Countries such as China and South Korea stand on the extreme end of coronavirus tech surveillance. Somewhere in the middle, we have countries such as India, trying to force their citizens to download an app by the name of “Aarogya Setu”, wherein everybody has to provide their personal details – including their gender, travel history, and location data, and more.
Residents of India are now being slowly mandated to download this app on their smartphones; getting out of homes without having this app installed in a major metropolitan city in India can result in harsh punishments such as jail time.
Currently, all government employees are to install this app without fail.
Simply put, the “Aarogya Setu” app, developed by India’s Ministry of Electronics and Information Technology (“MEITy”), requires users to give access to their location – after which it also uses Bluetooth to monitor whether registered users have come in proximity to infected individuals.
Indian non-profit organizations such as SFLC.IN have extensively discussed the concerns of the “Aarogya Setu” app. The organization, in a coalition with other organizations and professionals, has jointly sent a letter to the Indian government on how the app was potentially invasive and what measures were to be enforced around it.
Here’s what Prasanth Sugathan, the Voluntary Legal Director of SFLC.in, said: “Central and State Governments are taking various steps like publishing information of patients and persons under quarantine and are coming out with apps that collect and process personal information. Although this is an extraordinary situation, care should be taken to ensure that the personal information of individuals are handled securely and with due care respecting their privacy rights. Any measure adopted for public health purpose should be the least intrusive and should not violate the privacy rights of individuals. Publishing of route maps and contact tracing should be done without publishing the personal details of patients.”
It is also worth noting that there is no concrete law in India around personal data collection, making the download and registration on the app even more concerning. With no laws in place, the scope for theft and misuse of personal data of registered users is sky high. While the Indian government proclaimed that the app cannot be hacked at all, there have been instances where techies have successfully managed to hack and break the app.
Yesterday, we reported how one Indian city was revealing coronavirus patients’ names and addresses on Google Maps.
A Bangalore-based Indian software engineer, known as Jay, managed to hack into the app within four hours and bypass all the information asked on the app.
Jay said that he wasn’t fond of the idea that downloading and registering on the app was slowly becoming mandatory across the country. As of now, people wanting to travel in the special train services that have recently reopened in the country, are also mandated to download and register on the app.
“I didn’t like the fact that installing this app is slowly becoming mandatory in India,” said Jay, who requested a pseudonym to speak freely. “So I kept thinking of what I could personally do to avoid putting it on my phone.”
Among the various concerns around the app, the two main issues include the fact that it’s not open source and its concerning privacy policy. The Indian government has embraced open-source software for several public applications it has developed and released. However, the Aarogya Setu app isn’t. Nonprofits such as SFLC argue that open-source developed applications result in better transparency and help users understand how their data is being used, transferred, and stored.
Moving on to the privacy policy of the app, here’s what an excerpt taken from clause 2 (a) reads:
“Any personal information uploaded to the cloud will only be used for the purpose of informing you, or those you have come in contact with, of possible infection. Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.”
Based on this, it becomes clear that the Indian government can share people’s sensitive data with any “necessary and relevant persons,” but doesn’t define who they could be.
Ironically, another clause in the Terms of Service of the app says that the Aarogya Setu application must not be reverse-engineered. Cybersecurity professionals commonly reverse engineer applications to find out their workings and it’s only through reverse-engineering the app can researchers find out if it’s safe and keeping data private.
Furthermore, the country’s own laws provide no objection to reverse engineering applications, which cannot be simply nullified by the Terms of Service of “Aarogya Setu”.
By and by, organizations and tech-savvy individuals are voicing out their concerns with the app and how personal data cannot be given away without a robust application with strict security considerations in place.
Be it China or India, every nation across the world is now forcing its people to disclose their private information and is implementing full-blown tech surveillance, all thanks to the pandemic.