysis of potentially infected people—from early symptoms to recovery. This will offer great insights into battling this insidious virus.

The central government is actively working on addressing any security concerns raised by Indians. These measures are required since this will increase usage of the app—which then improves the app’s effectiveness. There must also be a strong drive to develop technology that helps non-smartphone users participate in contact tracing. This initiative could get ramped up together with telcos.

It is time to focus on how the app can be made more relevant down the line. Telcos have a wide-ranging, world-class network, and are the best source of robust data which has to be leveraged to truly realise the app’s potential. Use-cases can evolve from the current tracking of infected users and the projected tracing to sophisticated ones like geofencing, assessing population at risk through mobility models, and post-lockdown planning. Enhancing the app’s ease-of-use, increasing the user base, and analysing the resulting aggregated, anonymised data will help Indians and the world overcome the Covid-19 crisis. We are not safe until everyone adopts and uses it—a public interest essential.

Gupta is MD, Pyramid Cyber Security & Forensic Ltd, and Ramachandran is president, Broadband India Forum. Views are personal