Aarogya Setu: Building a Wooden Bridge Won't Take Us to a Safer Future

It's perfectly possible for a contact tracing app to help us fight COVID-19 while taking our right to privacy seriously. That is what we should demand.

In the past few weeks, we have all been forced to add new words to our vocabulary — lockdown, coronavirus, flattening the curve, PPE, contact tracing and Aarogya Setu being a few of them.

As the pandemic has confined us all to our homes at great costs to the economy, everyone is anxious to get back to “normal life”.

Governments and institutions under pressure have pinned their hopes on technology to provide a reliable solution for us to return to work and play.

Tracking tracking

“Contact tracing” is the process of tracing and monitoring the contacts of an infected person. It involves working backwards from an infected person to identify people who may have been exposed to the disease, so that they can be tested, isolated and hospitalised if required. This process relies on human labour that requires large cadres of contact tracers.

Digital tools have emerged as a method to expand the reach and efficiency of these contact tracers. Mobile apps for “contact tracing” – perhaps more accurately called “exposure notification apps” – can work if they are secure, reliable and used as a tool in conjunction with other proven techniques.

Keep in mind that such tracing is only useful to inform us about who has been exposed. Without widely available rapid testing and treatment facilities, these notifications with their inherent problems merely become a nuisance for citizens already reeling from the pandemic.

Men wearing protective masks move past figures with face masks installed outside a fuel station in Kolkata, May 1, 2020. Photo: REUTERS/Rupak De Chowdhuri

What happened around the world?

After seeing the success of the “contact-tracing” approach deployed effectively by countries like China, South Korea, and Singapore, countries around the world rushed to adopt their own version. At the same time, institutions came up with standards and guidance that such technologies must use.

In the United States, MIT with collaborators from the Massachusetts General Hospital, Boston University, Carnegie Mellon University and Weizmann Institute of Science came up with PACT – Private Automated Contact Tracing.

PACT is an automated approach that permits effective contact tracing while preserving privacy absolutely, which means it would not be necessary to trade privacy for public health.

In the European Union, two competing protocols emerged: PEPP-PT and DP-3T. The protocols differ in their reporting mechanism. PEPP-PT requires clients to upload contact logs to a central reporting server, whereas with DP-3T, the central reporting server never has access to contact logs. DP-3T requires more computing power but it has major privacy benefits. Most European countries including Germany, Austria, Switzerland have chosen DP-3T to ensure that their citizens don’t have to choose between security and privacy.

Last week, Israel’s Supreme Court, warning of a slippery slope, closed the door on phone location technology for contact tracing and ordered for alternatives to be found that don’t result in monitoring citizens without their consent.

Also Read: Aarogya Setu: Six Questions for the Centre on the COVID-19 Contact Tracing App

Under pressure from various governments, Google and Apple have also banded together to create a decentralised contact tracing tool that will help individuals determine whether they have been exposed to someone with COVID-19. They are only releasing APIs that will let others build their own apps. These are also based on the privacy-respecting protocol, DP-3T.

It is important to mention that the efficacy of these apps is still under question as they are bound to generate numerous false positives and negatives leading to life changes that will only erode trust in these tools over time. Here, I will not examine those issues in detail.

Back home

Now that you are all caught up, I will finally address our homegrown Brahama-astra: Aarogya Setu. On April 2, 2020, the government of India launched Aarogya Setu, a location based app that uses Bluetooth and GPS data to alert whenever one comes within six feet of a COVID-19 infected person.

SFLC.in did a detailed analysis of the app, its privacy policy and raised several concerns with its security and data collection practices. Soon a crescendo of expert voices pointed out the issues with the app before it became a political issue like everything else, testing our patriotism.

India does not have a Data Protection Law after several years of deliberation but its citizens do have a fundamental Right to Privacy. However, this right, or any call to take it seriously, is usually dismissed as a Luddite concern by all and sundry.

In any working democracy, one would expect the highest court of the country to be keen on weighing in on this issue but considering the recent reluctance of the Supreme Court to fulfil its role as the protector of our fundamental rights, an analysis of the constitutionality of the recent government order making the downloading of this app mandatory seems like an indulgent intellectual exercise.

Representative image. Photo: Pixabay/The Wire

Here are just a few issues with Aarogya Setu:

* It is a closed source app, which means its source code is unavailable for examination by experts or community audit. The Central government’s  prevailing policy on adoption of open source software aside, this would be a basic for improving security. When did quality stop being important for the sake of speed?

* The liability limitation clause of the Terms of Service limits the government’s liability even if inaccurate information is given by the app or in case of failure to generate true positives. This acquits the government’s liability in case of any harm caused due to incorrect information. The liability clause also exempts the government from liability in the event of “any unauthorised access to the [user’s] information or modification thereof” (emphasis supplied). This means that there is no liability for the government even if the personal information of users is leaked. Thus, the government can require you to use something but if that something is unsafe, there is  nobody to hold responsible for or complain about.

* Instead of allowing people to choose whatever app they may want to get any exposure notification, Aarogya Setu is mandatory for everyone in India. Without delving into unnecessary questions like how many people have smartphones, the app collects personal information and uploads it to a  central server maintained and used by the GoI. With the WhatsApp snooping scandal and the government’s claims in the Supreme Court about protecting the Aadhaar database with high security walls still fresh in our memory, asking us to just the trust in official security practices is a flaky demand.

* Unlike other apps based on privacy-respecting standards, Aarogya Setu collects a user’s location data every 15 minutes and uploads it to a centralised government server in some conditions.

* While the apps’ privacy policy allows a registered user to “add, remove or modify any registration information supplied”, the application does not have an option of account deletion. Please remember uninstalling an app does not mean your account is deleted from that app.

To sum up India’s current situation, the government can order its citizens to use any piece of software without taking any responsibility for its accuracy, security or privacy architecture; it can eliminate the entire system of standards and architecture of the internet by moving fast, breaking things and as its an emergency, citizens can never ask for any review or rights but must feel very proud about this feat.

Aarogya Setu is a small, insecure moving part in a system of fighting this pandemic. In the absence of a robust system, it will only cause harm laying down a blueprint for surveillance without the desired results. It’s not that digital contact tracing shouldn’t be done, but it cannot be seen as a substitute for human contact-tracing teams or replacement for necessary COVID-19 testing, monitoring and treatment.

No technology by itself will pull us out of this mess. If we aren’t careful, we will be left with yet another useless app on our phones – without the desired results that actually are a matter of life and death these days.

Mishi Choudhary is a technology lawyer with practice in New York and New Delhi, and the founder of SFLC.in, a legal services organisation working on law, technology and policy.