The Indian government states that most of the user’s personal data and location is ultimately deleted, but critics say the lack of Indian data protection laws makes millions of people potentially violate privacy. They also worried that private information could be sold by the government to private companies, or even be used for surveillance outside Covid-19 concerns.

Millions of users

The Aarogya Setu application was developed by the National Informatics Center, an ICT and e-governance body under the Ministry of Electronics and Information Technology, in collaboration with voluntary technical experts from the private industry and academia.

Unlike many other countries’ contact tracking applications, Aarogya Setu uses Bluetooth and GPS location data to monitor the user’s application movements and proximity to others.

Users are asked to enter their name, telephone number, age, gender, profession, and country that they have visited in the past 30 days, as well as their previous health condition and self-assessment of Covid-19 related symptoms.

A unique digital ID (DID) is generated for each user, which is used for all future application-related transactions. Through GPS, the application records the location of each user every 15 minutes.

When two registered users come within Bluetooth range of each other, their application automatically exchanges DiD and records time and location. If one of the users tests positive for Covid-19, the information is uploaded from their mobile to the Indian government server and used for contact tracing.

On June 1, Aarogya Setu identified 200,000 people at risk and 3,500 Covid-19 hotspots, according to leading developer Lalitesh Katragadda, founder of Indihood, a private company that builds population-scale crowdsourcing platforms, and one of the voluntary private industries working with government agencies in the app.

“We have an efficacy rate of 24%, that is, 24% of all people who are estimated to have Covid-19 because the application was stated positive,” Katragadda said. This means that only about 1 in 4 people are suggested by the application to get a truly positive test.

Subhashis Bannerjee, professor of computer science and engineering at the Indian Institute of Technology, New Delhi, said the combination of Bluetooth and GPS locations is likely to return higher levels of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth exaggerates risks in large open spaces, across walls and floors, which radio waves can penetrate but viruses cannot.

Government protection

The Government of India states that adequate privacy and protection parameters have been established to ensure permanent erasure of application data.

“All contact tracking and location data on the mobile phone are deleted in the rolling 30 day cycle. The same data on the server is deleted 45 days from the upload unless you test positive. In this case all contact tracing and location information is deleted after 60 days after being declared cured,” said Abhishek Singh, CEO of MyGov in the Indian IT ministry.

“There is no way to check and verify whether total data destruction has occurred and if a third party sharing the data has also destroyed it,” said Apar Gupta, a lawyer and executive director of the IFF.

Responding to the call for further transparency, the Indian government opened the application source code on May 27 and announced a bug program to provide incentives for software experts to find security vulnerabilities in applications, to correct errors, if any.

On June 1, Singh from MyGov, said the government plans to release server code in a few weeks.

However, Katragadda said that even with server code, access to information about data sharing would be limited.

“It will never be possible to see exactly who the data is being shared with because for that we have to open up the sources of the entire government,” he said.

There are no data protection laws

The Personal Data Protection Bill imposes limits on how occupants’ personal data are used, processed and stored. If passed, the bill will also form a new oversight body – the Data Protection Authority (DPA) – to monitor compliance. Critics say the bill is flawed for a number of reasons, including that the law allows the government to free its departments from laws based on national security.

But at present, there is some protection for data in India.

“There is no legislative framework which means there is no official level of accountability. So, if there is a data accident, there will be no penalty, there will be no protection,” Gupta said.

“India has made a strategy to sell citizen data and thus make it a commodity by claiming ownership of Indian personal data, which is contrary to Indian people’s fundamental rights to privacy,” said Kodali, a public interest technology expert.

Last year, the Modi government sold vehicle registration and driver’s license data to 87 private companies for 65 rupees crore (around $ 8.7 million) without the residents’ consent. This caused a reaction with the opposition party to question the government’s motives and selling prices in parliament.

Despite government guarantees that all Aarogya Setu data will be deleted, Katragadda told CNN Business that some information from the application will be automatically transferred to the National Health Stack (NHS). NHS is a cloud-based health registrar, which is currently being developed, which will include a citizen health history, insurance coverage and claims.

“Any residual data from the Aarogya Setu application will automatically move to National Health Stack in the approval architecture, as soon as the health stack starts to take effect,” Katragadda said.

Residual data means any data that still exists on government servers when the NHS becomes active. That includes location, health, and personal data that has been downloaded to the server but has not been deleted within the timeframe set by the government, Katragadda said.

No date has been set yet for the NHS release, but Gupta from the IFF is worried, again, that there is no legal framework to protect data.

“Although it is repeatedly stated that consent will be the basis of information sharing, it is important to note that in both the Aarogya Setu and NHS applications, approval is incorporated into architecture which is a technical framework rather than a clear legal source of authority.”

Ticket to move

Like other countries that have introduced contact tracking applications, India says this technology is very important to stop the spread of the virus. On June 22, the country confirmed more than 410,000 cases and 13,254 deaths.

Citizens and activists also fear the creep function of the application, which means that information obtained through the application can be linked to other services.

“In the past we have seen that technological interventions by the government such as the Aadhar program, which were originally built to ensure that everyone has a digital identity, have become a pervasive system,” Gupta said.

“Originally built for the purpose of accessing government benefits and subsidies, it was immediately mandated to open a bank account, availing mobile numbers and continue your business.”

However, in 2018 a journalist discovered a security breach that revealed citizens’ personal details. The government introduced new security measures, but the scandal eroded confidence in its ability to keep data safe.

Before reducing its mandatory download orders, India is the only democratic country that requires millions of citizens to download applications. The only other countries that apply similar rules are Turkey and China. Activists say that’s just a concern.

“In terms of technology and public use, the largest democracy in the world draws from the Chinese handbook – using national security or public health crises to build digital models for collecting, monitoring and monitoring digital data,” said Vidushi Marda, a lawyer working on new technology and human rights.

“I would say this kind of complex technical architecture does not occur collectively in India, but there is a danger that they will be built through platforms such as National Health Stack,” Gupta said.