Indian authorities plan to make a contact-tracing mobile app mandatory for everything from taking public transit to going to work, raising concerns among digital rights experts about privacy and increased surveillance.
Aarogya Setu, the app launched by the Indian government earlier this month to stem the novel coronavirus outbreak, evaluates users’ risk of infection based on location, and their medical and travel history. It uses Bluetooth and location services to trace a user’s contacts.
While authorities have said use of the app is voluntary, it has been made mandatory for food-delivery workers and some other service providers, and all federal government employees.
It may also be needed to access public transit and airports when a nationwide lockdown lifts, according to local media reports.
But digital rights organisation Internet Freedom Foundation called the app a “privacy minefield”, adding “it does not adhere to principles of minimisation, strict purpose limitation, transparency and accountability”.
“The app runs very palpable risks of either expanding in scope or becoming a permanent surveillance architecture,” said executive director Apar Gupta.
Founder of food-delivery firm Zomato Deepinder Goyal said that “being on the frontline exposes our delivery partners to catching the infection, and therefore, any customers that they get in touch with for those few handover seconds.”
By mandating all its delivery staff to use Aarogya Setu, “the idea is to keep individuals as well as authorities informed in case they have crossed paths with someone who has tested positive for coronavirus – to prevent further spread,” he said in a statement.
India has recorded more than 31,000 cases of the coronavirus, including more than 1,000 deaths, according to a Reuters tally.
About 80 million downloads of Aarogya Setu – meaning ‘health bridge’ in the Sanskrit language – have been reported, a small fraction of the 500-million smartphone user base in a population of over 1.3 billion.
India is among a growing list of nations using mobile apps, facial recognition cameras, drones and other technologies to track the virus, monitor people under quarantine, and determine who can work and take public transit as lockdowns are eased.
A spokesman for the information technology ministry did not respond to requests for comment.
Digital rights experts have warned that use of such technologies increases the risk of surveillance, and that some of these measures will persist even after the situation eases.
At the time of the launch of Aarogya Setu, officials had said: “The personal data collected by the app is encrypted using state-of-the-art technology and stays secure on the phone till it is needed for facilitating medical intervention.”
Like China’s Health Code app that shows a user is symptom-free to board the subway or check into a hotel, federal government employees in India must have a “safe” or “low risk” status on their Aarogya Setu app to go to work, according to a notification dated April 29.
The app may soon be installed on all smartphones by default, according to local media reports.
Bluetooth phone apps for tracking the coronavirus have seen modest early results, although more countries are rolling them out. Luxury carmaker Ferrari has a voluntary contact-tracing app as part of its plan for re-opening its factories.
About 600 scientists and researchers from around the world, in a joint statement earlier this month, said GPS-based contact tracing apps lacked “sufficient accuracy” and carried privacy risks.
Some of these apps enabled government or private surveillance through “mission creep”, they said, a shift from the stated objectives.
Countries are addressing privacy concerns differently, said Anirudh Burman, an associate fellow at Carnegie India.
“What we are seeing so far is that most of these applications are designed for pandemic prevention,” he said.
“We are not yet seeing any significant evidence of the scope of these applications increasing. It is not clear yet that there is a significant function creep,” he said.
But the risk that this may happen is high in India, which has neither a data protection law nor a data protection authority, said Suhrith Parthasarathy, a lawyer.
“Aarogya Setu is framed as a necessary technological invasion into personal privacy to achieve a larger social purpose,” he told the Thomson Reuters Foundation.
“But without a statutory framework, and in the absence of a data protection law, the application’s reach is boundless.”