Over the weekend, Aarogya Setu released a new feature for Android users that allows users to find out the number of other Aarogya Setu users they have been in close proximity with since they installed the app or in the last 30 days. Under the health status on the home screen of the app, users can choose to view their Bluetooth contacts. This feature was formally released on Sunday but a Twitter user spotted it on Friday night. It is not available for iOS devices yet. The open-source Android code on GitHub has not been updated to show the code for this feature; the last update there was made a month ago.

New Aarogya Setu Feature

Android version of Aarogya Setu allows users to see the Bluetooth contacts. | Credit: Aroon Deep

As per the official Aarogya Setu Twitter account, to see the “indicative status” of the Bluetooth contacts, users must consent to upload their Bluetooth and location data, which is what was required. Without uploading the data, we could only see that we had 10 Bluetooth contacts, not their indicative status. “Indicative status” lists the number of Bluetooth contacts that are infected (red text), or at high risk (orange text), or at moderate risk (yellow text), or at low risk/healthy (green text). The indicative status of some users is marked as “unknown” (grey text) but it is not clear why. It could be because those users have not taken the self-assessment test on the app, but that is speculation at this stage.

(Right) On July 4, we were initially shown that we had 10 Bluetooth contacts. To see their “indicative status”, we were told to upload our data to the “govt servers”. (Centre) On doing that, we got status details of 7 people; we are not sure why the indicative status of 3 people is unknown or why it asked us to upload the data again. (Right) On July 6, our Bluetooth contacts dropped to 9 and we weren’t asked to upload our data again. The former is probably because that one contact came in our proximity before 30 days. | Credit: Aroon Deep

The option to know the date, time and approximate location and duration of a Bluetooth contact is only available to users whose status has been assessed as “Moderate Risk” (yellow screen) or “High Risk” (orange screen), as per the official Twitter account. Since we were marked safe/low risk (green screen), we couldn’t access this extra information.

What’s unknown?

How old are these Bluetooth contacts? Do the Privacy Policy and Terms of Use permit such data sharing? It is not clear how old these Bluetooth contacts are since the new feature says “through Bluetooth proximity since you installed the app or the last 30 days”. It is not definitive. As per the app’s Privacy Policy, if the data stored on the device — which includes the data of Bluetooth contacts and location data collected at the time of proximity tracing — is not uploaded to the server, it is automatically deleted in 30 days. Such data is uploaded to the server (without the user’s consent) only if the algorithms at the back end calculate a higher probability of infection for the user, or if the user is diagnosed with COVID-19 through an actual test. Moreover, once the data is uploaded to the server, in case the user tests negative for COVID-19, their data is deleted from the server 45 days after upload, but if they test positive, it is deleted 60 days after they are declared free of COVID-19.

Whom will this information benefit? Since this information has been available to authorities since the app was launched, it is not clear whom this will benefit. Multiple media reports have shown that it is not easy for citizens to get tested, hospitals across the country are getting overwhelmed, and private labs and hospitals are scamming people by declaring them COVID-19 positive to extort money from them. In such a situation, where Bluetooth proximity cannot be accurately measured and a digital handshake does not actually mean contact (what if people were on two different floors or rooms or were in two cars in a traffic jam?) — something the Aarogya Setu Twitter account also acknowledges —, this may actually spread paranoia amongst people more than anything else instead of allowing users to “assess their risk”.

Read more: Aarogya Setu’s privacy risks and challenges to effectiveness

The National Informatics Centre (NIC), which is now handling the app and its backend instead of NITI Aayog, has thus far not defined when the iOS version of the feature will be released, or what caused the delay. The Privacy Policy and Terms of Use have not yet been updated to account for uploading this data or displaying such information to users even though the Deputy Director-General of NIC and the app’s grievance officer R.S. Mani had told MediaNama last week, after the app ran into some unidentified issues on its 90th day of release, that the Privacy Policy and Terms of Use might be updated in the next few days. We have reached out to Mani and NIC for more information.