SUMMARY
User data will now be erased from government servers 30 days after the account is deleted
The app has introduced two new features on iOS devices— Status Check and Approvals
Status Check allows users to check the Aarogya Setu status of select friends and family
The Indian government’s controversial Covid-19 contact tracing app Aarogya Setu will now let users delete their account in an update released to the app on iOS and Android devices today.
The app update, first reported by Medianama, says that deleting the account on an Android device means erasing information from the government servers 30 days after the account is deleted, deleting all app data from the phone, and permanently cancelling the registration.
The report highlighted that in the earlier version, the data stored on the device such as location and Bluetooth data not yet uploaded to the server, was deleted, but personal information (name, gender, age, profession, travel history), which was uploaded to the government server on registration, would be retained for at least 30 days even after the app was deleted.
Further, in an iOS update, it has introduced two new feature on iOS devices (version 2.0.0) — Status Check and Approvals. Status Check allows users to check the Aarogya Setu status of close ones by adding their account through a QR account. Approvals allow external, third-party apps to access the user’s Aarogya Setu status.
The report further noted that the privacy policy and terms of use have not been updated to reflect these new features, data sharing and permissions. The app, which is available in 11 languages was launched on April 2, offers a self-assessment test, and captures the user’s vulnerability to Covid-19 infection and gives contextual advice. It also empowers people with information on the potential risk of infection and how to avoid it.
It also leverages Bluetooth and GPS-based location tracking to identify the possible positive coronavirus cases around the user. It detects other devices with the app and alerts users based on proximity to the device. It also captures all information and informs authorities about the movement of suspect cases.
As per the app’s privacy policy, all personal information is stored locally on the device and will be used by the government (via the cloud) in anonymised, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations. However, privacy advocates have questioned the use of this data once in the post-Covid world. Aarogya Setu’s privacy vulnerabilities were revealed in public by French hacker Robert Baptiste, who goes by the name Elliot Alderson. According to Baptiste, anyone with the right technical know-how can find out the Covid-19 status of a given area by exploiting a flaw that allows users to set a location within the Aarogya Setu app.
Though the app clarifies that the user data will not be shared, it adds that personal information may be shared with other people for necessary medical and administrative interventions.
