NEW YORK: Pushing back against the steady hum of privacy concerns from critics of India’s Aarogya Setu contact tracing app, MyGov CEO Abhishek Singh emphatically defended the app as the safest across all mobile apps that Indians currently use and a digital public good that Indians should be “proud” of.
MyGov developed the Aarogya Setu app and launched it in April. “There is no other app that anyone in India is using today that has greater privacy features than what Aarogya Setu has“, he told IANS in a video interview Tuesday. “Critics will be there, we welcome them. Sometimes what they say makes us strive harder and ensure(s) that what we do is in the best interests of the people of India.”
Baptiste Robert, a French security researcher, in a May 6 Medium blog post under his online pseudonym Elliot Alderman, said he was able to spoof his location and zoom in on the location of infected users.
MyGov responded pointwise to Robert’s security concerns and cranked up its communication around privacy FAQs and the small details. On May 11, for instance, when Aarogya Setu had 98.5 million downloads, it pushed out information that data of “only 0.013 per cent” of all users were uploaded to the server to identify Bluetooth contacts and alert them.
Singh’s remarks to IANS come on a day when the app at the heart of India’s contact tracing effort has been downloaded 107 million times in a country with a smartphone user base of about 500 million.
Singh said Bluetooth contacts of confirmed COVID19 cases on the Aarogya Setu app have begun to turn up a 23 per cent positivity rate for the coronavirus and are helping identify hotspots “seven days faster” than what’s possible without the app. “Among those who have been identified as bluetooth contacts of COVID19 positive, when we do the testing, the positive rate we are getting is almost 23 per cent.”
Aarogya Setu’s GPS and Bluetooth mix has sparked intense scrutiny among critics about potential data breaches and government leverage. Singh explained that encryption and anonymity are hardwired into Aarogya Setu. Personal details are taken “only once”, at registration, and then anonymised via a device ID, he said. Singh said Aarogya Setu’s privacy standards conform to the draft privacy bill pending in Parliament and the app’s focus is “on saving lives”.
“This device ID is the one with which all other interactions take place subsequently.”
Singh said only information essential for “medical interventions” like making quarantine decisions or sanitising of public areas is shared. “That too, only with government health representatives”, Singh stressed.
At least 25 countries around the world, including India, have deployed contact tracing apps to help contain infections by identifying and notifying all those who come into contact with a carrier.
India’s Aarogya Setu uses a mix of location and Bluetooth technology. Bluetooth, which is easier to anonymise, is considered several notches above location data in the context of privacy.
On a sliding scale of 30 days to 60 days, depending on the user’s COVID19 risk profile, data is destroyed, according to Singh. Data destruction on the Aarogya Setu app happens 30 days from creation of data for zero risk users and 60 days post recovery for COIVID19 patients.
Aarogya Setu’s data analysts at Indian Institute of Technology, Madras and Indian Institute of Science Bengaluru calculate the cumulative hours of contact with an infected person “at the sub pin code level”, Singh told IANS.
This is “huge potential as an early warning systema, Singh said, speaking to Setu’s role as a public good in a health emergency.
MyGov’s former chief Arvind Gupta, in a recent conversation with IANS, called for a change in how the public thinks about privacy in the context of digital public goods in the post-COVID19 era.
India’s COVID19 caseload has surged past the 100,000 mark, more than 3,300 have died from the virus, according to official data.