Is Aarogya Setu Aap Bridging the Trust Deficit Gap or Widening it?
Privacy, data protection, cyber-security, encryption — terms that are now bandied about with nonchalant ease — first became a hotly-debated topic of discussion about the time the NDA government pushed for Aadhar, beginning with making it a pre-requisite for availing public welfare programs to making it mandatory to link an individual’s Aadhar card number with their PAN number — a move that was upheld by the Supreme Court in 2018.
Critics were quick to point out how the absence of a stringent data protection law could endanger the security of individuals’ personal data. Trenchant voices even drew attention to the Government’s morbid fascination for data collection. Debates, for & against, flamed and smoldered — never quite extinguished — only to be kindled again in November 2019 when disturbing reports emerged of spyware Pegasus being used to snoop on selected WhatsApp users including Indian journalists and rights activists.
The debate over data privacy has just been reignited again, thanks to the Aarogya Setu app endorsed by the Government in the wake of Coronavirus pandemic.

Aarogya Setu — Privacy in the Midst of a Pandemic. Innocuous or Insidious?
Aarogya Setu is a contact tracing mobile application that is designed to keep track of other Aarogya Setu users an individual came into contact with, and notify him/her if any of those users tests positive for COVID-19. If a user tests positive or declares symptoms, the records are uploaded to the government servers. The app collects personal details including name, age, sex, phone number, travel history, and current location that is uploaded to the servers which generate a unique digital identity for that user.
Being touted by the Government as an effective tool to monitor, and thus contain, the spread of Coronavirus, the application has crossed over 90 million downloads since it was launched in the first week of April. But concerns over privacy issues have been consistently raised by organizations and individuals alike.
While IT minister Ravi Shankar Prasad was quick to dismiss Congress leader Rahul Gandhi’s recent claim that the app was “a sophisticated surveillance system” as a mendacious maundering, organizations such as IFF (Internet Freedom Foundation) and Software Freedom Law Centre have long been asking questions about the privacy & security of reams of personal data. It must be noted that the IFF has legally challenged the Noida authorities’ mandate of making installation of the app incumbent on all smartphone users in the area. It has also expressed apprehensions that similar orders might be issued in other parts of the country. Likewise, French ethical hacker and cybersecurity expert Robert Baptiste – who calls himself Elliot Anderson on Twitter – pointed out security flaws in the application, prompting the Aarogya Setu team to issue a statement declaring that no personal data was proven to be at risk by the hacker.
Chinks in the Armour — Aarogya Setu Aap and Privacy Concerns — Technical And Legal
The efficacy of the Aarogya Setu app is not indisputable. Automated contact tracing technology depends on people, and its effectiveness relies on widespread usage and self-reporting. Since its usage is restricted to smartphone users and levels of self-reporting may differ, the app cannot be deemed a foolproof tool to accurately identify COVID-19 patients – a fact clearly articulated in the application’s terms of use. Moreover, experts including Mr. Baptiste, have pointed out vulnerabilities in the app including clear text database – meaning anyone with a bit of technical knowhow can see data. Pertinently, Mr. Baptiste added that Rahul Gandhi was right in terming the app “a sophisticated surveillance system” and called for making the application’s source code open to boost security and enhance transparency, an idea echoed by IIT Delhi professor Subhashis Banerjee.
Another technical chink in the app’s armor is the unique digital identity being a static number, making it susceptible to identity breaches.
A dynamic Digital ID would have added another layer of encryption like there is in the Apple-Google contact tracing technology project and TraceTogether app from Singapore. There are also serious privacy concerns, given that India is yet to formulate digital privacy or data protection laws. In the government’s privacy policy pertaining to the app, the language around who will have access to the data can at best be termed hazy.
There is no legislation to guide and shape the app’s functioning and usage of the sensitive personal data collected. The disconcerting absence of a sunset clause or rule limiting the purpose and length of time for which the data can be used has also sparked concerns that the app may be used as a tool of mass surveillance even after the threat of COVID-19 has subsided.

Addressing And Allaying Concerns
Several governments around the world are launching applications to trace the contacts of infected persons. The European Parliament recently passed a resolution making it obligatory for all contact tracing apps to have expiry dates. Israel’s Supreme Court disallowed the country’s intelligence agency from conducting electronic contact tracing of Coronavirus patients in the absence of statutory legislation. In Italy, Singapore, and South Korea, installing the app is completely voluntary. The Australian Government has published a privacy impact assessment on concerns with its COVID-19 tracing app and also indicated that it will soon publish its source code.
While the Indian Government’s intent behind launching the Aarogya Setu app may be positive, it would do well to embrace some of the aforementioned best practices and address and allay the concerns raised by opposition members and digital security experts alike. Firstly, the government ought to seriously consider some kind of judicial oversight or legislation for the Aarogya Setu project.
Particularly so, because adding new features to the app such as telemedicine and e-pass service is in the offing. Secondly, it ought to eschew its cloak-and-dagger approach with regard to which authorities can have access to this data and put out a clarification or explanation regarding the same. Thirdly, it should prioritize making the app’s source code available to all as well as address other technical flaws detected by experts in the app’s security infrastructure, ensuring data anonymization and elimination of leakage risk.
It must be noted that usage of the application cannot be made mandatory at present without legislative backing.
But considering the app’s swelling popularity and its indefinitely continuing importance due to lack of foreseeability with regard to the pandemic’s end, the Government must endeavor to bring in a robust, comprehensive data protection law in order to bridge the ever-widening trust deficit.
Related:
Beyond A Dystopian Reality: The World After Coronavirus Pandemic — Will You Survive?
The Looming Threat of ‘Big Brother’
In Nineteen Eighty-Four, George Orwell’s chilling dystopian novel centered on the fictitious totalitarian superstate of Oceania – the protagonist Winston Smith is taken inside Room 101, the torture chamber, located in the Ministry of Love. Here, dissidents are confronted with their worst phobias, which in Winston’s case is rats.
The fact that the Party is aware of this — indicates that individual citizens are surveiled in the state to the extent that even their fears & phobias, products of the realm of the mind, are stripped naked, deprived of even a shred of the robe of invisibility. Of course, we are not heading towards such a state. Or such a state of affairs. Are we?
Surviving With The Trumps — Nepotistic White House Nexus Behind America’s Coronavirus Response
If Trump Goes For Military Retaliation, Xi Can Show Who’s The Boss In East Asia
The Stakes Have Never Been Higher For ModiNomics
The ‘Bois Locker Rooms’ Are Vast And The Problem Lies In The Past
Trump’s Madman Policy On China Is Building A Legacy Of Weak Statesmanship
From Michelle Obama To Melania Trump — The Devolution Of The FLOTUS
