
    ‘Aarogya Setu's not all that healthy for a person's privacy’

    Synopsis

    IFF raised concerns about information collection, purpose limitation, data storage, institutional divergence, and transparency and auditability. These concerns come amid affirmative claims by certain sections of the government and technology volunteer groups that the app was designed with a “privacy-by-design” approach.

    Bengaluru: Even as the government pushes for aggressive adoption of its contact-tracing app, Aarogya Setu, privacy-focused groups such as the Internet Freedom Foundation (IFF) are raising the alarm over its compliance with globally held privacy standards, while also recommending privacy prescriptions for these technology-based interventions.

    In a detailed report and analysis on contact-tracing apps, which ET has accessed and reviewed, the New Delhi-based IFF raised concerns about information collection, purpose limitation, data storage, institutional divergence, and transparency and auditability. These concerns come amid affirmative claims by certain sections of the government and technology volunteer groups that the app was designed with a “privacy-by-design” approach.

    For instance, the report observed that the app’s privacy policy “does not specify which departments or ministry or officials will be the ones accessing that data”, with “a lack of specificity adding to concerns of overreach”.

    Sidharth Deb, the IFF’s parliamentary and policy counsel and the author of the report, told ET, “In Singapore, for instance, the ministry of health has access to data of its contact-tracing app and decision-making powers, besides clearly stating its purpose of concentration towards disease control and spread. In India’s case, the disclosed purpose for the app is vague enough for the government to repurpose it or expand its scope.”

    Currently, there is no legal framework that governs the Aarogya Setu app, beyond the privacy policy and the terms of use.

    Sidharth Deb added, “The involvement of the health ministry is minimal or negligible, besides it being steered by other departments and institutions in the government. Even in the case of the Apple-Google announcement of its joint partnership, there is an intent to work with public health authorities who are steering the effort. Therefore, it certainly seems like there is a degree of institutional divergence when compared with international examples.”

    However, government sources said that the medical and health-related aspects of the app are “strictly in consultation with the Ministry of Health and Family Welfare,” while Meity largely focuses on the data aspect as the nodal department.

    Purpose limitation has become a key point of concern among civil society activists — that the app could be used beyond the purpose it was created for and evolve into a “permanent architecture” without clarity and limits. “It becomes problematic when there is collating of data on the central server, and once that gets entangled with other databases. We don’t know how long this pandemic will last, but once it is over, the data must be deleted,” added Deb, while alluding to the Singapore app, which “clearly specifies that it will not be used to enforce lockdowns and other such purposes.” There have been suggestions from certain sections of the government that the data must be deleted immediately once this pandemic is over.

    The report also raised concerns about Aarogya Setu’s use of location data via GPS trails (in addition to Bluetooth), which, it adds, deviates from “privacy-focused global standards” that are restricted to Bluetooth-based technology, which can match devices without revealing their exact location. Such technologies are used in the TraceTogether app (Singapore) and in the framework suggested by the Massachusetts Institute of Technology.

    “GPS trails are not reliable in indoor settings — in mass-transit situations like the metro etc. Bluetooth is preferred from a privacy-respecting perspective,” added Deb.

    The report added that there are also risks of misidentification (a false positive) if the device is switched or shared between people. It highlights how the use of algorithm-based predictive models to determine if an individual has tested positive deviates from how contact tracing usually works and has a material impact on people's civil liberties.

    There are also concerns about information collection that goes far beyond what is collected by the Singapore and MIT apps. While the government has repeatedly insisted that all the data collected by the app would reside locally on the device, it equally says that under certain conditions (exceptions) the information could be uploaded to a cloud server.


    28 Comments on this Story

    V.UDAYSHANKAR, 8 hours ago
    The government has the right to devise ways to control and manage such emergency situations the country is in. But nothing prevents it from making the below clear to eliminate suspicion and lingering doubts.
    # Which department and which teams with the position names in the department will only use.
    # that the shall not be used by any other departments and ministries and shall not be shared with any entity that profiles the data for any purpose other than the covid 19 use.
    # If someone opts not to use this app must carry Aadhaar card or voter card always when in public. How can govt assume that everyone has a mobile or has a mobile that is compatible for downloading apps, however minuscule such set of people may be. Some people may prefer for medical reasons not to carry use a mobile phone at all.
    A single statement that everyone must have this app is nothing but an authoritarian approach not grounded in reality.
    Vajji Satyanarayana, 10 days ago
    As of now, no ALTERNATIVE to help fight Covid-19 pandemic in India.
    ashish ashish, 16 days ago
    You can download Chinese apps and Chinese mobiles and preserve privacy
    The Economic Times