MIT Technology Review maintained a database, and its reviews raise major concerns over data security on the Aarogya Setu app.
MIT's review found that the Aarogya Setu app poses serious and considerable risks to user privacy in comparison to several other apps used in other countries to combat Covid-19.
In addition, several other apps used in China and Turkey for a similar purpose pose an even greater risk to user privacy than the Aarogya Setu app. This app has already been made mandatory in some places across the country (for example, in Noida).
The central government launched the Aarogya Setu app for pan-India use on April 2. The app is available in 11 languages and is intended as the main contact tracing technology to combat Covid-19.
This app has been developed by the National Informatics Centre under the Ministry of Electronics & Information Technology.
Right after Prime Minister Narendra Modi urged the nation to download and use this app, it became one of the most downloaded apps globally.
The app now even has options like donating to the Prime Minister’s Citizen Assistance and Relief in Emergency Situations Fund or PM CARES fund and hosting e-passes for essential services providers.
Working of the Aarogya Setu app
This app keeps track of the other Aarogya Setu users a person came in contact with, and alerts the person if any of those contacts tests positive for COVID-19. The phone's Bluetooth and GPS capabilities are used to make this process possible.
It keeps a record of all fellow users detected nearby using Bluetooth, and also a GPS log of all the places the device has been, taken at 15-minute intervals. All such records are stored on the phone until a user tests positive or declares symptoms of COVID-19 in the app's self-assessment survey. In that case, the records are uploaded to the server.
Users are given a color code of either green or yellow based on their answers to the self-assessment. Data of users with a yellow marking is uploaded to the server, while the data of users in the green category is retained in the app, as they are in the much lower risk group.
The app requires some personal information to be entered, such as name, gender, age, contact number, current location, and travel history. All this information is uploaded to the government servers. A unique digital identity is generated for every user.
Major concerns associated with the Aarogya Setu app
According to many, this app exists in the privacy law vacuum that prevails in India, as there is no legislation that specifies in detail how the online privacy of users is to be protected.
- The concerns are not just legal: several technical flaws and loopholes have also been pointed out in the Aarogya Setu app. These include the unique digital identity being a static number, which increases the chances of identity breaches.
- Constantly changing digital identification keys, like those Google and Apple deploy in their joint contact tracing technology, have been suggested instead.
- The abundance of data collected and the use of both Bluetooth and GPS reference points have been claimed to be overkill.
- As there is no transparency on the inner workings of the app and no documentation on it is publicly available, it has been referred to as something of a black box by the Internet Freedom Foundation and the Software Freedom Law Center.
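To make the static-versus-rotating identifier concern concrete, here is an added sketch (not code from the Aarogya Setu app, and not the actual Google/Apple specification) comparing how many sightings a passive Bluetooth listener can tie to one identifier under each scheme. The HMAC-SHA256 derivation, the 15-minute rotation period, the function names and all keys are assumptions constructed for illustration.

```python
import hashlib
import hmac

INTERVAL = 15 * 60  # assumed rotation period in seconds (constructed for this sketch)

def static_beacon(device_id: bytes, t: int) -> bytes:
    """Static scheme: the same identifier is broadcast at every time t."""
    return device_id

def rotating_beacon(daily_key: bytes, t: int) -> bytes:
    """Rotating scheme: identifier derived from a secret key and the interval number."""
    interval = (t // INTERVAL).to_bytes(8, "big")
    return hmac.new(daily_key, interval, hashlib.sha256).digest()[:16]

def max_linkable(beacons) -> int:
    """Largest number of sightings a passive listener can tie to one identifier."""
    counts = {}
    for b in beacons:
        counts[b] = counts.get(b, 0) + 1
    return max(counts.values())

def exposed(heard, published_key: bytes, day_start: int) -> bool:
    """On-device matching: re-derive a diagnosed user's identifiers for one day
    from the key they published and compare with what this phone heard."""
    derived = {rotating_beacon(published_key, day_start + i * INTERVAL)
               for i in range(24 * 3600 // INTERVAL)}
    return not derived.isdisjoint(heard)

# Constructed sample data: one device observed every 15 minutes for 4 hours.
DEVICE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")
DAILY_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))
TIMES = [i * INTERVAL for i in range(16)]

STATIC_LOG = [static_beacon(DEVICE_ID, t) for t in TIMES]
ROTATING_LOG = [rotating_beacon(DAILY_KEY, t) for t in TIMES]

if __name__ == "__main__":
    print("static: sightings linked to one ID =", max_linkable(STATIC_LOG))
    print("rotating: sightings linked to one ID =", max_linkable(ROTATING_LOG))
    print("match with published key:", exposed(set(ROTATING_LOG[:3]), DAILY_KEY, 0))
    print("match with unrelated key:", exposed(set(ROTATING_LOG[:3]), OTHER_KEY, 0))
```

With a static number every sighting links to the same person, while with rotating identifiers exposure matching still works but only after the diagnosed user chooses to publish their key.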
Hackers indicating flaws
The App has claimed that there is no risk to any personal information.
Ethical hacker Robert Baptiste claimed on May 6 that this app has some major security flaws. He alleged that he could see that five people at the Prime Minister’s Office (PMO) and two people at the Indian Army headquarters were unwell.
“A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?”, he tweeted tagging the official account of Aarogya Setu on May 5.