Upasana Sharma (Carnegie India) writes that Aarogya Setu, India’s contact tracing application, raises many privacy concerns. And while making the app open source is the right step in ensuring a transparent framework, there is more work to be done in ensuring increased user security and privacy.
Many countries have launched contact tracing applications to trace the spread of the coronavirus. The Indian government launched the Aarogya Setu application on 02 April 2020. This app was made open-source on 26th May allowing global cybersecurity experts to access the source code and detect existing vulnerabilities in the app. While this is a meaningful step in combating the existing privacy issues in the app, domain experts are now claiming that the public version of the code that has been made available is very different from the one actually being used. This recent discussion on the app gives scope to re-examine the existing problems with the app.
Currently, the app has over 120 million downloads and has been recommended by the central and state governments. In response to privacy concerns, the government established an empowered group on technology and data management to ensure effective operation and implementation of the app. The empowered group published a data sharing protocol called the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. This document aims to clarify the mechanisms for collecting, storing and using this data while providing safeguards for the same. However, three significant issues with the app remain even after the release of the protocol.
The first issue is that the app collects both Bluetooth data and GPS location data. Collecting location data is largely considered unnecessary by most global standards. This is because Bluetooth data is generally considered a better tool for collecting location data, as it only collects data based on its proximity to other phones that have Bluetooth services enabled. This is in contrast to GPS location data which will allow the government to track a user’s precise location leaving them vulnerable to being directly identified. MIT’s Technology Review has created an index by collating the major contact tracing apps globally, evaluated them on five different criteria, and given them a rating on 5. They have given the Aarogya Setu app a rating of 2 out of 5 stars. The index reveals that only Bahrain, Norway and Qatar are the three other countries collecting both location and Bluetooth data. The developers have not yet clarified why the app uses both Bluetooth and GPS location data.
The second issue is that the personal information of many users of the app is stored on one server. This design potentially allows the government to not only access but also share personal data of users. Earlier last month, cybersecurity expert Robert Baptise who goes by the name Elliot Alderson on Twitter revealed the same. He was able to hack into the database and access the exact location data of infected patients. He could also modify his location to any city of his choice and set his radius parameter to a 100 km. This is problematic because the role of contact tracing apps is only to enable users to check for any active cases in their vicinity and not access the health information of individuals at such large distances. In a response statement, the Aarogya Setu team denied this claim stating that radius parameters can only take the values of 500 metres, 1km, 2 km, 5km and 10 km. They stated that the app collects the user’s location data by design and does not violate user privacy. Elliot clarified that as the government collects the GPS data of users it can still use a process called triangulation to track an individual’s exact location. It is crucial for the developers to clarify whether triangulation is indeed possible without the user’s permission as it is a serious privacy concern.
The third issue is that the tenth clause in the data sharing protocol states that this protocol will be valid for only 6 months from its date of issue, unless the pandemic continues. This is problematic since the empowered group provide an end date to the protocol, they do not provide a similar end date for the app itself. This creates a situation where the protocol that actually provides the safeguards in protecting user data ceases to exist making the user data significantly more vulnerable. In addition, the clause provides no clarity on whether the user data will be deleted or repurposed post the pandemic. It is important to clarify this clause so that users know that their data is being solely during the pandemic and will not be misused later.
Recently, public and private companies have also mandated the use of the app for their employees. Clearly, this practice is being adopted across industries and sectors. As the country slowly resumes its economic activities, this app continues to be used by the Indian population. It is one important way to ensure that work environments are suitable and safe for the employees resuming work. In this situation, while making the app open source is the right step in ensuring a transparent framework, there is more work to be done in ensuring increased user security and privacy. This is especially important as India does not have a data protection law yet. Working on these issues will increase user trust and encourage faster adoption of the app, leading to better pandemic prevention.
This post represents the views of the author and not those of the COVID-19 blog or LSE.
Very balanced view.
Keep it going.
Appreciate the content, Upasana. Words of wisdom indeed !!!
Nice research. Still so many queries are to be answered by Govt or promoters. Govt must take responsibility ensure that the app is fully secured.
Very well written! The comprehensive and structured approach covers each aspect on this debate so well and leaves no doubt.
Excellent in depth research with every minute technical aspect, which is very well explained in simple lay man’s language. Very informative and exhaustive article. Good job Upasana….
Well researched article, Upasana. The issue needs more civil society participation to achieve a fair balance between privacy and public good.
An excellent piece balancing the pros of a contact tracing app with the very legitimate privacy concerns!
Upasna – I appreciate you taking this up but I must tell you, some of your claims are factually incorrect and are not based on a complete understanding of the technology and processes involved(which is understandable as the server side code is not yet available). Let me take a stab at explaining and am happy to answer follow up questions as well (I worked as the Contact tracing and data science lead for Aarogya Setu).
1) Bluetooth vs GPS – Bluetooth and GPS are used for different purposes. While Bluetooth is used for risk propagation, GPS is used for generating hotspot prevalence information. We are exploring a density preserving differential privacy technique to get the same while incurring minimal cost to privacy. I am part of the UN task force on privacy preserving statistics and am discussing with experts such as Andrew Trask how to resolve this. The decision to ban GPS by Google and Apples protocol is largely a political and business driven decision and top epidemiologists globally have confided in me that it is not a scientifically sound decision. I had a conference call with Dean MIT engineering, Professor Ron Rivest(inventor of rSA) and others who appreciated our efforts. The MIT tech ranking is flawed as it gives equal weightage to all parameters and efficacy is not even a paramter. There are other issues with the Google and Apple protocl such as it not being conducive to multiple degree risk propagation (which according to a report by NHSX is crucial).
2) While in principle we have no objection moving to a client side model, it was very important to start with a server side approach for the following reasons:
A) It is much easier to push updates and work in an agile manner with server side code
B) We are now able to use Bayesian techniques / machine learning to infer the curve of transmissibility since time of contact(even during the asymptomatic phase). Also we are able to determine Bluetooth signal strength cutoffs very accurately
We plan to publish these results soon which will be very helpful globally in the fight against Covid.
3) French ‘hacker’ – this guy is a sub par coder, not a hacker. He wasn’t able to pinpoint any exact location.
To each radius, we add a rand error when giving information so that triangulation is not possible. In addition we rate limit the API so that if one sends too many queries, the API stops responding.
This means it’s impossible to triangulate.
Would request you to get your facts right. :).
Please watch this for a simple explanation of what’s going on –
Feel free to reach out at my email in case you have questions.
Balanced and judicious piece-well conceived and well argued.
This innovative mechanism is widely perceived to be a game changer in India. But Upasana does well to demonstrate that we should not be oblivious to data privacy concerns.
What is particularly welcome is the fact that her thesis is completely substantiated by published data and evidence available in the public domain and this makes her findings serious and well researched.
Her writing is clear and effective and she packs a lot of punch in her arguments. Well done. Keep it up!