COVID-19: Experts raise privacy concerns about Aarogya Setu app

Prime Minister Modi had asked Indians to register on the app in the fight against coronavirus

 
By Akshit Sangomla
Published: Tuesday 14 April 2020

Divij Joshi’s quote and designation were updated on April 27, 2020. The article was originally published on April 14.

Experts have raised concerns about individual privacy with regard to the Aarogya Setu app, which Prime Minister Narendra Modi has cited as a tool to fight the novel coronavirus disease (COVID-19) pandemic.

Modi urged people to download the app to contribute to the fight against the COVID-19 pandemic during his address to the nation on April 14, 2020. He also asked people to encourage others to do the same.

The app was launched on April 2 by the Union government and already has over 10 million downloads.

At first glance, the app seems useful as it tells a person if s/he is at risk of contracting COVID-19 by taking a simple test. The app just needs the person’s GPS location and Bluetooth to be switched on.

However, experts have pointed out a lot of issues with the privacy policy of the app. The first is with the language.

For instance, there is a line in the policy document which says, “Such personal information stored in the cloud may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.”

“Privacy policies according to the General Data Protection Regulation (GDPR) guidelines should not use the word ‘may’ as it leads to allowance of discretion to the maker of the app. The GDPR guidelines were formulated by the European Union but are followed by countries all over the world, including India,” Mira Swaminathan, policy officer at The Centre for Internet and Society, a Delhi and Bengaluru-based think tank, said.

“The usage of the word ‘may’ gives the creator and implementer of the app the means to do whatever they want with the data. The word ‘should’ should be used instead of may,” she added.

There is not much information about exactly what data will be collected, how long it will be stored, what use it will be put to or how transparent data sharing with private entities will be.

The ‘Terms of Use’ document of Aarogya Setu also states that the Indian government will not be liable for “any unauthorised access to the user’s information or modification thereof.”

Moreover, the user of the app can access the Terms of Use document only after registering on the app and not before.

“GDPR and other guidelines ask you to follow certain principles, especially regarding language and certainty about what will happen to the collected data,” Swaminathan said.

Aarogya Setu is inspired by a similar app used in Singapore called ‘Trace Together’, which was launched on March 21 and was developed by GovTech, a public sector company of the Singapore government.

There are two major differences between the two apps. The first is that Trace Together uses only Bluetooth for contact tracing, while Aarogya Setu also uses GPS location. The second difference is in the two apps’ privacy policies.

In Trace Together, the developers clearly state that they store limited data and do not collect unnecessary information about the users of the app.

“For example, if I come to know that my neighbour has COVID-19, how much of that person’s details are there in my smartphone is not known for Aarogya Setu while this is known for Trace Together,” Swaminathan said.

“This information is limited. Further it does not give out any personal information about the other people to the user,” she added.

Another issue with the Aarogya Setu app’s privacy policy is that even though it says that data will be anonymised and stored with the government for further usage if necessary, it does not mention the technique used for the process.

Anonymisation of data is done to ensure that when the data is used for research purposes, the identities of the people from whom the data has been collected are not revealed.

“Data anonymisation is not a perfect solution for data protection, as sensitive personal data can often be de-anonymised and misused. Policies and decisions based on ‘big data’ collected from smartphone apps can exhibit biases and flawed or unscientific assumptions, which can have terrible repercussions on public health,” Divij Joshi, lawyer and a Mozilla technology policy fellow, said.

To top it all, the government is not liable to the user of the app in case the information gets leaked or is used for an unauthorised purpose. This is clearly stated in the ‘Terms of Use’ of the app.

There are similar privacy issues around other quarantine monitoring, health tracking, diagnosis and COVID-19-related apps being deployed by state governments as well.

Many of them don’t even have privacy policies and Terms of Use in place, which could lead to grave violations of individual privacy in this time of a pandemic.
