Aarogya Setu, the Indian government’s contact tracing app, will soon offer e-passes for movement, MediaNama observed in both the Android and iOS versions of the app today.

And that’s not the only thing. On April 12, we saw that an update to the app created a section asking for donations to PM CARES Fund, a public charitable trust that has been set up to deal “with any kind of emergency or distress situation, like posed by the COVID-19 pandemic, and to provide relief to the affected”. The Prime Minister is the chairperson of the trust by virtue of his position.

The short section asking for donations via UPI allows people to copy the details to another app, implying that the app also has access to the phone’s clipboard. When we tried the link, it worked easily on Android, but not on iOS.

MediaNama’s take: These two developments show that the government is going well beyond the stated objective of Aarogya Setu, that is, contact tracing to contain the COVID-19 pandemic. In the process, it is violating its own Terms of Service that state, “The App is part of a service designed to enable registered users who have come in contact with other registered users who have tested positive for the severe acute respiratory syndrome Coronavirus 2 (COVID-19) to be notified, traced and suitably supported (Services)”.

This is acutely disturbing given the kind of permissions the app needs to operate (complete and permanent access to Bluetooth and GPS location services). This app can easily be weaponised into a surveillance tool. As it is, the revised guidelines for the extended lockdown from the Ministry of Home Affairs, released earlier today, “encourage” “all employees both private and public” to use the app. Certain government employees have already been mandated to download the app. This app could thus easily be made mandatory for 1.3 billion people, or at least its entire smartphone-owning population (about 300 million people), making it entirely too powerful to operate without independent security audits and transparent processes in place. Its Terms of Service forbid people from reverse-engineering it, thereby inhibiting any scope for external cyber security and privacy audits.