Aarogya Setu Technology, User Privacy under Criticism; MIT Cuts the App's Rating to Lowest Level
The Aarogya Setu app, which was being enforced by Indian authorities until recently, is facing tough scrutiny and falling short. First, it was revealed that the exposure notifications system (or contact tracing technology) developed by two giants, Apple and Google, cannot be used by Aarogya Setu due to differences over location tracking. Now, researchers at the prestigious Massachusetts Institute of Technology (MIT) have downgraded Aarogya Setu's rating to just 1 on a scale of 5 over the app's failure to minimise data collection, says a report by the Times of India.
According to the description provided by Aarogya Setu on Google play store, "the app tracks, through a Bluetooth and GPS generated social graph, your interaction with someone who could have tested COVID-19 positive."
On the other hand, the exposure notifications system developed by Apple and Google uses only Bluetooth for contact tracing. This contact tracing application program interface (API) shared by Apple and Google have rules that require user consent and prohibits location tracking.
However, Brad Smith, president of Microsoft, has raised questions over whether Bluetooth-based contact tracing technology can be adopted on a broad and meaningful scale worldwide. In an interaction with MIT Computer Science and Artificial Intelligence Laboratory director Daniela Rus, Mr Smith expressed scepticism about this technology being adopted on a meaningful scale.
"Not everyone is going to walk around with an app on their phone. I think we should recognise that it is a tool, and not a panacea," Mr Smith was quoted as saying in the virtual discussion.
Aarogya Setu requires the user to switch on her Bluetooth and GPS and keep location sharing always ‘on’. "You will be alerted if someone you have come in close proximity of, even unknowingly, tests COVID-19 positive. The app alerts are accompanied by instructions on how to self-isolate and what to do in case you develop symptoms that may need help and support."
The exposure notifications system developed by Apple and Google relies only on Bluetooth. "Our exposure notifications technology is available to public health agencies on both iOS and Android. What we have built is not an app — rather public health agencies will incorporate the API into their own apps that people install," said Apple and Google.
In this API, each user gets to decide whether or not to opt-in to exposure notifications and the system does not collect or use location from the device.
"If a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps," the companies have said.
According to Tim Cook, chief executive of Apple, the exposure notification API they have created with Google is available to help public health agencies.
While both Apple and Google have launched the API that uses Bluetooth, Microsoft has a different view on the technology.
Some international experts have also raised questions on the use of Bluetooth technology in tracing apps. According to Jason Bay, the product lead for TraceTogether, the world’s first nationwide Bluetooth contact tracing system, false positives and false negatives have real-life (and death) consequences as there are lives at stake.
"If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, No. Not now and, even with the benefit of artificial intelligence (AI) or machine learning (ML) and — God forbid — blockchain?? (throw whatever buzzword you want), not for the foreseeable future," he says in a blog post.
Aarogya Setu claims to use both Bluetooth and GPS for contact tracings. For this, the user needs to keep both Bluetooth and GPS on her mobile handset in always on position. This is possible on Android-run mobile phones. But Apple iPhones have their own protocol, especially on allowing an app to use certain features unconditionally.
For example, if an app that uses Bluetooth needs to be running in foreground all the time. Even developers of TraceTogether app that supports Singapore’s efforts to mitigate the spread of COVID-19 through community-driven contact tracing, have pointed out this issue.
"While in the suspended state, your app is unable to perform Bluetooth-related tasks, nor is it aware of any Bluetooth-related events until it resumes to the foreground."
Coming back to Aarogya Setu contact tracing, the app seeks several permissions including GPS and network-based precise location. It also needs the user to keep location sharing in 'always on' mode. This violates privacy of the user and expose her location details to others.
MIT in its technology review
says, "Many countries are developing limited services that use Bluetooth or GPS to give 'exposure notifications' to people who have interacted with someone found to have COVID-19. India’s app, though, is a massive all-in-one undertaking that far exceeds what most other countries are building. It tracks Bluetooth contact events and location—as many other apps do—but also gives each user a color-coded badge showing infection risk. And on top of this, Aarogya Setu (which means “a bridge to health” in Hindi) also offers access to telemedicine, an e-pharmacy, and diagnostic services. It’s whitelisted by all Indian telecom companies, so using it does not count against mobile data limits."
"What the app lacks also sets it apart. India has no national data privacy law, and it’s not clear who has access to data from the app and in what situations.
"There are no strong, transparent policy or design limitations on accessing or using the data at this point. The list of developers, largely made up of private-sector volunteers, is not entirely public," the review says.
The massive data collection without any privacy concern is what seems to have made MIT to downgrade its rating to 1 out of 5 for Aarogya Setu app.
"It is a well-practiced tactic in India, where 'voluntary mandatory' technology has a history of being used as a gatekeeper to certain important rights," the MIT technology review sums it up.
The recent guidelines released by India's ministry of home affairs (MHA) for the Lockdown 4 had removed the word 'mandatory' for Aarogya Setu app.
However, in between other ministries like the civil aviation and Indian Railways are trying to enforce the app on travellers.
Hope all these authorities are listening to technical experts and follow an advice given by Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet and Society at Harvard University. He says, "The idea that contact tracing can be done with an app, and not human health professionals, is just plain dumb."