Nimish SawantMay 9, 2020 3:00:15 PM IST
When we started the seventh week of blocking, the rate of COVID-19 infections just doesn't seem to be decreasing. Every day, the chart looks like a trekker ascending Mount Everest, with the summit nowhere in sight. With most of the 1.3 billion people confined to their homes and locked up, things don't look like they are going to change anytime soon. The government announced new measures as of May 3 regarding new changes in the newly defined red, orange and green zones.
One way that the Government of India hopes to follow the trends of COVID-19 is through its Aarogya Setu app. Launched on April 2 and developed by the National Computer Center (NIC), the Aarogya Setu cross application 90 million downloads on May 4, according to the CEO of NITI Aayog, Amitabh Kant. Prime Minister Narendra Modi himself called on the citizens to download this app in his speech to the nation.
Aarogya Setu 101
It is safe to assume that most of us have heard of Aarogya Setu application, as it has been in the news for all kinds of reasons, good and bad. But for those of you who have had a news hiatus to maintain your sanity, the Aarogya Setu The app is a contact tracking app that uses your smartphone's GPS and Bluetooth and alerts you if you have been in contact with a COVID-19 positive patient throughout your life.
Before we go any further, if you want to know what contact tracking means, Nandini explained this very well in this video.
Contact tracking explained in less than 3 minutes
Apple and Google are working on a contact tracking tool; the Indian government has a contact tracking app called Aarogya Setu. But what does contact tracking mean and how does it work? pic.twitter.com/Ia8tggdKnS
– Firstpost (@firstpost) April 24, 2020Advertisement
Contact tracking is a physical method of tracking infected people, meeting everyone who was close to them and encouraging these people to stay home until it is clear that they are not sick. Given the scarcity of medical professionals and the rapid growth of COVID-19 cases, many countries are switching to cell phone contact tracking. To give you an overview, smartphones that you carry around the clock will have an application that communicates with neighboring phones and creates a log of virtual IDs. If you are positive, everyone in the virtual ID log on your device will be informed. Ideally, this will be limited to the region where you found the infected person. Now let's see how this method is implemented in Aarogya Setu app.
After obtaining the correct permissions while downloading the application, it asks you several questions during the registration phase. The application is available in 11 languages and requires you to enter details such as name, sex, age, location, cell phone number and whether you have traveled to a foreign country in the past 30 days. You are also asked to enable your Bluetooth and GPS in order for tracking to be enabled. If someone is nearby, your phone will store the anonymous Bluetooth digital ID generated by that device (as long as the Aarogya Setu the app is also installed on that phone) and your phone ID will be stored on the devices around you. In addition, every 15 minutes, the user's latitude and longitude are stored on the device.
In addition to PDFs with information about COVID-19, the application also has a feature called "Self-Assessment", which allows you to take an online test to determine if there is a chance that you have been exposed. You need to answer a lot of questions and base the guidelines of the Indian Medical Research Council (ICMR), the app lets you know your risk level. Every time you take a self-assessment test, your location data is sent to a central government server managed by the NIC.
On May 2, the government mandatory application download for all of its employees and asked private organizations to ensure that all employees also have the Aarogya Setu application on your phones. "It will be the responsibility of the head of the respective organizations to guarantee 100% coverage of this application among employees," said the ministry. This mandate attracted a lot of criticism from privacy activists.
Advantages of contact tracking applications
Countries such as Taiwan, Singapore and South Korea have used contact tracking applications in their fight to prevent the spread of the coronavirus. There is no concrete evidence that these contact tracking applications have been effective in containing the spread. But apps in Singapore and Taiwan were open to public scrutiny. In fact, in Taiwan, hactivists, developers and citizens worked with the government to develop new features and has been a bottom-up and top-down approach. In the case of Singapore, the TraceTogether The application only needs your mobile number and does not need anything else, and its use is voluntary.
We need to understand that Taiwan and South Korea – the two countries besides China that managed to flatten the curve quickly – have had SARS and MERS outbreaks before, so their health officials are equipped to deal with virus outbreaks or, at least, have the right. systems in place. An Indian example of this would be the state of Kerala, which had the correct systems after the state was affected by the Nipah virus and it has been impressive in containing the spread of the coronavirus compared to the rest of the country.
Contact tracking apps are a measure above responses on the spot.
To put things in context, we need as many users of contact tracking apps as there are WhatsApp users in the country.
“If you ask me if any Bluetooth contact tracking system deployed or in development, anywhere in the world, is ready to replace manual contact tracking, I will say without qualification that the answer is 'no'. Not now and, even with the benefit of AI / ML and – God forbid – blockchain, not in the near future, "said Jason Bay, Singapore product leader TraceTogether app on a Medium post.
Are contact tracking applications effective? According to an Oxford study, contact tracking can be highly effective if there are 60% of the population is actively using apps. This is a large number of people. To put things in context, we need as many users of contact tracking apps as there are WhatsApp users in the country. Getting to this type of voluntary application adoption takes years. Whereas there are approximately 500 million smartphone users in India, and Aarogya Setu The app reached a base of 90 million, which still constitutes about 18% of users. And ordinary phone users who can't download the Aarogya Setu app? We will discuss this later in this article.
Although the government order requires downloading the Aarogya Setu I spoke with about 15 friends who work in the private sector and still haven't found anyone who has heard from their administrators about downloading the application. But there are cases like the head of Zomato, Devinder Goyal determining the use of this application among your employees.
Today, we begin to force each of our delivery partners to install and use @SetuAarogya. The idea is to keep individuals and authorities informed if they cross paths with someone who has tested positive for the coronavirus – to prevent further spread.[6/n] pic.twitter.com/tTok9LyTBA
– Deepinder Goyal (@deepigoyal) April 22, 2020
For the time being, aside from general inertia, the main impediments are the privacy issues raised about the Aarogya Setu app.
The fact that the app is made by the government, which doesn't really have the best privacy history – you just have to watch how Aadhaar was misused – raised many concerns. The act of making the download mandatory for the entire smartphone using the population is another complicated issue. Let's take a look at each of the concerns.
Assuming everyone owns a smartphone is wrong
The Internet Freedom Foundation (IFF), one of the leading groups of experts in digital privacy, says that in the absence of a comprehensive data protection law, the chances of misuse of a contact tracking app ; for systems that control the movement of people are high. It also sent a government representation against Aarogya Setu app.
One of the arguments presented by the IFF against the requirement to download the Aarogya Setu The application is that this will result in discrimination against certain regions with a lower concentration of smartphones. "Specifically, it can lead to detrimental results for people who reside in economically weaker areas," says IFF. Think about it, there is data to support this claim.
Although the smartphone user base in India may have crossed 500 million users, IDC says that there are still about 550 million ordinary phone users and around 45% of ordinary phone users have a device under Rs 1,000. O Aarogya Setu The application will not work on these feature phones. So, what about this part of the population? We saw discrimination against some people who were being entry denied in a pharmacy because they didn't have the Aarogya Setu application on your smartphones.
What would happen to people who don't have a smartphone to start with?
MyGov, which is the government arm behind the Aarogya Setu application, also plans to include non-smartphone users. MyGov CEO Abhishek Singh, in an interview with HT confirmed that the government is working on developing a version of KaiOS of Aarogya Setu application for almost 110 million JioPhone users. For those using ordinary phones, the government has started an IVRS call service to the number 1921.
“Those with ordinary phones can make a missed call at this number. Then we’ll call you back and go through the same questions that are asked in Aarogya Setu app. Based on the responses, the caller will get information about their health condition, ”said Singh.
On what basis is the government ordering the download of Aarogya Setu app?
The application of downloading an application without any legal basis is another area of concern.
According to privacy law expert Asheeta Regidi, there is no law that explicitly allows a government to order an application to be downloaded.
“The Ministry of Internal Affairs orders the use of Aarogya Setu was issued under the Disaster Management Act of 2005. Section 6 (2) and Section 35 give the National Disaster Management Authority and the central government broad powers to define & # 39; policies & # 39; and take & # 39; all measures deemed necessary & # 39; to manage the disaster. . The use of this power to determine the download of an application is similar to the use of Section 144 CrPC to issue shutdown requests from the Internet. The problems that arise are also similar, ”said Regidi in an email interaction with Tech2.
Lack of transparency
“There are already reports that confirm that this server is being linked to other government data sets. This link increases the risks of permanent mass surveillance systems, ”says one IFF report.
“The laws in use today, like the IT Act / DMA, were enacted between 15 and 20 years ago and do not provide for the ways in which the technology can be used today. Activities such as open source, white hat hackers, etc. also fall into a legally gray area. Given that the application is supposedly voluntary and for the public benefit, there is no reason why the government should not invite public participation to guarantee its safety, mainly because it may imply a massive invasion of people's rights, ”says Regidi.
Data minimization is questionable
As explained earlier, the number of details you must fill in before starting to use the application includes a lot of personally identifiable information. IFF compared Arogya Setu with that of Singapore Trace Together and MIT Private Kits: Safe Paths.
According to the IFF, “other applications only collect a data point which is later replaced with a clean device identifier. From India Aarogya Setu collects multiple data points for personal and confidential information, which increases privacy risks. "
Although there is no defined definition of what comprises minimum data, there must be justification for all the information used. According to Regidi, with regard to Aarogya Setu application, the purposes of your lists are quite broad:
- use of anonymous and aggregated data to generate reports and heat maps
- provide people who perform medical interventions with the information they need to do your job
- use of information to calculate the probability that you are infected with the disease, among others
“The collection of confidential data, such as health data, must first meet the purpose limitation principle and then meet the data minimization criteria. The absence of a law here is a major concern, ”says Regidi.
The code is not open to the public
One of the main objections of many privacy activists is that the source code is not open to scrutiny, as the government has not opened it to the public. Prasanth Sugathan de SFLC.in, a privacy think tank that made a detailed analysis of all versions of the Aarogya Setu app, considers that his team's findings were limited because reverse engineering of the application is not allowed. Since the source code of the application is not known, SFLC was able to do an analysis using only the front end of the application and the client side.
“If the government opens the source code and lets people know what is happening on the server side, that information will be very useful. I see no reason to hide the source code, because you are not helping security in any way. If there are vulnerabilities, developers can flag them and that will help fix them more quickly, ”said Sugathan in a phone interaction with tech2.
But, according to the government, there is a reason for not disclosing the application's source code. According to Singh, from MyGov, the application was developed in two weeks, for changes to the code to occur regularly, as the team receives new insights from users. Unless the application is stable, Singh said that releasing the source code would not help much, as there would always be someone setting up false alarms. He also mentioned that this could lead to the misuse of the application by non-state actors.
How long is the data kept on the NIC's servers?
The duration of data retention on NIC servers depends on the cases. Singh claims that data is sent to servers only if a user of the application is positive for COVID-19 and that, at all other times, the data will always be on the user's device.
At the time of registration, the data sent to the servers includes name, phone number, age, sex, profession and countries visited in the last 30 days. The location details are also uploaded to the server. This data will be hashed with a unique digital ID (DiD), which is sent to the application on your phone. Any transaction or query related to the application will be associated with this DiD. This data will remain as long as your account exists and "for the subsequent period required by any law currently in force", a statement as vague as possible and does not generate much confidence.
In addition, there are three instances where data exchange takes place.
- When two registered users contact each other, anonymised Bluetooth data will be stored on both phones.
- Whenever you complete a self-assessment test, your location data, along with DiD, will be uploaded to the NIC server.
- The app constantly collects your location data every 15 minutes and stores it locally on your device. This information log will be uploaded to the NIC's servers along with your DiD only if you are positive for COVID-19 or if self-reported symptoms indicate that you are probably infected or if the result of your self-assessment test is Yellow or Orange. If the self-assessment returns Green, no data will be sent to the servers.
The data in the three cases will be present on the cell phone for at least 30 days. If you have not tested positive for COVID-19, the data will be released after 45 days. If you tested positive for COVID-19, the data will be cleared 60 days after curing. But what if someone testing positive for COVID-19 deletes the app? Also, does deleting the application from your device clear the data or does it need to be done separately? There is no clarity about this.
“According to Section 43A of the IT Act, India's primary data protection provision applies to sensitive personal data collected by a corporation. While this may include government agencies (UIDAI is a corporate body), the Aarogya Setu The application only mentions the "Government of India" without specifying the department / agency. Therefore, it is not clear whether Section 43 applies here, or who can be held responsible for any data breach, ”says Regidi.
But, all things considered, Section 43A and the SPDI IT rules contain provisions that require deletion of data when its objective is achieved. However, it does not give people the right to that information. However, this is part of the next personal data protection law, according to Regidi.
What if I don't want to use the app? What are the ramifications?
Although a punishment has not been announced across the country, if you do not download the Aarogya Setu app, in Noida things are different. Those of you who live in Noida and Greater Noida are will probably be fined (Rs 1,000) or imprisoned (6 months) if they do not have the Aarogya Setu application on your phone.
“All those with smartphones that don't have the app can be registered under Section 188 of the IPC. After that, a magistrate will decide whether the person will be tried, fined or left with a warning, ”said Akhilesh Kumar, DCP Law, and Order to Indian Express.
This also applies to those entering Noida. But there is no clarity on how people who don't use smartphones should comply with that request. The Noida police order is not in line with the government order, which only requires public and private sector employees to download the application. The Noida police order appears to go much further than that and even involves police officers calling residents to see if they have downloaded the app in containment zones.
The IFF has legally contested this order by the Noida police. According to the document, the main reasons for contesting include arguments that the order is contrary to the law, contrary to the facts and violates privacy and personal freedom.
How can the situation be improved?
So far, only Noida has taken the extreme step of announcing measures against those who do not download the app. However, as blockages start to increase (hopefully after May 17), there will be an increasing impetus for private organizations to determine the use of the application. The government also presented the idea of allowing this application to be used in an post-blocking e-Pass, so that there is a greater impetus for everyone to have this application installed.
Bottom line: We may have to live with this application eventually.
How to convince those who are still afraid to use the app?
“The best way to allay fears is to look for technologies that are privacy first, then try to open the open source app and make people understand what the app does, and finally make it clear a sunset clause – for how long you will you keep the information? This includes not only the information collected when you are using the application, but also your personal information. As we do not have a data protection law, there must be guarantees from both the technical and the legal side. This should not be the beginning of a surveillance regime as such, ”said Sugathan.
Addressing the question of whether Aarogya Setu can become a surveillance application, Singh said that was not the goal. He claimed that data for only 0.5% of application users is sent to central servers, because the data is sent only when certain conditions are met. In addition, according to Singh, there will be a limited time within which the pandemic will be contained, a post that will not be required by the application.
“Anyone who thinks this is a surveillance tool is wrong. Only the data of those suspected of having a positive test is sent to the servers with the aim of alerting those with whom you have contacted in the last 14 days … This also helps us to track the locations of suspected patients visited, ”said Singh, saying that even before someone starts using the app, informed consent is obtained. According to Singh, using this app is the only way to help level the curve and reduce the number of cases.
"We can't always get stuck. So, when we are opening up and we realize that cases can still continue to increase, how do you guarantee that it reduces the impact of the virus? So this application becomes an important technological tool to limit this pandemic only to those affected ”Said Singh.
Unlike the past, this time, the government got involved with French security researcher Baptiste Robert, who uses the surname @ fs0c131ty after he reported problems with the Aarogya Setu app. While Baptiste in his Medium post claims that the government responded in 49 minutes, the government does not adequately address the concerns it raised.
A security issue has been found in your application. The privacy of 90 million Indians is at stake. Can you contact me in private?
PS: @RahulGandhi was right
– Elliot Alderson (@ fs0c131y) May 5, 2020
Aarogya Setu's Twitter handle released a statement addressing Baptiste's objections and Singh in the interview with HT ensured that all claims made by any ethical hacker would be taken seriously and worked on.
– Aarogya Setu (@SetuAarogya) May 5, 2020
Is this the only way forward when it comes to tracking digital contacts? Fortunately no.
In the next part of this two-part series, we'll look at how contact tracking applications are working around the world and how the "decentralized" Google-Apple approach is different from that used by Aarogya Setu app.
Find the latest and future technology gadgets online at Tech2 gadgets. Get tech news, reviews, and gadget ratings. Popular gadgets, including laptop, tablet and mobile specs, features, pricing and comparison.