India's contact tracing app made open source, but will this thwart a surveillance state?

Only until recently were Indian citizens forced into downloading Aarogya Setu under fear of arrest. However, without data protection laws, the government in cahoots with private entities will still be able to do whatever it wishes under the guise of national security.
Written by Rajiv Rao, Contributing Writer

Two days ago, the government of India announced, in a seemingly miraculous turn of events, that it would publicly release the source code for its coronavirus contact tracing app, Aarogya Setu, which has already had close to 120 million downloads.

The app, which uses Bluetooth to locate infected phone users, was rolled out soon after the COVID-19 outbreak began as part of efforts to both track people afflicted with the disease and make aware those that were in close proximity to them.

Following the decision to open-source the app, there must have been a collective, audible sigh of relief amongst those who were terrified that the app, which roughly translates to "Bridge to Health" in Hindi, would become a surveillance weapon.

Siddharth Vardarajan, founder of online news publication theprint.com, was one of those worried souls. Vardarajan has long been in the crosshairs of the Indian government for being one of the few people who have dared to criticise the current and previous bunglings of Indian Prime Minister Narendra Modi and his Hindu chauvinist henchmen. He saw the app as yet another example of Modi's dictatorial tendencies. 

Meanwhile, Indian author Arundhati Roy, forever pilloried by anyone right-of-centre in India, said: "The coronavirus is a gift to authoritarian states including India ... Pre-corona, if we were sleepwalking into the surveillance state, now we are panic-running into a super-surveillance state." 

During the buildup to the app's release, India's Communications Minister Ravi Shankar Prasad insisted on several occasions that the data would only remain on the phone, not be shared with anyone, and that it would be anonymised and encrypted. Abhishek Singh, the chief executive of MyGovIndia, which helped give birth to Aarogya Setu, noted that a user's location data would not only be kept anonymous, but all non-risk users' data would be deleted after 45 days while high-risk users would see their data wiped clean after 60 days. 

So far, it seems Prasad and Singh have kept their word. Plus, there has been no proof yet that the government has used the data for surveillance purposes. 

The Indian government, according to Mint, has stated that "it has helped predict 3,000 virus hotspots at a sub-post office level. With 25,000 users of the app who tested positive, the government could contact trace over 400,000 people. Of these, 140,000 were found to be moderate and high risk."  

However, the folks at Massachusetts Institute of Technology (MIT) aren't terribly impressed with Aarogya Setu's safety quotient nor its collection of all manner of data beyond what contact tracing demands. A good app collects as little data as possible so that a user's privacy is protected, but Aarogya Setu have required continuous access to location history and Bluetooth. This, combined with the fact that they run on government servers, theoretically makes them tools that a government could easily use to track and monitor individuals. 

This privacy debate, naturally, falls into the grey territory of what can and should be done in the name of national security and the health and safety of citizens versus their fundamental rights. Ostensibly, one could be abrogated for the other. In being aware of this, a state like Singapore, no stranger to authoritarian impulses, rolled out a similar app that it announced at the start of its release would be eventually made open source. Not only did the government state that its app's specific goal was to control the spread of coronavirus, the only arm of Singapore's government that has had access to app data has been its Ministry of Health.
In India, however, privacy watchdog Internet Freedom Foundation (IFF) has pointed out that the nation's health ministry was minimally involved in the design and implementation of the app, and instead, the app was largely created by other departments, including the dreaded Home Ministry run by Modi's right-hand man Amit Shah, who has been the chief architect of various draconian measures implemented by government in recent years. 

In fact, while the government has stated that all data would not leave the premises of the app, it also conveniently stated that in certain scenarios, the information could be uploaded to its own servers. That's not exactly comforting to know.

The IFF also reminded everyone that the Supreme Court has established privacy as a fundamental right, but this can be abrogated so long as there is a passage of law and legitimate purpose. Yet no data protection legislation has been passed, despite it being what India desperately needs, either in the service of the COVID-19 app, or in general. 

The IFF further maintained that the government was in violation of breaching individual privacy by making the app compulsory from the outset of its release. Those who didn't comply would be jailed, the government said in its earlier diktat. There has also been no clarity on how the app complies with the Information Technology Act 2000. Even the UK government deep-sixed the rollout of a contact tracing app recently because of the absence of legislation to protect collected data.

Ultimately though, is all this brouhaha over India's contact tracing app more noise than substance since it ended up being open source and optional? Maybe. But consider these facts. Narendra Modi was Chief Minister of the state of Gujarat when over 2,100 Muslims were slaughtered in an orchestrated pogrom. For someone like Modi who has tight control over practically every organ of his administration, it would have been laughably impossible for him -- and his police force -- to not be aware of the bloodletting that took place over a span of many days all across the state. 

In the last few years, there have also been various incidents of Muslims being lynched by Hindu mobs fuelled by the BJP; one mini-pogrom in Delhi was stoked by an elected Bharatiya Janata Party officials; there's also the brutal suppression of the Muslim-dominated state Kashmir in what was the longest internet lockdown in recent times; as well as two meticulously planned, sweeping pieces of legislation architected by Shah, to disenfranchise Muslims in India. Given Modi's history, a potential plan to dovetail Aarogya Setu into a surveillance tool to further press the jackboot onto the necks of minorities and critics is not so wildly improbable.

For anyone who has studied the organised elimination of a group of people, whether it was Hitler's holocaust of the Jews, the Hutu slaughter of Tutsis, the Congress party's complicity in the killing of over 3,000 Sikhs as revenge for the assassination of Prime Minister Indira Gandhi by her Sikh bodyguards, the killing of Muslims under Modi in Gujarat, or even the recent murders of over 50 Muslims in Delhi by Hindu fanatics, the one glaring similarity has been the meticulous record-keeping of who lived where. 

In many cases, the victims were well-known to their killers. With an app, itemising a kill list based on GPS coordinates and other data collected by a compulsory, national app would make such an act child's play. As it is, WhatsApp has already played a pivotal role in spreading hate speech against Muslims, which means the contact tracing app could be a neat addition to the already wide arsenal of tools used for discrimination and hate.

Richard Brooks, a computer engineering professor at Clemson University in South Carolina, said it best recently in a conversation with Bloomberg News: "If the ability to track social contacts exists to stop a contagion, I can guarantee you it will be used to track the spread of dissent." 

India's minorities and dissenting citizens will be praying fervently for a data protection law that prevents the next wave of mass murder. Then again, even that may not be enough.


Editorial standards