Aarogya Setu: Compromising Data Privacy in COVID19?

The pace of COVID-19 infections simply doesn’t appear to be slowing down. Consistently, the graph just seems as tough as a trekker ascending Mount Everest, with the highest point no place in sight. With a majority of the 1.3 billion individuals confined to their homes and under lockdown, things don’t appear as they will change at any point in the near future. The government reported new measures from 3 May onwards in regards to new changes in the as of recently characterized red, orange, and green zones.

Aarogya Setu is an Indian open-source COVID-19 “Contact tracing, Syndromic mapping, and Self-assessment” digital service, primarily a mobile app, developed by the National Informatics Centre under the “Ministry of Electronics and Information Technology” (MeitY). The app reached more than 100 million installs in 40 days. On 26 May, amid growing privacy and security concerns, the source code of the app was made public.

Aarogya Setu (meaning: the bridge for liberation from disease) has gotten one of the most downloaded applications in the nation in a range of about 14 days of its launch with 90 million downloads. What’s more, one reason for its notoriety is on the grounds that Prime Minister Narendra Modi encouraged 1.3 billion individuals of the nation to utilize it. While the application was recommended to be voluntary at the hour of launch, recently numerous private and public associations made it mandatory for their employees to install the app.

The application has confronted flak for its potential privacy and security flaws. As of late, French hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter also raised concerns about the app’s privacy. On 6 May, Robert Baptiste tweeted that security vulnerabilities in Aarogya Setu permitted hackers to “realize who is tainted, unwell, [or] made a self-evaluation in his preferred region”. He additionally gave subtleties of what number of individuals were unwell and contaminated at the Prime Minister’s Office, the Indian Parliament, and the Home Office. The Economic Times pointed out that a clause in the app’s Terms and Conditions stated that the user “agrees and acknowledges that the Government of India will not be liable for any unauthorized access to your information or modification thereof. In response, several software developers called for the source code to be made public.

Now, MIT University has reviewed the Aarogya Setu app to understand how effective the app is, is it safe to use, and how it compares to other contact tracing apps that are being used in different parts of the world.

As opposed to the ongoing practice of threats to arrest and fine in the country for people who don’t have the Aarogya Setu application installed on their mobile phones, the survey proposes that the approach of the application says it is voluntary to use. The MIT likewise asserts that India is the only democratic nation in the world that has made it mandatory for the residents to use the app.

Aarogya Setu seeks persistent access to location information for its social movement graph and uses Bluetooth technology to caution individuals when they interact with a COVID-19 positive individual. Most contact-tracing applications deal with a similar rule. Be that as it may, what mists the account around Aarogya Setu is the ambiguous privacy strategy and silence on security practices.

“The privacy policy of the application is totally silent with regards to what security practices are being followed. Merely saying that information is kept secure through encryption is only lip service. They have to offer more subtleties on the security systems and respond to what level of encryption is being utilized,” said Pavan Duggal, a cyber law expert.

Prasanto Roy, a tech policy analyst, isn’t simply worried over the way that the application is catching his personal information, location, and health data. He is additionally concerned about what will be shared, with whom, and for what reason. Notwithstanding being quiet on the handling of data, the application itself has been shielded from scrutiny by keeping its source code a secret. Prasanto Roy wants to accept that the government’s expectations are acceptable, and it wants to utilize the app for contact tracing alone and not to spy on residents, adding, “Assuming this is the case, there is no compelling reason to make the applications’ source code a state secret. Just open-source it (make the code accessible for general visibility and investigation), as other nations like Singapore have done with their contact tracing apps.”


Privacy watchdog Internet Freedom Foundation (IFF) has likewise appealed to Prime Minister Narendra Modi to not make the use of application mandatory as it can damage or affect privacy, autonomy, and dignity of laborers. It has just sent a joint portrayal endorsed by 45 organizations including Amnesty India, Access Now and Red Dot Foundation, and more than 100 people.


The joint representation contends that to fulfill the proportionality standard adopted in K.S Puttaswamy v. Union of India (privacy) judgment, the utilization of any privacy infringing technology must fulfill five criteria: First, it must have a legislative premise. Second, it must seek a legitimate aim. Third, it ought to be a judicious strategy to achieve the intended point. Fourth, there must not be any less prohibitive alternatives which can likewise accomplish the intended point. Fifth, the advantages must outweigh the damage caused to the right holder.


This is going to open a Pandora’s box of legal issues and litigations. It violates a fundamental right, now that the SC (Supreme Court) says privacy is a fundamental right, and it can only be deprived in accordance with the procedure established by the law. There is no act passed by the parliament, which authorizes making this app mandatory.


The Airports Authority of India (AAI) also released some guidelines for post lockdown air travel, asking all passengers to compulsorily download the Aarogya Setu app to be eligible to fly. This move adds flight passengers to the ever-increasing list of Indians for whom downloading the Aarogya Setu app has been made mandatory by the Union Government. 


Managing the tussle between individuals’ privacy and public health during a pandemic requires a tough balance. The government’s decision to make Aarogya Setu voluntary, open-source, and subject to public scrutiny are encouraging steps.

Nevertheless, the government’s responsibility and liability in case of a data breach remain uncertain. Further, the app’s source code is now under the Apache 2.0 open source license, which allows the creation of derivative works freely. It remains to be seen whether such derivative apps will be allowed on mobile platforms without the government’s approval especially if they relate to COVID-19.

Lastly, we have come across a lot of benefits of mHealth and understood this aspect clearly. The future of mobile technology looks promising enough as the technology is forging ahead with a faster pace. With this in mind, there is no hard and fast rule when it comes to using these health applications. A patient as per his preference only should use the apps otherwise go ahead with physical care or traditional care. But, it is of no harm to be in touch with these apps as they provide extra information and care which serves for the best of patients. 

Spread the word

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email