This article originally appeared on VICE India.
On April 14, as India’s Prime Minister Narendra Modi went online to address the nation about the country’s ongoing fight against the coronavirus pandemic and to announce an extension to the original 21-day lockdown, he also endorsed India’s first nationwide contact tracing app: Aarogya Setu. “Download the Aarogya Setu mobile app to help prevent the spread of corona infection. Inspire others to download the app as well,” he said. Even as the Prime Minister’s words echoed through the quiet isolation chambers of what’s left of our lives, the app also made its presence known through the only other ways it could: WhatsApp forwards, pop-ups on app stores, ads on social media, etc. In fact, so heavily publicised was this app that within two weeks, the app appears to have reached some 50 million Indians’ smartphones—the highest and fastest downloaded in the world.
But, as is the case with most technology, there’s almost always a caveat. And in Aarogya Setu too—which continuously collects location data of the registered user and maintains a record of the places where the user comes in contact with other registered users—several aspects have been flagged by digital and cybersecurity experts. Last week, VICE India reported on the growing mass surveillance in the country, and the Aarogya Setu app plays a major role in this escalating technological scheme of things.
So what’s so problematic about this app? And why should privacy matter at a time when the pandemic is wreaking havoc on almost all fronts? To answer some basic questions, VICE reached out to Delhi-based tech expert, Sidharth Deb—the policy and parliamentary counsel at Internet Freedom Foundation, a digital and civil rights advocacy NGO. Earlier this week, Deb came out with a super comprehensive paper on tech interventions during the coronavirus pandemic. We caught up with him so he could tell us whether this is the app the nation needs:
VICE: What exactly does the Aarogya Setu app do?
Sidharth Deb: In an ideal world, a contact tracing app like Aarogya Setu should be able to tell you whether wherever you are situated is safe or not from the coronavirus. In a good model, this interaction between you and the technology should not have the involvement of the government, or the government shouldn’t be the intermediary in this interaction. But in the Aarogya Setu model, that’s not the case. On top of that, the Aarogya Setu model can be repurposed to coerce your behaviour and, in fact, maybe become a decision-maker in terms of whether you may board a train, a metro or even a flight. And that can have implications on your movements and even people's livelihood.
Does that mean that this app could potentially dictate my decisions, control my movements or modify my behaviour?
Right now, the state’s attempt to control your behaviour is to ensure, at least in this initial stage, that people follow the lockdown order or quarantine directives. But in a democracy, the government, even in emergency situations, may only restrict your civil liberties in a narrow manner when there is a legal regime that allows for narrow/reasonable restrictions. Unfortunately, in India, there is no such legal system like a strong data protection framework which can hold the government accountable. So, a combination of the underlying tech of the app in conjunction with no legal safeguards makes it a risk to your civil liberties, including the right to privacy.
But this app does take my consent when I register. What does that mean?
A lot of research suggests that just because the app says that an individual’s consent is taken, it could be informed consent, but need not necessarily be a meaningful one. What I mean by that is, if suddenly the system of the app is repurposed in the way that it becomes mandatory for your travel, how does it matter if it’s taken your consent or not? It may become something that you need to download just so you can travel. Another thing about consent is that when you take it, it’s for a specific/singular purpose. But that one act of taking consent can’t allow the government to do multiple things—and the Aarogya Setu app has the capability to allow a lot of things.
Also, when it comes to other apps, it collects someone’s personal information in the way that it uses one data point. But in Aarogya Setu, you have to feed way more information than the system requires. Like in the self-identification test, you have to input 8-10 pieces of information about you. The citizens should think about this as the pandemic goes on, and the long-term implications of all of this.
But what will the government even do with my personal data on this app?
It’s a part of a larger risk of a permanent system of surveillance. For instance, in the US, when 9/11 took place, a lot of people’s data was collected to map their location and movements in secret, given that there was this perception of risk which manifested into the global war on terror. Consider that level of panic, and amplify it to the situation now when it’s across the world. This virus is something that creates fear within people, and that’s a great tool for governments to be able to justify a lot of otherwise unpalatable means of intrusion.
On top of that, there is also the possibility of a phenomenon called “reputation laundering”, where certain types of technologies or systems that would otherwise be rejected by the public may become a lot more, let’s say, marketable. Like the Israeli cybersecurity firm whose software was linked to the huge breach on WhatsApp in 2019, which impacted civil rights activists across the world including India. Today, they’ve already started packaging contact tracing solutions and pitching to governments.
But doesn’t the app fall under any legal framework under the Indian law, so that it doesn’t do more than what it claims to?
India is uniquely disadvantaged in holding its government accountable when it comes to such measures during emergencies because even though we have our right to privacy, it doesn’t have a complementary data protection framework that could hold the government accountable for restricting people’s right to privacy.
So you need to ask things like why is Aarogya Setu—which is only supposed to establish contact between me and another user—collecting both my GPS trails and accessing my Bluetooth? In the middle of all of this, if you go through the app's ‘Terms of Service’, there is a liability limitations clause, which means that if there is an error in the application, you can’t hold the app accountable for any mistakes or glitches they make. What’s that, you ask. Sample this: What if the app diagnoses you as positive because of a glitch? Its algorithms or grounds for that decision are not transparent or available to the public. Which means, a mistake by the app could mean you may not be able to go to work or travel and so on. And for any such mistake, you will not be able to seek remedy against the application provider i.e. the government.
Also, there is no sunset clause that says that every two-three months, they will revisit whether the system is actually helping the government’s response to the public health crisis. Because yes, governments should be able to use technological responses to a crisis, but if it’s not working and is still restricting your privacy, then there should be an override function to terminate that system.
But similar tech worked in countries like Singapore and South Korea. Does that mean they have safer laws?
That’s actually a misnomer. To what extent the technology has supported the response is unknowable at this stage because there is not enough information. In fact, the reason South Korea, Singapore and Taiwan have been successful is as much about testing and detecting the positive cases aggressively as technology. Technology by itself can’t do anything. It has to be combined with testing and creating enough infrastructure, facilitating treatment, ensuring the safety of healthcare workers, etc.
So, is this app going to be effective at all?
I don’t think even the government can legitimately answer this at this stage. Contact tracing apps are experimental technology, which don’t have a successful model yet. The only such app which is being marketed as successful during this coronavirus crisis is the Singapore model, but to what extent it has actually been successful is unknowable. Also, there are some studies that say that contact tracing is discriminatory to segments of society that don’t have smartphones. Right now, the Aarogya Setu app is concentrated on the smartphone users in India, who constitute less than a third of the country’s population.
Why should I care about my privacy, when the risk of the virus is so much more than the risk of losing my privacy?
Your life is, of course, important, but that’s not to say that privacy and your life are two competing interests. Now you’ll say, “No, but this is an emergency.” The counter to that is, if there are no defined limits to a system, there are risks that these systems will become permanent, and that’s when you’ll envision real risks of prolonged or continuous surveillance of people.
Let me give you an example. I talked about Aarogya Setu collecting GPS data. The reason why it collects your movement data is that your movement can convey very revealing information at an individual and group level. Like your address, who your family or friends are, where you work, what your socioeconomic background is, and so on. Zoom out, and people with access to such systems may also be able to glean aspects like your political leanings, for instance.
Okay, so if I do choose to download this app, is there a way to protect at least some privacy?
Well, it’s on your device. If you register, it will ask you a series of questions. You may lie to these questions, but the ‘Terms of Service’ tell you very clearly that you cannot produce false information when requested. That creates a certain contractual obligation. And the way the app is designed, it collects much more information than is required. And if you think of lying there, that will give grounds for the system to retain other personal information like your GPS movement for a longer period of time.
How about I uninstall the app after the pandemic? Will my personal data still be at risk?
If you cancel your registration, the government says that your information will be deleted in 30 days. What the app lacks right now is a means for users to check and ensure that the government complies with these requests, which leads to no accountability.
So, I shouldn’t download the app then?
You can, if you want to. Just study the risks before you do it. I personally wouldn’t, but that’s out of my desire to not want to use such apps in general.
Follow Pallavi Pundir on Twitter.