Amid nation-wide lockdown, the Government of India released their contact tracing app, Aarogya Setu.

Three days past its release, it crossed 5 million downloads. It was ranked the world’s fastest-growing app, overtaking Pokemon Go as it’s users surged to 50 million within 13 days of launch and over 75 million till date.

But what matches the pace of its growth, is the growth of privacy concerns around the app. The app’s initial Privacy Policy had too many issues brought to notice by forums like the Internet Freedom Foundation.

The app’s Privacy Policy was updated sometime later. Still, the new one has some unaddressed issues.

How The App Works?

It takes just basic information like your name, phone number, age, sex, profession, travel history and whether or not you are smoker to register to the Aarogya Setu app.

You’ll be asked some questions for the self-assessment test for COVID-19 infection.

All collected data will be uploaded to servers of Government Of India, where they will be encrypted with a unique digital ID called your DiD.

The app also takes your phone’s location and Bluetooth access.

When you meet someone (say X), you bring your phone within the Bluetooth range of X’s phone.

If both the phones have Aarogya Setu installed and working, they will automatically exchange DiDs and record the exact GPS location and the time of the meet.

This means your unique identification number (DiD) will be stored in the person’s phone (here, X’s phone). Though, he can not see or use it.

Now, in case, X tests positive for COVID-19, information including all the places he visited and the saved DiDs of all the people he met will be uploaded to the Government Servers.

This will help the government to:

• Notify, test and maybe quarantine everyone he met.
• Sanitise the places he went to.
• Test people of the neighbourhood he lives in.

That means you’ll be notified if someone you have crossed path with previously has been tested positive for COVID19.

More Of A Surveillance?

The self-assessment test in the app will search for symptoms to figure out the probability of you being infected with the coronavirus infection.

Based on this, you’ll be graded into colours:

• Yellow or Orange means you have a higher risk of getting infected with the Novel Coronavirus.
• Green means you have relatively less probability of being so.

The app keeps tracking your location every fifteen minutes. It also keeps a record of everyone’s DiD you met.

But the Privacy Policy of the app states this information will only be uploaded to the servers if:

• You test positive for COVID19
• Your self-declared symptoms indicate you’re likely to be infected with the virus
• The result of your self-assessment test is either YELLOW or ORANGE.

The information will be kept securely on your phone if you are not unwell or if the result of your self-assessment test is GREEN.

If your results stay GREEN for 30 days, the following data collected in the past 30 days will be deleted from the phone:

• The places you visited & location collected every 15 minutes.
• The DiDs of people you met.
• Results of the self-assessment tests.

Fundamental Rights Are Endangered.

Journalism site, The Hindu, reports that in China a similar app was started as a voluntary service for informing users of their potential exposure to infected persons, but it soon began to be used as an e-pass for allowing access to public transport.

Situations seem similar in India, where the Aarogya Setu app shows a tab titled “E-pass coming soon”.

The app, which is based on voluntary consent, can thus violate the fundamental rights if it is used an E-pass required for moving around.

Individuals will be forced to download and use the app to be allowed to use basic amenities. Citizens will be bound to give up their fundamental rights of privacy to use government benefits.

Aadhar was too initiated as an optional programme to provide government benefits to citizens based on their voluntary consent. But was made compulsory for even private services such as banking and mobile phone registrations.

The App Once Exposed Location Data Of Users To YouTube

The app noted, “When a user filled a self-assessment in the app, and then immediately scrolled down to the YouTube iframe, a referral header containing latitude-longitude information with no other personal identifier was visible to Google”.

Though, this was fixed on 26 April.

Bill Gates Praises Aarogya Setu

Bill Gates wrote in a letter, “I’m glad (Indian) government is fully utilising its exceptional digital capabilities in its COVID-19 response and has launched the Aarogya Setu digital app for coronavirus tracking, contact tracing, and to connect people to health services.”

But he also had previously praised India’s Aadhar, which many experts believe, doesn’t respect privacy.

Contact Tracing Around The Globe

Australia: Keeping Privacy Safe

The Australian contact tracing app named COVIDSafe works in a fashion quite similar to the Indian one. But the app is more privacy-focused. Unlike Aarogya Setu, the app uses only Bluetooth, not GPS. It is completely voluntary and it will be illegal to force anyone to download it. Additionally, Australia “will make it illegal for non-health officials to access data collected on smartphone software to trace the spread of the coronavirus,” according to Reuters.

Israel: A Pretext To Enhance Powers Of The PM

In Israel, Prime Minister Benjamin Netanyahu’s government issued emergency measures allowing the State to track citizens’ cellphone data to curb the disease. Consequently, the PM has been accused of using the pandemic as a pretext to enhance his powers. (From LA Times)

In March, millions of Iranians were reportedly pinged by the government on their smartphones, urging citizens to download an app claiming it could determine if the users or their loved ones were infected by the coronavirus. Millions did so, giving away swath of personal data.

Taiwan: To Check If The Quarantined Aren’t Out

Taiwan government introduced a digital fence to enforce the quarantine of people required to stay home. These people must have their mobile devices switched on thereby allowing the government to keep an eye on them.

According to Reuters, similar conditions are in Hongkong and Singapore:

In Hongkong, location-tracking wristbands are given to those put under quarantine.In Singapore, the government uses text messages to contact people, who must click on a link to prove they are at home.

China: Show Colour Codes To Go Out

Chinese Government has partnered with internet giants Alibaba and Tencent to assign citizens a colour code denoting their health status, which in turn grants them access to subways, restaurants and more.

Users have also reported being erroneously colour-coded and are unable to contact app providers to change their status.

South Korea: Preventing People From Possible COVID Exposure

In South Korea, people are notified with SMSes each time a new coronavirus case is discovered. Websites and apps show a detailed hour-by-hour timeline of where the affected person had travelled. Those quarantined were forced to download an app to ensure they didn’t go out without permission.

First Published at Theciva