Should you download Aarogya Setu?
Yes. Its updated privacy policy is a marked improvement on the previous one. But the app needs an end date so it does not set a new normal.
This week of the pandemic has focused significantly on around Aarogya Setu and contact tracing. So much so that during his speech extending the lockdown, PM Modi urged people to download the app.
The idea is for the Government to use the app to know where you are and who you have been in contact with, enabling contact tracing.
The app’s privacy policy has been under fire since its release and has been updated recently with improved protections. Because the app is to be used for contact tracing as well as quarantine enforcement, it will collect huge amounts of personal and sensitive data. For instance, signing up to the app requires you to put in your name, age, gender, phone number, and profession.
Once you have registered, the app will begin to use Bluetooth to check who you have been in contact with. In case you test positive, the information might come in handy to notify people who may have also been infected. However, the Bluetooth itself does not give away your location.
The way it works is if the Bluetooth on your phone detects another phone in range, the pair will exchange keys and keep a record of the interaction.
The app will use the GPS inbuilt on your phone to monitor your location, enabling it to determine whether you are adhering to the quarantine with significant accuracy. The phone will take note of your location every 15 minutes and only share the information with the Government server if you test positive.
Normally, you would have found the data collected by the app to be extremely invasive. But then again, these are not normal times. You could make the argument that the measures are necessary and proportional.
There are some technical shortcomings and slightly concerning macro trends with the concept. Firstly, the usage of Bluetooth. Bluetooth is fairly trustworthy over 6 ft (the norm for physical distancing). However, the same things that stop coronavirus from spreading do not apply to Bluetooth. As put by Casey Newton, Bluetooth can recognise two devices kept 10 ft and an apartment wall apart while the coronavirus may not transmit through walls.
Situations like these are likely to lead to a lot of false positives. Secondly, the context here matters. India faces different challenges as compared to the developed world. Earlier this month, when Apple and Google came up with the idea to enable contact tracing, it led to plenty of debate around wealth distribution being strongly correlated with OS distribution.
The idea is that if you wanted to check where in the world wealth was concentrated, you could look at a map of iOS users around the world. Android, on the other hand, runs on a lot more smartphones than iOS, and not all of them have Bluetooth-LE, which is needed to enable contact tracing. Here, it is the poor who lose out.
In India’s case, the poor currently lose out because they own feature phones and not smartphones. While Medianama reports that the Government is working on a feature phone version of the app, the poor will continue to remain at a disadvantage until it is released.
Should you download the app? Yes. The updated privacy policy is a marked improvement upon the previous one. Most data collected by the app is stored on the device locally or 30 days, after which it is deleted. Data that is shared with the Government will be deleted after 45 days.
However, in case you are unfortunate enough to test positive, the information shared with the Government will be deleted two months after the individual is cured.
Broadly speaking, this policy is a step towards better data management practices. While protections could have been made better through open sourcing the app and disclosing the encryption, the current version of the app is reasonable in its approach and mandate. More importantly, perhaps, in last week’s column, I made the point that the liberties we give up today may end up becoming the norm tomorrow.
This very much applies to Aarogya Setu. Even with an updated privacy policy, in regular times, the app would have been considered invasive to personal privacy.
The hallmark of a good policy/programme is that it ceases to exist once it has achieved its goal. What the app does need is an end date so that it does not inadvertently set a new normal. This also applies to measures such as facial recognition techniques being used to enforce quarantines as well as any other means that collect, store or process data.
The pandemic will hopefully come to an end sometime. Keeping that in mind, so should the technology measures that are used to contain it. In that regard, Aarogya Setu should lead the way. A new, worse normal in privacy is the last thing the world needs.