As India settles into an extended coronavirus lockdown, the government wants to ensure it fervently pursues contact tracing. To this end, the Narendra Modi government launched the Aarogya Setu – Hindi for a bridge to healthcare – mobile app on April 2.

The app is meant to alert users if they have come in contact with a Covid-19 positive patient, and what measures they need to take in case that happens. But cybersecurity experts worry that Aarogya Setu could violate its users’ privacy and be a surveillance tool in the hands of the government.

“As such, the Aarogya Setu application appears to clearly be inconsistent with privacy-first efforts which are being considered by technologists and governments,” wrote Sidharth Deb, policy and parliamentary counsel at Internet Freedom Foundation, in a paper. The paper evaluates Aarogya Setu on various privacy and safety parameters against two similar apps specific to Covid-19 – the TraceTogether app from the Singapore government, and Massachusetts Institute of Technology’s Private Kit: Safe Paths project.

Despite glaring flaws, Prime Minister Modi, on April 14, recommended that citizens download the app while announcing an extension of the national lockdown till May 3. Several government agencies have also been spreading awareness about Aarogya Setu through different social media and other channels.

One reason for this could be that for the app to successfully undertake contact tracing for Covid-19, at least 50% of India’s population needs to download the app. That in itself may prove a challenge given that only over 500 million people among India’s 1.3 billion have smartphones.

But privacy concerns are still at the heart of all issues with Aarogya Setu.

All intents and purposes

Purpose limitation, which predefines the end to which data collected will be used, is a key factor in privacy agreements. Vague language in Aarogya Setu’s privacy agreement leaves it open for the government to repurpose this data for its other agencies. “To protect people’s right to privacy, countries, including Singapore, say that contact tracing will be used strictly for disease control and cannot be used to enforce lockdowns or quarantines. Aarogya Setu retains the flexibility to do just that, or to ensure comply legal orders and so on,” says Internet Freedom Foundation’s explainer about the app.

Singapore’s TraceTogether, for instance, explicitly states that the data collected through the app can only be used by the country’s health ministry. Curiously, the committee that designed India’s app “lacks any representation from the ministry of health and family welfare, or any independent involvement of persons with a medical or epidemiological background,” according to the Internet Freedom Foundation paper.

Unlike Private Kit or TraceTogether, the Indian government has not released any information about the source code of the app. “The only information we have of the app is its frontend and its rather pedestrian terms of service and privacy policy. Other projects release as much information as possible in pursuit of transparency,” reads the explainer.

This, in effect, prevents ethical hackers from identifying security threats in the app, and makes it potentially more vulnerable to malicious attacks. Both TraceTogether and Private Kit’s respective source codes are available on GitHub. Each has its own frequently asked questions section and detailed videos on how data is collected and used. Aarogya Setu has neither.

How it works

Once you download the app, it walks you through the information it will provide you. The user then has to enter their mobile phone number, verified with a one-time password. After this, the user enters their name, age, gender, profession, travel history, and known contact with a coronavirus patient.

After this, the app takes the user to a dashboard that has basic information about Covid-19, including hygiene and social distancing protocols. It also has details to on how one could donate to the prime minister’s coronavirus-specific relief fund, PM-Cares.

Future iterations, perhaps, will see this app do more than just contact tracing and act instead as a central source of information.

Too much information

Aarogya Setu also asks its users to provide both Bluetooth and location services access. This, in effect, is meant to help the app identify contact traces of a Covid-19 positive patient. This happens through data sharing between devices with the app when they are in each other’s proximity.

What the terms and conditions do not specify is what information is exactly shared if one’s smartphone comes in the proximity to the device of a coronavirus patient. For apps that are hailed for their privacy metrics, such information is first obfuscated and then anonymised before being shared. This is not explicitly specified by Aarogya Setu, according to the Internet Freedom Foundation.

The app is also more invasive. “Other apps just collect one data point which is subsequently replaced with a scrubbed device identifier. India’s Aarogya Setu collects multiple data points for personal and sensitive personal information which increases privacy risks,” it wrote in its explainer.

Aarogya Setu warns users that should they deny permission to GPS and Bluetooth, it could lead to a false assessment of the Covid-19 situation. But more alarmingly, it asks users to have the device in their possession at all times, and that an exchange of devices could lead to the app reporting false positives.

“How will switching devices lead to a conclusion that someone is falsely identified as Covid-19 positive? Does this mean that people are categorised as Covid-19 positive based on the data collected by the application itself, instead of a formal test result to confirm a positive diagnosis?” asks Deb in the paper. “If this is indeed the case, there is a need to strongly commence dialogue to roll back the application and fine tune the entire process.”

No end

The data collected by Aarogya Setu is stored both on the device and on central servers. And while the terms of service say that time-stamped records of user contact will be deleted in 30 days, but not to anonymised and aggregated data sets. This means that encrypted user data on its own servers could last beyond the purposes of tracing coronavirus.

“This is a first step towards permanent government architectures,” Deb noted in IFF’s paper. The privacy policy, for instance, leaves it open-ended by suggesting that user data can be held longer for purposes “… for which the information may lawfully be used or is otherwise required under any other law for the time being in force.” “This clearly does not suggest intent on the part of the government to destroy these systems. As a result there is a risk the personal information of users may be held for the duration of this public health crisis and beyond,” Deb wrote.

This article first appeared on Quartz.