NewsClick 8 Jun 2020

Aarogya setu: The bridge to nowhere 

by Subhash Rai

‘If technology has to help in the contact tracing process, the onus lies with governments to convince the public to recognise its benefits, while enforcing the rights of its people at the same time.’

The pandemic is forcing us to make Faustian choices: your privacy or your life. It need not be that stark a choice. The people behind Aarogya Setu, India’s digital contact tracing technology (DCTT), have not made things easy in adopting or even rejecting the app. The all-too-familiar confusion, obfuscation and the cloak-and-dagger approach of this government has marred India’s attempt at an effective DCTT.

If contact tracing is a proven need to better manage an unlocked situation during a pandemic, and digital technology offers tantalising possibilities to make the otherwise difficult task easier and, maybe, even more effective, then answering the whys and hows that will get asked, will help get people on board easily.

Alongside making a hash out of a severe lockdown which has immiserated the population, the Government of India wants all Indians to install the Aarogya Setu smartphone mobile app. All those who install the app have to part with their age, sex, phone number and profession, along with their geolocation, while installing the app. Sounds innocuous, but not quite.

Even if a “benevolent” and “benign” Indian state has no intention to surveil its harangued population, this “bridge of health” is a surveillance tool alright. With it, the government potentially knows who, where and what each Indian is up to. Prime Minister Narendra Modi has personally extolled the virtues of the Aarogya Setu app and appealed repeatedly to all Indians to install it soon. In a tweet, he said: “Aarogya Setu is an important step in our fight against COVID-19. By leveraging technology, it provides important information. As more and more people use it, its effectiveness will increase. I urge you all to download it.”

But here’s the crick. For DCTTs to be effective, according to a study titled ‘Effective Configurations of a Digital Contact Tracing App: A report to NHSX’, “use by 80% of smartphone owners, or 56% of the population overall, will be needed to suppress the epidemic.” With 401.74 million smartphone users in India, according to one forecast, out of a population of 1.3 billion, which way below even 50% of the population, DCTT as an option seems like a non-starter. But this hiccup notwithstanding, the Government of India launched the Aarogya Setu app in a public-private initiative, with the government’s National Informatics Centre being the primary developer.

If commercially popular apps do not have such high rates of uptake, it is quite unlikely that governments can get anywhere close to the kind of uptake to make it effective, even if it was mandatory. In fact, Singapore’s much-talked about app, TraceTogether, managed only about 20-25% uptake, compelling it to launch a more comprehensive process that that involves offline aspects as well. Since May 12, Singapore has used the SafeEntry approach.

The other other spanner in the works is the technology itself. It uses the phone’s Bluetooth technology to trace the existence of another Bluetooth-enabled device close by, apart from using the phone’s location feature as well. Casey Newton, writing for The Verge, shows why Bluetooth apps are bad at discovering new cases of COVID-19. Newton asked Farzad Mostashari, the CEO of a company that makes management software for physicians, why he thought Bluetooth was not great solution. Mostashari said: “If I am in the wide open, my Bluetooth and your Bluetooth might ping each other even if you’re much more than six feet away… You could be through the wall from me in an apartment, and it could ping that we’re having a proximity event. You could be on a different floor of the building and it could ping. You could be biking by me in the open air and it could ping.” Health workers involved in contact tracing using the Arogya Setu app would therefore be chasing a lot of false positives.

Nevertheless, this hasn’t deterred other countries from launching their own DCTTs too. Some have relied on the Apple and Google initiative, that integrated iOS and Android operating systems respectively to use DCTT, but which is less likely to make it possible to identify individuals, thus maintaining a higher degree of privacy. But post-Snowden and Cambridge Analytica, and the way Big Tech has behaved lately, people have been wary of trusting them.

Since it will be at the operating system level, the technology will work more efficiently in the background. Location pings are also not recorded by the apps. Apple and Google wanted data to be held only on the users’ devices without a central repository for data. But countries like the UK and France have said that this would prevent effective analysis.

At the heart of the discomfiture with DCTTs is privacy, but they also pose challenges at the legal level as well. With a raging pandemic underway, people may be willing to sacrifice their privacy, but it is incumbent on the government to reassure them on some of these counts. Consider, for instance, how long does one have to use the app? Of course, it depends on how long the pandemic lasts. What will the government do with the data that has been collected on the app after the pandemic? None of this is mentioned in the Terms of Service (ToS). Shouldn’t the ToS have a clause that states that the app will be used for a limited purpose and time and clearly mention the use of the data? The ToS of Aarogya Setu provides no such assurance, according to a reading by the Internet Freedom Foundation.

Despite the challenge for its uptake and doubts about the efficacy of the technology, this government of obscurantists’ eagerness to have citizens install the app can only be viewed with scepticism over its real purpose. Thus, even if the Ministry of Home Affairs has said that installing the app is not mandatory, the installing of the app has been surreptitiously foisted on people. The Gujarat government has made it essential for all government employees to install it, while Uttar Pradesh has made it mandatory for all people living in red zones. Airlines have made it mandatory to install the app during travel and private offices have been mandated to ensure that all employees download it. The Internet Democracy Project has an Aarogya Setu Tracker that keeps a close watch on all governments and institutions imposing the use of the app. Some courts too order the use of the app. For instance, the Delhi Court extended the interim bail of an undertrial and asked him to install Aarogya Setu on his phone.

The higher judiciary has not been willing to deal with the obvious privacy concerns that have been brought to its notice. Given the extraordinary situation, the courts might be disinclined to delve into the privacy concerns with the app, but the blasé approach of the government when faced with an ethical hacker’s entreaties to plug gaping holes in its data, must be a cause of worry. What lends greater credence to the real intentions of the government is how it has responded to demands to make the app an open-source project. On May 6, the well known ethical hacker, who goes by the name Elliot Anderson, proved that the app had serious data leaks. After reaching out to Anderson and fixing the problem, the babus could only think that all was well. To ward off growing unease over the security of the app, the best the government could do was when Union Minister Ravi Shankar Prasad, on May 29, declared that the app was completely secure and that there was no security or data breach. That did not dispel the public’s unease, especially since the government’s track record scope-creep remains dubious. The most obvious can be seen in the way Aadhaar has been foisted on the country.

There was more embarrassment in store. The government suddenly announced that it had “released” the source code of the app for people to look under the hood and see that the government had nothing to hide — supposedly an exercise in transparency. There were tweets by activists that it was a victory, only to discover that the code that was released was not the one one that was actively being developed by authorities, but a version of the code that cannot be used by the open source community.

More reason to suspect the real intention of the government.

Faced with a pandemic and looking at the data visualisations that convey humanity’s collective fear at how the novel coronavirus will be tamed, it might be required to jettison cynicism, but not the suspicion the people have towards governments trying to use DCTT. Contact Tracing is a laborious task as noted by WHO. If technology has to help in the contact tracing process, the onus lies with governments to convince the public to recognise its benefits, while enforcing the rights of its people at the same time.

A good place for the babus in the Home Ministry’s Empowered Group-9 to start, would be the Digital Contact Tracing for Pandemic Response Guidance by Johns Hopkins University. Another good step would be to use the expert technological expertise, available within the country, to develop and deploy an app that keeps the privacy and security of its citizens at the heart of its technology. A third and important step would be to find a solution for the safety and security of those who cannot afford smartphones and cannot benefit from a technology-led initiative.

Originally published in NewsClick.