Do We Need Aarogya Setu?

    21-May-2020
Total Views |

1_1  H x W: 0 x
 
 
Vikram K Malkani
 
As COVID-19 pandemic has swept the globe over the last few months, governments across the world have had to absorb a flood of information from a 360° window, probably 24 hours a day, and have taken series of decisions to protect their nations’ populations from the dreaded infection.
 
Among the many progressively enforced measures have been restrictions on travel, socialising, commuting, maintaining personal hygiene, and finally lockdowns in many countries. India was the first country to impose a nationwide lockdown, which has been extended twice, with some relaxation in rules being introduced in the second and third lockdowns.
 
Even before the pandemic hit India, Government of India (GoI) has been severely attacked across the political spectrum and beyond for having let the economy go into a tailspin. Irrespective of whether the attacks were exaggerated or accurate, everyone will agree that the lockdown has dealt a body blow to the economy, even as one needs to acknowledge that there was no other choice before GoI.
 
Governments have also realised that the novel coronavirus (NCoV) isn’t leaving us any time soon. Even the official stand in India of late has been that “we have to learn to live with the virus”. However, the fear of the spread of NCoV is still real, just as it is dynamic (with countless members of the unorganised workforce heading to their villages and towns).
 
The question before decisionmakers, especially in countries like India has been – forceful protection of masses leading to widespread unemployment, starvation, social unrest and over a period, susceptibility to more common infections, or easing restrictions so that large sections of India’s workforce can go back to earning and feeding themselves and their families,? Governments have no choice but to revive the economy by allowing small, medium and large businesses to resume in phases. It’s also inevitable that movement restrictions will need to be lifted further.
 
To manage the resulting threat of COVID-19 spreading, among the measures introduced by GoI is Aarogya Setu, the contact tracing (among other features) mobile app.
 
What do such apps do?
 
On installation, as part of registration, Aarogya Setu asks users to enter personal details such as name, phone number, age and gender, besides asking simple questions on how one is feeling, to assess if there are any symptoms of COVID-19. This information, stored on a server, is hashed with a unique digital id (DiD) that is pushed to the user’s app. The DiD thereafter is used to identify the user in all the app-related transactions. At the time of registration, location details are also captured and uploaded to the server.
 
In addition, it asks the user to keep Bluetooth on. When two users come within Bluetooth range of each other, their apps automatically exchange DiDs and record the time and GPS location at which the contact took place. The information collected from one user’s app is securely stored on the mobile of the other user and is not accessible by them. If one of the two users tests positive for COVID-19, the DiD information of contacted users on the infected user’s mobile is securely uploaded from latter’s mobile to the server. This will give a view of each person who must be reached out to as a possible case for COVID-19.
 
Each time a user completes a self-assessment on the app, their location data will be uploaded to the server.
 
At 15 min intervals, the app also collects a user’s location data and stores it securely on their mobile device, uploading to the server only if self-declared symptoms indicate that a user is likely to be infected with COVID-19; and/or if the result of the self-assessment on the app is either YELLOW or ORANGE; and/or a user actually test positive for the infection.
 
Among other democracies, Australia, Singapore and Israel too have introduced contact tracing apps during this time of crisis. In contact tracing apps, the two solution options can be a centralised model (user and contact information collected stored on servers, as in Aarogya Setu) or decentralised model (data stored only on user mobiles and alerts sent to user contacts’ once a user tests positive). India, Australia and Singapore are using the centralised solution, which Israel is using the decentralised one.
 
Data Retention in Aarogya Setu
 
According to Terms of Use of the app, personal information such as name, mobile number, age and gender will be retained on government servers, while the others related to location and contacts’ details collected via Bluetooth will be retained on a user’s phone only for 30 days, then purged if they haven’t been uploaded on the server already. If the details have already been uploaded and if the contacts do not test positive, the details will be deleted from the server 45 days after they were uploaded. For users having tested positive, data will be deleted from the server 60 days after their infection has been cured. If a person chooses to deregister from the app, the data will be deleted from the server 30 days later.
 
What are the concerns?
 
Several countries have introduced contact tracing during this time of crisis, and perhaps each one has had someone or the other raising privacy or data security concerns. Aarogya Setu has been called a “Sophisticated surveillance system outsourced to a pvt operator, with no institutional oversight”. According to the app’s terms of use, the data storage will be “on a server operated and managed by the Government of India”. In addition, the terms of use also mention the storage will be secure. The data retention and purging rules too have been stated in the same document. It is up to an individual to decide whether they want to believe GoI’s terms of use or not. Meanwhile, an MIT-based assessment has stated that “Aarogya Setu scored positively on the timely deletion of user data and collection of only useful data”.
 
Another view is that the decentralised solution should have been selected, by which governments do not get oversight at all on any aspect of user information other than basic data on every registered user. Contact details are downloaded on phones, analysis done on phones and any alerts sent directly to those users. One scenario for using this solution is where governments are incapable of managing the data securely, or unwilling to do so. This is not the case in India.
 
Another important factor for selecting the decentralised solution would be when users receiving alerts have a sufficiently high level of awareness and responsibility to contact authorities, even as they begin to take all possible precautions from that moment onwards. It’s unrealistic to think every Indian receiving the alert will not ignore it or know what to do to not spread the infection further and will know who to contact. COVIDSafe, Australia’s contact tracing app follows the centralised model with authorities calling the exposed people. However, they have added a layer of data protection. According to the Australian government's COVIDSafe page, "State and territory health officials can only access app information if someone tests positive and agrees to the information in their phone being uploaded. The health officials can only use the app information to help alert those who may need to quarantine or get tested".
 
Yet another concern is that the DiD created in the present solution is static, which is less secure than a dynamically generated one. GoI has stated they will switch to the latter, although its implementation date has not been declared.
 
Another concern has been that Aarogya Setu is not an open-source app. While bugs and vulnerabilities can be identified quickly in open source apps, they can also be exploited quickly. While GoI is straining on multiple fronts to contain the spread and to manage consequences of the lockdown, should it invite another challenge?
 
Finally, one hacker earlier this month declared he had hacked into the app’s server and was able to view “medical data of 90 million Indians”. In their wisdom sections of Indian media have described him as an ethical hacker. One wonders what is ethical about publicly stating having hacked into the system intended to help manage a crisis, and then threatening a nation’s government. However, it’s more important to understand if the concerns he’s raised are real and if they are, what GoI is doing about it. According to one statement by the hacker, the flaws were “fixed silently”. Good move, if true. He also mentioned that “an attacker can know who is infected anywhere in India, in the area of his choice”. This was the app’s managing team’s response on Twitter to the hacker’s claims.
 
So, should one install Aarogya Setu?
 
The app was launched on 02-Apr and less than three weeks later there was a report that it’s been successful in controlling the spread. How they arrived at this conclusion is not clear, since no supporting analysis has been provided. There was also no GoI statement during this period on the effectiveness of the app. It had 6.7 crore users on that date (about 5% of India’s population). One would think its effectiveness can be assessed over a much longer period and with a much larger user base.
 
An additional factor is that contact tracing apps aren’t working as effectively on iPhones. However, given the limited popularity of iPhones in India, this should not be a major concern.
 
Approximately 10 crore (100 million) people have downloaded the app so far. Those voicing concerns over assumed misuse of data by GoI should look up how many Indians have a digital footprint over various social media platforms, where personal attributes including current location are voluntarily splattered by users. In addition, there are dozens of apps installed on phones, which suck data such as location, browsing history and details of our contacts. These apps are used either for our convenience or recreation, and are generally retained long term on devices. By contrast, Aarogya Setu is intended to protect us and others from an infection, and does not need to be retained on devices after the infection is no longer the problem it is today. It also seeks much less personal information than users pump into social media platforms. If GoI desires anyone’s personal information, they can ask social media companies to provide it. Is using this app temporarily exposing us any more before the government that we already may be?
 
It’s important to note that contact tracing apps are no silver bullet. Neither are other recommendations such as social distancing, masks, frequently washing hands or not touching one’s face. However, a combination of these measures will reduce chances of us contracting the infection. As we stand on the threshold of a further loosened lockdown, Aarogya Setu may well be one piece of the thin shield we can create to protect ourselves and others.
 
INDIA FIRST