The announcements have come thick and fast. On 14 April, Prime Minister Narendra Modi urged citizens to download the Aarogya Setu app, a tracing app that lets you know if you have been in proximity with anyone who is Covid-19-positive. Last week, on 29 April, the government issued a circular stating that it would be compulsory for all government employees to do so. On Wednesday, India’s 48.34 lakh government employees were instructed to download the mobile app “immediately” and commute to their offices only when it showed “safe” status. And on Friday, the Modi government suddenly decreed that the app was now mandatory for all employees, public or private. On what basis it could issue such an instruction to non-government employees was far from clear.
Others started leaping on the bandwagon. Local authorities have been instructed that all residents in a containment zone are obliged to download the app. Many Residents’ Welfare Associations have started imposing the same requirement. Noida went one step further and ordered that anyone in that city caught without the app would be liable to arrest and a fine. The Ministry of Human Resource Development has told schools that students’ parents should download the app. Zomato, Swiggy and Urban Company announced that their employees have to download the app. As evacuations of Indian nationals from foreign countries began Thursday, passengers were told that they would have to download the Aarogya Setu app upon arrival.
This little app, using GPS location services, cell-tower proximity, and Bluetooth, has become, overnight, the government’s weapon of choice for combating the Covid-19 pandemic.
Rigged with risks
Close to nine crore Indians have obediently downloaded the app. There are a few vital problems, however: it is not voluntary, there are inadequate data protections built in and the government can use it to trace all your movements, and not just near Covid-19 patients. And to make matters worse, the famous French “ethical hacker” who goes by the pseudonym Elliot Alderson tweeted Tuesday that the app is not safe: he had identified a security flaw that he would reveal to the government. (Alderson did so 45 minutes later; let’s hope the authorities deploy an effective fix.)
The app, which asks for a user’s age, address, travel history, smoking history, symptoms and location, calculates the risk of contact with an infected person on the basis of Bluetooth proximity. It continuously checks if other people who have downloaded the app are in your proximity, tells the user how many people have tested positive in the vicinity and how many in range have flagged themselves unwell.
There are no global standards for such apps, but China, Hong Kong, Singapore, and several European countries have deployed comparable apps for coronavirus contact tracing. Unlike India, however, using them is entirely voluntary in most countries. Aarogya Setu is not just obligatory but far more invasive, using Bluetooth, GPS and cellphone tower information in tandem and relaying data to an external server. There are few explicit safeguards. There’s also the great danger that the app will be seen as a “magic bullet” when it is no substitute for a comprehensive testing strategy, which India is yet to implement.
There are obvious flaws in any such app, many flagged by the independent journal Nature, which points out that “there is scant published evidence on how effective these apps will be”. Questions abound about accuracy, risks of hacking, and Bluetooth-related security breaches. It omits those possibly afflicted persons who don’t have a smartphone, of course, which excludes people of economically weaker communities. It also risks being misled by some self-declarations, by confusion if a family member borrows your phone, or the opposite problem — going the other way and overwhelming the public health system with false alarms. And, says Nature, one of the deepest flaws in digital contact-tracing apps anywhere is “the fact that only a fraction of any population is likely to have the app at all”.
A surveillance tool
The democratic solution to that problem is to develop public trust in the app, rooted in transparency, but India hopes to overcome the challenge by obliging everyone to use its app. Indications are that all future smartphones in the country will have Aarogya Setu pre-installed. You may soon not be able to leave home to use the Delhi Metro or get on public transport without showing you have the app. Combined with existing government databases, the app will have a synoptic view of its users’ movements and activities. This is why the biggest concerns relate to privacy and the risk of enhanced – and conceivably permanent – surveillance of Indian citizens.
We still don’t have a data protection law in the country, though I personally (and many others) have repeatedly called for one in Parliament. The government has denied the Parliamentary Standing Committee on Information Technology, which I chair, the opportunity to review a law that falls squarely within its mandate, by sending it instead to a select committee chaired by an MP of the ruling party. Our country has no meaningful anti-surveillance laws – intrusive interceptions are still conducted under the 1885 Telegraph Act – and many have expressed the fear that the war against coronavirus is being used as a pretext to erode the privacy of Indian citizens and keep tabs on their freedom of movement.
“The coronavirus is a gift to authoritarian states including India,” author Arundhati Roy told The Guardian. “Pre-corona, if we were sleepwalking into the surveillance state, now we are panic-running into a super-surveillance state.”
The web watchdog NGO, the Internet Freedom Foundation, has cautioned that the app could create a permanent surveillance architecture, and that – since the government has a blanket liability limitation in its service agreements and privacy policies – citizens cannot hold the government accountable or seek judicial remedy. Aarogya Setu’s user agreement states that the data can be used in the future for purposes other than epidemic control and shared with government agencies. The algorithm and source code used by the app are neither transparent nor auditable; there is little transparency around how the data will be handled, which nodal department will be empowered to share the data with other agencies, which government departments will have access to the Aarogya Setu database, and how effective the promised “data anonymisation” will be. It is well established that it is not difficult to identify individuals from anonymised data sets.
At a time when the Narendra Modi government has seized powers to enforce the ongoing lockdown, charged journalists, arrested student protesters, banned gatherings and severely restricted the functioning of courts, denying bail to many, there are genuine concerns that the Aarogya Setu app will play into an unfolding narrative of greater government control.
Failure to install the Aarogya Setu app is punishable under Section 188 of the IPC (disobedience of an order by a public servant) and Section 51 of the Disaster Management Act (disobedience of an order by an official relating to a disaster). There have been no prosecutions yet. But we have been warned.
The author is a Member of Parliament for Thiruvananthapuram and former MoS for External Affairs and HRD. He served the UN as an administrator and peacekeeper for three decades. He studied History at St. Stephen’s College, Delhi University and International Relations at Tufts University. Tharoor has authored 19 books, both fiction and non-fiction. Follow him on Twitter @ShashiTharoor. Views are personal.