Many governments across the globe have launched contact-tracing apps as part of their measures to contain the spread of Covid-19. These apps use Bluetooth and location-based technologies to identify people who may have been exposed to the virus and to raise awareness among others. On 2 April 2020, India too launched a homegrown contact-tracing app, Aarogya Setu, to fight the spread of Covid-19. While experts agree that the intention behind the app is good, there has also been criticism around issues related to privacy. Some have even termed the healthcare app a sophisticated surveillance system.
In an exclusive interaction with Better World’s Jatinder Singh, Dr. Pavan Duggal, one of the top cyber law experts in the country, throws light on the overall issue and explains how the new guidelines around Aarogya Setu are a start in the right direction.
Excerpts from the interview:
Better World: The Government of India has recently made the Aarogya Setu app for Android open source. Does this make Aarogya Setu less intrusive and quell the concerns being raised over privacy?
Dr. Duggal: I think making this app open source is a first step towards transparency. However, that alone doesn’t mean that it is now completely secure and transparent. I have not yet seen any privacy terms in the privacy module of the app describing how it (the Aarogya Setu app) complies with the requirements on cyber security under the Indian IT law. Users are still not sure whether the government is putting reasonable security practices and procedures in place with respect to their data.
It is also not clear how the app complies with ISO 27001, an information security standard that systematically examines an organization’s information security risks, threat possibilities, vulnerabilities, and impacts. So, still, a lot needs to be done.
Better World: So, in hindsight, is it that the app was launched hurriedly and the government is now trying to play catch-up?
Dr. Duggal: I think it’s [the Aarogya Setu app] a work in progress. The intention of the government is noble. In fact, everyone’s intention is wise and revolves around defeating Corona. However, the earlier approach adopted by the government was neither prudent nor feasible. It was trying to compel smartphone users to download an app which was insecure and paid little attention to privacy. Now, by taking these steps, the government has become sensitive to the criticism it has received and is constructively trying to identify ways to better the Aarogya Setu app.
Better World: The government has also announced the launch of a ‘Bug Bounty’ program, which states that anyone who identifies and submits a bug or suggests improvements in the Aarogya Setu app will be rewarded. How will this make the app more secure in future?
Dr. Duggal: Well, this is an implicit diversion from the earlier stand that Aarogya Setu was completely safe and secure. Realistically, no computer system across the world is completely and comprehensively secure. The announcement of the Bug Bounty program is an attempt by the government to track and identify the loopholes in the Aarogya Setu app, which are many. Once the program provides cues to more vulnerabilities, the government will potentially work on addressing those loopholes.
It is important to note that the bug bounty program has no connection with the intrinsic architecture of the Aarogya Setu app. The program just says: here is my program and here is the open source code, please attack it and let me know the vulnerabilities. It doesn’t say how I can alter my architecture.
Better World: From a cybersecurity perspective, what should be the next steps that the government should take to make Aarogya Setu truly reliable?
Dr. Duggal: Right now, the challenge is that this app is speaking less and hiding more. When you read the terms and conditions before downloading the app, you know that the app is capturing data every 15 minutes. However, it says that the data will be submitted to the server only when you are identified as Covid-19 positive. Let’s suppose you download the app today and you become Covid-19 positive after 18 days. From today until the next 18 days, the app is collecting data every 15 minutes. But where is the data going? Where will it be stored? Who is accessing it? Nobody has an answer to these questions.
Moreover, if you look at the Aarogya Setu app, it has no end date. That means it is going to continue for a long, long time. Also, it is logical to expect that the government will keep the app active even after winning the first phase of corona. So, I believe that the privacy related issues need to be dealt with separately and independently, specifically in connection with the architecture of the Aarogya Setu.