On April 17, MediaNama conducted a discussion on Aarogya Setu from a privacy standpoint, and whether the app would even accomplish its stated objectives. On the panel were Professors Subhashis Banerjee (IIT Delhi) and Bhaskaran Raman (IIT Bombay), who were among the co-authors of the paper Apps for COVID: to do or not to do; and security researcher Riddhi Shree, who has studied the technical features of the app. The discussion was moderated by MediaNama’s Aditi Agrawal.

Edited excerpts from the discussion:

Issues with Contact Tracing

  • Bluetooth accuracy issues: “Apps like Aarogya Setu primarily use Bluetooth. When two phones come close to each other, they broadcast and attempt to measure distance using the strength of the signal. To avoid noise you have to set a time-bound limit and say that if you received enough exchange of signals in the space of a few minutes, there was a contact,” Prof. Banerjee explained. For proximity to be recorded, typically, devices have to be in range for one to five minutes. At the same time, “if you have a very low Bluetooth interval [that is, Bluetooth signal is sent out too often], it drains the battery. But if you reduce frequency [that is, send out fewer signals in a time period], you get false negatives. What is the right balance is unclear, and the app doesn’t make it clear. This will have a bearing on the reliability of the app”, Prof. Banerjee said.
  • Accuracy of GPS and cellular signals: “Apart from this, you can do location tracing. This can be done with GPS on phones. But this works well only outdoors. It works to the extent that you’ll know you’re in a building,” Prof. Banerjee said. “Although GPS is proposed, its accuracy in urban settings is unavailable 30-40% of the time, and its accuracy is several meters. Cell towers are worse, as that can be half a kilometre or more,” Prof. Raman pointed out, arguing that GPS location data might not be effective for the purposes of contact tracing.
  • Static pseudo device ID is insufficient for protecting privacy: “It’s not the Bluetooth ID that needs to be exchanged. Bluetooth Low Energy lets you exchange a pseudo [device] ID. It can be dynamic, I think that’s how Singapore’s app works. However, Aarogya Setu says that the pseudo [device] ID does not change during the lifetime of the app,” Prof. Raman pointed out. “Research shows that in over 95% of cases, using other outside information, one can guess real identity from pseudonymised data. If you can match pseudo-ID to real ID, the purpose of pseudo-ID is lost. You might as well be announcing your real ID,” he said.
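The time-bound contact rule and the interval-versus-false-negative trade-off Prof. Banerjee describes, as an added example that is not Aarogya Setu code: the RSSI threshold, the minimum number of readings and the constructed sighting logs are assumptions, and the window length is taken from the article's one-to-five-minute range.

```python
"""Time-bounded Bluetooth contact detection, as Prof. Banerjee describes it.

Added example, not Aarogya Setu code: the RSSI threshold, the minimum number
of readings and the constructed sighting logs are assumptions. The window
length comes from the article's one-to-five-minute range."""
from dataclasses import dataclass

NEAR_DBM = -70   # assumed: readings at or above this count as "close"
WINDOW_S = 300   # five minutes, the upper end of the article's range
MIN_HITS = 5     # assumed: "enough exchange of signals" inside one window

@dataclass(frozen=True)
class Sighting:
    t: float    # seconds since the scan started
    peer: str   # pseudo device ID heard over Bluetooth
    rssi: int   # received signal strength in dBm (more negative = weaker)

def contacts(sightings, window_s=WINDOW_S, min_hits=MIN_HITS, near_dbm=NEAR_DBM):
    """Peers with at least min_hits 'close' readings inside some window_s span."""
    near = {}
    for s in sightings:
        if s.rssi >= near_dbm:
            near.setdefault(s.peer, []).append(s.t)
    found = set()
    for peer, times in near.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= min_hits:
                found.add(peer)
                break
    return found

def encounter(peer, duration_s, interval_s, rssi=-60, start=0.0):
    """Constructed log: a peer in range for duration_s, heard every interval_s."""
    n = int(duration_s // interval_s) + 1
    return [Sighting(start + i * interval_s, peer, rssi) for i in range(n)]

def demo():
    """Same four-minute encounter, three peers: only the frequent beacon is detected."""
    fast = encounter("peer-A", 240, interval_s=30)   # 9 readings: contact recorded
    slow = encounter("peer-B", 240, interval_s=90)   # 3 readings: missed (false negative)
    far = [Sighting(t, "peer-C", -85) for t in range(0, 240, 30)]  # weak signal: ignored
    return contacts(fast + slow + far)
```

Lengthening the advertising interval to save battery turns peer-B into a false negative at the same threshold, which is the balance the panel says the app leaves unexplained.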

Unclear approach to permissions

  • Different devices have different permissions: Riddhi Shree pointed out that the app was not clear on the permissions it was asking. “The permissions are different in different versions of Android. Why are permissions changing? Even if some devices are old and others are new, why can’t the same minimal set of permissions apply on all devices?” For instance, newer versions of Android request a “Play Referrer API” which provides apps’ developers data on when exactly users visit the Play Store page for the app versus when they download it. “When you click on ‘I Agree’ while signing up, it asks you for location access. If I deny the permission, it keeps asking again and again. The app frequently uses confusing language where people won’t understand what it is trying to say,” she said.
  • Duration of permissions not clear: “After granting permissions, the prompt says that it wants permissions to make your phone visible for 120 seconds. But it is not clear if that’s the only duration for which it needs permissions,” Shree pointed out. The app primarily works with Bluetooth, and requires a high degree of privileges in configuring devices’ Bluetooth settings, so it is unlikely that this permission is required only for those 120 seconds.
  • Bluetooth switched on before permission is granted: Even before users click on ‘I Agree’ to share their location and Bluetooth data, the app turns Bluetooth on, Shree pointed out. That renders consent absolutely futile.
  • Audio permissions? “The app also requests permission to use ‘Audio Manager’, maybe because it may want to send audio notifications. Maybe it has the capability to do that,” Shree added. “I don’t think this information is really needed if the purpose of the app is just to track COVID-19,” she said.

Privacy policy issues

  • Data collection can be minimised: “The clauses in the privacy policy on limitation of data could go further. For instance, it’s not clear why users’ names were asked in the beginning. Age group could be asked instead of age to improve privacy,” Prof. Raman said. Readers should note that in earlier versions of the app, it asked users to provide their name, age, gender, travel history, etc., but this information was not mandatory; in the latest version of the app, no such information is even asked for, yet the privacy policy inexplicably talks about it. On making sure that data is only used for the purposes it is collected, Prof. Banerjee said, “Purpose limitation can be a stated objective. But if it’s just that, it is weak. Enforcement of that objective is unclear. If you say purpose limitation is a best efforts intention, it is not going to happen. These protections have to be built in to the app. There is nothing in the app design that convinces me about the strength of the purpose limitation.”

  • Termination vs cancellation: “The APK file for Aarogya Setu has a link to CoWin-20’s privacy policy. CoWin-20 is NITI Aayog’s contact tracing app. This policy is better and more well structured than what was in Aarogya Setu,” Shree said. “The current Aarogya Setu privacy policy is a distorted version of this policy. For example, in CoWin 20, under retention of user data, it says that if you deregister, all data will be deleted within 30 days after such termination. Aarogya Setu uses the exact same sentence. But instead of ‘termination’ it says ‘cancellation’. Why this change? This could be because termination ends an existing relationship, while cancellation just ends the services provided. So are we not ending the contract we signed when we installed the app (which is not currently even possible in the first place)?”

  • Accountability of data access: Prof. Banerjee also highlighted the ambiguity around what happens to data of people who are deemed high risk for infection. “Once you are considered positive, the data will go on a server. Who will be alerted? What action will be taken? That is a privacy violation. I would have liked regulatory control,” he said. In addition, Sudhir Gupta, an independent consultant, pointed out, “The self assessment asks demographic information, and whether you have certain diseases, and say that this information would be used for research. That leaves open the question of how this data will be used.” Prof. Raman added, “They should have been specific about which government ministries and officials could access it. There were cases in Bangalore and Hyderabad where they released PDFs of quarantined people. It’s unclear if we have protections against this kind of leak for Aarogya Setu.”

Scope creep and de-identification issues

  • Additional services added, with granular access permissions: “When the app was initially launched, it more or less did only what it said it would do. But now with the payment and e-pass features, it seems like it’s trying to do more. We have granted permissions that are not usually granted for other apps. This should not be done given that this app has so much power on your device,” Riddhi Shree said.
  • Data needs to be siloed: “These functionalities [such as UPI payments, e-pass, etc.] should be compartmentalised [within the app]. If they are not, the moment you do KYC, you have strong personally identifiable information (PII) that goes out. From contact tracing, there are two privacy concerns. There is a static [device] ID that doesn’t change. The second is location. With more auxiliary information, it should be fairly straightforward to de-anonymise. If you add KYC [which an e-pass functionality or UPI payments would require], you don’t even need a de-anonymisation attempt,” Prof. Banerjee explained.
  • Re-identification is easier with Aarogya Setu: If you look at the Singapore app, there is absolutely no centralisation. Only Bluetooth info is exchanged, and the Bluetooth data periodically changes. Thus, orchestrating a re-identification attack is harder on TraceTogether than on Aarogya Setu. The MIT app, Safe Paths, has rolling identifiers, but tags the location.
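Prof. Raman's point about the pseudo ID that never changes, and the TraceTogether comparison above, as an added example that is not Aarogya Setu or TraceTogether code: the HMAC(secret, epoch) construction, the 15-minute rotation period, and the users, places and times are constructed assumptions. It also shows the caveat that rotation limits a passive observer, not the party holding the per-user key.

```python
"""Static versus rolling pseudo device IDs.

Added example, not Aarogya Setu or TraceTogether code: the HMAC(secret, epoch)
construction, the 15-minute rotation period, and the users, places and times
below are constructed assumptions."""
import hashlib
import hmac
from collections import Counter

EPOCH_S = 15 * 60  # assumed rotation period for the rolling scheme

def static_id(user_secret: bytes, t: float) -> str:
    """Fixed for the lifetime of the app, as the article says of Aarogya Setu."""
    return hashlib.sha256(user_secret).hexdigest()[:16]

def rolling_id(user_secret: bytes, t: float) -> str:
    """Changes every EPOCH_S; unlinkable across epochs without user_secret."""
    epoch = int(t // EPOCH_S).to_bytes(8, "big")
    return hmac.new(user_secret, epoch, hashlib.sha256).hexdigest()[:16]

def observe(id_fn, secrets, sightings):
    """What passive observers at several places record: (place, broadcast id, time)."""
    return [(place, id_fn(secrets[user], t), t) for user, place, t in sightings]

def longest_trail(observations):
    """Most sightings sharing one identifier: how far an outsider can follow
    a single pseudonym across places and times by matching IDs alone."""
    return max(Counter(pid for _, pid, _ in observations).values())

def key_holder_trail(user_secret, observations):
    """Whoever holds user_secret (the server in an escrow design) recomputes each
    epoch's id and relinks the sightings; rotation limits outsiders, not the key holder."""
    return [place for place, pid, t in observations if rolling_id(user_secret, t) == pid]

# Constructed data: per-user secrets the registration server would hold.
SECRETS = {"alice": b"alice-constructed-secret", "bob": b"bob-constructed-secret"}
SIGHTINGS = [  # (user, place, seconds since midnight)
    ("alice", "market", 8 * 3600), ("bob", "market", 8 * 3600),
    ("alice", "clinic", 11 * 3600), ("alice", "office", 14 * 3600),
]

def demo():
    """Returns (static trail length, rolling trail length, what the key holder relinks)."""
    static = observe(static_id, SECRETS, SIGHTINGS)
    rolling = observe(rolling_id, SECRETS, SIGHTINGS)
    return (longest_trail(static), longest_trail(rolling),
            key_holder_trail(SECRETS["alice"], rolling))
```

With the static scheme one identifier ties all three of alice's sightings together for anyone listening; with rotation an outsider sees four unrelated IDs, while the key holder still recovers the full trail.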

De-registering and log-out are not options

  • No de-registration possible: The privacy policy says that data from users who de-register from Aarogya Setu will be removed within 30 days. However, the app provides no option to de-register or delete the account in the first place.
  • Uninstallation is not a complete exit: “Uninstalling doesn’t necessarily lead to de-registration. If you uninstall, you cannot distinguish between a user without network and a user who has removed the app,” Prof. Raman pointed out. “The privacy policy is too confusing, and they indicate that they might keep your data for as much time as they need,” Shree said.
  • The app also doesn’t allow users to log out, Shree pointed out.

Effectiveness of contact tracing

  • Unequal access to smartphones: Aarogya Setu, and all other contact tracing apps across the world, currently work only on smartphones. “Only a third of phones here [in India] are [smartphones]. So people who don’t have them are left out of the system,” Prof. Raman said. Bhavna Jha, from IT for Change, pointed out that Aarogya Setu’s reach would be very limited, even if everyone who could install it, actually did. “Only 16% of women have access to or use mobile phone internet. That also has an implication on how useful contact tracing through the app would be. Women, for instance, are the ones who go out to do vegetable shopping or congregate at watering holes. Then there is the problem of rural adoption. There are also geographical disparities. Densely populated states like Orissa and Bihar have lesser smartphone internet penetration,” she said.
  • Encounter graphs needed beyond records of proximity: Prof. Banerjee pointed out that since the virus also spreads through surfaces, it’s not enough to just look at people who have been in close proximity, but also to build encounter graphs where their aggregated movements are accounted for. Even when it comes to measuring proximity alone, he argued that the utility was limited. “You can’t distinguish between a handshake and being five feet away. So for this use case, Bluetooth is useless,” he said.

  • False positives can be dangerous: “I think the app is fairly useless,” Prof. Banerjee said. “Its reliability in terms of false positives and false negatives is poor. False positives in a society like India where airline staff are attacked, the stigma spreads faster than the virus. If I use the app and am told I’m positive, will I get tested? I’ll just call up health centres and waste their bandwidth.”

Fundamental problems

  • No error model: Prof. Banerjee also questioned the theoretical basis of the app itself. “This is a measurement device. When you create a measurement model, an essential engineering principle is to create an error model. That makes it unsound from an engineering perspective,” he said. The government did not publish a white paper detailing how or if the app could be effective in contact tracing.

  • Contact tracing after community transmission? Prof. Raman brought up an even more fundamental issue: “Contact tracing is of use only when there is no community transmission. But India has long ago entered that phase of the disease’s spread,” he said, arguing that the disease’s spread was too thorough for individual contact tracing to be an effective way of combating it.

  • No clearly established link between contact tracing and disease spread: “What is missing in this whole story is good theory. What is the link between Bluetooth contact tracing and the disease spreading? It is a little too voodoo-science for my liking. If I come in contact with you, there is only a 1% probability of passing the disease to you. There is a lot of techno-determinism going on. A solution lies in biology, sociology, epidemiology, economics, politics. … It’s better to learn a way through these routes than to waste your time on apps without sound theory,” Prof. Banerjee said. A resolution passed by the European Parliament on April 17 demands proof of concept for contact tracing apps.
  • No significant medical use of this app: “There are a lot of reasons to believe that there will not be a lot of significant medical use to this app. On the other hand, there are also possibilities of false negatives. I’m in Bluetooth contact with my downstairs neighbour, but that doesn’t mean we are in risky contact,” Prof. Raman said.

Not open sourced, can’t reverse engineer

“Reverse engineering must not be prohibited,” Prof. Banerjee said. The current Terms of Use explicitly prohibit users from reverse engineering the app for any purpose. “In any case, reverse engineering must not be required, it should be an open source app at this scale. The design principles should have also been detailed in a white paper. Without that, it just seems like a red herring that makes people run around without clarity.”

***Update (April 21 10:53 am): Article updated with more information from the event, and lightly edited.