The app collects contact information, location and self-assessment data of users
Previously, Aarogya was given two out of five starts by MIT Technology
The de-ranking coincides with Apple and Google launching their API to enhance the quality of contact-tracing
MIT Technology Review, a magazine owned by the prestigious Massachusetts Institute of Technology, has downgraded India’s contact trace app Aarogya Setu app. In an in-house review, it downgraded the application’s rating to one star out of five. Researchers had earlier given it 2 out of 5. a than required.
The app lost more points on the parameters of “data minimisation” which means the app is collecting more data than needed for the app to work.
The report ranked 25 individual, significant automated contact tracing efforts globally on five factors — voluntary or mandatory usage, usage for public health purposes only or law enforcement, provision for deleting the data within a reasonable amount of time, data collection and transparency.
The app’s privacy policy states that only contact information, location and self-assessment data will be collected by National Informatics Centre (NIC), who will also be responsible for deleting the data after a reasonable period of time.
The de-ranking of the Aarogya Setu coincides with Apple and Google, in partnership, launching their own application programming interfaces (APIs) to enhance the quality of the existing contact tracing apps. The companies had clarified that the API cannot be downloaded by users, but can be integrated with other contact trace apps.
The API offers a range of features that can be incorporated in the existing contact trace apps as well. For instance, the solution requires user permission for opt-in for ‘exposure notifications’ and not collecting location data from the device. Meanwhile, a person tested positive for Covid-19 will have the option to report it in the public health app.
As of now, 23 countries have requested and received access to the API so far. Google and Apple are expecting more requests in the coming weeks.
The API relies on bluetooth for contact tracing and does not collect user location data, according to Paran Chandrasekaran, CEO and founder of cybersecurity firm Scentrics. On the other hand, Aarogya Setu relies on both bluetooth and GPS location data to contact, trace and collect users’ location data.
According to cybersecurity consultancy firm Defensive Lab Agency’s analysis, the Aarogya Setu app gathers a user’s identity, tracks their movement in realtime, and also checks if other people in close proximity have downloaded the app.
This will allow the app to create a social graph of users by tracking everyone they have been close to, and can expand powers of surveillance once combined with the government’s existing databases. Meanwhile, French hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, has also exposed the vulnerabilities of the app recently.
Alderson highlighted that anyone with the right technical know-how can find out the Covid-19 status of a given area though the app. He also revealed the number of people feeling sick in the Prime Minister’s Office (PMO), defence ministry, Indian Parliament and Indian Army headquarters in New Delhi.