Aarogya Setu app downloaded in over 10 crore smartphones, not a single case of security or privacy breach

In just over 40 days of its launch, the Aarogya Setu app that the Government of India notified for contact tracing for managing COVID-19, has crossed more than 10.05 crore downloads. Known as Corona warriors, these individuals through their smartphones have downloaded the mobile app which keeps their specific and pertinent demographic and travel history information in an encrypted form in a server and identifies them with a unique digital ID (DID) and uses the Bluetooth Low Energy (BLE) and Global Positioning System (GPS) locational technologies for communicating under strictly defined protocols which are set in the privacy policy of the app. All aspects of the privacy and security of the app has been widely factored in before it was developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology, Government of India (MEITY) and the Empowered Group 9 on Technology and Data Management set up by the Central Government under the Disaster Management Act 2005 has also been involved in ensuring that such prudent practices remain at the topmost priority. The app’s efficacy also lay in making this a more optimal tool for alerting at-risk citizens of the precautions to be taken and also facilitate mitigation strategies by the government as also help devise steps to open up the lockdown status in a graded manner

However, some concerns were consistently being flagged around by the Opposition on its privacy and security as they raised over the electronic voting machines and Aadhar systems. A large section of the criticism also refer to similar contact tracing apps being launched in Australia, Germany and now UK which only factor the BLE technology and some delve further to mention about the centralised and decentralised modes of these apps to carry their point. Aarogya Setu has been one of the first such apps, which has factored most of these issues in terms of technology, efficacy and essentiality as also the prudent privacy policies being practised both in terms of existing laws, rules and also citizen’s concerns. Even in situation of a global pandemic afflicting the nation, Right to Life and Right to Privacy has been addressed in the mitigation strategy.

It will be pertinent to dwell on the issues that are being raised in the context of security and privacy while implementing the app. Firstly the privacy policy for the app has been comprehensively defined. The purpose, manner of information collection and its usage, as well as retention and grievance mechanism, have been covered. Secondly, the app collects personal information which falls short of sensitive personal information (SPI) as defined in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Yet in practice, all security measures that apply to SPI has been envisaged as mentioned in the privacy policy. Thirdly the data collected is stored in a secure server hashed with a unique digital ID (DID) which is the only identifier that is transmitted even when two devices come in the Bluetooth range of each other while noting the time and the GPS location of that exchange. Fourthly, location data collected are stored only in the user’s devices and this information will be uploaded on the server only if the user tests COVID-19 positive or indicate symptoms that might lead to being infected. All data transmitted happens in an anonymised and encrypted manner. So far only 13,287 COVID-19 positive of the 10.05 crore users have been uploaded to the server to identify the Bluetooth contacts and alert them. Fifthly, the app has all the reasonable security practices defined and all data, whether in transit or storage in devices or in cloud servers are encrypted and protected. Sixthly, all information collected will be purged from the users’ devices after 30 days and from the server after 45 days for those have not tested positive and after 60 days for those who have tested positive. Finally, all issues and grievances are also quickly addressed by the government-owned national informatics centre (NIC) which is technically responsible for the maintenance of the app.

Around 1.4 lakh Aarogya Setu app users have been alerted via Bluetooth contact tracing about the possible risk of infection due to proximity to infected patients

In all these 40 days of this app being in place, not a single case of security or privacy breach has surfaced nor any security vulnerability identified to cause any data leak. Making the app mandatory for government and private sector employees who are now venturing to work in the relaxed lockdown conditions isn’t a bad practice because physical distancing is still the need of the hour and the app is safe from every angle. Likewise, also making it mandatory for people in the containment zone is an optimal move to ensure no new contact has happened, or any form of risk has been enhanced. On the aspect of the app being a ‘sophisticated surveillance system’ as alluded by the Congress leader Rahul Gandhi, the app has its purpose defined for a limited time frame and functionality makes it confined to the only contact tracing around COVID-19. So the scope of any surveillance raising doesn’t arise.

With the notification of the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 by MEITY on May 11, 2020, further clarity has been provided on all aspects of privacy including the sharing of data among the concerned government entities. MEITY has been designated as the agency responsible for the implementation of this Protocol and the app developer NIC will be responsible for the collection, processing and managing response data collected by the Aarogya Setu. Further, any entity with whom response data has been shared by NIC shall use such data strictly for the purpose for which it is shared and such ministry, department of the government, NDMA, SDMAs or public health institution shall process response data in a fair, transparent and non-discriminatory manner. Also, violations of these directions in the Protocol will lead to penalties as per section 51 to 60 of the DMA and other legal provisions as may be applicable. The Empowered Group shall review this Protocol after six months from the date of the notification or even earlier if it deems fit.

It is prudent to understand that this app hasn’t stopped the physical contact tracing by health officials and police but has significantly helped in identifying contacts beyond the doubts of memory, or non-cooperation or even falsifying. Needless to say a nation already confident on the success of two large scale usage of technology in governance projects in Aadhar and EVMs will leave no stone unturned to make this app successful too with all secure solutions, legal compliances and of course citizens’ privacy.