Securing Aarogya Setu
Strike a balance between disease containment, privacy
The Aarogya Setu application was born out of a need to bring a 21st century technology-based solution to an unprecedented problem. India is not alone in deciding to leverage the ubiquitous smartphone for tracking outbreaks, a strategy that fundamentally involves a compromise with privacy. But it is the only democracy which has, without the requisite legal architecture in place, made the app almost mandatory for mobility and to resume work. This compromise is evidence of how the SarsCov-2 has upended conventional disease containment efforts, with a higher degree of government supervision, and even control, over the lives of citizens than usual. But it is crucial that this necessity does not lead to a lasting change in how we approach privacy. By design, the app goes a step further than most such tools developed around the world. It tracks where people have been, instead of merely determining who they were in close contact with. While such functionality can theoretically help identify disease hotspots, it will need to be corroborated with the exactness of physical contact tracing.
The other concern stems from the nature of computer programmes. They are prone to vulnerabilities, particularly in early iterations. This was proved by a French programmer who demonstrated the possibility of accessing parts of the Aarogya Setu app that store a person’s contact records. Common cybersecurity and hacking techniques have proven capable of reverse engineering such data to dig out information that was meant to be hidden. What the researcher demonstrated was the penultimate step before someone can be traced without the need to break into a government database. An increasing number of countries are discovering flaws — in design or code — and are going back to the drawing board. The United Kingdom’s National Health Service is considering abandoning its version of a centralised contact-tracing app, where data is sent to government servers, to switch to the decentralised platform being developed by Apple and Google, where data is matched on phones.
As the approaches around such tools evolve, India must look at the experiences and experiments in other countries. One of the main demands by privacy as well as cybersecurity experts around the world is to throw open the code behind these contact-tracing applications so that they can be audited for design and programming flaws. At the very least, the developers of Aarogya Setu must consider doing this, since it will not only be a step toward transparency but also help quash bugs. After all, the current gold standard of such tools, Singapore’s Trace Together, is an open-source programme. Beyond this, India must seriously contemplate a legal design around the app, which strikes a balance between disease containment and privacy.