Aarogya Setu Mobile App – a vague untested solution to modern day Pandemic

You might have come across this if your an Aarogya setu app users. Entire nation is in lock down due to the viral spread of COVID-19. Many people have tested positive and are hospitalized to recover from this virus.

Aarogya Setu is a mobile application developed by the Government of India to connect essential health services provided to the people of India in our combined fight against Covid-19. On 2nd April 2020, India launched Aarogya Setu mobile App for helping the efforts of limiting the spread of Covid-19, with an objective of enabling Bluetooth based contact tracing, mapping of likely hotspots and dissemination of relevant information about Covid-19. The App has successfully succeed to connect with over 100 million users within the short span of 40 days. The App is available in 12 different languages and on Android, iOS and KaiOS platforms, developed by the National Informatics Centre under the Ministry of Electronics and Information Technology which is programmed using JAVA, KOTLIN.

Millions of Indian citizens are installing and using Aarogya Setu as suggested in various guidelines issued by Ministry of Home Affairs. Government is actively promoting it using various digital and traditional methods that are possible.

How it works?

Aarogya Setu is a GOI app which works on Bluetooth and GPS technology and alerts the installer if they are in the vicinity of Corona virus suspected person or are in the vulnerable location. The app tracks and traces the location of the installer and send it to the servers. Based on the data, the app predicts how vulnerable you are of getting infected by being in that location. If you are vulnerable then it raises an alert and tries to help you. It works on the network effect.

After downloading the Aarogya setu app, you need to provide your moblie number The Android version of the app requests multiple permission, and enable Bluetooth to determine your location. The Aarogya Setu Android app privacy policy surveys the user regarding their gender and also ask whether they have traveled internationally in last 30 days. You need to submit your response honestly and then answer few questions regarding your health status which includes survey on whether you have cough, headache, or difficulty in breathing. The user will also have to declare their travel history.

The provided information is stored securely on a server operated and managed by the Government of India. In addition, it receives data from internet, prevents device from sleeping, runs at startup, and has full network access, as listed under the permissions tab of the app.

Howdy App! Rowdy solution.

Lately a new trend has emerged in India. Every issue is being solved by launching an App. Good enough. But, there is a basic problem with this solution. Smartphone ownership only stand at 24% as per PEW Research Center in 2019. So, what is the plan for rest of us? None? Moreover, as per a report on Corona Virus Research by a team at University of Oxford, an effective configuration of Digital contact tracing application would require 80% of all smartphone users using the app, or 56% of the population overall. These numbers are not practically reachable owing to privacy, accessibility  and legal issues anywhere in the world. Yes, not even in the States. Even if we consider ourselves as primitives with zero privacy or legal concerns in India, as read above, smartphone ownership is limited at 24 percent only. It is rude of Setu App’s developers as people without compatible or no smartphones are simply left out.

Use of Bluetooth signal strength for proximity tracing itself posses a potential risk of false alerts and serious over reporting. How? Because our Setu or any other proximity application cannot identify people separated by walls or floors or in two adjacent cars stopped at a traffic signal. It cannot even guess whether a grocery store clerk or a medical practitioner is wearing protective gears and equipment or whether a specific person is taking extensive precaution to prevent the transmission of virus owing to the nature of their work. I am not sure how effective Bluetooth based proximity tracing is in above said cases.

Use of Setu App is going effect your battery life and might cause other real life issues. For example your 59 year old mother might not be able to communicate with you at all owing to no battery charge left, thanks to heavy battery consumption by a contact tracing app like Setu.

Aarogya Setu is open

While making the code open source, Government of India also seeks the developer community to help identify any vulnerabilities or code improvement in order to make Aarogya Setu more robust and secure.

The Ministry of Electronics and Information Technology has announced that they have released the Android source code of the app currently available on GitHub, a collaboration platform for software developers, where code can be developed or reviewed collaboratively. Both the iOS and KaiOS source codes will be released over a period of time, starting with the iOS version, which will be available as open source. To check open source on GitHub click here.

This means that researchers and cybersecurity experts will now be able to audit the Aarogya Setu app at their full discretion, helping find potential flaws in India’s first truly comprehensive COVID-19 tracking app.

All this is done under the National Informatics Centre (NIC) and is licensed under Apache License version 2.0.

The decision to make Aarogya Setu open source comes after several security issues were raised against the app. A popular ethical hacker suggested that the app has privacy issues. Aside from open sourcing the code, the government has launched the Bug Bounty programme that will be hosted by the MyGov team. The program will invite developers to find security vulnerabilities, flaws, and code improvements in the Aarogya Setu app. With this, if any issues prevail, the app will be fixed to make it more secure for users. It is offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs.

Aarogya Setu & Privacy Issues

Many people are conscious about Aarogya Setu app because they have many privacy concerns. Aarogya Setu is being widely criticized by many due to various privacy concerns. Yes it has a lot of issues. Government is invading our Privacy and continuously collecting our data without our permission and storing it.

In a technical analysis, Software Freedom Law Center of India has found that web application is deployed in US-based Amazon Web Services hosted in Mumbai. Static files for the above mentioned web app are served from Cloudfront CDN. It shows how serious our government is about the data and its privacy. In a world of secret laws and National security letters, any thought of hosting our data with a US-based company is real mockery of individual privacy. Further, making it a slave to Google Play services for basic functionality is a debacle. Google has been fined time and again for major privacy infringements in European Union. We are serving Google’s servers with vast treasure trove of data that it craves for any day. Google must be loving it.

The app’s terms and conditions provides blanket limited liability on the government. Thus, there is no government accountability in case of data theft of users.

The Protocol is effectively issued under orders of the National Disaster Management Authority under the Disaster Management Act, 2005, which does not specifically allow for the collection and processing of personal data as envisioned by the Aarogya Setu app. Thus, it will be far-fetched to say that the Protocol provides sufficient legal backing to Aarogya Setu. While the Protocol limits data collection by the Government to what is necessary and proportionate, it fails to explain as to why such mandatory collection of data is necessary to achieve the aim of disease prevention. The app breaches the fundamental right to privacy. Currently there is no legal framework that governs the contact tracing app Aarogya setu beyond the Privacy policy and term of use.

Contact-tracing apps are not a solution to the COVID-19 pandemic.

Contact tracing involves working backward from infected cases to identify people who may have been exposed to disease, so that they can be tested, isolated, and also provides treatment for positive COVID cases. The app is useless for a lot of citizens in India. There exists no alternative for people who do not own a compatible smartphone or cannot use one for any legit reason. It would not work for privacy-oriented people who do not like Google services or apps installed on their smartphones. A lot of people in post Snowden world do not like to have privacy invading Google services on their smartphones. A lot of them are moving to custom de-googled Android based ROMs like LineageOS or /e/.

There are many basic vulnerabilities underlying this platform that cannot be addressed. We cannot solve a pandemic by coding a fancy proximity tracing app. An unproven digital contact tracing model with impractical configuration cannot be reckoned on for resolving a pandemic as a magic like tech. Most of the economies in the world are not even able to make tax filing, a 100 percent digital till date. Conventional filing of taxes is still in practice or an option for businesses around the globe. How can we expect a resource demanding smartphone application to be a solution to a common man’s problem in pandemic? Infrastructure is still not there even in developed countries like USA for it to be a universally accepted solution for general public. It is only a week ago, a Student committed suicide owing to lack of Mobile access for education in Kerala State of India owing COVID-19. Forcing a digital contact tracing app like this in India is going to cause other fatal issues along with uncertain results. Sometimes, a family might only have a single smartphone. Who is going to decide whether the child needs it more than the working parent? Whose life is more important? Is this model with ineffective configuration for digital contact tracing worth it in India or any where?

The government is spending a lot of resources to distribute and keep this app and our data as secure as they can. We are not doubting their intention at all. But,  should not we be more focused on conventional methods and what is beyond the user notification and alert on this Setu app?

To conclude it might be a good supplement to conventional or traditional contact tracing method. But it is untested, unproven method and the ideal configuration for digital contact tracing to work as per University of Oxford isn’t met any where in the world owing to plethora of reasons. The same goes for India.

Even if the ideal conditions were met, the country’s conventional medical mechanism still has to isolate its positive cases, not being done by many others around the world and strictly enforce quarantines. Faster affordable mass scale testing of citizens as executed by South Korea’s drive through test facilities is another step to help quickly stabilize the situation versus digital contact tracing based on a model with impractical configuration or requirement for majority of the human population as of yet owing to technological constraints.

It is not a silver bullet as misunderstood by general public. It is direct act of citizens  especially non-tech ones like wearing a mask and physically distancing yourself in public that are proving to be effective and reliable in preventing the spread of Corona Virus. So, educate yourself and others, also trust but verify first.

The lockdown came into being just for our benefits as per the Government, so I hope you all doing good. Stay home and Stay safe.

For official information on Aarogya Setu app visit MyGov.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.