The Mystery Behind the Aarogya Setu App

The creation of an exclusive, State-driven, contact tracing enhancer for smartphone users in India during Covid times has multiple faults. The primary one is that there is considerable mystery about where the data is being stored and to what extent it is protected. Some code has been released relating to the working of the app, but it has not brought any clarity as it falls short of both completeness and openness, reveals VICKRAM CRISHNA.

On May 1, 2020, the government notified the release of an app called Aarogya Setu (“health bridge”) in response to Covid-19. It was touted as an “intelligent solution”, but it is anything but that, as per reviews. The technical premise that smartphones are capable of authoritatively detecting risky physical proximity to potentially infected persons is specious.

Apart from the flaky claims about the technical capabilities of the phones themselves, there are troubling lacunae concerning opacity around the creation of the software code. It is the code that determines the routing of extensive data collection from users of the tool. As a result, there is considerable mystery about where the data is actually being stored and to what extent it is protected from any use outside of this particular health crisis.

The Supreme Court judgment affirming the right to privacy, on August 24, 2017, clearly lays down the means by which the fundamental contract between citizen and the State is to be handled, and this applies to data collection also.

Opaqueness about the app

The lack of clarity about the writing of the app, claimed and denied with equal enthusiasm by the alleged team and the organs of the State allegedly charged with responsibility for it, further confounds the situation.

Apparently, a software businessman put together a team, drawing contributors from companies with which he is associated or which he controls, calling them “volunteers”, although they apparently continued to draw salaries while working on the code.

Neither the team nor any individuals who are claiming credit for the work are actually contracted with the government for this effort, or, at least, no such contract has yet come to light.

If they are indeed volunteers, it may seem laudable at a glance. Except that, sans a contractual relationship, there is complete and total deniability of accountability for breaches of the Constitution implicit in the collection and use of data by the software packages.

Unfortunately, there is no way, short of full investigative access to both the code and to transactions between the State and private players, to determine whether such breaches have taken place or will do so in future.

The State itself has put out equivocal statements about the possibility that some data might be held for future use.

On the one hand, the entire exercise has been conducted in flagrant breach of long-standing publicly declared government policy on the use of Free Software for public service projects.

To further muddy the waters, the minutes of crucial meetings of an Empowered Group to handle the data, among other responsibilities, have been obtained with considerable difficulty through the Right to Information Act and published on December 3, 2020. They reveal that it has all along been the intention to widely disseminate tracking data to various State players. As the authors of the report stress, such an Empowered Group itself does not have any legal status under the Disaster Management Act, 2005.

Free Software means that the code is open to inspection for anybody (and is, therefore, sometimes called Free and Open Source Software), not that anybody pays for it. Software (computer or digital) is one of the most vibrant and accessible forms of technology of the modern world, except when it is done opaquely.

Two software tools

In this case, there are two broad kinds of software tools involved in making this app work. One is a piece of code that runs on the phone (smartphones are wireless telephone instruments that work on inbuilt computer chips), and the second is code that runs on a server connected to the internet. Smartphones are usually also enabled to connect to the internet by telecom service providers in India.

Some code has been released, over time, relating to the working of the app. Very ominously, the release has not brought clarity, for the simple reason that the code is not clear.

Neither the code originally released for the app nor for the server was published in a professional manner, as revealed by competent technical analyses.

Code releases for the smartphone apps began six months ago in May and are being tracked and published regularly as a public service. The backend server code was only released on November 20, and, as with the preliminary releases of app code, falls short of both completeness and openness. There is no explanation for the lengthy delay in releasing what turns out to be some incomplete and obfuscating sections of server code.

It is, therefore, still not possible to state firmly that the data collected is being deleted from both the phone (after 30 days, the phone data is removed) and from the server (claimed to be hosted within Amazon cloud servers located in Mumbai). Somewhat grimy thumbprints on the code fragments, now in the public domain, demonstrate that the coding teams continue to use privately owned servers to route data, not exactly a shining mark of good faith.

Rather, the Indian public is expected to vest confidence in the intentions and abilities of the coders and the State itself regarding tracking data collected from users and whether it will be handled in accordance with the law. These users include those who have been compelled and coerced to install the app by both private and public entities (public coercion was reluctantly withdrawn after extended protests).

(Vickram Crishna is a trained engineer and manager. The author’s case against the Union of India and Others, opposing the operation of the state-operated technology-based national identification scheme, also resulted in a definitive judgment affirming the fundamental right to personal privacy. The views are personal.)