Aarogya Setu app to come pre-installed on new phones, registration will be mandatory: report

Aarogya Setu app is India's official contact tracing application for COVID-19.

Highlights
  • All new smartphones will reportedly come with Aarogya Setu app pre-installed after the lockdown
  • Registering on the app is said to be compulsory for all users, with no option to skip the registration
  • A similar approach is also expected to follow for feature phones

Aarogya Setu app might become a mandatory feature for all smartphone users. The app, launched by the government of India to keep track of the pandemic coronavirus (COVID-19), will come pre-installed on new devices sold after the lockdown is lifted, according to multiple media reports. One of the reports even says the registration process will be compulsory for all users and cannot be skipped. “All new smartphones to be sold in India post lifting of the lockdown to not just have the app as a pre-installed service, but also ensure that individuals register on it and set it up, before beginning to use their new smartphones,” reported News18, citing government sources.

It’s another step from the government to make more and more people use the COVID-19 contact tracing app. To enforce this decision, the government of India looks set to appoint nodal agencies that will be the point of contact for smartphone companies, and will be responsible to have the app installed without a skippable step for all new devices. This will make the Aarogya Setu app an inbuilt feature on all new smartphones, that will be sold in India going forward,” added the report. For starters, the Aarogya Setu app will only be mandatory for smartphones, but the government is reportedly working on a way to enable contact tracing on feature phones as well.

Additionally, the government is also promoting the app for existing smartphone users. All government employees had been asked to download the Aarogy Setu app and should come to the office only if their status in the app shows “safe”. It’s also mandatory for all delivery and service executives, and there are reports that the app will be used by Central Industrial Security Force (CISF) and Delhi Metro to screen people who wish to use the mass transportation service once lockdown is lifted.

Since its launch, the Aarogya Setu app has been downloaded over 75 million times. The numbers are likely to increase when the restrictions induced by coronavirus are lifted and the government makes it mandatory for all new smartphone users. Aarogya Setu uses Bluetooth and location data to inform users if they are at risk of coronavirus through contact tracing. It also keeps a record of all the COVID-19 cases, symptom checker for possible infection, instructions on how to self-isolate, and official information portal for government communication pertaining to the pandemic.

Aarogya Setu privacy concerns

However, security concerns around the Aarogya Setu app have been raised by multiple organisations. The GPS and Bluetooth data give away the app’s users’ location and device identity to hackers. Other details the app seeks from users (and stores in government servers) are name, age, phone number, sex, profession, smoking status, and countries visited. Details such as the name, age, sex, profession, phone number, and GPS location are considered a goldmine for any hacker, any organisation aiming to monetise users without their permission, or any surveillance agency tracking users.

Developers and privacy activists point out that there is no clarity over who can access the users’ data that is collected from the app. The app’s official privacy policy just saying “persons carrying out medical and administrative interventions necessary in relation to COVID-19” can access users’ data. The Internet Freedom Foundation calls this access of data “excessive.” Further, the app is not open-source, meaning there is no transparency and community audit of the app is not possible.

Moreover, there are concerns that the static number used by the app to identify users can lead to identity breaches. In contrast to this, Apple and Google’s contact tracing app uses a dynamic number that keeps changing periodically to identify users; this approach is safer from hacking attempts.

Just recently, The New York Times reported that some Aarogya Setu users’ data was exposed to YouTube. The data here was the location of the user, but not their identity. This issue has been fixed after the report was published, the government says.