Indian authorities have made a contact-tracing mobile app mandatory for all public and private sector employees, raising concerns among digital rights experts about privacy and increased surveillance.
Aarogya Setu, the app launched by the Indian government earlier this month to stem the novel coronavirus outbreak, evaluates users’ risk of infection based on location, and their medical and travel history. It uses Bluetooth and location services to trace a user’s contacts.
“Use of Aarogya Setu app shall be made mandatory for all employees, both private and public,” a directive issued by India’s Ministry of Home Affairs said on Friday.
The fresh guidelines came as India extended its coronavirus lockdown for another two weeks after May 4.
“It shall be the responsibility of the head of the respective organisations to ensure 100 percent coverage of this app among the employees,” the ministry said.
— Shereen Bhan (@ShereenBhan) May 1, 2020
The app had already been made mandatory for food delivery workers and some other service providers, as well as all federal government employees.
It may also be needed to access public transit and airports when a nationwide lockdown lifts, according to local media reports.
Digital rights organisation Internet Freedom Foundation called the app a “privacy minefield”, adding “it does not adhere to principles of minimisation, strict purpose limitation, transparency and accountability”.
“The app runs very palpable risks of either expanding in scope or becoming a permanent surveillance architecture,” said executive director Apar Gupta.
Deepinder Goyal, founder of food delivery firm Zomato, said, “Being on the front line exposes our delivery partners to catching the infection, and therefore, any customers that they get in touch with for those few handover seconds.”
By mandating all its delivery staff to use Aarogya Setu, “the idea is to keep individuals, as well as authorities, informed in case they have crossed paths with someone who has tested positive for coronavirus – to prevent further spread,” he said in a statement.
India has recorded more than 35,000 cases of the coronavirus, including about 1,150 deaths, according to Johns Hopkins University statistics.
About 80 million downloads of Aarogya Setu – meaning “health bridge” in the Sanskrit language – have been reported, a small fraction of the 500 million smartphone user base in a population of more than 1.3 billion.
India is among a growing list of nations using mobile apps, facial recognition cameras, drones and other technologies to track the virus, monitor people under quarantine, and determine who can work and take public transit as lockdowns are eased.
A spokesman for the information technology ministry did not respond to requests for comment.
Digital rights experts have warned that use of such technologies increases the risk of surveillance, and that some of these measures will persist even after the situation eases.
At the time of the launch of Aarogya Setu, officials had said: “The personal data collected by the app is encrypted using state-of-the-art technology and stays secure on the phone till it is needed for facilitating medical intervention.”
Like China’s Health Code app that shows a user is symptom-free to board the subway or check into a hotel, federal government employees in India must have a “safe” or “low risk” status on their Aarogya Setu app to go to work, according to a notification dated April 29.
The app may soon be installed on all smartphones by default, according to local media reports.
Bluetooth phone apps for tracking the coronavirus have seen modest early results, although more countries are rolling them out. Luxury carmaker Ferrari has a voluntary contact-tracing app as part of its plan for reopening its factories.
About 600 scientists and researchers from around the world, in a joint statement earlier this month, said GPS-based contact tracing apps lacked “sufficient accuracy” and carried privacy risks.
Some of these apps enabled government or private surveillance through “mission creep”, they said, a shift from the stated objectives.
Countries are addressing privacy concerns differently, said Anirudh Burman, an associate fellow at Carnegie India.
“What we are seeing so far is that most of these applications are designed for pandemic prevention,” he said.
“We are not yet seeing any significant evidence of the scope of these applications increasing. It is not clear yet that there is a significant function creep,” he said.
But the risk that this may happen is high in India, which has neither a data protection law nor a data protection authority, said Suhrith Parthasarathy, a lawyer.
“Aarogya Setu is framed as a necessary technological invasion into personal privacy to achieve a larger social purpose,” he told the Thomson Reuters Foundation.
“But without a statutory framework, and in the absence of a data protection law, the application’s reach is boundless.”