The COVID-19 pandemic has hit the world in the worst possible way. Initially, it was compared to the 1918 H1N1 virus pandemic that infected about 500 million people (one-third of the world population) all around the world and claimed the lives of at least 50 million people.
The worst thing about the stats here is that SARS-CoV-2 is being considered even more dangerous than the 1918 pandemic. The virus is considered to be transferred through human-to-human contact via mucus droplets that are released when an infected person coughs or sneezes and, in some cases, exhales.
This is the exact reason for the rapid transmission of COVID-19 from one human to another.
So far, 7.04 million people around the world have been infected with the virus and 404k have lost their lives, the worst hit being the United States of America.
On 10th June 2020, India reached the 5th spot in the “worst-hit countries” list with 277k infected and 7,745 people dead. And these numbers are rapidly increasing with time.
The only cure for SARS-CoV-2 is prevention. Thus the Government of India launched an application named “Aarogya Setu”, the bridge to Health (Sanskrit meaning), on the 2nd of April 2020.
The National Informatics Centre under the Ministry of Electronics and Information Technology developed the application.
Mr. Lalitesh Katragadda, the founder of Indihood, who has earlier worked on building crowdsourcing, population-scale platforms like Avanti for financial inclusion along with Google India Products, worked with a team of 30 volunteers in developing the Aarogya Setu app.
The Aarogya Setu application keeps constant track of users who might have come in contact with each other. It then alerts the users if a specific person tests positive for COVID-19.
How Does Aarogya Setu Work?
Once installed, the application requires the users to fill in personal information like name, age, gender, and profession.
The app has access not just to the information listed above, but also to your contacts and GPS location at all times. Using your phone’s Bluetooth and GPS location, the application alerts its users if they have been near someone infected with COVID-19 by analyzing the database of known positive cases of the virus.
This data is also shared with the government of India.
As per Abhishek Singh, the CEO of MyGov at India’s IT ministry, the Aarogya Setu app will calculate your risk of infection based on how recently you were in close proximity to a COVID-19 patient. It then recommends the measures you need to take.
Your records are saved on the phone until you test positive for the virus or declare symptoms in the self-assessment survey provided by the app. In such cases, the records are uploaded to the server.
The record consists of a user’s name, numbers, gender, travel history, and whether the user is a smoker or not.
Is the App Mandatory?
The Prime Minister of India, Narendra Modi, tweeted in support of the Aarogya Setu application, making it mandatory for all residents of the containment zones and for all government as well as private sector employees.
The application has been made mandatory for all Noida and Delhi residents. If they fail to comply with the government’s order, they would be liable to be jailed for up to 6 months.
Companies like Swiggy and Zomato have also made the application necessary for all employees.
This act of making the app necessary for all is “utterly illegal,” according to BN Srikrishna, a judge at the Supreme Court. He says no law backs such irrational mandates.
In such cases, the ultimate decision has to be taken by the people of India: whether the application should be downloaded or not, whether we must accept the government’s decision or question it, and whether we must first fight the current problem and then think of the future.
There are just too many doubts with answers varying individually.
Aarogya Setu app broke all records in terms of active users. In the first 13 days of its launch, the application recorded 50 million downloads, which now surpasses 100 million.
The controversy revolving around the application started when a French ethical hacker, Robert Baptiste, who goes by the name Elliot Alderson, raised concerns over the potential data breach the app exposes its users to.
He claimed to have found a security glitch that can lead to misuse of the private data of all its users.
Following the tweet, the Prime Minister’s office had a word with the ethical hacker and later tweeted:
The report submitted by the government of India still did not impress the hacker, who seems to believe that Aarogya Setu poses a serious threat of data breach.
In a series of tweets, the hacker rubbished the government’s claims, just as the government rubbished his.
Alderson says, “Forcing people to install an app doesn’t make a success story. It just means that repression works.”
This Twitter war brought to light the “possible security threats” the application may pose. With the number of users surpassing 100 million, the GoI must take all measures to secure every individual’s data.
What Brings Skepticism?
Since Elliot Alderson threw light on the possible security breach, many media houses and individuals started digging into the matter.
This highlighted some severe issues with the app:
- According to the app’s terms and conditions, upon installation, the user “acknowledges and agrees that the government of India shall not be liable if any unauthorized device or person accesses the information or modification.”
- The government’s decision to mandate the application and to sentence those who do not comply to up to 6 months in jail is in no way legal.
The decision goes against the provisions of the IT Acts, and the Personal Data Protection Bill.
- Experts say that the app is invasive from a privacy and security viewpoint.
The app does not restrict your information just to the hands of the health ministry. The biggest threat the app poses is that any third party can access a user’s data. Not only that, but the app also tracks its user’s information, which has been deemed unnecessary worldwide.
- Another hard-to-ignore glitch in the app is its failure to assess proximity. Suppose a COVID patient is on the 1st floor and another user is on the 2nd floor; the application still considers that they have met. Since the app uses Bluetooth to assess proximity and Bluetooth signals travel through walls, the app is more prone to showing ‘false positives’ or ‘incorrect data.’
- The aarogya setu app allows the government to upload a COVID-19 positive user record on the server, which is then sent to persons carrying out administrative and medical interventions related to the virus.
This implies that the government can share the data with practically anyone.
- The application is poorly encrypted. Hence, according to the claims of Elliot Alderson, anyone with a good knowledge of hacking can find out any sick user’s location, name, age, profession, or anything else.
The government of India has rubbished all claims made by the hacker as well as by IT experts and scholars, saying that the application can in no way be a security threat:
- As per the government, the application has been built with privacy as the core principle. Hence the process of risk assessment and contact tracing is carried out in an anonymized manner.
- Upon installation, the app assigns the user an “anonymized ID.” All interaction between your device and the government’s server is done through this ID. Thus no personal information is exchanged.
- An official from the Ministry of Electronics and IT, talking on the “user acknowledgment issue,” said that these clauses are standard across the whole industry, and no company guarantees “unlimited liability”, be it a governmental organization or a private one.
- The government decided that “anyone who tries to misuse the data provided in the aarogya setu app will have to face legal repercussions. But that does not mean we take the entire liability on ourselves.”
- The new guidelines issued by the government prohibit the storage of data beyond 180 days. An individual can even seek the deletion of data from the Aarogya Setu app within a month of raising the request.
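The design the government describes above (an anonymized ID for server traffic, records kept on the phone until a positive test or declared symptoms, storage capped at 180 days) can be written as checks a reviewer could run against an upload payload. The following is an added illustration, not Aarogya Setu code; the class, field names, allow-list and on-device purge are assumptions made for the example.

```python
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=180)          # storage limit cited in the guidelines
UPLOAD_FIELDS = {"anon_id", "contacts"}  # assumed allow-list for the payload

@dataclass
class DeviceLog:
    profile: dict                        # name, profession, etc.: meant to stay local
    anon_id: str = field(default_factory=lambda: secrets.token_hex(16))
    contacts: list = field(default_factory=list)  # (peer_anon_id, seen_at)
    tested_positive: bool = False
    declared_symptoms: bool = False

    def purge(self, now):
        """Drop contacts older than the retention window; return the count."""
        kept = [c for c in self.contacts if now - c[1] <= RETENTION]
        dropped = len(self.contacts) - len(kept)
        self.contacts = kept
        return dropped

    def build_upload(self, now):
        """Payload for the server, or None until the upload condition is met."""
        if not (self.tested_positive or self.declared_symptoms):
            return None
        self.purge(now)
        return {"anon_id": self.anon_id,
                "contacts": [[p, t.isoformat()] for p, t in self.contacts]}

def audit_payload(payload, profile):
    """List the ways a payload breaks the 'no personal information' claim."""
    problems = [f"extra field: {k}" for k in sorted(set(payload) - UPLOAD_FIELDS)]
    wire = json.dumps(payload)
    problems += [f"profile value sent: {k}" for k, v in profile.items()
                 if str(v) in wire]
    return problems

def demo():
    now = datetime(2020, 6, 10, tzinfo=timezone.utc)   # constructed sample data
    log = DeviceLog(profile={"name": "Sample User", "profession": "teacher"})
    log.contacts += [("peer-old", now - timedelta(days=200)),
                     ("peer-recent", now - timedelta(days=3))]
    early = log.build_upload(now)        # None: no positive test or symptoms yet
    log.tested_positive = True
    clean = log.build_upload(now)
    leaky = dict(clean, name=log.profile["name"])      # simulated regression
    return (early, clean, audit_payload(clean, log.profile),
            audit_payload(leaky, log.profile))
```

Running `audit_payload` over captured client traffic in a test environment is what turns the "no personal information is exchanged" statement into something verifiable rather than asserted.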
The image attached above in the article states the exact Report rolled out by the government of India.
What Measures Must Be Taken?
The application is no longer a trivial matter; the government of India forcing people to install it makes this even more concerning.
Some actions can be taken by the Government of India to ensure better safety of users’ data:
- Better Encryption:
The application owners must pay proper attention to the encryption the application currently has. If Elliot Alderson was able to hack into the application and locate any user he wanted to, anyone else can also do it.
It may not always be a person who brings this to light. The leakage of the data of more than 100 million individuals would be an embarrassing event.
The application must change the encryption algorithm to advance security measures. Encryptions like Twofish, 3DES, or AES-1024 bits can be used to ensure better security.
- Restraining the personal information to just one ministry:
The application must restrict the personal information to just one ministry, preferably Health. The data may only be accessed by specific individuals working in the healthcare department. The GoI must not be the data collector.
- The government of India must bring the application under a legislative framework to carry out contact tracing in a legal way.
The application has remained in “controversy” since May 5th. While the app is a great initiative to prevent the spread of COVID-19, the security threat it poses has instilled skepticism in people, which results in them refraining from downloading the application.
The government of India must not rubbish such claims and try to fix what can be fixed.
The app can prove to be beneficial to everyone if appropriately regulated.