For days, Jay, a software engineer in Bangalore, watched with increasing alarm people in India forced to install the government coronavirus contact tracking application. Then he rolled up his sleeves and pulled out his guts.
"I didn't like the fact that installing this application is slowly becoming mandatory in India," said Jay, who asked for a pseudonym to speak freely. "So I was wondering what I could do in person to avoid putting it on my phone."
Jay started work at 9 am on a Saturday. He typed in the application code to bypass the registration page that required people to register with their cell phone numbers. More pruning allows him to ignore a page that requested personal information such as name, age, sex, travel history and symptoms of COVID-19. Then he cut off the permissions he considered invasive: those that required access to the phone's Bluetooth and GPS all the time
At 1 pm, the app had become a harmless shell, without collecting data, but still displaying a green badge, declaring that the user was at low risk of infection.
"That was my goal," said Jay. "I was successful. You can show the green badge to anyone if they ask to check your phone and can't find out."
The Indian government launched Aarogya Setu (in Hindi for "a bridge to health") in early April. According to India's IT Ministry, it has been installed almost 100 million times – on about a fifth of Indian smartphones. But the application has worries drawn of privacy experts from around the world, who claim that, in the absence of a federal privacy law, it can be used as a state surveillance tool after the end of the pandemic, as it requires constant access to Bluetooth and location data from people.
Although installing the app was initially voluntary, many Indians found they had no choice. Last month, India’s top food delivery apps ordered facility workers to install the app. Last week, police in Noida, a city on the outskirts of India's capital, New Delhi, ordered residents to install the app or face jail time. That mandate followed feds who required government officials and private individuals to install the app. Indians may also need the app to board trains, flightsand public transportation, work for food delivery companiesor visit pharmacies.
Hackers like Jay have been trying to find ways around this. After creating his own version of the app, Jay shared it with a circle of around 15 friends. It's not a large number, but a leak from any of them could hamper the government's contact tracking efforts – so Jay is trying to keep it private.
But it is unlikely that he will be the only one to break into the application.
Indians with less technology knowledge than Jay are trying to find simpler solutions, with some reports that they have captured screenshots of the green emblem instead of putting the app on their devices.
"I will be booked if I don't have [the] Aarogya Setu [app] installed on my phone? " someone He asked on Reddit earlier this week.
"Make your wallpaper lol", someone replied. "Worked for a friend in Delhi."
"I am rebelling against the mandatory nature of this application," he said. "I don't want to share my location 24/7 with the government." He said the Indian app did poorly against what Google and Apple were helping to build, plans that do not store personal information on centralized servers. "If I were coding this application, I would have chosen to keep data points to a minimum," he said. "If I have your location information for a month, I can evaluate many things about your life."
Jay's concerns are rooted in the history of the Indian government. Ten years ago, when the country launched Aadhaar, a biometric identification system which stored the fingerprints and irises of 1.3 billion Indians in a single database, enrollment was voluntary. But soon, everything was mandatory, required for everything from getting a cell phone connection to registering taxes
"My concern is that, as with Aadhaar, you will soon be unable to go to a restaurant or cinema without the Aarogya Setu app installed," said Jay. "Even if the government doesn't make it mandatory, movie owners will impose it on you. That's the kind of culture we have."
To mitigate privacy concerns surrounding the app, the government of India released a set of rules on Monday about how the app collects and uses data. Among other things, the order says that the data collected by the application will be anonymized and used only for purposes related to COVID-19, but they are scarce in detail. Still, India plans to add new features to the app, in addition to contact tracking, such as telemedicine and electronic passes that states can issue to allow people to move around when India suspends its national blockade.
Jay said it is unlikely to stop hacking the app. "I will accompany them," he said. "If they make significant changes or updates to the application, I will find other workarounds."