Aarogya Setu has potential. Transparency, not compulsion, will be its force multiplier
With nearly 100 million downloads contact tracing app Aarogya Setu has been off to a flying start, reportedly even helping forecast some hotspots. Yet, concerns linger which the government should address. A key stumbling (moving with difficulty) block is that a majority of India’s 1.3 billion population lack smartphones. The tack of mandating its use, making India the first democracy attempting this route, is misplaced when propriety and good sense demands transparency and assuaging (relieve) of privacy concerns.
India remains without a privacy or data protection law despite (in spite of) privacy being recognised as a fundamental right by the Supreme Court in 2017. So far, Aarogya Setu claims to have collected contact tracing data from 12,000-odd Covid positive patients while Bluetooth contact and location data of all other users remains on their phones. Consequently, the app would have fallen squarely within the ambit (scope) of a Data Protection Authority of India, but if only India had one. In this context, those like Justice BN Srikrishna have pointed out the illegality of mandating its use. The absence of an independent regulatory authority allows critics to raise concerns about purpose limitation, liability for security breaches and data theft, and potential morphing (change smoothly from one image to another by small gradual steps using computer animation techniques) into a surveillance tool.
The wanton recourse to colonial-era laws like sedition to silence dissent or unauthorised use of malware like Pegasus in smartphones do raise questions whether technocratic solutions outlive immediate utility for repurposing as national security tools. Some European nations and the Google-Apple contact tracing partnership have stressed on decentralised privacy preserving proximity tracing, as opposed to the centralised format that Aarogya Setu is using.
One issue highlighted by security researchers is the hesitation to throw open the Aarogya Setu source code, like Singapore did with its TraceTogether app. This would allow programmers to identify vulnerabilities (the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally) and map the app’s capabilities. The stigmatisation of Covid patients and “high risk” individuals if the app becomes a passport to public life poses privacy dangers and even risk of mob vigilantism. While Aarogya Setu may fill gaps given India’s patchy public health apparatus, governments must also guard against placing all bets on this technology. As Kerala has demonstrated, a posse of human contact tracers does the job much better. Additionally, not only would relying more on human contact tracers generate much needed employment in Covid times, it would also address the problem of most Indians not owning smartphones.