New Delhi: The Narendra Modi government made its contact-tracing app Aarogya Setu voluntary on 17 May, weeks after several privacy experts raised questions over the app which the administration is using extensively in its battle against the Covid-19 pandemic.
Even as Aarogya Setu joins government-backed Covid contact tracing apps from other countries that can be used voluntarily, its software source code remains private, meaning the code that created the app is not available for public scrutiny.
This is unlike other such apps from some major countries.
The Modi government has no immediate plans to make the code open source either. In an 11 May interview, IT secretary Ajay Prakash Sawhney told Business Standard, “If I open up my source code, and say, some 50,000 people start criticizing it, raising issues every day, we will have to spend too much time in reacting to those. We might do that for all in due course, but right now we are planning to open it up to some of the top cybersecurity experts in the country.”
As privacy questions persist over the app, ThePrint compares Aarogya Setu and five other contact-tracing apps backed by governments in the UK, Australia, Singapore, Israel and China on five criteria.
Tech policy think-tank The Dialogue has encouraged the Modi government to make the source code for Aarogya Setu public.
“The app needs to be transparent and verifiable. It is important that to popularise it among the masses, the application be open source,” it says.
The UK, Australia, Singapore and Israel have open-source apps. The details about China are not available.
“Difference between open source and reverse engineering is that open source gives legitimate access to the source code used to build app, where as reverse engineering is breaking down, analysing app using third party tools and trying to guess what the source code might be,” said Atul Kabra, co-founder of cybersecurity firm PolyLogyx.
The less data an app collects, the better it is considered for a user’s privacy. In its critical comments on Aarogya Setu, Internet Freedom Foundation said, “…data collection needs to be necessary and proportionate with regard to the purpose for which it is being collected.”
India’s Aarogya Setu leans towards collecting more data than other government-backed apps on this list, with the exception of Australia and China. See chart.
GPS and Bluetooth usage
Aarogya Setu uses both GPS (global positioning system) and bluetooth tech for contact tracing.
There are privacy concerns over a contact-tracing system using GPS to track locations where users may have come into contact with each other. It is primarily due to this that US internet giants Apple and Google will reportedly not allow location tracking or use of GPS data in the contact tracing tool they are building together for any government that may wish to use it.
Instead, this tool will use bluetooth technology to detect users encountering each other.
Existing contact tracing apps from Singapore, Australia, and the UK also use only the bluetooth tech. However, these apps are not using the tool which Apple and Google are making.
In contact tracing, bluetooth tech is not used to track location but to detect nearby devices which have the same contact tracing system installed. A phone with bluetooth switched on emits signals that other phones with bluetooth switched on can detect. Two such phones will exchange information like date and duration of the encounter and will be stored on each other’s phones at the back-end (not accessible to the user). This information is typically linked to a user ID generated by the contact tracing app and helps the government server keep track of which user device uploaded what information.
Bluetooth is considered more accurate than GPS, which may incorrectly show all users in a congested area as users that have encountered each other.
However bluetooth also has a weak point in contact tracing, specifically in iPhones. In iPhones, if an app is not actively running on the screen but is only operating in the background, then the app can’t use the bluetooth tech to effectively scan for nearby devices, rendering contact tracing ineffective.
In this list, Israel is the only other country that uses GPS. China is using the infrastructure of pre-existing apps like Alipay and WeChat.
Centralised data storage?
Non-profit organisations working on digital rights and privacy say decentralised storage, where data collected from contact tracing apps remain on each user’s phone, is better over a central government database where all users’ data can be stored (centralised storage).
Except China, for which information isn’t available, all the countries on this list have centralised storage.
These countries require users, typically people who are Covid-positive or at the risk of turning Covid-positive, to allow the app to send information logged at the back-end of their phone to the government server. This may include information about other users they may have encountered in recent weeks.
Data storage duration, and access
Amid privacy concerns, data deletion as soon as possible, and access to only a minimal and most essential number of authorities is preferred.
Information isn’t available on the other two.
An 11 May Ministry of Information and Technology protocol for Aarogya Setu said the data after undergoing “hard anonymisation” can be used for research purposes, indicating that the data may still be available in some form. It said the stipulated data retention clause is not applicable to anonymised data.
Internet Freedom Foundation, which analysed the protocol, said, “There is no policy for destroying contact, location and self assessment data based on a user request… The total failure to consider user-request based destruction of such data amounts to retaining personal data without consent and is a clear breach of the right to privacy.”
Subscribe to our YouTube channel.