Covid-19: How The Aarogya Setu App Handles Your Data
Anand Venkatanarayanan evaluates the Aarogya Setu app against the concerns raised using the Lean Data Practices framework.
Situational awareness is prized in difficult situations as being aware of the environment around and the threats and opportunities. Governments around the world use contact-tracing as a means to improve their situational awareness to manage the Covid-19 pandemic. The Indian government’s Aarogya Setu App follows the same trajectory, but there have been legitimate concerns about whether it is privacy-friendly as has been claimed.
Lean Data Practice Evaluation
A simple way to evaluate the app against the concerns raised is to use Mozilla’s Lean Data Practices framework which advocates three principles:
- Staying Lean: Decide if all your data collection delivers value.
- Build Security: Learn how to protect data.
- Engage Your Users: Keep customers informed and empowered.
The primary purpose of the app is to help situational awareness in contact-tracing and Bluetooth low energy or BLE beacons are used to determine users’ social graph, where their devices exchange:
- Media access control or MAC address (of the discovered device);
- Distance between the devices;
- Device ID (A static random ID computed from the personal information and the phone number of the users);
- GPS latitude and longitude;
- Signal strength as seen by the devices;
- Time at which the contact device was seen;
- Bluetooth model name and number.
- Random device ID (that changes every 15 minutes);
- Signal strength as seen by the devices;
- Time at which the contact device was seen.
Clearly, the TraceTogether app collects far less than the Aarogya Setu app and hence while more minimalistic, also delivers the maximum value.
This brings the question of why GPS information of the device is even required.
While it may be possible to argue that this allows in mapping hotspots, the key question is what is the value in knowing about where the infection has been passed on 2-3 weeks ago. The more valuable information is, where the infected person is currently residing and then using that data to locate and quarantine the person, for which phone number is more than sufficient, which is collected by both Aarogya Setu and TraceTogether.
While TraceTogether does not collect any other information at all, Aarogya Setu App, collects some personally identifiable information, which is not relevant for contact tracing. This information can be collected much later during the testing or quarantine phase.
Dave Aitel, the renowned U.S. National Security Agency hacker once said, “Walmart is a critical infrastructure”. The quote simply means that anything that has wide adoption must have the same protection offered to it as if it is critical infrastructure. An app that is pushed by the Prime Minister and is widely used should be considered as critical infrastructure since abuse potential is very high.
- Third-parties tracking individual users over time.
- Avoiding static IDs that allow such tracking.
These risks are avoided by carefully thought out counter-measures. For instance, device IDs are completely random numbers that have limited time validity (of 15 minutes). Further, these IDs are encrypted by encryption algorithms that are very hard to break, unless the encryption keys are known.
In contrast, the Aarogya Setu App uses static device IDs that are vulnerable to sniffing attacks. The device IDs also don’t change over time and are not encrypted, thus making replay attacks trivial.
Engaging users has a single goal, to increase trust. The Singapore government offers a playbook on how it is done.
The technical specifications of TraceTogether are first put out along with the policy brief. All the code is fully open source including the Android and iOS apps along with the back-end. The app allows complete agency to its users. For instance, it does not automatically upload contact information to the back end.
Users have to authorise the upload via an explicit PIN.
Further, the TraceTogether developers have envisaged interactions with multiple health authorities on the ground and it was built with the inputs of front line workers. The lead architect specifically called out that “automated contact tracing is not a panacea” and “we have been working closely with the public health authorities from day one. Theory is theory. Application and execution is something else entirely”.
A common problem in software is scope creep, where multiple parties want to add functionality even though it may not be relevant to the stated aim. The Aaragya Setu app, in Version 1.0.5 has already added a feature to donate to the PM CARES fund and is in the process of adding e-passes for moving around in a lock-down.
These steps make it easier to map its trajectory. It is in the process of becoming a delivery device for various government initiatives which may have no relevance to the pandemic by riding on top of a public safety initiative to gain widespread adoption. For instance e-passes will not be effective, unless they are linked with identity proofs and when linked with location information offer perfect trails of not just individuals but also their contacts.
The Lean Data framework thus offers a framework to understand how health surveillance (a necessity in a pandemic) can soon evolve into mass surveillance – just follow the data collected incrementally over time and judge it’s value to the collector from the stated aim. If it is extraneous and increases over time, it is disproportionate and the intended purpose is different from the stated purpose.
Anand Venkatanarayanan is a software security researcher, and the Chief Financial Officer of HasGeek.
The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.