India Covid-19 Tracking App Raises Red Flags

Concern is that governments could track more than just illness

By: Neeta Lal

A smartphone app launched by India’s Modi government to track potential Covid-19 victims has been met with suspicion by privacy-focused groups because of the possibility that data could be shared with a wide range of government agencies.

Fears over such coronavirus-tracking apps have been expressed in other countries including Singapore, whose contact-tracing methods have generated similar apprehensions. US technologists are exploring methods such as leveraging smartphone location data and developing Bluetooth systems to emit signals if users have been in the proximity of an infected person.

The overriding concerns revolve around access to user data by the government. Although the Indian device’s privacy policy prohibits the sharing of user data with third parties, one clause has raised red flags. It specifies that tracking data could be shared with as many agencies as the government deems fit for purposes other than epidemic control should there be legal concerns.

Once permission is granted to access a smartphone’s GPS and Bluetooth technology, a status report is generated about the phone’s user and notifications are issued to alert them about the proximity of virus-infected patients.  Developed by the National Informatics Center, which comes under the Ministry of Electronics and IT, the tracking app is available on both Android and iOS smartphones.

The app, called Aarogya Setu, created a world record of sorts by being downloaded by 50 million users within just 13 days of its debut. It is now being used in the campaign against the coronavirus, which so far has been recorded as infecting 12,322 victims and taken the lives of 405.   

Besides the main tracker feature, Aarogya Setu also allows users to take a quick test to check if they have any symptoms. Movement data is tracked regularly to ensure the seamless and smooth functioning of the service.

Frederike Kaltheuner, an independent Mozilla Tech Policy Fellow, said he feared that possibilities that the user’s harvested data might be used for purposes other than medical emergencies can’t be ruled out.

The Internet Freedom Foundation released a paper earlier this week that mentioned major privacy issues within the Aarogya Setu app. “Unlike Singapore and MIT, India's contact tracing project lacks transparency,” Sidharth Deb, Policy and Parliamentary Counsel at the IFF, wrote in a paper quoted by local media.

The paper states that the app’s privacy policy “does not specify which departments or ministry or officials will be the ones accessing that data,” with “a lack of specificity adding to concerns of overreach.”

The app, according to the critics, could be used beyond the purpose it was created for and evolve into a “permanent architecture” without clarity and limits. The report also raised concerns about Aarogya Setu’s use of location data via GPS trails (in addition to Bluetooth), which it adds, deviates from “privacy-focused global standards,” which are restricted to Bluetooth-based technology, which can match devices by not revealing the exact location.

The analysis of the Aarogya Setu app published by the Paris-based cybersecurity consultancy Defensive Lab Agency highlights that, besides the user tracking function and contact tracing function, the app could be used to turn on built-in sensors such as the microphone. It also has the potential to access a smartphone’s data and contacts, it stated.

Unperturbed by all this, however, the Indian government is going full steam ahead to push the app. Its downloads were encouraged by Prime Minister Narendra Modi during his national addresses. “Download the Aarogya Setu mobile app to help prevent the spread of [the] corona infection. Inspire others to download the app as well,” Prime Minister Modi said during his address to the nation.

In a tweet on April 8, Modi wrote: “Aarogya Setu is an important step in our fight against COVID-19. By leveraging technology, it provides important information. As more and more people use it, its effectiveness will increase. I urge you all to download it.”  He reiterated its importance and even provided the links for both Android and iOS users to his followers.

Commercial banks and various ministries are also giving a concerted push to encourage people to use the app. The Central Board of Secondary Education also recommended all its recognized schools and institutions to urge students, teachers, parents, and staff among others to download Aarogya Setu.

What makes India’s case interesting though is that apart from the Center Government, similar contact-racing apps have been launched by many state governments as well to track citizens. Punjab unveiled its COVA app which, like Aarogya Setu, uses Google Analytics for analysis.  Kerala instructed all foreign returnees to download an IBM-owned app called MaaS360, to track the location of those under self-quarantine. Karnataka’s “Quarantine Watch” requires the individual to take a “selfie” every hour between 7 a.m. and 9 p.m. to relay a real-time status report of the quarantining individual.

However, with no transparency on who can access the data and how long it will linger on government databases, critics say, the overarching worry is that the whole procedure and location tracking policies smack of China’s surveillance tactics.  Parallels are being drawn between China as a surveillance state and how through the app India is in a similar process to deploying surveillance technologies to snoop on citizens.

“I think the bigger concern is this is going to open the floodgates of mass surveillance later on,” Pallavi Bedi, policy officer at the Center for Internet and Society was quoted as saying.

“The fear of the unknown far outweighs the app’s benefits,” says a Delhi-based civil rights lawyer. “It offers the government the perfect excuse to expand surveillance in the absence of a data protection law. Users can hold neither the app’s developers nor the government accountable for any privacy breach. Besides, which government agency or independent body is overseeing the database and data collection? What happens if there’s overreach while accessing private date? I’d like to know.” So would India’s 1.3 billion people.  

Neeta Lal is a longtime Asia Sentinel contributor.