Jury is still out on privacy concerns in Aarogya Setu

After Singapore and the UK, the Indian government has open-sourced Aarogya Setu, one of the fastest growing contact tracing apps in the world. Mint analyses how it works and the concerns around it

After Singapore and the UK, the Indian government has open-sourced Aarogya Setu, one of the fastest growing contact tracing apps in the world. But since the launch of the app, it has seen its fair share of controversy. Mint analyses how it works and the concerns around it.

What are the concerns surrounding the app?

Contact tracing apps such as Aarogya Setu require continuous access to location history and Bluetooth. This, combined with the fact that they run on government servers, theoretically makes them tools that a government can use to track and monitor individuals. However, the Indian government has reiterated that data from this app is used only for health purposes and its covid-19-related efforts. Privacy advocates, experts and hackers have expressed their scepticism about this, although there is no proof yet that the government is using this data for surveillance purposes.

What data does the app take from you?

The data that the app collects is divided into four categories—demographic, self assessment, contact and location. Together, they include information such as a person’s name, mobile number, age, gender, profession, travel history, individuals they have been in close proximity with, how long they were close to each other, location where this contact happened and the distance between those individuals. Additionally, as the app can access your location continuously, it knows where you have been at any given time and date. That doesn’t necessarily mean the same can be accessed by others.

When does it upload data to the government servers?

The app’s privacy policy says personal data is uploaded on the servers when you sign up and take the self-assessment, and every time you take the assessment after that. The data gets a unique ID (DiD), the only identifier for users. When two users come in contact, their phones get this DiD and data from this event gets uploaded only if one of them tests positive for covid-19.

What is open-sourcing and does it matter?

Open-sourcing the code is akin to looking under the hood of a car. The government has published the Android version’s code on Github, a code repository for anyone to see and use. Developers, coders, hackers and others can find flaws, loopholes that could leak data and figure out what data is accessed. They can submit any bugs to the government for a ₹1 lakh reward. The code shows how the app interacts with a user, not what is done on the server side. Experts say it is never open-sourcing without server side open-sourcing.

Who uses the app and how has it helped?

At present, the app has seen more than 115 million downloads. The government said it has helped predict 3,000 virus hotspots at a sub-post office level. With 25000 users of the app who tested positive, the government could contact trace over 400,000 people. Of these, 140,000 were found to be moderate and high risk.

Subscribe to newsletters

* Enter a valid email
* Thank you for subscribing to our newsletter.