The Pulse | Security | South Asia

Walking the Tightrope: Privacy Risks in India’s Contact Tracing App

Created to fight the spread of COVID-19, India’s contact tracing app raises all kinds of privacy concerns.

By Mohit Saini and Aakash Mehrotra for
This article is free

The Diplomat has removed paywall restrictions on our coverage of the COVID–19 crisis.

Walking the Tightrope: Privacy Risks in India’s Contact Tracing App
Credit: Pixabay

India’s Aarogya Setu app, created to fight the spread of coronavirus, has been criticized for various data and privacy risks. The government should make efforts to design a privacy-first app, otherwise there can be serious implications for the country’s 1.3 billion people. 

Many countries have launched contact tracing smartphone apps to help track and stop the spread of coronavirus and in order to relax lockdown restrictions. Around the world, governments are pushing this latest tool by making it either mandatory or voluntary, but strongly urged. More than 30 countries are working on such apps in the absence of any global standards. Interestingly, these solutions, which have certain limitations and privacy concerns, are yet to prove their actual effectiveness

Following this global trend, the government of India launched the Aarogya Setu app to use contact tracing technology to fight the spread of the coronavirus. However, the app came under suspicion when opposition leader Rahul Gandhi raised data security and privacy concerns in an early May tweet. Soon after, French ethical hacker Robert Baptiste raised the alarm, drawing the concerned departments into issuing a statement on the app’s security and data privacy. Experts in India have raised concerns over government overreach and privacy issues related to the app. A digital rights organization, the Internet Freedom Foundation, called the app a privacy minefield. With no standard guidelines, and weak regulatory frameworks on data protection and privacy, the app leaves one peering through the fog of uncertainty.

When any government holds sensitive data on its citizens, serious questions about security and privacy breaches, data vulnerabilities, data integrations, and even the dreaded profiling of citizens arise. In-depth data carry heavy price tags in consumer markets. 

Take South Korea for example. Its response to fight the pandemic without enforcing any lockdown has been widely praised. However, its use of a smartphone app raised serious privacy concerns. For example, texts sent by the authorities contained a lot of personal information, and these texts traced the movements of individuals who had tested positive.

The fundamental issues regarding India’s app are rooted in its privacy-lacking design. The app is hosted on a Google server and the app data is hosted by Amazon Web Services (AWS). Therefore, user data is not only in the hands of the government of India but private companies. Some fears arise due to unclear privacy policies of the app which does not specify which department or ministry will be using the app data. These concerns are further aggravated by the fact that information collected in the app, like smoking habits, name, mobile number, profession, and so on goes far beyond the data collected in other contact tracing apps.

The information available at present is not enough to know if the government will have exclusive access to the data. It is not specified if the data will only be used for pandemic purposes and how long it will be stored. 

The app uses location data via GPS trails in addition to Bluetooth. This deviates from privacy-focused global standards, which are restricted to Bluetooth-based technology. Singapore’s TraceTogether app only uses Bluetooth technology, recommended in the Massachusetts Institute of Technology (MIT) framework. This should be viewed in light of the fact that on May 4, Google and Apple, whose operating systems are installed on 99 percent of smartphones, decided to ban the use of GPS location data with contact tracing apps. Knowing the security issues, the Indian army directed its personnel not to use the mobile app in office premises, operation areas, and sensitive locations.

These concerns over the app point toward the lack of comprehensive regulations on data protection, and a weak legal environment to tackle the rising concerns on data privacy breaches in India. 

The app developers can take inspiration from countries like Singapore to design a privacy-first app for India’s 1.3 billion people. When the government is capturing the highly sensitive health data of citizens, they need to take into account the privacy concerns of those citizens and ensure that the app meets the highest standards of transparency and safety. India should make the app download voluntary and offer a choice to users to delete their data from all systems. The app should collect minimal data, as well as anonymize, encrypt, and aggregate it. 

The updated version of the app should avoid collecting unwanted data like name, mobile number, gender, profession, and smoking habits. Further, it should clearly define data retention rules. Limiting the duration of data retention, avoiding storage in a central server, and creating a provision to delete user data after a certain number of days are few important steps in this direction. 

Certainly, it is tricky to strike a balance between using technology to tackle health crises and safeguarding privacy. These are pertinent challenges every government faces, finding solutions to such questions, and maintaining the fine harmony between government monitoring and civil rights, is what defines democracy.

Mohit Saini is a master of International Affairs candidate at the Fletcher School, Tufts University. 

Aakash Mehrotra is a research professional focusing on financial inclusion in Asia and Africa.