The contact tracing app Aarogya Setu was launched on April 2 to help users self-assess and track COVID-19 infections accurately. However, cybersecurity experts have raised concerns over its privacy flaws.
Since the launch of Aarogya Setu, the government has left no stone unturned in encouraging more people to download the app. According to the Google Play Store, the app has already crossed 50 million downloads on that platform alone. However, many privacy activists and organizations have expressed serious concerns over the surveillance that the contact tracing app can lead to.
What's bothering some experts?
According to the cybersecurity experts, Aarogya Setu could violate its users' privacy and become the government's surveillance tool. The research paper evaluated the app on various privacy features against similar apps specific to COVID-19 – Singapore's TraceTogether and Massachusetts Institute of Technology's Private Kit: Safe Paths Project.
Despite the concerns, Prime Minister Modi and several government agencies encourage citizens to download the app.
How does the app work?
At the outset, the app seems useful: it has the person take a test and tells them whether they are at risk of contracting coronavirus. The app only needs the user to allow GPS location and Bluetooth access in order to work.
However, the experts expressed concerns over the terms and conditions that reveal that the "personal information stored in the cloud may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions."
Mira Swaminathan, policy officer at The Centre for Internet and Society, a Delhi-Bengaluru based think tank, explained that the privacy policies are dictated as per General Data Protection Regulation (GDPR) guidelines. She further added that the use of "may" in the terms and conditions gives the app developer discretion to do whatever they want with the data.
"The word 'should' should be used instead of 'may'," she added.
Is the app really a privacy threat?
Following the privacy concerns, the app policies were updated to preserve the users' personal data.
According to the updated terms, the policy limits the purpose of data collection and clearly mentions that the information will not be shared with third parties except when "necessary medical and administrative interventions" are required.
The old policy collected personal information such as name, phone number, age, sex, profession, and travel history in the last 30 days. However, the updated policy only requests the mobile number, which is mandatory to receive an OTP.
Additionally, the information collected by the app will be retained on the mobile device for a period of 30 days from the date of collection. The information related to people who have tested negative will be deleted 45 days after being uploaded to the server. For people who tested positive, the information will be deleted 60 days after they have been declared cured.
These measures should certainly put privacy advocates' worries at ease and encourage users to download the app for better contact tracing by the government to contain the spread of coronavirus in India.