India’s contact tracing app raises questions on data freedoms
- Aarogya Setu, India’s coronavirus contact tracing app, raises multiple concerns around transparency, privacy, and governance
It might even seem like we have been willingly giving away our right to withhold personal information for years now (who has read the full Google terms of service?). We prioritize convenience and accessibility to better services over data privacy, every time we click “I accept”.
The public could be forgiven for having the above opinion, especially in 2020 when the global health crisis necessitated the existence of contact tracing solutions. Concerns about data privacy seemed less pressing than the need to identify infection patterns, and governments began cooperating with service providers to produce mobile apps that collect location and other tracing data.
Luckily, technology has evolved to a stage where digital tools are positively impacting virtually every aspect of the healthcare value chain. The Bain Front Line of Healthcare Asia-Pacific Survey found that medical professionals expect to use more digital solutions like telemedicine and AI-driven remote patient monitoring over the next five years, but that COVID-19 has pushed forward the adoption of such tools.
While contact tracing apps could be seen as an extension of these critical services during a contagious crisis, questions around the user data collected abound. India’s contact tracing app, Aarogya Setu, has drawn attention for having a cloudy origin, but it has been downloaded 127.6 million times since being launched in early April.
While some countries passed emergency laws to allow the mass collection of data, India does not have data privacy laws that comprehensively cover the scale of permissions that Aarogya Setu covers. The app collects “demographic” data including age, gender, phone number, and travel history, which is stored on the app’s central server.
Controversially, Aarogya Setu also collects users’ GPS coordinates every thirty minutes and continuously accesses Bluetooth data about nearby users, and stores this data in an encrypted form on users’ phones. Persons found to be at risk can have 30 days’ worth of their contact data uploaded to a centralized server.
As generalized cluster data is sufficient to identify trends for other contact tracing apps, many have wondered why Aarogya Setu needs to have such broad access to their users’ data. Personal data compiled through Aarogya Setu can be shared with Indian government ministries, public health institutions, and – after anonymization– universities and research institutions.
But there is no restriction on private companies or other organizations getting ahold of that data if they can make a case that they need it for research. In a similar loophole, Aarogya Setu is not mandatory to install, but certain residences, air and rail travel, and even certain courthouses require the app to permit entry.
Following some backlash from the public, the Indian government has made some revisions to increase transparency and to narrow down the ways the data can be accessed, even in an anonymized form. The government also released the app’s source code, so the public could confirm what the data is being used for – but some are saying the released code on Github is not the version that is being used now.
Finally, users can delete the app off their device. But it is still unclear if this will permanently delete all data off the government’s servers, or would users have to make a special application to delete their data, like what TikTok requires from users who want to permanently destroy personal data within that platform.
As of Monday, India has the second-highest active coronavirus rate, with over 90,000 new cases. While contact tracing is an active concern, should it take a backseat to data privacy considerations?
When questioned about the use of GPS in Aarogya Setu, the secretary of India’s Ministry of Electronics & Information Technology, Ajay Prakash Sawhney said, “Here (in India), you are dealing with a nation which is as vast as a continent. It is more like the size of Europe, but unlike the countries in that continent, you don’t have as many smartphones and hence, you can’t completely rely completely on smartphones. You have to rely on GPS….”
“Now, when a person is capable of infecting 50 others, will you think about the privacy of the person or about protecting the lives of the people? So, we have to balance everything.”
- Digitally Enabled Real Estate Starts With Simplifying Your Networks
- Grab will not replicate Shopee’s mass layoff amidst a weaker economy
- Nvidia: China remains a significant opportunity despite US ban
- Data management and AI adoption is critical in achieving enterprise success
- Are Uber, Rockstar and Optus facing the same cybersecurity challenges?