Aarogya Setu: Could it be better?

How effective is the current implementation of this app and the policies around it? Here is an analysis of the application

Update: 2020-04-19 09:33 GMT
Aarogya Setu app appeared to force its users into granting all of the permissions being asked by the app, at the time of user registration.

The Government of India recently launched the Aarogya Setu app, which intends to track the spread of the COVID-19 virus in India. The app can help the Government identify and track people who may already have contracted the virus, as well as those who may have come into close contact with affected patients.

It can potentially help identify individuals who are vulnerable and likely to get infected soon. Identifying the locations that need immediate attention and special care seems to be the goal, and reducing the risk by identifying the vectors of infection seems to be the approach. The intentions of the Government behind launching the Aarogya Setu app are good. However, how effective is the current implementation of this app and the policies around it? An analysis of the application can provide some answers.

A first glance at the app shows that it lets users register by providing a valid mobile phone number and asks for access to location data through app permissions. Once that is granted, a second prompt appears (the standard Android Bluetooth discoverability request) asking to make the phone visible to other devices for 120 seconds. Apart from these actions, everything else appears to be static and optional. Static pages display standard information about the COVID-19 virus and steps to prevent its spread. The app showed some interest in the user's personal details, but primarily it was interested in the user's phone number and was very particular about obtaining permission to perform certain tasks on the user's device.

For a first-time user it might be difficult to understand how the app is supposed to accurately identify a vulnerable person, under what circumstances it would notify the authorities, and how often it would share the user's data with the concerned authority. It is unusual for an app to disable the "back" button, especially on a screen that is asking for the user's permissions.

The Aarogya Setu app appeared to force its users into granting all of the permissions asked for by the app at the time of user registration.

The optional form that asked users to enter their personal details disappeared once the data was submitted successfully. There was no way for users to edit, delete, or even view this data afterwards; at least, the app did not offer any such option. Given this, it was hard to tell how the correctness of the data entered by a user was being validated, either in the app or on the server. If validating the user-entered details was not possible, then what was the purpose of collecting them?

The Privacy Policy and Terms of Service documents do not help much in understanding the exact functionality of the app, either. Most of the statements are too vague, grammatically incorrect or confusing. In short, the privacy policy says that the app collects anonymous data that could be stored and used in different forms and in different ways by different people at different times. The retention policy talks about purging data stored on users' mobile devices, but it says nothing about when, and under what circumstances, the data stored on the cloud servers would be deleted.

A static analysis of the Aarogya Setu app using MobSF and the Android Studio APK Analyzer revealed some interesting details about the app and its internals. The permissions declared in its manifest show that the app has full control over Bluetooth: with the Bluetooth admin permission (BLUETOOTH_ADMIN) it can initiate Bluetooth device discovery, change the device's Bluetooth name, make the device discoverable and pair or connect with nearby Bluetooth devices. Asking for the Bluetooth admin permission is not usual behaviour for ordinary apps, and it immediately raises the question of why it is needed. It may well be required by the tasks the app performs to track the spread of COVID-19 infection, since proximity detection over Bluetooth needs discovery or scanning. But it comes back to the same question. If we are all in it together, fighting for a common cause against a common problem, then why is it difficult to tell everyone what tasks the app intends to perform and what exactly is done with the user's data once it leaves the user's device?
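The manifest part of that review can be automated. The script below is an added example, not code from the article or from the Aarogya Setu project: it parses a decoded AndroidManifest.xml (the form that apktool d app.apk writes out, and the same data MobSF reports under "Permissions"), lists every declared permission, flags the ones a reviewer should ask about, and lists components explicitly exported to other apps. The embedded manifest is constructed for illustration and is not the real app's manifest, and the permission watchlist is this example's own assumption, not an Android or MobSF list.

```python
import json
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # android:name attribute
EXPORTED = "{%s}exported" % ANDROID_NS  # android:exported attribute

# Watchlist assumed for this example: permissions that ordinary apps rarely
# need and that a reviewer should ask the developer to justify.
SENSITIVE_PERMISSIONS = {
    "android.permission.BLUETOOTH_ADMIN":
        "start discovery, make the device discoverable, rename it, initiate pairing",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.READ_PHONE_STATE": "phone identity (number, IMEI on older Android)",
    "android.permission.READ_CONTACTS": "address book",
}

# Constructed sample manifest, shaped like the decoded output of `apktool d`.
# This is NOT the Aarogya Setu manifest; package and class names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application>
        <activity android:name=".MainActivity"/>
        <receiver android:name=".BootReceiver" android:exported="true"/>
        <service android:name=".BleScanService"/>
    </application>
</manifest>
"""


def list_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)]


def flag_sensitive(permissions):
    """Map each declared permission on the watchlist to the reason it matters."""
    return {p: SENSITIVE_PERMISSIONS[p] for p in permissions if p in SENSITIVE_PERMISSIONS}


def exported_components(manifest_xml):
    """Components marked android:exported="true" can be invoked by other apps.
    Only explicit exports are reported; intent-filter implied exports are not."""
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            if el.get(EXPORTED) == "true":
                found.append((tag, el.get(NAME)))
    return found


def review(manifest_xml):
    """One-shot review result for a decoded manifest."""
    perms = list_permissions(manifest_xml)
    return {
        "permissions": perms,
        "flagged": flag_sensitive(perms),
        "exported": exported_components(manifest_xml),
    }


if __name__ == "__main__":
    # Usage: python manifest_review.py path/to/decoded/AndroidManifest.xml
    # Without an argument the constructed sample manifest is reviewed.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(review(text), indent=2))
```

Two caveats when reading the output. Declared permissions are an upper bound on what the code can do, not proof that every one is exercised; confirming use means following the call sites in the decompiled code, which is where MobSF's API-usage view helps. And BLUETOOTH_ADMIN is a "normal" protection-level permission, so Android grants it at install time without any runtime prompt; the only prompts a user ever sees are for the "dangerous" ones such as location, which is why a permission list from the manifest tells you more than watching the registration screen does.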

Privacy-preserving protocols for community-driven contact tracing across borders

A recent whitepaper, titled BlueTrace: A privacy-preserving protocol for community-driven contact tracing across borders, discusses possible challenges with purely decentralised contact tracing systems. It considers the situation in which individuals could falsely declare themselves as infected, causing unnecessary anxiety and panic among other users and eroding trust in the system. The section titled "Human-in-the-loop vs Human-out-of-the-loop" cautions against over-reliance on technology and suggests that contact tracing should remain a human-fronted process. It says:

“Since Bluetooth-based contact tracing solutions do not, by themselves, record location/environment data, this information needs to be obtained through other means — a human-led contact tracing interview”

Two days ago, the source code of the TraceTogether contact tracing app was open sourced.

Can we see the immediate effect of this act? Nothing is hidden any more from the people who are willing to use the app. In fact, this act alone could encourage more people to download the TraceTogether app, feed correct data into the system, and improve the overall accuracy of the process.

BlueTrace is not the only contact-tracing protocol in existence. There are others, such as PACT (Private Automated Contact Tracing), which takes a decentralised approach to using smartphones for contact tracing, and Google's Bluetooth contact tracing system, which claims to follow a privacy-preserving Bluetooth protocol to support contact tracing.

It would be a good idea to study the existing protocols, borrow their strengths and learn from their experience, so that our own contact tracing system does its job efficiently without violating its users' privacy.


The Afterthought

Given the vagueness and incompleteness of the statements in the privacy policy of the Aarogya Setu app, the current privacy policy document does little to gain the trust of the people who are expected to use the app. Rather, it instils a fear of the unknown and breeds distrust about the intentions of the app. The privacy policy needs to be expanded and its quality needs a major improvement. It definitely needs review and input from experts in the field.

Doubts, fear and distaste arise in the absence of information. People should not be asked to believe that something is good just because someone says so. We need to create trust. We need to share our knowledge and vision with each other. There is a need for open conversation, and a need for accountability and cooperation. Those in power need to gain the trust of the general public by taking concrete steps, with mutual agreement and informed discussion.

There’s no way forward without trust and respect for each other’s work. We have to believe that India is not just a group of millions of people waiting to be told what to do without giving it a second thought. We have to allow our enthusiastic brains to tick and come up with practical solutions.

We are known for standing together in times of adversity. There is a crisis going on right now. Let's not focus on creating more uncertainty; let's create room for innovation instead. How about we start by open sourcing the Aarogya Setu app? How about spending some effort on creating high-quality, detailed documentation of the app's intended usage and of the lifecycle of the personal details collected from its users?
