Update (6:31 pm): The government of India issued a press release, announcing the launch of Aarogya Setu. Arnab Kumar, the Program Director of Frontier Technologies at NITI Aayog, confirmed its authenticity to MediaNama. As per the press release, the app has been developed through a public private partnership (PPP) under the guidance of National Informatics Centre. Kumar refused to tell us who the private partners for this app are. The app has “privacy-first by design and as an essential element”.

Earlier: As the number of positive cases soar in the country, the Indian government today quietly released a COVID-19 contact tracing app for Android and iOS devices. The Aarogya Setu app — meaning “bridge of health” — uses Bluetooth and location services to track if a user came into contact with a person “who could have tested COVID-19 positive”. If a user of this app tests positive, the government will contact all other registered users that the infected person came in contact with over the last 30 days. According to its terms of use, the government cannot be held liable for the app’s accuracy.

The app was developed by developed by National Informatics Centre (NIC). This might be the CoWin-20 app that NITI Aayog was developing. NITI Aayog refused to comment whether it is the same app and which companies were involved.

The government is racing to trace contacts of COVID-19 positive people, especially as the Health Ministry has identified 20 existing and 22 potential “hotspots” of the virus in the country. At the time of publication, 1,965 had been diagnosed with the virus and 50 people had died because of it, according to the Health Ministry. Authorities are prepping for Stage 3 (community transmission), even though the government has maintained that community transmission of the virus has not taken place yet.

Other countries, such as Singapore, have developed similar contact tracing apps to contain the pandemic and its spread through community transmission.

A close look at the app

MediaNama tested the app on iOS and here are our observations:

  • Uses Bluetooth and location services: The app recommends that device location and Bluetooth be always switched on. For some reason, the app also wanted us to allow it to connect to Bluetooth accessories. In settings, the app says, “Accessed by GoI only to enable relevant and timely medical intervention for COVID-19”.
  • Personal data stored locally on the device: As per Terms of Use, “all necessary information” about the other registered user is collected and stored on the app on your device. As per the Privacy Policy, this includes name, phone number, age, sex, profession, countries visited in the last 30 days, and whether or not you are a smoker, along with time and exact GPS location. We weren’t asked about smoking when we tested the app. All data stored in the apps of other users is encrypted, and cannot be accessed by the other user.

    The app requires access to Bluetooth and location services to operate. Mobile number is mandatory. Data is only shared with government of India. Screenshots from Aarogya Setu.

  • Only mobile number is compulsory for contact tracing: Giving a mobile number is must for “contact tracing”, but details such as name, age, gender, profession (restricted to essential services such as healthcare workers, law enforcement, delivery, etc.), and international travel history/contact with COVID-19 positive patients are not.
  • On testing positive, advisory sent to all registered user the infected person was in contact with: The mobile number will be used to trace back all the active devices that were in close radius of the person in the last 14 days. If someone tests positive, all such contacts will be sent an advisory on whether they need to self-isolate or get themselves tested. It is not clear what kind of personal information will be shared in the advisory.
  • Self-assessment test can easily be manipulated: The app also allows you to take a self-assessment test through a chat bot. Apart from our phone number (to get the OTP), we did not submit any personally identifiable information and were still able to take the test. Depending on your gender, age, symptoms, medical history, and potential exposure to the virus (as a healthcare worker, or via international travel, or through proximity to a known COVID-19 patient), the app evaluates your risk and recommends if you need to isolate yourself, log temperature, or get tested immediately.

Depending on the responses to the chat bot, the app recommends further course of action. Screenshots from Aarogya Setu.

  • Device must be with the person at all times as per the Terms of Use. They cannot not share it with anyone else, or allow them to use it.

Anonymised data shared with the government of India, except in COVID-19 positive cases: The app states, “Your Data will be shared only with the Government of India. The App does not allow your name and number to be disclosed to the public at large at any time”. As per the Privacy Policy, all personal information is stored locally on the user’s device, and will be used by the Government of India (via the cloud) “in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country” or if the user tests positive for COVID-19, or comes in contact with someone who has tested positive. In the latter case, personal information may she shared with other people “to carry out necessary medical and administrative interventions”. Data is not shared with any other third party.

Use of data limited to medical reasons: The Privacy Policy makes it clear that personal information will not be used for any other purposes except to “comply with a legal requirement”.

Data deleted after 30 days, but with caveats: The Privacy Policy says that data will be deleted 30 days after deletion of account. However, it is not clear how the account can be deleted. Is deleting the app enough? Location information of other registered users who come in contact with will be deleted and “purged from the App” after 30 days, so long as neither of the users test positive for COVID-19. This data retention policy does not apply to anonymised/aggregated data or reports/heat maps/visualisations created through anonymised data.

***Update (6:31 pm): Updated with press release from the government.

***Update (4:48 pm): Prashant Tandon, the co-founder of 1mg, has categorically denied the involvement of the company in the development of Aarogya Setu. The story has been edited accordingly to reflect this. The headline has also been updated. Originally published on April 2 at 3:09 pm.