AAROGYA SETU: HOW DID SPREADING AWARENESS THROUGH AN APP GIVE BIRTH TO A BIGGER PROBLEM?

On the 2nd of April 2020, the government launched the Aarogya Setu App. Although it was only an app, it mattered to the people of India, even more than a vaccine that was yet to come out and the supply of inadequate test kits. The country was going through a lockdown. Millions of people installed the app after the Prime Minister referenced it on “Mann ki Baat”. For millions of Indians, this was the first step towards a solution to a massive problem that the whole world was going through. The app became the world’s fastest-growing mobile app, with more than 50 million installs within 13 days of its launch; by 13th May 2020, the number was 100 million.

Features of the app:

  • User Status (tells the risk of getting COVID-19 for the user);
  • Self Assess (helps the users identify the symptoms of the virus and their risk profile);
  • COVID-19 Updates (updates on international and national cases of the virus);
  • E-Pass Integration;
  • See recent contacts option (allows the users to identify the risk levels of their Bluetooth contacts);
  • Identifying cases in the local area (in 500m, 1km, 2km, 5km, 10km distance from the user);
  • Helpline Numbers.

The app supports 11 languages, which include English, Hindi, Marathi, Oriya, Bengali, and more. The inclusion of regional languages ensures that the program is easily accessible to people from across India.

This was all well and good until 2nd May 2020, when Rahul Gandhi, Leader of the Indian National Congress (INC), first raised an issue about the app on Twitter, saying the App is “a sophisticated surveillance system, outsourced to a Pvt. operator, with no institutional oversight - raising serious data security & privacy concerns”. The Tweet quickly became a controversy, with ministers from the government attacking Gandhi on Twitter and calling him a liar. The highest-profile statement came from Ravi Shankar Prasad, who called Rahul Gandhi a liar and claimed that the app has a “robust data security architecture”. Ravi Shankar Prasad is an Indian lawyer, politician, and member of the Bharatiya Janata Party, and the current Union Minister holding the Law and Justice, Electronics and Information Technology, and Communications portfolios in the Government of India.

Before going into the issue in detail, let us first look briefly at privacy.

♦ PRIVACY: First of all, privacy is a fundamental right. It is essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built. Put simply, the most valuable object in today’s world is not money or gold or anything with monetary value; the most important object is data. The best way of describing the source of data is through the internet. The world functions on data, so it must be protected at any cost. If it falls into the wrong hands, it might cause serious harm to the person, the state, or the country. Data privacy is thus an essential factor in today’s world. The value of data cannot be explained in a couple of lines of this write-up.

Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. Privacy helps us to establish boundaries to limit who has access to our bodies, places, and things, as well as our communications and our information. The rules that protect privacy give us the ability to assert our rights in the face of significant power imbalances. As a result, privacy is an essential way we seek to protect ourselves and society against arbitrary and unjustified use of power, by reducing what can be known about us and done to us, while protecting us from others who may wish to exert control. Privacy is essential to who we are as human beings, and we make decisions about it every single day. It gives us a space to be ourselves without judgment, allows us to think freely without discrimination, and is an important element of giving us control over who knows what about us.

The more digital we go, the stronger the information security that must be applied, at any cost.

2020 was the year in which the world went more digital than ever before, owing to the pandemic that altered life as we knew it. One of the silver linings of the year was the spotlight on the importance of data and data flow. Taking this cue, the Indian Government took significant steps in tech policy and data regulation in 2020, like non-personal data, health data, financial data, and data related to e-commerce and other consumer-facing services. The judiciary has also made observations on individual rights regarding data privacy, and the ever-deliberated Personal Data Protection Bill, 2019 (PDP Bill) was a moving piece under Government deliberation during the year.

♦ The Issues Surrounding Aarogya Setu: On 5th May, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, claimed that there were security issues with the app. The Indian government, as well as the app developers, responded to this claim by thanking the hacker for his attention but dismissing his concerns. The tweet, directed at the Aarogya Setu Twitter handle, said “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?”; it also mentioned “PS- Rahul Gandhi was right”.

The Developers of the App stated that the fetching of location data is a documented feature of the app, rather than a flaw since the app is designed to track the distribution of the virus-infected population. They also asserted that no personal information of any user has been proven to be at risk.

Robert Baptiste tweeted that security vulnerabilities in Aarogya Setu allowed hackers to "know who is infected, unwell, or made a self-assessment in the area of his choice". He also gave details of how many people were unwell and infected at the Prime Minister's Office, the Indian Parliament, and the Home Office. The Economic Times pointed out that a clause in the app's Terms and Conditions stated that the user "agrees and acknowledge that the Government of India will not be liable for … any unauthorized access to your information or modification thereof". In response, several software developers called for the source code to be made public.

Addressing the concerns on 11th May 2020, the Ministry of Electronics and Information Technology and NIC announced the “Aarogya Setu Data Access and Knowledge Sharing Protocol”, a protocol that, if applied, can secure the data even from private companies.

The situation became more serious when independent journalist and activist Saurav Das, who had filed an RTI application, took the answer to that application to social media, pointing out several dangerous issues with the processing of the app. Das approached the NIC, the National E-Governance Division (NeGD), and the Ministry of Electronics and Information Technology seeking to know about the creation of the application, which has been downloaded by millions of Indians during the lockdown. Questions were even filed to find and confirm the creator of the application.

♦ Creator of the App: The National Informatics Centre, which designs government websites, has said that it has no information about who has created the Aarogya Setu app and how it has been created.

The Central Information Commission (CIC) issued show-cause notices to the Central Public Information Officers of the Ministry of Electronics and Information Technology (MeitY), National Informatics Centre (NIC), and the National E-Governance Division (NeGD) following the agencies' failure to disclose information relating to the process of the Aarogya Setu app's creation.

♦ Data Security: On August 7, information officers, having failed to issue answers to any of the questions from the RTI, informed Das (Saurav) that the RTI application had been sent to the CPIO of the National e-Governance Division (also part of the MeitY).

Nearly two months later (October 2), the NeGD responded to Das stating that they had no information at all to provide him. Das then filed a request for an urgent hearing at the CIC, citing the matter as one of “immense public interest.” The NIC also claimed that, even 6 months after the safeguarding protocols were released, many of the vital safeguards had not been put in place, answering most of the questions about the launch of the safeguard protocols by saying they were still in process. When asked what protocols had already been adopted for the anonymization of the data, the answer was not satisfactory. This means that for millions of users who have already downloaded the application in good faith, no measures were taken to protect their data.

Not to mention that in 2018 the world saw the biggest data security breaches when our Aadhaar data was leaked.

♦ What are the said safeguard protocols?

  1. Safeguard-1 (The Paper Trail): A series of documents providing written evidence of a sequence of events or the activities of a person or organization. This is one of the most important responsibilities for apps whose services are based on the location information of the app user.
  2. Safeguard-2 (Security Practices): A series of protocols that fall under the security practices of an application, such as data backup, user multi-factor authentication, security of the passwords, keeping an eye on the user, monitoring third-party access to the data, keeping the user safe from phishing, limiting social network information, etc.
  3. Safeguard-3 (Audit & Review Mechanism): Conducting regular audits and reviews of the massive amounts of information being registered through the app, and keeping an eye on only the necessary information.
  4. Safeguard-4 (Anonymization of Data): Increasing the data security as a whole and keeping the information related to location, Aadhaar id, contact details safe.

Das then went on to publish a Blog Post outlining why he believed the app had security flaws. In his blog post, he contended that anybody could access the app's internal database to find the location information of anyone who is sick in the country.

He alleged that the government does not maintain a clear protection mandate to keep the information safe, even saying that privacy maintenance is so fragile that anybody can easily hack into the system and learn the location of a person who is sick in this country.

On October 22, Das took to Twitter to allege that the app was “not keeping your data safe as it should have. Government of India has not followed its own Aarogya Setu Protocol, 2020!” going on to claim that he had evidence of the same. Das' tweet came soon after a hearing conducted by the CIC where information officers from the MeitY admitted that the ministry had no information relating to the app's creation.

When quizzed over the origin of the app, the CIC noted that one of the ministry's CPIOs could provide no “plausible explanation except that the creation of the same involves inputs from NITI Ayog.” He was, reportedly, also not able to explain why the ministry did not have this information either. Calling the responses “extremely preposterous,” the CIC noted that Das had been correct in pointing out the concern over a breach of privacy over an app that has been downloaded by crores of Indians around the country.

On October 28, the MeitY issued a press release stating it was taking the necessary steps to comply with a CIC order that directed it to explain why penalties under Section 20 of the RTI Act should not be imposed on the ministry's CPIOs for “prima facie obstruction of information and providing an evasive reply.”

The Ministry also notes in the press statement that information over the app's creators can be found on GitHub, along with the app's source code. Oddly enough, the NIC had pointed to the contributor list on GitHub in response to another application filed by RTI Activist Aniket Gaurav on August 5. Why it didn't do the same for Das' RTI request remains a mystery that only the NIC can shed light on.

♦ What Does It Mean For Us?

  1. One thing that needs to be mentioned here is that other countries also launched apps to raise awareness of the pandemic, but theirs are open-source contact tracing apps. This means that anyone can test the app, understand how it processes data, explore its vulnerabilities, and test its security protocols. These apps are out in the open for judging and confirming their workability. But not Aarogya Setu.
  2. Beyond the legal loopholes there are technical loopholes as well. The unique digital identity in Aarogya Setu is a static number, which increases the probability of identity breaches. A better approach would be constantly changing digital identification keys, like those Google and Apple deploy in their joint contact tracing technology. Static identification numbers make individual privacy more vulnerable.
  3. Let us set the data security question aside for a moment and look at the reason this app was made: can it save us from the virus? First of all, it needs to be understood that when any app (government or private) constantly tracks your location in order to function, and you accepted this term when installing it, a breach of your privacy is already taking place. But even after violating privacy, can Aarogya Setu save a life? The answer, unfortunately, is NO. To function in its complete form, a self-assessment app first needs to be installed by a huge number of people (minimum 50 percent of the population). Even if that is done, questions were raised about its self-assessment service, where a person can easily claim to be uninfected or symptom-free by clicking an option on his/her mobile. The app takes that information as truth and shows that person a green signal, after which there is a huge risk of that person being outside without taking any precautions whatsoever. The app does not even give you a red signal if you are affected by the virus. Moreover, if a person who has the virus lives in the same building as you, the app will not be able to detect which one of you has the virus. This service became a massive problem because the majority of COVID patients are asymptomatic, which means they show barely any symptoms of the virus. Hence there is a higher chance that they will select the option “none of the above” under the question “are you experiencing any of these symptoms?”.
  4. Another question was raised about how long the app has to be kept on your phone. Will it be temporary? In the beginning, the answer was yes. But very quickly the terms changed and the answer became an unspecified period. After a point in time, the app even became compulsory to use: without it you would not be able to travel or go to a market, and it was even said to be mandatory in order to continue working at an office. On May 6th, 2020 the Noida Police even declared not having the app a punishable offense while you are in Noida. Cyber security activists raised objections, saying that India is neither the only country affected by the virus nor the only country to create an app to spread awareness of it, so why is it creating pressure to be active on an app that already has innumerable issues related to violation of privacy? Not to mention South Korea did not create any app to battle the pandemic and they successfully controlled the spread.
  5. A very possible reason behind this mandate to install and use the app is to create commercial access for the private sector. There is even a fear that, because of this unprotected data collection, the data could be sold to data brokers for commercial use. Keep in mind that this is the same Government that did sell our vehicle and DL data to the insurance companies for approximately Rs 3 million.
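
To make the static-versus-rotating identifier point in item 2 concrete, here is an added sketch (not code from Aarogya Setu, nor from Google or Apple) showing what a passive Bluetooth listener can link under each scheme, and how matching still works once a day's key is published. The HMAC-SHA256 derivation, the 15-minute interval, and all names and sample values are assumptions of this example, a simplified stand-in rather than the actual Google/Apple derivation.

```python
import hashlib
import hmac

ROTATION_SECONDS = 15 * 60  # assumed rotation interval for this sketch


def static_beacon(device_id: bytes, timestamp: int) -> bytes:
    """Static scheme: the same identifier is broadcast at every timestamp."""
    return device_id


def rotating_beacon(daily_key: bytes, timestamp: int) -> bytes:
    """Rotating scheme: HMAC(daily_key, interval number), truncated to 16 bytes."""
    interval = timestamp // ROTATION_SECONDS
    mac = hmac.new(daily_key, interval.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:16]


def linkable_groups(sightings):
    """What a passive listener can link: places where the same beacon was heard."""
    by_beacon = {}
    for place, beacon in sightings:
        by_beacon.setdefault(beacon, []).append(place)
    return [places for places in by_beacon.values() if len(places) > 1]


def exposure_match(published_key: bytes, heard: set, day_start: int) -> bool:
    """Local matching: re-derive a published day's beacons, compare with those heard."""
    derived = {rotating_beacon(published_key, day_start + i * ROTATION_SECONDS)
               for i in range(86400 // ROTATION_SECONDS)}
    return not derived.isdisjoint(heard)


# Constructed sample data: one device heard at three places, one hour apart.
DAY_START = 1_588_291_200  # 2020-05-01 00:00:00 UTC
ROUTE = [("home", DAY_START + 8 * 3600), ("market", DAY_START + 9 * 3600),
         ("office", DAY_START + 10 * 3600)]
DEVICE_ID = b"static-id-000001"  # hypothetical static identifier
DAILY_KEY = bytes(range(16))     # hypothetical per-day secret kept on the phone

STATIC_LOG = [(p, static_beacon(DEVICE_ID, t)) for p, t in ROUTE]
ROTATING_LOG = [(p, rotating_beacon(DAILY_KEY, t)) for p, t in ROUTE]

if __name__ == "__main__":
    print("static  :", linkable_groups(STATIC_LOG))    # whole route linked
    print("rotating:", linkable_groups(ROTATING_LOG))  # nothing linked
    heard = {beacon for _, beacon in ROTATING_LOG}
    print("match after key is published:", exposure_match(DAILY_KEY, heard, DAY_START))
```

With the static identifier the listener reconstructs the whole route from three sightings; with rotating identifiers the sightings stay unlinked until the device owner chooses to publish that day's key.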

Lastly, to speak the truth as it is, a huge violation of privacy has already taken place in front of our eyes. Besides raising questions on data security, it goes much deeper, even calling into question our country’s infrastructure when it comes to advanced technologies, and the fact that people with barely any knowledge of data security have access to the internet 24*7. Perhaps the only way out of this is to question the government, in the hope that the data collected will not be misused for tracking and surveillance and that the government will be liable if it is.
