By Sarosh Bana
For quite some time now have people in India been agitated by the system of oppressive surveillance they have been under, often petitioning the courts of the land on grounds of violation of personal freedom and liberty.
And now as the country, as the rest of the world, battles the COVID-19 pandemic, they are alarmed by what they perceive are government attempts to exploit even such a full-blown health crisis to deepen such surveillance over them.
The centrepiece of their concern has been the mobile application called Aarogya Setu (literally, “health bridge” in Hindi) launched by the government, which says the app’s purpose is “to connect health services and we the people of India in our combined fight against COVID-19”. To check the virus spread, India has imposed the world’s biggest lockdown where its population of 1.3 billion has been quarantined since 25 March. This curfew was to have been for 21 days, but was subsequently extended till 3 May, and now once again till 17 May.
The closure of almost all activity that had been announced just four hours earlier on 24 March has especially struck the millions of impoverished daily wagers and migrant labourers, who have been stranded in their workplaces without work or food and far from their homes and families, with no means of reaching there. There is much disquiet that instead of prioritising the welfare and safe passage of these marginal people who otherwise have no social and job security, the government was focussed instead on maximising the coverage of Aarogya Setu across the country.
Launched in 11 of India’s 22 official languages, Aarogya Setu will, as officially claimed, augment the government’s outreach to the users about “the potential risk of infection, best practices and relevant medical advisories pertaining to the containment of the COVID-19 pandemic”. “With Aarogya Setu, let us take a step forward to protecting ourselves, our family and loved ones,” affirms the official website.
With the initial public response to Aarogya Setu rather lukewarm, the Home ministry has now made the app mandatory for all those working in the public as well as private sectors, making it incumbent upon the respective organisational heads to ensure 100 per cent coverage of this app among the employees. The app has also been made compulsory for all those living in government-designated “COVID-19 containment zones”, which include vast swathes of the metropolitan cities of Mumbai, Delhi, Kolkata, Hyderabad, Pune, Bengaluru and Ahmedabad. These containment zones are identified by rapid response teams, based on the extent of cases or contacts listed and mapped by them.
What has roused widespread concern is that Aarogya Setu continually garners data on user location and cross-references it with the expansive database of the Central government to ascertain whether the user has come into contact with an infected person. Personal information required by the app spans over the name, telephone number, profession, gender and age of the user to the list of countries he or she has visited in the previous 30 days. The app also requires Bluetooth and GPS location sharing to be turned on at all times as it uses these tools to track the user. The personal details provided are stored on the application server, and when a mobile phone bearing the app comes within the range of another’s Bluetooth, the GPS location and digital details of that user are stored locally.
If one user tests COVID-19 positive, all his or her details are cross-referenced with that of those he or she came into contact with, pinpointed by digital ID and GPS information. The mobile application also allows users to self-assess their symptoms, and categorises them into different groups based on their COVID-19 risks.
Another major concern has been the government stipulation that the Aarogya Setu app be pre-installed on all smartphones in India, once their manufacture resumes in the country. The app’s user agreement darkly states that the data can be used in future for purposes other than epidemic control, if there is a legal requirement. Its privacy policy also declares that the personal information gleaned by Aarogya Setu will not be shared with “third parties”, but does clarify that these data may be shared with as many agencies as the government deems fit.
Among the many voices that questioned the government’s introduction of the mobile application was opposition Congress party leader Rahul Gandhi. “The Aarogya Setu app is a sophisticated surveillance system, outsourced to a private operator, with no institutional oversight—raising serious data security and privacy concerns,” he pointed out. “Technology can help keep us safe, but fear must not be leveraged to track citizens without their consent.”
There are suspicions that Aarogya Setu may be based on the COVID-19 tracker codenamed ‘Fleming’ by its creator, Israel’s NSO Technologies Group, which claims its ‘advanced analytics system’ is “already being operated by countries around the world, as health officials work to stop the spread of COVID-19 and keep citizens safe and healthy”.
NSO had been in the news last year when its state-of-the-art mobile phone spyware suite called Pegasus had targeted some 1,400 select persons across 45 countries, including 18 in India. NSO caters only to governments, and not private agencies or individuals, and that too after written approval from the Israeli defence ministry. The malware attack had come to light last May, when it was found to worm its way through the video calling feature of the popular Facebook-owned WhatsApp messaging platform. It required but a click on a specially crafted exploit link by the user to penetrate the security features on the mobile phone and deliver a chain of zero-day exploits to install Pegasus without the user’s knowledge.
NSO states that Fleming, which is based on AI (artificial intelligence) analytics, deploys on the customer’s premise or on secured cloud “to provide state-level strategic insights” from outbreak to full mitigation. “The decision approved by the Israeli government allows the Ministry of Health to obtain two critical pieces of data to help stem the spread of the virus – locating the places where those patients have been in the previous 14 days and mapping the people who were in their vicinity,” it maintains, adding, “Our products help licensed government intelligence and law-enforcement agencies lawfully address the most dangerous issues in today’s world.”
“I am told Aarogya Setu app has all the features of Fleming malware,” mentions Gandhi’s senior party colleague Digvijaya Singh. “The IT [Information Technology] minister GOI [Government of India] must clarify.”
Internet Freedom Foundation (IFF), an Indian digital liberties organisation “that seeks to ensure that technology respects fundamental rights”, notes, “Other apps just collect one data point which is subsequently replaced with a scrubbed device identifier, but India’s Aarogya Setu collects multiple data points for personal and sensitive personal information which increases privacy risks.”
SAROSH BANA, APSM Correspondent
