Aarogya Setu: Care Taker or Privacy Attacker?
“Government Of India recommends use of Aarogya Setu app to
fight against COVID19.” / “To stay alert and safe from the COVID-19 virus disease, download the Aarogya Setu app. Issued in the public interest by the Government of India.”
Almost everyone has seen versions of this message for the
app created by the IT ministry, which is being heavily promoted through
text messages, WhatsApp forwards and news channels.
As countries around the world rush to build smartphone apps
that can help track the spread of Covid-19, India has launched its own app, created by
the IT ministry of India, called Aarogya Setu. Prime Minister Narendra Modi
boosted it on release by urging every one of the country’s 1.3 billion people
to download it. As a result, within two weeks of launch it became
the fastest app ever to reach 50 million downloads, and the app now has more
than 96 million users as of today’s date. “We beat Pokémon Go,” says a smiling
Arnab Kumar, who is the lead developer of this app for the Indian government. The
Government of India claims that the app primarily uses location data generated
via GPS, Bluetooth and a user’s phone number to trace the places the user has
been to. This information is then cross-referenced with the Indian Council of
Medical Research (ICMR) database where positive cases have been reported.
Whenever there’s a match in location data.
Although the app’s growth is unprecedented, in today’s blog we
are going to see some serious flaws which I think are worth mentioning and will
be worth reading for you guys.
Not transparent:
Many of these difficulties can be traced to a lack of
transparency. Neither the privacy policy nor the terms of service for the app
were publicly accessible at the time of publication, and the developers have
not shared them despite requests. Since the app is not open source, its code
and methods can’t easily be reviewed by third parties, and there is no public
sunset clause stating when the app will cease to be mandatory, although Kumar
says data is deleted on a rolling basis after, at most, 60 days for sick
individuals and 30 days for healthy people. And there is no clear road map for
how far India’s national and state governments will go: one recent report said
the government wants Aarogya Setu preinstalled on all new smartphones; another
said the app may soon be required to travel.
In the early days of the app’s development, Arnab Kumar said
it would leverage the technology being jointly developed by Apple and Google
for iPhone and Android. That system will be released in just a few days, but it
now comes with rules that include requiring user consent and banning location
tracking—neither of which Aarogya Setu complies with. Arnab Kumar says Google
engineers have been in close contact with Aarogya Setu’s developers, and his
team will evaluate whether they can still implement the decentralized Silicon
Valley system, which is intended to preserve privacy.
Who has access to our Data and In What Situation?:
When you ask that question to yourself, you understand that
there’s no answer to it in India because India has no national data privacy
law, and it’s not clear who has access to data from the app and in what
situations. There are no strong, transparent policy or design limitations on
accessing or using the data at this point. The list of developers, largely made
up of private-sector volunteers, is not entirely public.
Arnab Kumar, who is the lead developer of this app for the
Indian government, stresses that the app was built to the standards of a draft
data privacy bill that is currently in the country’s parliament, and says
access to the data it collects is strictly controlled. But critics have
expressed concern because it is not open source, despite an Indian government
mandate that its apps make their code available to the public. Kumar says that
this is a goal for Aarogya Setu and will happen down the line, but he could not
confirm a timeline or expected date.
Could leak sensitive medical information:
Unlike many of the apps rolling out across Europe now and
soon in the United States, Aarogya Setu traces potentially infected people's
movements via GPS rather than Bluetooth data alone. It may represent a
cautionary tale about how flawed implementations of contact tracing apps—particularly
those that rely on location data—can lead to serious leaks of sensitive medical
information.
We all know that many contact tracing apps have
these types of issues, and the ones that rely on GPS in particular are going to
be more privacy invasive. When you tie that to something like health status,
it’s not surprising that these types of inferences can be made.
Voluntary or Mandatory?: A Big Question:
While official policy is that downloading the app is
voluntary, the truth is that government employees are required to use it, while
major private employers and landlords are mandating it as well.
When Aarogya Setu was first announced, the Indian government
did seek consent, and using the app initially sounded voluntary. Today, at
least 1 million people have been given orders to use it, including central
government workers and employees of private companies like the food delivery
services Zomato and Swiggy. The city of Noida is now reportedly fining and even
threatening to arrest anyone who fails to install the app on their phone. It’s
a well-practiced tactic in India, where “voluntary mandatory” technology has a
history of being used as a gatekeeper to certain important rights.
While India is the only democracy to make its contact
tracing app mandatory for millions of people, other democracies have struck
deals with mobile phone companies to access location data from residents. In
Europe, the data has largely been aggregated and anonymized. In Israel, law
enforcement focused on the pandemic has used a phone tracking database normally
reserved for counterterrorism purposes. The Israeli government’s tactics have
been the subject of a legal battle that made its way up to the country’s
Supreme Court and legislature.
That’s a clever move by the Government of India: forcing people
to download the app while officially saying that downloading the app is voluntary.
Ability to know who is sick anywhere in India:
In the app, you have the ability to know how many people did
a self assessment in your area. You can choose the radius of the area. It can
be 500m, 1km, 2kms, 5kms or 10kms.
When the user clicks on one of the distances:
- his location is sent: see the lat and lon parameters in
the header
- the radius chosen is sent: see the dist parameter in the
URL and the distance parameter in the header
The first thing noticed is that this endpoint returns a
lot of info:
- Number of infected people
- Number of unwell people
- Number of people declared as Bluetooth positive
- Number of self assessments made around you
- Number of people using the app around you
The 1st thing I tried was to modify the location to see if I
was able to get information anywhere in India. The 2nd thing was to modify the
radius to 100kms to see if I was able to get info with a radius which is not
available in the app. As you can see in the previous screenshot, I set my
location to Mumbai and set the radius to 100kms and it worked!
What are the consequences?
Thanks to this endpoint an attacker can know who is infected
anywhere in India, in the area of his choice. We can know if our neighbor is
sick for example. Sounds like a privacy issue for me…
So I decided to play with it a little bit and checked who
was infected in some specific places with a radius of 500 meters:
- PMO office:
{"infected":0,"unwell":5,"bluetoothPositive":4,"success":true,"selfAsses":215,"usersNearBy":1936}
- Ministry of Defense:
{"infected":0,"unwell":5,"bluetoothPositive":11,"success":true,"selfAsses":123,"usersNearBy":1375}
- Indian Parliament:
{"infected":1,"unwell":2,"bluetoothPositive":17,"success":true,"selfAsses":225,"usersNearBy":2338}
- Indian Army Headquarters:
{"infected":0,"unwell":2,"bluetoothPositive":4,"success":true,"selfAsses":91,"usersNearBy":1302}
(The technique described above was performed by a computer programmer and posted on Twitter. Used for educational purposes only.)
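The endpoint behaviour described above comes down to the server trusting the location and radius the client sends and returning exact counts. As an added example (not code from the app or from the original post), here is a sketch of server-side checks that address it: a radius allow-list, a consistency check between the dist and distance values, a plausibility check on location jumps, and suppression of small counts. The threshold values, the use of metres for dist, and the function names are assumptions made for illustration.

```python
import math

ALLOWED_RADII_M = {500, 1000, 2000, 5000, 10000}  # the five radii the app UI offers
SENSITIVE = ("infected", "unwell", "bluetoothPositive")  # field names from the responses
MIN_COUNT = 10        # assumed policy: counts below this are never disclosed
MAX_SPEED_MS = 70.0   # assumed policy: ~250 km/h ceiling between two queries


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))


def check_query(url_dist_m, hdr_dist_m, lat, lon, ts, last=None):
    """Return None if the query is acceptable, else a rejection reason.

    last is this device's previous accepted (lat, lon, ts), or None.
    """
    if url_dist_m != hdr_dist_m:
        return "dist mismatch"
    if url_dist_m not in ALLOWED_RADII_M:
        return "radius not offered by app"
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return "bad coordinates"
    if last is not None:
        moved = haversine_m(last[0], last[1], lat, lon)
        elapsed = max(ts - last[2], 1)  # seconds; avoid division by zero
        if moved / elapsed > MAX_SPEED_MS:
            return "implausible location jump"
    return None


def redact_counts(raw):
    """Suppress small sensitive counts; round the rest down to a multiple of MIN_COUNT."""
    out = dict(raw)
    for key in SENSITIVE:
        n = raw.get(key, 0)
        # Zero is suppressed too: "exactly 0" versus "a few" is itself a disclosure.
        out[key] = None if n < MIN_COUNT else n - n % MIN_COUNT
    return out
```

The location still comes from the client, so the jump check only raises the cost of querying arbitrary places; the count suppression is what keeps a 500 m query around one building from revealing a single case.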
Conclusion:
Call it whatever you want, but this is definitely mass
surveillance and definitely poses a serious risk to privacy. Who knows, this could
turn into a backdoor to spy on your population. But the main problem is, when this
is all over, will governments give back their powers of spying on us through
various resources? The answer is probably__.
I will give that power to my readers; answer me in the comment
section. Whether your answer is yes or no.
Peace.
-Sourabh M.
The answer is probably NO, another awesome blog by Sourabh.

No, I don't think the government will give back their powers. Good Blog Sourabh M.

Today I was thinking the same about the app!!