Coronavirus pandemic

India's tracing app gets flak over lack of data security

Questions of efficacy arise as Delhi makes downloading it mandatory for more people

Aarogya Setu has been downloaded over 90 million times. PHOTO: AAROGYA SETU/TWITTER

New Delhi-based student Shrutika Patade downloaded Aarogya Setu last week after she received at least 10 text messages from the Indian government urging her to use the tracking app.

"I thought that staying safe should be my priority," said the 23-year-old, who also convinced her two roommates to download the app - but soon, the three were "disappointed".

"On each of our phones, the app shows a different number of positive cases near us," said Ms Patade.

To facilitate the enormous task of contact tracing in one of the world's most populous nations, the Indian government's Ministry of Information Technology designed the Aarogya Setu app with the help of volunteers from the private sector, and launched it early last month.

Supposedly inspired by Singapore's TraceTogether app, Aarogya Setu continuously collects data on the location of the user through Bluetooth and Global Positioning System (GPS) and cross-references it with the central government database to determine if the user has come into contact with an infected person.

It requires users to keep their GPS location on at all times, which the government says can also help it to identify infection hot spots.

Last week, the government made downloading Aarogya Setu mandatory for all public and private sector employees, people who live in "containment zones" and Indians stranded abroad who are now being flown back on special flights.

From the outset, privacy advocates have criticised the app's inadequate data security. With more people forced to download it, questions about its efficacy have arisen.

"The app was launched without a data protection law in India, and without a sunset clause (when health data collected will be deleted). The government said Aarogya Setu is only voluntary. Well, it's clearly not voluntary any more," said lawyer and constitutional expert Gautam Bhatia.

The police in Noida, a district bordering Delhi, have said they will punish anyone without the app on their phone with a 1,000 rupee (S$18.50) fine or six months in jail.

Employees of L&T Financial Services, Cisco, Diptab Ventures (Bangalore), One Advanced (Bangalore), Virtuoso Optoelectronics (Nasik), Mercedes Benz (Bangalore), ISGEC Heavy Engineering (Haryana), Flipkart and Standard Chartered Bank (India) said they received e-mails from their company's human resources department asking them to download the app.

Some companies had a self-declaration form, or demanded screenshots. Others had team managers checking their employees' phones.

Most employees said they followed orders, but did not keep the GPS and Bluetooth on at all times, as it drained the battery. Some were also concerned about privacy.

Aarogya Setu's privacy policy says collected data will be used only to trace contacts, but its makers have suggested that it could eventually be used for telemedicine and as a condition for movement passes.

Public health experts also caution against viewing contact tracing apps as a cure-all. "This excessive focus on simple, one-dimensional apps to solve a complex public health issue is taking the focus away from on-the-ground efforts that involve human interaction and ensure trust and reassurance," said Dr Sonali Vaid, a Delhi-based public health professional.

Another concern is how many users are needed for the app to work effectively. A recent study by epidemiologists in Britain estimated that, for the pandemic to be stopped, at least 60 per cent of the population would need to use such an app. But a 2016 Pew Research survey revealed that only 17 per cent own a smartphone, which is required to run Aarogya Setu.


A version of this article appeared in the print edition of The Straits Times on May 11, 2020, with the headline India's tracing app gets flak over lack of data security.