Virus tracing app raises privacy concerns in India

An Indian man uses Aarogya Setu app on his mobile phone in New Delhi, India. (AP)

NEW DELHI — As India enters an extended coronavirus lockdown, the government is actively pursuing contact tracing to help control infections. At the heart of the effort in the country of 1.3 billion people is a government-run smartphone app that critics say endangers civil liberties in how it uses location services and centralizes data collection.

In April, India launched the Aarogya Setu app, which helps people identify whether they have been near someone who tested positive for the virus. Since then, the app has been downloaded more than 90 million times in a country with a smartphone user base of about 500 million. To popularize it, a campaign featuring Bollywood celebrities was launched.

But the monitoring technology, which uses GPS and Bluetooth, has prompted a raft of questions about privacy, security and potential data breaches — and whether it gives the government snooping powers.

“Aarogya Setu is a form of surveillance and inflicts tangible privacy injury,” said Apar Gupta, executive director of the Internet Freedom Foundation.

On Wednesday, Ravi Shankar Prasad, a senior minister, said the app was “robust” in terms of privacy protection and data security. The government also said no data or security breach had been identified with the app after a French security researcher exposed a flaw he said could allow virus carriers to be pinpointed.

Mobile tracing apps to help contain infections have already been developed in the U.S., China, Singapore, Australia and many European countries. Other countries are scrambling to deploy their own smartphone tools and tech giants Apple and Google have jointly devised a software solution designed to preserve user privacy and avoid the kind of amassing of user data on centralized servers done by India.

But India’s approach is most alarming, in a country lacking a data privacy law, because sweeping orders have made the app mandatory for many.

The government requires the Aarogya Setu app be used by all workers, both private and public, and by members of the military. Installation of the app is also mandatory in regions declared as containment zones. Stranded Indians abroad who wish to be repatriated also need to install it on their mobile phones before entering the country.

Now, the police are stepping in.

In Noida, a burgeoning satellite town half an hour’s drive from New Delhi, police have made it a punishable offense if people don’t use the app.

App users must answer questions posed by a chatbot about whether they have any COVID-19 symptoms, pre-existing health conditions and about their travel history. Those suspected of being infected are contacted by health authorities, who track cases in a database.

Millions of Indians, many oblivious of any privacy concerns, have enthusiastically downloaded the app at Prime Minister Narendra Modi’s urging. Some businesses have said their employees cannot work without the app.

“It will be very good if almost everyone uses it,” said Umesh Ram, a food delivery rider.

But some are cautious.

Satish Kumar Rastogi, an electrician, recently deleted the app from his phone. “Imagine if I put wrong details by mistake, then it will give wrong information about me,” Rastogi said.

The government has not said if it plans to impose fines on people who don’t install the app, but hopes that if infections are tracked with the help of the app, more people will be able to resume at least part of their normal routines. India is the hardest-hit country in South Asia, with over 56,000 confirmed coronavirus cases and more than 1,800 deaths.

Critics fear the database could be breached by hackers and the monitoring technology used to collect personal information and exert social control. The app is vague about which government departments will have access.

Abhishek Singh, the chief executive of MyGovIndia, which developed Aarogya Setu, said the app “will not reveal anyone’s personal details” and the “data in the app is completely secure.”

But French security researcher, Baptiste Robert, said in a blog post Wednesday that he was able to modify the app to pinpoint the location of infected users. Writing under his online pseudonym Elliot Alderman, he said he was able to spoof his location in order to look anywhere in India for infected users.

Privacy rights organisations are urging the government to make the app’s source code public to increase transparency.

The monitoring technology is also opposed by the main opposition Congress party. Last week its leader, Rahul Gandhi, called the app “a sophisticated surveillance system.”

India is not new to privacy violations and data breaches. In 2018, a controversial billion-member biometric database called “Aadhaar” was breached, putting the identity details of more than 1 billion citizens at risk.

Similar cases of data breaches have been reported during the pandemic.

Many Indian states published quarantine lists on their official websites which included names of people who were suspected of being virus carriers. The app, experts say, presents similar concerns but on a much larger scale.

Apart from the privacy concerns, there is little evidence that the app will be effective without widespread virus testing, which India lacks. India is testing around 75,000 samples daily. Health experts say this number is not enough.

A recent study by epidemiologists at Oxford University estimated that 60% of the population in any given area need to use a contact tracing technology, combined with other measures such as broader testing and the quarantining of vulnerable people, for the app to be able to contain the virus.

“India has to couple contact tracing technology with far more broader testing. Testing is the primary solution to halt the infection spread,” said Dr. Anant Bhan, a public health and bioethics expert.

Read more...