The Indian government released the Arogya Setu app; a means that aims to help people to self-assess their chance of being infected with Covid-19. The app utilises Bluetooth technology and GPS generated data to alert citizens about their closeness to Covid-19, infected persons.
Launched by the National Informatics Centre, under the Ministry of Electronics and Information Technology, the application has garnered over 500,000 downloads at the Google Play store within 36 hours from its launch.
On the app store, though, the description reads a bit differently. “The app is proposed at augmenting the initiatives of the Government of India, especially the Department of Health, is actively reaching out to and notifying the users of the app regarding risks, best practices and related advisories about the containment of COVID-19.”
It also states that the app was developed by the Government of India to connect primary health services with citizens in the fight against Covid-19.
What’s under the hood
The app commences by asking for the person’s mobile number to confirm the signup, which can be done in English and ten different Indian languages. It is accompanied by a security and privacy notice that features all the data that the app will collect and utilise.
The app will then ask for access to the device location, accompanied by the switching on of Bluetooth connectivity for 120 seconds. Note, the app requires Bluetooth and GPS to be switched on continuously for it to run.
The self-assessment starts with a request for information such as gender, full name, age, and countries went to in the last 30 days and professional details.
Accidentally, under professional details, the accessible options are only healthcare workers(doctors, paramedics, nurses), delivery workforce, police /law enforcing personnel, pharmacists, industry workers/manufacturers, retailers and grocery shop, workers.
The self-assessment questions are comparatively basic:
Gender and age
Symptom checklist for cough, fever or difficulty in breathing
Symptom checker for whether you had diabetes, hypertension, lung disease or heart disease
Question on overseas travel over the last 14 days.
Questions on whether the user had any recent interactions with people infected with Covid-19 or if you are a healthcare worker who tested a Covid-19 positive case without adequate protective gear.
The application’s dashboard highlights a risk level box which will either put the person below low risk or the high-risk category. It comes with data about Covid-19 help centres and their contact numbers from several states. However, most countries just had the number 104 against their names.
There is also further information about Covid 19 with do’s and don’ts and safety standards to be taken.
The app needs the device location and Bluetooth to be switched on. It’s advised to be set to ‘always’.
“Your data will be shared only with the Government of India. This app does not allow your name and number to be disclosed to the public at large at any time,” is the information that shows up following Terms of Service and privacy.
The app recommends that the personal information received will be stored locally in the device and will solely be uploaded and used by the government in “aggregated anonymised datasets.” (Anonynimzed refers to transfer personally identifiable information from data sets) to create reports, heat maps and different statistical visualisations for the management of Covid-19.
However, the application does not showcase any reports, heat maps or statistical visualisations toward the end-user.
However, personal data may also be shared with such other “important and related persons” as may be needed to carry out necessary medical and administrative invasions. It added.
Regarding retention of data, the app could still hold on to report (other than Bluetooth and GPS) even after the user had uninstalled it for purposes needed under any law which is under force, or for practice under the law.
Does it work?
The app states during installation that the user will be warned if they come into proximity with anyone who could be infected with Covid-19.
When examined the app to find out if the alert feature operates in the real world, the results weren’t reliable.
We used two mobile phones with mobile data, GPS, and Bluetooth enabled and kept them in the vicinity to each other. Fictional data was utilised to complete the self-assessment examination on both phones. One came as high risk, and the other user showed under the low-risk category.
However, the app didn’t send any warnings to the low-risk user even after an hour.
It showed that the self-assessment test could be retaken many times, with diverging results.
Issues in Aarogya Setu app
In less than 48 hours after the Android code of the Aarogya Setu mobile application was launched open for review, at least 165 points of distinct levels of severity were flagged by the software developer community to assist the government in identifying and plugging holes. It consisted of the way it uses Bluetooth for contact tracing to typos within the text.
The number and nature of ideas that poured in could make Aarogya Setu, presently being utilised by over 100 million Indian citizens, one of the first essential government projects improved through public inputs, authorities said.
“People have flagged raised a lot of issues and while among these, many may be minor, what it shows is participatory governance in the making,” said Srinivas Kodali, an autonomous researcher working on the technology, governance and data. “But it needs to be extended to other governance applications and IT systems – it cannot be one-off,” he added.
The programming code of Aarogya Setu for Android phones was distributed publicly on code-sharing website GitHub. An analysis of issues posted by people ranged from concerns over the way the app deployed Bluetooth, typos in the text presented by the application and suggestions for enhancements.
“All suggestions are under review by the technical team,” stated Abhishek Singh, CEO of MyGov. An IT ministry official, who requested not to be named, added that the technical crew had been instructed to inform MyGov in case of a critical issue. Other issues, as stated in the timeline by the government, will be analysed and corrected in the coming days by the team.
So far, no “significant” progress has been flagged, stated the official.
However, some posts said that the version that is available for users to download via the Google Play store is not the same version for which the software code was shared publicly.
One of the more pressing matters, flagged by Sydney-based developer Jim Mussared, worried the way contact-tracing applications use Bluetooth to conclude whether people have been in close contact with a different person.
The vulnerability, which has at most limited been identified in Australia’s COVIDSafe application, provides for long-term tracking of users and probably enables other Bluetooth-based invasion vectors, the global vulnerability listing of the query showed.
“We have not confirmed that the issue exists in the Aarogya Setu app, we just wanted to reach out to the team so they could clarify for sure. Given that it affects other apps, it seemed important to check with them, but we haven’t been able to get a reply by email yet,” stated Mussared in an email to HT.
The researcher added that several issues in contact-tracing apps have come up from multiple countries and that several of these are due to using Bluetooth in this method. The details of this vulnerability will be shared publicly on June 19 at the end of a 45-day restriction that his meant to provide developers time to correct it.
Bluetooth is short-distance radio technology. Its small range is one of the causes why contact-tracing tools have favoured to use it to ascertain close contacts, but the technology itself is exposed to hacking.
Numerous of the other posts on the Aarogya Setu GitHub page also recommended how the Bluetooth deployment could be made more reliable.
The government has declared a bug bounty, offering ₹1-3 lakh for researchers who reveal serious vulnerabilities.
Barriers to approval
For Aarogya Setu to be efficient, the app must be installed on as several phones as possible, and users must continuously update their health status so that community intercommunications can be mapped out. The developing team stated that at least 50% of the population should ideally possess the app installed on their phones, though this vestibule may vary between urban and rural regions. The teledensity in India is highly skewed in the urban areas as contrasted to the rural hinterlands.
So, while it might be simpler to hit the 50% threshold in big metropolitan cities, it will be far more challenging to guarantee coverage in rural areas. Thus reducing the effectiveness of the app in identifying cases in the medium term as the pandemic spread raises in rural areas.
For Aarogya Setu to be efficient and effective, the app must be installed on as multiple phones as possible, and users must continuously update their health status, so that community interaction is figured out.
Though India possesses more than a billion mobile connections, the amount of mobile connections does not equal to the number of different users as India has a multi-SIM culture with all user having multiple relationships. Further, it is regarded that the number of smartphone users is about 550 million. Smartphones can’t download the application and aren’t connected to the leading app stores. Nonetheless, there have been around 100 million installs on smartphones.
Reports also show that new Jio phones, a feature phone launched by telecom operator Reliance Jio, will have its own Aarogya Setu app installed on the device. It is still unclear if there are going to be preparations for the app to be installed on more traditional machines and other feature phones. Thus, the app will hit a natural limit on adoption by the masses, owing to the character of India’s telecom demographics.
On May 1 2020, the home ministry declared it mandatory for government and private-sector workers to install Aarogya Setu on their phones. It announced it was the duty of the head of the company to “ensure 100% coverage of the app among employees.” Nevertheless, subsequent guidelines from the MHA softened the position in this regard, and now urges employers and district officials to guarantee the app’s installation on compatible phones. Introducing the app had also become compulsory for travel through railways and flights, but the current guidelines have relaxed these norms and let different states decide protocols.
However, there is still a vital creep in making the use of the app compulsory over the last two months. Noida city declared an order which made it mandatory for the app to be installed by natives and people who don’t have the app on their phones could invite a jail term of six months. The app has also been made compulsory by e-commerce businesses delivering products. Food delivery firms like Zomato and Swiggy have made it mandatory for all its employees to have the app installed on their smartphones to start their delivery sessions.
Employees and frontline workers have displayed concern over the effectiveness of the app and monitoring by the government using the data gathered following the pandemic are over.
Further, both public and private sector companies have been urging employees to install the app on their phones as they retreat to their workplaces with guidance to line managers to assure compliance with company-wide orders. Employees and frontline operators have expressed concern over the effectiveness of the app and monitoring by the government using the data collected after the pandemic are over. There is anxiety that not having the app installed on their phones will become a check for going anywhere and that those without the app will be denied admittance to different services.
Design and privacy concerns
The Aarogya Setu app is comparable to the contact tracing app formed by Google and Apple and relies on Bluetooth technology. Nevertheless, unlike Apple and Google, it too collects GPS location data. Once installed, the app first accumulates the following demographic information from users: name, gender, age, profession, travel history and telephone number. These aspects are then hashed to a unique device ID and uploaded to a primary database.
To begin with, the server will stay on Amazon Web Services then passed to a NIC server. The app asks Bluetooth and GPS to be switched on all the time and demands admin access for the Bluetooth settings. Admin entrance on devices is a security danger as the application can send more data than required.
When two devices come into vicinity, they exchange these IDs with each other. Specialists point out that the app uses pseudo-static ID somewhat of the more privacy-restricting dynamic pseudo ID as was the situation with Singapore’s contact tracing app. The area and Bluetooth device interaction data are stored locally on the phone.
Still, once a user begins registering symptoms of COVID-19, the system will upload this information to the central server. Their device communications are then traced and mapped out to present clusters or if there are COVID-19 positive patients nearby. Officials state that 15,000 people’s location and Bluetooth information has been uploaded to the primary server.
The location and Bluetooth device interaction data are stored locally on the phone. Still, once a user begins registering symptoms of COVID-19, the system will upload this data to the primary server.
MeITY’s “Aarogya Setu Data Access and Knowledge Sharing Protocol” state that de-identified response data can be shared with virtually any government ministry or agency for forming plans to tackle COVID-19. Though it makes some preparations for data to be shared to third parties places situations that they will not be disclosed to any other body, it also has a data retention time frame of 180 days for private data which is held, and third parties will have to agree with specific rules as well.
Measures such as obtaining the code open source and removing limitations on reverse-engineering the application are appropriate steps and will increase transparency and assist in building trust.
Though the earlier changes are welcome, vital concern remains, namely that there are no precise methods for users to opt-out of the app. In part on user rights, it is stated that users can cancel their registration and all the data that was provided will be deleted after 30 days of the terminus. However, the app does not offer a provision to remove the booking or delete the account, and it is unclear if a person eliminating the application on their device will be counted as dropping their registration.
The current pandemic is a public health emergency, and personal rights need to be tempered with the common purpose and the greater good. However, the Indian government manages to view citizen’s data as a natural source to be exploited and monetised. The Economic Survey of India 2018-19 states that citizens’ data should be treated as a common good, and some elements should be monetised by providing access to private companies to ease the burden on government finances. Precaution should be taken that ministries and government agencies do not utilise this data as a means to profit.
Actions such as making the code open source and eliminating restrictions on reverse-engineering the application are concrete steps and will increase transparency and assist in building trust.
What happens to the app and information after the pandemic is gone?
The Knowledge Sharing Protocol possess a sunset clause of six months, and that indicates that the personal data will be removed after this period. But it also has a prerequisite to extending the period of the sunset clause. It requires to be noted that this sunset clause does not refer to the Aarogya Setu app, and it may be repurposed after the pandemic. Concerns of a function creep are now manifesting with the Aarogya Setu developing team’s plans for combining telemedicine, e-pharmacies and home medical diagnostics to the app in a different section called AarogyaSetu Mitr.
NITI Aayog officials have stated that the app will have no use after the pandemic, but it will put the foundations for building the National Health Stack (NHS). A story from The Ken points out that the Aarogya Setu will be the “master” app for the National Health Stack very similar to how BHIM was the “master” app for the Unified Payments Interface (UPI). The NHS is a collection of cloud services which keep a national health electronic registry, coverage and rights platform, a personal health records frame and an analytics platform that can be accessed through a collection of APIs by third parties.
As India still does not own a Personal Data Protection law in place, it would be ill-advised to expand the scope of Aarogya Setu far beyond its fundamental purpose of tracing COVID-19 patients. It is yet unclear how the National Health Stack’s consent program will work and if there are adequate safeguards for sensitive personal data including health reports, prescriptions and discharge reports.
Moreover, India currently stands at number four in terms of COVID-19 positive cases at the time of writing this. Therefore, it becomes more critical that Aarogya Setu fix its queries of exclusion for effective health monitoring rather than making more functions. There is a requirement for the government to show the effectiveness of the app to establish trust between frontline health workers and citizens.