The Government of India has been aggressively pushing the adoption of a new app called ‘Arogya Setu’ which aims to act as a precautionary measure against COVID-19 outbreak. However, there have now arrived some concerns related to the app’s privacy measures.
The app has been made available both on Google Play and Apple App Store and has already crossed 10 million downloads.
This app aims to keep its users informed about crossing paths with someone who might have tested positive for the coronavirus. The app tracks a user via Bluetooth and location-generated social graph, which is then able to show if the user has had any interaction with anyone who has tested positive for the virus.
Arogya Setu also has a self-testing feature wherein the user is made to answer a number of questions based upon which he/she is suggested if they might have potential COVID-19 symptoms or not. If the app predicts that a user does show the symptoms of COVID-19 then the information is passed on to a government server which then is supposed to help the government start the isolation procedure.
Arogya Setu: An ‘Unhealthy’ App For Privacy?
The New Delhi-based IFF (Internet Freedom Foundation), in a detailed report and analysis on contact tracing apps, has recently raised some serious concerns about the app’s collection of information, purpose limitation, data storage, transparency and accountability.
The Internet Freedom Foundation aka IFF is an Indian non-governmental organisation that conducts advocacy on digital rights and liberties and their concerns have come amid the Indian Government’s claim that the Arogya Setu App has been designed with a “privacy-by-design” approach.
The report points out the fact that there is no specification when it comes to which department or ministry or officials will be able to access the data collected by the app.
Sidharth Deb who is the IFF’s parliamentary and policy counsel along with being the author of the report, in a statement has said that “the disclosed purpose for the app is vague enough for the government to repurpose it or expand its scope.”
He also mentioned that the involvement of the health ministry when it comes to the creation of this app has been minimal which stands in stark contrast with that of the Google-Apple announcement to create a similar app together with the public healthcare authorities.
IFF’s report has also raised concern about the Aarogya Setu’s use of data location data via GPS trails in addition to that of using Bluetooth. According to the foundation, this heavily deviates from global standards related to privacy as apps are restricted to only Bluetooth-based technology to match devices without revealing the exact location.
It has been pointed out by the report that this framework has been sternly suggested by the Massachusetts Institute of Technology (MIT) and has been implemented in the case of the TraceTogether app of Singapore which performs the same functions as that of the Arogya Setu App.
Siddharth Deb has further added that the GPS trail feature wouldn’t apply indoors such as in mass transit situations lie the metro or trains and therefore Bluetooth is a more sensible and preferred choice from the standpoint of usability as well as privacy.
Lastly, the report added the fact that there are also chances of misidentification aka a false-positive if the device is switched or is shared among two or more people. It has been shown by the report how the algorithm-based predictive model which the Arogya Setu app is currently using to determine if a user has come in contact with a COVID-19 positive patient is completely deviating from how a contact tracing app usually works.
It is quite alarming that these concerns that have been raised about the Arogya Setu app came in at a point of time when people have already installed it in droves. Therefore, the Indian Government should definitely try to resolve and mitigate this issue as soon as possible. We will keep you posted on future developments.