Why India’s contact-tracing app is still a work in progress, eight weeks after national rollout

India was among the first countries in the world to order a national rollout of its contact-tracing app on 2 April, just a week after it went into lockdown, to stem the spread of coronavirus.

The initial launch was a quiet affair, but attention built around the app as it was increasingly highlighted during prime minister Narendra Modi’s addresses to the nation.

Almost two months and nearly 120 million downloads later, the app has become a key part of the Indian government’s plans for reopening the country, with employees expected to download it before returning to offices and passengers barred from flying without showing the app on their phone.

Yet despite the app’s growing importance, key concerns surrounding data protection and privacy are only just being addressed, and rights activists say many problems are still outstanding.

While the UK is yet to roll out the NHS’s version of a simplified contact-tracing app that will perform just one or two key functions, India rushed out a program that actually provides a host of services in one.

The app, known as Aarogya Setu (“bridge to health” in Hindi), uses Bluetooth and GPS to track when users come into close proximity with people who have tested positive with Covid-19 and warns them they may need to get tested.

But one of the biggest concerns for digital rights groups has been the fact that users’ location data will be transmitted at regular intervals, shared with a government agency and stored in a centralised location.

Sidharth Deb from the Internet Freedom Foundation called this use of GPS tracking “a clear departure from other [countries’] exposure notification models, which have barred it due to its incompatibility with people’s fundamental right to privacy”.

India, he told The Independent, has no data protection or informational privacy law in place to “reign in the government’s appetite to collect data”. “Our concern is this is a mass deployment of an experimental technology which without limitations may morph into a permanent system of health surveillance,” he said.

Another issue raised with the app is the way in which the government transitioned from insisting it was voluntary to making it mandatory in practice.

This was done through a combination of measures, including a clause in the home ministry’s emergency lockdown rules on 1 May that stated: “The use of Aarogya Setu app shall be made mandatory for all employees, both private and public. It shall be the responsibility of the head of the respective organisations to ensure 100 per cent coverage of this app among the employees.”

Later this month, when it was announced that a limited number of domestic flights would resume, the government said that passengers would be required to show the Aarogya Setu app on their phones before they would be allowed to enter airports.

An article in the MIT Technology Review highlighting some of the concerns with Aarogya Setu noted that, according to its data, India was “currently the only democratic nation in the world that is making its coronavirus tracking app mandatory for millions of people”.

It must be said that since the MIT Technology Review piece was published, the government has taken remarkable notice of public privacy concerns and enacted some steps to alleviate them.

New guidelines for the most recent phase of the lockdown ending 31 May stated only that employers “should ensure” uptake of the app among their employees “on a best-effort basis”.

The app’s terms and conditions were also changed, removing a clause that would result in immediate suspension if users “fail to comply with the terms of service” and introducing a significant admission – that the government can be held liable for “unauthorised access to your information or modification thereof”.

And just this week, the government announced a major U-turn by agreeing to demands to make the code of the app open source, allowing developers to check it for bugs and potential privacy risks.

There are still objections, of course. Ray Walsh, an expert with the website ProPrivacy, said the ongoing requirement for airline passengers to show Aarogya Setu “turns this app into an immunity passport”. “The inability to travel without giving up essential freedoms is deeply concerning,” he said.

And while proximity tracing might be the app’s most talked-about function, there are broader issues with what Aarogya Setu is trying to achieve from a public health perspective, said Raman Jit Singh Chima of Access Now, a major international NGO advocating for digital rights.

The app also allows users to perform a self-assessment test, to see how many Covid-19 cases there are within a 500m or 1km radius of them, to view nationwide and state-by-state data about cases and deaths, to watch inspirational videos from the likes of Bollywood icon Amitabh Bachchan, to store and display government-issued curfew passes, and to read guides on best virus safety and personal hygiene practices.

“There is no one core function, in effect they have tried to make this seven or eight apps in one,” said Chima. “The problem is that there’s too much there, and that it’s flawed. Bluetooth can be really approximate, it was never intended for proximity tracking.

“And I understand the government’s concerns about the limited number of test kits available, but you can’t use an algorithm and a self-assessment test to replicate what actual testing can do. It is trying to use technology to make up for failures of public health infrastructure.

“The issue is that you’re not just using all this to inform people, but to offer public health response. And that’s what’s deeply troubling. You are declaring hotspots based on a data set that is full of potentially false positives and negatives.”

When they announced that the app was going to be made open source on Tuesday, officials from India’s IT ministry also unveiled a “bug bounty” system, where users who spot issues with the code of the app will be paid to report them to the developers.

Senior official Ajay Prakash Sawney called it a “major step”, saying the government was “opening the heart of this functional system used by (then) 115 million people”. It was a remarkable admission – that the authorities were still hoping for the support of ethical hackers on a system that has been informing the country’s health response to a pandemic for more than eight weeks.