Date: 2020-05-11

After privacy concerns were repeatedly raised about the government’s Aarogya Setu app, the Indian government today said less than 13000 users’ data has been moved to government servers from the app so far. The same was confirmed by Ajay Prakash Sawhney, Secretary, Ministry of Electronics and Information Technology (MeitY), during the health ministry’s daily briefing about covid-19 today. Sawhney is also heading the technology and data management efforts for the Empowered Group of Officers set up under the Disaster Management Act.

According to Sawhney, these were users who were found to be covid-19 positive or at risk of the disease through the app. Their data will also be deleted from the servers 60 days after they’re cured. He said that while under 13000 users were found to be covid positive, this allowed the government to alert nearly one lakh users. The app currently has over 9.8 crore users.

It’s worth noting that the data Sawhney referred to is about exposure events. The app’s privacy policy states when two users come in close contact, their unique ids (explained below) are stored on the two phones along with the time and GPS location. This is uploaded to the app’s servers (controlled by the government) only if a user tests positive.

The fact that Aarogya Setu has uploaded data to servers less than 13000 times also means that it has identified less than 13000 exposure events so far. One wonders why an app with 9.8 crore users isn’t more effective, if those users are actually using the app.

Further, Aarogya Setu does upload personal information recorded by the user to its servers when one signs up. The privacy policy clearly states that names, phone numbers, age, sex, profession, and countries visited in the last 30 days are uploaded to the server when a person logs into the app. This, though, is hashed using a unique digital id, which the government calls DiD. It’s the DiD that is shared between phones when determining exposure events.

Sawhney said that when two Aarogya Setu users come close to each other, the app transfers data like GPS location, identity etc. to central servers if a person tests positive for the disease. For those who are not at risk, their data is deleted every 30 days and data for those who are being tested right now is deleted after 45 days. If a user tests positive, then their data is kept up to 60 days after they are cured.

Based on the privacy policy, this covers data about self-assessments, exposure events and location coordinates. The first clause, which sends names, phone numbers etc. to the servers on sign-up, isn’t covered by this particular part of the policy.

Sawhney reiterated that the data acquired from the app is used only for health-related purposes. He confirmed that while the app is only available on Android and iOS phones right now, it will also be coming to JioPhones soon.

The Aarogya Setu app has come under fire for possible user privacy violations. Ethical hacker Robert Baptiste, who goes by the moniker Elliot Alderson on Twitter, had written an article detailing some ways in which an attacker could take advantage of the app. However, the government responded to Baptiste’s claims saying no user data has been compromised.

