As the world and India battle the novel coronavirus pandemic, India has all but made it mandatory to download and use a mobile phone application called Aarogya Setu developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology.
According to new guidelines for the extended lockdown beyond May 3, use of Aarogya Setu is required for all employees, private and public, with the head of the organisation made responsible for ensuring 100% coverage among employees. Earlier in the week, all central government employees were asked to download the app and, beginning Friday, it has been made mandatory for everyone crossing the Delhi-Gurgaon border.
How does a mobile phone app help in the control of a viral epidemic?
The Indian government has adopted the strategy of aggressive and elaborate ‘contact tracing’ (along with testing) as the key to controlling the disease and restricting its spread.
Aarogya Setu is a contact tracing app that uses GPS coordinates and Bluetooth data to track the user’s location, both on their own, as well as relative to other users, to establish whether they have come physically close to someone suffering from COVID-19, and to make an assessment of their risk of infection.
Many countries are using mobile apps to track the spread and progress of the disease. South Korea and Singapore were the early starters. In South Korea, the app was rolled out by private developers; in Singapore, it was an initiative of the government.
The use of these apps has been credited with a significant extent for these countries’ success in flattening the disease curve. The outbreak in these countries began relatively early, but as of the end of April, South Korea had under 11,000 cases and 247 deaths, while Singapore had 15,000-odd cases and only 14 deaths. Their case fatality rate and deaths per 1 lakh population were very low — 2.3% and 0.48, and 0.1% and 0.25 respectively, according to data on the Johns Hopkins University pandemic tracking dashboard.
China has been using health apps to ward off a potential second wave of infection. Italy, which seems to have got over the worst of its crisis, is working on an app, and Germany has backed a joint Google-Apple initiative to build a contact tracing API. The same initiative is under discussion in France, amid disagreement over the amount of data to be collected.
In the UK, a Bluetooth-based contact tracing app is under testing. In Israel, the NSO group, which built the Pegasus surveillance software last year, has tested a contact tracing app, even though an initiative by the Israeli police to use mobile phone location to enforce quarantine measures has been blocked by Parliament over privacy concerns.
Several health experts have argued that a key tool at governments’ disposal to contain the COVID-19 outbreak, and which was not around during the 1918 Spanish Flu, is the ability to harness digital technologies to track the spread. At the same time, deployment of contact tracing apps by governments or public health authorities has added to the debate on online privacy and personal data protection.
While some of these apps have sought sweeping access to smartphone functionalities, others stop just short of that, collecting and uploading data without specifically obtaining the consent of users in every case.
So, which countries already have such apps, and what data do they collect?
There are private initiatives in several countries, but the main government-backed apps are, apart from India, in Poland, Singapore, Iceland, and Australia. Each of these apps requires a specific set of permissions from users, and have different policies on how they store, maintain and share data collected from users.
India’s Aarogya Setu seeks nine sets of permissions (in the chart, the entry on Bluetooth refers to two sets of permissions) — including for network-based location, GPS location, receiving data from the Internet, running at device start-up, and preventing the device from ‘sleeping’. The number of permissions sought by Aarogya Setu is higher than only Australia’s COVIDSafe app, which does not seek permission for network-based location or for receiving data from the Internet.
The reasons for seeking particular permissions range from the purpose and design of a certain app, to the data that the app’s developer intends to collect. For example, the “prevent device from sleeping” permission, which all apps analysed for this report (except Australia’s COVIDSafe) seek, is intended to ensure the app is able to keep the smartphone’s CPU awake to complete work.
Android devices are designed to fall asleep when idle, to prevent draining of the battery. But some apps need to work in the background, and for this, they seek permission to wake up the phone’s screen or CPU.
Again, given that Poland’s Home Quarantine app is meant to ensure those under quarantine stay that way, it periodically asks people to upload a selfie, which is geotagged. Upon failure by a user, police are notified. To make this effective, the app seeks access to camera and storage.
How exactly does Aarogya Setu work?
India’s official COVID-19 contact tracing app functions in the following manner:
When someone registers on the app, their name, phone number, age, sex, profession and the countries they visited in the last 30 days are collected, and stored on a server run by the Government of India. This is stored with a unique ID, which is used to identify the user in all subsequent app-related transactions. This digital ID is also associated with any information that may subsequently be uploaded.
At time of registration, the person’s location details are collected from the device, and uploaded to the server. For the app to do its job, users must keep the location and Bluetooth features switched on at all times.
When two registered users come within Bluetooth range of each other, typically less than 10 metres, the apps on their respective devices will automatically exchange the digital IDs and record the time and GPS location at which the contact took place.
This information collected at this point is stored locally on the devices. If one of these registered users tests positive for COVID-19, the information will be uploaded from their mobile device, and stored on the server.
What about questions of user privacy?
“We cannot access any contact data stored on a device, or share this with health officials, unless and until a COVIDSafe user consents to upload the data to the data store.” The COVIDSafe app is based on a source code from Singapore’s TraceTogether app, but differs from the original app in several ways.
Around the world, questions have also been raised about what happens to the data and the app itself once the pandemic recedes.
Policies of these apps have detailed clauses on deletion of data. Iceland’s Rakning C-19 app says phone numbers it stored will be deleted when the need for contact tracing is over, and all location data will be deleted from the database 14 days after uploading.
COVIDSafe gives an option to its users to request deletion of data held in its database; this is in addition to all contact data being automatically deleted after 21 days.
Aarogya Setu says that “all personal information collected. at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force”. It will, however, purge all data stored on the app that is not uploaded to the server after 30 days.
Singapore’s TraceTogether app says that on request, it will delete contact information and identifiers from its servers, thus rendering “meaningless all data that your phone has exchanged with other phones, because that data will no longer be associated with you”.
How many people are currently using Aarogya Setu?
The Android and iOS versions of the app have been downloaded more than 75 million times, according to official data.
While Aarogya Setu started off as a voluntary exercise to top the government’s efforts of containing the COVID-19 outbreak, it is gradually inching towards becoming one of the mainstays in the battle. The government has mandated all central government employees and officers to download the app. Only if they are marked “safe” or at “low-risk” by the app should they commute to work, the government order said.
This is in addition to several private companies asking employees to download the app as they prepare for lifting of the lockdown. It is possible that a ‘safe’ status on Aarogya Setu could become a formal or informal ‘permit’ to enter public buildings and spaces in the future.
There is one important point to consider regarding penetration of the app, however – which is directly linked to its effectiveness.
📣 Express Explained is now on Telegram. Click here to join our channel (@ieexplained) and stay updated with the latest
Officials from most of the governments rolling out these apps have pointed out that the key factor that will determine the success of these projects would be the rapid emergence of a critical mass of users. The apps, including Aarogya Setu, must have a penetration of at least 50%. This means that unless half the population of the country downloads the contact tracing app, the intended outcome will not be achieved.
While this is a reason for governments to aggressively push for downloads, critics have argued that this particular response to the pandemic opens out a vast space for intrusive surveillance by state agencies, threatening the privacy of large sections of their users.
The critics have said that while some of the features that do not necessarily adhere to all privacy norms are all right as long as the app is voluntary, governments may begin to make the apps mandatory in order to achieve the necessary penetration. This could mean using the app to give a safety clearance to individuals before they use public transport, enter their workplaces or even step out of their residential premises.