Sunday, 29 May, 2022

Source code & privacy — how Aarogya Setu compares with contact-tracing apps of 5 nations

India is the only democracy among these six countries to keep the software source code of its Covid contact-tracing app closed to public scrutiny.


New Delhi: The Narendra Modi government made its contact-tracing app Aarogya Setu voluntary on 17 May, weeks after several privacy experts raised questions over the app which the administration is using extensively in its battle against the Covid-19 pandemic.

Even as Aarogya Setu joins government-backed Covid contact tracing apps from other countries that can be used voluntarily, its software source code remains private, meaning the code that created the app is not available for public scrutiny.

This is unlike other such apps from some major countries.

The Modi government has no immediate plans to make the code open source either. In an 11 May interview, IT secretary Ajay Prakash Sawhney told Business Standard, “If I open up my source code, and say, some 50,000 people start criticizing it, raising issues every day, we will have to spend too much time in reacting to those. We might do that for all in due course, but right now we are planning to open it up to some of the top cybersecurity experts in the country.”

As privacy questions persist over the app, ThePrint compares Aarogya Setu and five other contact-tracing apps backed by governments in the UK, Australia, Singapore, Israel and China on five criteria.

Graphic: Ramandeep Kaur/ThePrint

Source code

Tech policy think-tank The Dialogue has encouraged the Modi government to make the source code for Aarogya Setu public.

“The app needs to be transparent and verifiable. It is important that to popularise it among the masses, the application be open source,” it says.

The UK, Australia, Singapore and Israel have open-source apps. The details about China are not available.

As of Sunday, however, the Indian government revised the privacy policy to allow reverse engineering. But this is different from open source.

“Difference between open source and reverse engineering is that open source gives legitimate access to the source code used to build app, whereas reverse engineering is breaking down, analysing app using third party tools and trying to guess what the source code might be,” said Atul Kabra, co-founder of cybersecurity firm PolyLogyx.


Data collection

The less data an app collects, the better it is considered for a user’s privacy. In its critical comments on Aarogya Setu, Internet Freedom Foundation said, “…data collection needs to be necessary and proportionate with regard to the purpose for which it is being collected.”

India’s Aarogya Setu leans towards collecting more data than other government-backed apps on this list, with the exception of Australia and China. See chart.

GPS and Bluetooth usage

Aarogya Setu uses both GPS (global positioning system) and Bluetooth tech for contact tracing.

There are privacy concerns over a contact-tracing system using GPS to track locations where users may have come into contact with each other. It is primarily due to this that US internet giants Apple and Google will reportedly not allow location tracking or use of GPS data in the contact tracing tool they are building together for any government that may wish to use it.

Instead, this tool will use Bluetooth technology to detect users encountering each other. Existing contact tracing apps from Singapore, Australia, and the UK also use only Bluetooth. However, these apps are not using the tool which Apple and Google are making.

In contact tracing, Bluetooth is not used to track location but to detect nearby devices which have the same contact tracing system installed. A phone with Bluetooth switched on emits signals that other phones with Bluetooth switched on can detect. Two such phones exchange information such as the date and duration of the encounter, and this information is stored on each other’s phones at the back-end (not accessible to the user). It is typically linked to a user ID generated by the contact tracing app, which helps the government server keep track of which user device uploaded what information.

Bluetooth is considered more accurate than GPS, which may incorrectly show all users in a congested area as users that have encountered each other.

However, Bluetooth also has a weak point in contact tracing, specifically on iPhones. On an iPhone, if an app is not actively running on the screen but is only operating in the background, the app can’t use Bluetooth to effectively scan for nearby devices, rendering contact tracing ineffective.

In this list, Israel is the only other country that uses GPS. China is using the infrastructure of pre-existing apps like Alipay and WeChat.


Centralised data storage?

Non-profit organisations working on digital rights and privacy say decentralised storage, where data collected from contact tracing apps remains on each user’s phone, is better than a central government database where all users’ data can be stored (centralised storage).

Except China, for which information isn’t available, all the countries on this list have centralised storage.

These countries require users, typically people who are Covid-positive or at the risk of turning Covid-positive, to allow the app to send information logged at the back-end of their phone to the government server. This may include information about other users they may have encountered in recent weeks.

Data storage duration, and access

Amid privacy concerns, the preference is for data to be deleted as soon as possible and for access to be limited to a minimal number of the most essential authorities.

Aarogya Setu’s privacy policy says data is deleted from the government server a maximum of 60 days after a user is declared recovered. However, it deletes information stored on the phone in 30 days. The UK, Singapore and Australia delete the data stored on the phone in three to four weeks, but don’t mention how long they take to delete information stored on government servers. However, in Australia and Singapore, users can request that their data stored on government servers be deleted. Aarogya Setu users can’t make such requests.

Information isn’t available on the other two.

An 11 May Ministry of Information and Technology protocol for Aarogya Setu said the data after undergoing “hard anonymisation” can be used for research purposes, indicating that the data may still be available in some form. It said the stipulated data retention clause is not applicable to anonymised data.

Internet Freedom Foundation, which analysed the protocol, said, “There is no policy for destroying contact, location and self assessment data based on a user request… The total failure to consider user-request based destruction of such data amounts to retaining personal data without consent and is a clear breach of the right to privacy.”
