India rolled out its controversial contact tracing app, Aarogya Setu, for five million Jio Phones, the feature phones sold by Reliance Industries’ telecoms unit, the Ministry of Electronics and Information Technology (Meity) said on Thursday.
While India currently has half a billion smartphone users, it has an equivalent number of feature phone users. Even if every smartphone user downloads the app, India will still have half a billion Indians without it. To bridge that gap, Reliance Jio, one of the largest feature phone makers in India, had been working with the government to create a version of the Aarogya Setu app that would work on its internet-enabled feature phones. Reportedly, there will be a roll out for different models of Jio Phones, which will cover the remaining roughly 95 million Jio Phone users.
Last month, Mukesh Ambani, Chairman, Reliance Industries, had appointed a team to work with the government to build an Aarogya Setu app for Jio Phones.
Since not all feature phones may support apps, the government is reportedly working with telecom operators Bharti Airtel and Vodafone-Idea, as well as Reliance, to enable calls to their subscribers in local languages. The idea is to use an Interactive Voice Response System (IVRS) from a central helpline number – 1921 to check if users exhibit any coronavirus related symptoms, and consequently, alert local health authorities about such users.
While the primary aim for Aarogya Setu is to track people who may have come in contact with COVID-19 positive persons to prevent further spread, it has rapidly evolved into a one-stop-platform for anything and everything related to the novel coronavirus including information on how things will be done in the post-coronavirus world.
Using Bluetooth and GPS data from smartphones, the app lets users know if there are any coronavirus cases in their vicinity, or if they have come in contact with a COVID-19 positive person, and guides them on what to do, in case they have. Apart from that, the app offers a self-assessment test for users to check whether they exhibit any COVID-19 symptoms.
The app introduced a new feature called Aarogya Setu Mitr (AarogyaSetu friend) for online consultations, doorstep collection of samples for testing, and medicine delivery earlier this month.
The evolution of the app didn’t stop there. The app, which till last month doubled as an electronic pass only for food and grocery deliverymen, was made compulsory earlier this week by the Indian Railways for passengers traveling by trains. The aviation ministry is also looking to make it a necessary requirement for air travel. Reportedly, the app is likely to be used for self-certification by people for traveling in the country, which is gearing up to ease the lockdown later this month. It’s no surprise then that the app, which was made mandatory for the employees of private and public companies starting this month, crossed 100 million downloads on May 13, mere six weeks after its roll-out.
On the flip side, the privacy and security concerns regarding Aarogya Setu have been mounting in the country.
In the first week of May, ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, warned the Indian government about the security lapses in Aarogya Setu. He said it was possible to see “who is infected, unwell, made a self-assessment” in the area of his choice.
“Basically, I was able to see if someone was sick at the PMO [Prime Minister’s Office] or the Indian parliament. I was able to see if someone was sick in a specific house if I wanted,” he said in a tweet. He added, that access to such information could become a major security lapse.
Responding to Baptiste, the Aarogya Setu team said the app fetched user location on few occasions “by design” and that “no personal information of any user has been proven to be at risk by the ethical hacker.”
Earlier this week, the government issued a set of guidelines for the collection, processing, storage, and sharing of the user data. It clarified the procedure for handling of data by various government agencies involved in controlling the COVID-19 spread. The government said the data can also be shared with universities for research purposes but only in the anonymized format, after delinking personal details that can reveal the identity of the individuals using the app.
The guidelines barred storing data for more than six months and specified jail term for those violating the rules. It also provided an option for individuals to seek the deletion of their data from the record within 30 days of making such a request. According to the government, Aarogya Setu usually deletes data of non-infected persons every 30 days, those who undergo tests in 45 days, and COVID-19 patients every 60 days.