Aarogya Setu should keep privacy in mind for contact tracing

The Ministry of Health and Family Welfare, Government of India recently launched the Aarogya Setu app, which will connect the Indian citizens to health services in the fight against the coronavirus or COVID-19 pandemic. The app aims to inform users about the risks, best practices, and relevant advisories pertaining to the containment of COVID-19.

At the time of writing, the total number of cases in India have now jumped to 4,374, as per the latest data, released by the ”Home Ministry’.

Nikhil Pahwa, founder, Medianama.com, TED Fellow, and co-founder SaveTheInternet.in, said that the app only works if everyone has the app running, and they have their location and Bluetooth on. It won't work for people without the smartphones, which is large population in India. However, it is important to have contact tracing, if it's done keeping privacy in mind.

Data being collected by the Aarogya Setu app is stored locally (on device) only. It traces the user movement and records details of those in proximity (if they also have Bluetooth on). Data from a user should only be shared with the government once a case tests positive, and not before. Data of a positive case should not be public, nor of those who they've been in contact with.

It's very important that the Aarogya Setu app be open sourced, so that it can be tested for privacy. Further improvements can be suggested by the security researchers. The purpose of contact tracing can be met, even while protecting privacy. Singapore has done this.

Unprecedented times

The privacy challenge we are all facing right now is balancing the health of many vs. the privacy of a few.

Since these are unprecedented times, therefore, unprecedented measures are being taken. Surveillance is happening right now: contact tracing, lists of international travelers/quarantined people are being published online (for example, in Karnataka), drones are being used to surveil localities (several parts of the country), quarantined folks are being asked to take selfie of themselves (in Karnataka), and facial recognition being used on quarantined people by police (in Tamil Nadu).

While some of these actions may be necessary right now, and speed would have been given prominence over other factors, there is a case to go back and assess the measures to limit the negative impact on individual privacy.

Using data

So, how will the Government of India use this data, if the data gets shared?

He added that there are three things here:

* Just because these are unprecedented times, it doesn't mean that there shouldn't be proportionality in actions taken, and necessity be the benchmark. Necessity and proportionality need to impact our choices when it comes to privacy violating actions. Releasing traveler data, publishing lists of quarantined people is neither necessary nor proportionate.

* It's important that we ring-fence measures to areas where they are necessary, and time-limit them to emergency situations. Situations need to be assessed regularly and actions reconsidered.

* There are opportunistic companies now looking to sell surveillance technology to governments who are always eager to buy them. This situation cannot be used to legitimise technology that violates privacy, especially given that we don't yet have a data protection law. The current bill doesn't restrict government surveillance, and there is no surveillance reform in India.

A reforms bill limits the actions of what India's security agencies can do, and this would also help protect our rights. The bill can have a specific provision for temporary measures that may be taken in situations like this one, and clearly define what can be done and what cannot be done by the agencies.

The measures being taken now should be temporary and limited by proportionality and necessity. They should not continue beyond this situation. This situation cannot be also used to legitimise the violations of privacy as the norm.