In-Depth | Aarogya Setu app: From efficacy to privacy concerns, what’s under the hood of Centre’s COVID-19 contact tracing app

In the fight against COVID-19, the government of India has launched a mobile contact tracing application called Aarogya Setu to help people assess their risk of getting infected with the novel coronavirus and alert authorities if they have come in close contact with an infected person.

Developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology (MeitY) and launched on April 2, the app got a big push when Prime Minister Narendra Modi urged the nation to download it, saying it is an important step in the country's fight against COVID-19.

Within two weeks of its launch, the app became the fastest app to reach 50 million downloads. It has crossed 10 crore registrations in just 41 days.

The app has alerted around 1.4 lakh users in the country about a possible risk of infection due to proximity to infected persons and helped generate information about 697 potential hotspots in the country, said a report published on May 12.

This application is currently getting a lot of attention, not only because of the purpose it serves but also about data security of its users – a concern, which gained momentum after a French hacker and cybersecurity expert who goes by the moniker Elliot Alderson took to Twitter to raise alarm over alleged security issues in the app on May 5.

The hacker looked into the Aarogya Setu app and confirmed Congress leader Rahul Gandhi’s fear that it was nothing more than a “sophisticated surveillance system”.

Hi @SetuAarogya,

A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?

Regards,

Story continues below Advertisement

Remove Ad

PS: @RahulGandhi was right

— Elliot Alderson (@fs0c131y) May 5, 2020

Alderson went on to confirm and tweeted to the government that “A security issue has been found in your app. The privacy of 90 million Indians is at stake” and asked if they could contact him in private. He ended the tweet with a postscript reading: “Rahul Gandhi was right.”

He further confirmed that he did receive calls from the NIC and the Indian Computer Emergency Response Team (ICERT), both government bodies, within an hour of his tweet.

On May 6, a statement was released from the official Twitter handle of the app on data security issues, saying that no data or security breach has been identified by Team Aarogya Setu. Also, it thanked the ‘ethical hacker’ for engaging with them.

Not convinced with the statement, Alderson tweeted, “We will see. I will come back to you tomorrow.”

Since then, union ministers and officials are assuring the safety of the app and counting its success story.

However, with Alderson’s claims and other incidents such as hacking of the app by a Bengaluru-based software engineer, many concerns have been raised with respect to possible security gaps in the application.

The concerns include what data can be collected by the app, who can access it, protocol and more. But before moving to these questions, let’s understand the background of the app thoroughly.

Why Aarogya Setu?

As mentioned earlier, the Aarogya Setu app is a contact tracing solution introduced by the government of India in the wake of the COVID-19 pandemic. It also acts as a one-stop solution for spreading awareness about coronavirus, helping self-diagnose users, providing the latest updates and even to store and display e-pass.

Since its launch, the government has massively emphasised on its use and also made it mandatory under various circumstances, including for public and private sector employees and those living in containment zones. For instance, the Noida administration mandated that all those stepping out in public must have the app on their phones. A similar prescription has been made by the Centre for those who were stranded abroad and are being brought back to India under the 'Vande Bharat' mission.

A version of Aarogya Setu was made available on a model of JioPhone for about five million users on May 14 and will be rolled out for other models in the next few days, Abhishek Singh, President and Chief Executive Officer of National e-Governance Division (NeGD) told news agency PTI. Before this, it was available on both iOS and Android.

The Centre has brought the ‘Aarogy Setu Interactive Voice Response System (IVRS)' for those who do not have smartphones. It is a toll-free service, available across the country, wherein citizens can give a missed call to the number ‘1921' and they will get a call back requesting for inputs regarding their health, according to the union health ministry.

The inputs provided by citizens will be made part of the Aarogy Setu database and the information will be processed to send alerts to people on the action to be taken to ensure their safety, it said.

How does Aarogya Setu work and what data does the app collect?

After downloading, the app asks for continuous Bluetooth access, GPS location and several data. The data collected by the Aarogya Setu app is broadly divided into four categories:

> Demographic data
> Contact data
> Self-assessment data
> Location data

This is collectively called response data.

Demographic data comprises information such as name, mobile number, age, gender, profession and travel history. Contact data means any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals, and the geographical location at which the contact occurred. Self-assessment data is about the responses provided by that individual to the self-assessment test administered within the app. Location data includes the geographical position of an individual in latitude and longitude coordinates.

As the data is stored in the app, it accesses the Bluetooth of the mobile phone to establish close range proximity between two people and also a GPS log of all the places that the devices had been at a certain interval. When two smartphones with the app installed come in each other's Bluetooth range, the app collects information. If one of the two people has already tested positive, the app will alert the other person and in the process allow the government to trace potential cases.

It further sends instructions to help self-isolate and even provide support if a user develops symptoms.

Which department can access the data from Aarogya Setu?

The response data shall be securely stored by NIC and shall only be shared in accordance with the protocol issued by MeitY, which allows the data to be shared with the Health Ministry, Health Departments of state/union territory governments/local governments, National Disaster Management Authority, state disaster management authorities, other ministries and departments of the central and state governments, and other public health institutions of the central, state and local governments, “where such sharing is strictly necessary to directly formulate or implement an appropriate health response”.

Researchers can also get access to the data. Wait, what?

Yes. The protocol further empowers the NIC to share response data with Indian universities and research institutions/research entities registered in India “only if it is of the view that such access is sought for the purposes of statistical, epidemiological, scientific or any other form of academic research.

They may also share such anonymised response data with other Indian universities or research institutions/research entities registered in India “only if such sharing is in furtherance of the same purpose for which it has sought approval to access such data from the expert committee”, the protocol states.

Punishment for violators

Any violation of the directions issued by MeitY may lead to penalties as per Sections 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable. Penalty clauses under the Disaster Management Act also have provisions for a jail term for officials.

Is the Aarogya Setu app useful?

The Aarogya Setu app has reportedly alerted around 1.4 lakh users in the country about a possible risk of infection due to proximity to infected persons till May 11, serving the purpose it has been developed.

However, the app is people dependent, which means it needs widespread usage and regular self-reporting to be effective. Given the fact that there are bound to be variations in the levels of self-reporting, the efficacy of the app is apparently not foolproof.

What are the concerns being raised over Aarogya Setu?

Initially, Rahul Gandhi raised concerns over the data security of users, as he said that the Aarogya Setu app is a "sophisticated surveillance system, outsourced to a private operator, with no institutional oversight".

However, the issue of the app’s data security triggered after Alderson took to Twitter and said, “A security issue has been found in your app.”

Following this, he made several disclosures regarding the issues he reported about the app in an article, titled, “Aarogya Setu: The story of a failure”

In the article, he claimed that 49 minutes after his initial tweet, NIC and the ICERT contacted him and he sent them a small technical report.

“Few hours after that they released an official statement,” he said.

Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom

— Aarogya Setu (@SetuAarogya) May 5, 2020

The statement was summed up by Alderson as “Nothing to see here, move on”.

He called the app a “surveillance system.”

“A mobile application that sends your GPS coordinates regularly to a server owned by a government is a surveillance system. #AarogyaSetu is a surveillance system,” tweeted Alderson.

He further said that “Forcing people to install an app, doesn’t make a success story. It just means that repression works.”

Besides Alderson, a Bengaluru-based software engineer has hacked the Aarogya Setu app. The programmer, who goes by the name of Jay, apparently breached the app's defences in less than four hours. Jay told BuzzFeed; “I didn’t like the fact that installing this app is slowly becoming mandatory in India. So I kept thinking of what I could personally do to avoid putting it on my phone.”

Jay managed to bypass the page that requested personal information like name, age, gender, travel history and COVID-19 symptom checker. He also managed to access the app without giving all the necessary permissions.

Also, former Supreme Court judge, Justice BN Srikrishna, has questioned the use of the Aarogya Setu app over a possible breach of data use. He said this (app) is some kind of patchwork that will cause more concern to citizens than to benefit them.

The former apex court judge said that there was no accountability in the system in case of a data breach in the absence of proper legislation in place.

As NIC is free to share personal data from the app with government departments and public health institutions, it could be used to create permanent government databases containing sensitive personal information about Indian citizens, said New Delhi-based digital rights group Internet Freedom Foundation (IFF). It also raised a red flag about the NIC's ability to share anonymised data with Indian universities and research institutions.

Also, the Massachusetts Institute of Technology has given two out of five stars to Aarogya Setu. The app reportedly lost points because of the lack of transparency, making the app compulsory and not defining who the data is shared with.

What the government has to say about the safety of Aarogya Setu?

Aarogya Setu is "secure" and there is no privacy breach in it, said Union IT minister Ravi Shankar Prasad, rejecting charges that the app breaches privacy.

A clarification was released on the alleged data breach in the app, assuring that the app keeps the data safe and private.

Also, a video message was shared by the central government, saying the app is completely safe and the data of the users are fully secure. In the two minutes 39 seconds video, it was explained that the information submitted by a user is encrypted and safely stored in the server.

It further explained that the information about the person is only sent out of the mobile phone to the servers if the person is found to be COVID-19 positive.

The information will not permanently be stored in mobile or server, explained the video.

The captured information gets deleted from the phone in 30 days and from the server after 45 days. In case the user found positive for the novel coronavirus, the information from the server will be deleted after 60 days, the video explained.

Surrounded by allegations of the data breach and its defense by the Centre, the COVID-19 contact-tracing application continues to get popular among Indian masses with the number of downloads increasing exponentially.