SUMMARY
Aarogya Setu cleared just two of the five criteria in MIT Technology Review’s report
The contact tracing has alerted over 1.4 Lakh users so far, the government claims
Kerala HC has sought central government guarantee on the deletion and proper use of data
The Indian government’s contact tracing app Aarogya Setu has been gaining attention for both good and bad reasons. The app has been downloaded by over 10 Cr users and is said to have alerted over 1.4 Lakh users so far about potential Covid-19 contact. However, its mandatory usage and privacy concerns have also been raised by many as well as its potential use for mass surveillance.
Even as the Indian government has promoted the Aarogya Setu app as an absolute necessity, it has also gained international attention due to the large scale and some of the privacy-related vulnerabilities in earlier versions. Now, as per an MIT Technology Review report published on May 7, India’s Aarogya Setu does not stand on par with its global counterparts on several aspects.
The famed university ranked 25 individual, significant automated contact tracing efforts globally on five factors — voluntary or mandatory usage, usage for public health purposes only or law enforcement, provision for deleting the data within a reasonable amount of time, data collection and transparency.
India’s Aarogya Setu only cleared two of these criteria. The app’s privacy policy states that only contact information, location and self-assessment data will be collected by National Informatics Centre (NIC), who will also be responsible for deleting the data after a reasonable period of time.
“Unless a specific recommendation to this effect is made in the review under Para 10 of this Protocol, shall not ordinarily extend beyond 180 days from the date on which it is collected, after which such data shall be permanently deleted,” The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, issued by the IT Ministry highlights.
Kerala HC Seeks Govt Report On Aarogya Setu Privacy
Taking the rising privacy and data collection concerns into account, the Kerala High Court, on May 12, asked the central government to guarantee that the information collected by Aarogya Setu will not be misused. The court has sought a report on the app’s privacy safeguards from the centre.
John Daniel, general secretary, Thrissur District Congress Committee, filed a petition in Kerala High Court challenging the mandatory use of the app. Daniel pointed out that the centre’s directive had violated the fundamental rights of the citizen. There was also a possibility of misuse of the personal data collected by the app as well as surveillance of citizens.
It must be noted that India was not the worst of the various contact tracing solutions that MIT Review tested. China’s health code system earned a score of zero after failing all criteria. Contact tracing solutions from Austria, Czech Republic, Iceland, Israel, Norway and Singapore received five stars and cleared all criteria.
Aarogya Setu’s privacy vulnerabilities were revealed in public last week by French hacker Robert Baptiste, who goes by the name Elliot Alderson. According to Baptiste, anyone with the right technical know-how can find out the Covid-19 status of a given area by exploiting a flaw that allows users to set a location within the Aarogya Setu application. Using the flaw, Alderson was able to find that five people each in the Prime Minister’s Office (PMO) and defence ministry who had reported that they were feeling unwell today (May 06).
The cybersecurity expert also said that inside the Indian Parliament, an individual updated their status to infected while two people said they were feeling unwell. He also found that two people had selected the unwell option inside the Indian Army headquarters in New Delhi.
