India’s very own COVID-19 tracking mobile application Aarogya Setu has now been made mandatory for employees. The app developed by the National Informatics Centre (NIC) of the Ministry of Electronics and Information Technology (MeitY) is a tracking app that, with the help of users’ smartphone GPS and Bluetooth, tracks the COVID-19 infection.
However, ever since the app has been launched in India, concerns regarding the data privacy of users have been raised time and again. “The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight – raising serious data security and privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent,” said Rahul Gandhi most recently.
Nevertheless, the government has dispersed all concerns regarding the app, and said that all processing of contact tracing and risk assessment is done anonymously and no personal information is exchanged post the registration. Through a series of tweets, the government also explained what they do with user data.
How User Data is kept private on the Aarogya Setu app
Once a user downloads the Aarogya Setu app, he/she is required to fill their mobile number and other personal information at the time of registration. The government says that the submitted information is securely encrypted and stored on the server.
Upon successful registration, the app assigns users a unique, anonymized, randomly generated Device ID. The Device ID is then linked to the mobile number, and is securely encrypted and stored in a server. This is a one time process and all future interactions from the device to the server are done through the Device ID.
When a user comes in proximity of another person with the Aarogya Setu app installed, the app stores encrypted information of this interaction in a secure manner on users’ mobile devices. There is no exchange of personal information during this process.
Unless users have come in contact with someone diagnosed as high risk, or a user is categorized as high risk upon self-assessment, the information of social interactions of those who have downloaded the app is not sent to the server, says the government. The government adds that user data will only be used for the purpose of administering necessary medical interventions, and no third party has access to the data.