What do you get when you cross a right-wing government in a state of economic crisis due to a pandemic and the endless need to control a nation? A mass surveillance program which feeds on public fear. This contact tracing app, called Aarogya Setu (which means ‘Health Bridge’), was released by the Indian Government on April 2 (with over 100 million downloads after 40 days of launch) as a means of tracking other users of the app that a person came into contact with and alerting them if any of the contacts tested positive for Covid-19.
According to a Press Information Bureau release on April 2, the app is described as a “public-private partnership” and as “ensuring privacy first”. Yet only a few of the individuals involved in the development process have stepped up to defend it against privacy breach accusations, including former Google India executive Lalitesh Katragadda, MakeMyTrip founder Deep Kalra, NITI Aayog’s Arnab Kumar and IIT Madras professor V. Kamakoti.
The government did not release a full list of the private developers who created the app, nor crucial information like partnership terms, future management and strategy inputs, etc. Such incongruities had already raised trust issues regarding the app and its accountability to the public.
A French security researcher who goes by the alias Elliot Alderson had recently tried to access the app’s internal files, and several other ethical hackers reported potential data breaches due to the poor build quality of the app. Early on, Alderson found a strangely behaving activity that could give attackers access to any internal app file, including the local database used by the app.
On May 4, they tried to push their analysis further and found the previous issue had been silently fixed. On further analysis, they found another endpoint which allowed an attacker to know who is infected anywhere in India, in the area of the attacker's choice. “I can know if my neighbour is sick for example. Sounds like a privacy issue for me…”, they said.
— Aarogya Setu (@SetuAarogya) May 5, 2020
Alderson’s snooping was met with an official statement from the app team which openly lied in claiming that the app does not let anyone see infections beyond a radius of 10km, while admitting that changing location allowed a user to access data for different locations. This may be considered reputational laundering, as types of data that the state would not usually be ethically allowed to hold are extracted through the app. It correlates directly with the case of the Israeli cybersecurity firm that breached WhatsApp and monitored over 20 Indian journalists and human rights activists.
India lacks a competent data protection framework to hold the government accountable for any potential breach of the right to privacy. The app tracks users through their Bluetooth and GPS data under an anonymous digital identity. However, anonymous location data can reveal a lot of sensitive information about a particular person, including address, family and friends, work, and even things like their political leaning, which can be extremely harmful in the wrong hands.
Also, the Ministry of Home Affairs ordered the establishment of an ‘intensive surveillance mechanism within containment zones,’ requiring the local authority to cover 100 per cent of the population of containment zones. The transition from “voluntary” to “mandatory” is analogous to the Aadhaar surveillance project.
Ideally, policymakers should consider the effectiveness of contact tracing and its threats to privacy, equity and civil liberties before widely adopting it. India has about 450 million smartphone users, around 34% of its total population (1.38 billion). Even with draconian measures that mandate 100% coverage of the app across the entire nation, there are glaring holes in any valid tracing of the transmission of the virus on that scale.
The government is continually struggling to offer any credible reason for the introduction of a contact tracing system or for the requirement to use it. Meanwhile, the terms of usage explicitly state that the government would not be responsible for inappropriate access to information, leaving the back door open for abuse.
There are striking similarities between the Aarogya Setu data collection in India and the US post-9/11 Terrorist Surveillance Program. Both ventures used public fear to justify their operation. Moreover, the software lacks a sunset clause that would allow for its removal after it has been used for a defined amount of time. In the face of this, the Union Minister for Information and Broadcasting, Prakash Javadekar, recently announced that the service will continue for the next couple of years.
To increase transparency and let third-party developers improve the security of the app, the government needs to open-source its code. Considering the government’s refusal either to allow the app to go open source or to set up a sunset clause for its fair termination, the project seems most likely to be a cloaked means of mass surveillance in a post-COVID India.