The Aarogya Setu mobile application is based on a "privacy-first by design" principle, clarified NITI Aayog CEO Amitabh Kant on May 11, 2020. He stated that the app has been built to ensure the privacy and security of the personal information collected from people.

The NITI Aayog CEO assured that the Government’s Aarogya Setu app has a clearly defined protocol for access to data. The user data from the app is shared only with a few government officials who are directly in charge of containing the spread of the coronavirus pandemic in India.

The National Informatics Centre (NIC) is the fiduciary of the data. The data is shared on a strictly need-to-know basis and limited in scope to the direct work of the concerned government officials.

Key Highlights

• The NITI Aayog CEO reiterated that the Aarogya Setu app is designed to respect the privacy of COVID-19 positive patients.

• The backend of the mobile app is integrated with the ICMR database through an API and the information about the patients who have tested COVID-19 positive is received in real-time.

• The Aarogya Setu app receives all its information regarding coronavirus positive cases through the ICMR database.

• Amitabh Kant clarified that the personal information of the users is re-identified only when individual medical intervention is required.

• The research team is currently exploring a move from a one-time device identity number (DiD) to dynamically generated DiDs for every user, to further enhance privacy, stated Kant.

• He further said that all contact tracing and location information that might have been uploaded on the Aarogya Setu server is permanently deleted after 45 days if the person has not tested positive for COVID-19 within that period.

• If the person is infected, then all contact tracing and location information pertaining to the patient will be permanently deleted from the server 60 days after he/she is declared COVID-free.

Significance

According to the NITI Aayog CEO, the Aarogya Setu application has emerged as a key technology solution in combating coronavirus, as it helped identify several potential emerging and hidden hotspots. The Aarogya Setu engine predicted 130 hotspots across India between April 13 and 20 at the sub-post office level. Kant informed that each hotspot predicted by the app was declared as a real hotspot and the required action was taken by the Union Health Ministry.

Aarogya Setu Privacy Concerns

Privacy concerns over the Aarogya Setu app were raised after an ethical hacker claimed to have accessed the user’s data on the app. He also highlighted security bugs within the app that could have an impact on the security of user data. Clarifying the concerns of the users related to data security, Kant said that when the user provides his/her phone number for registration, the application assigns an anonymous, randomized unique device identity number (DiD) and associates it with their mobile device. The user’s mobile number, device identity number and other personal information are safely stored in a highly encrypted server.

Aarogya Setu: Important Features

• The Aarogya Setu app asks for the name and mobile number of the user after registration. It also asks for the age and gender of the user along with profession and countries visited by the user in the last 30 days. All the collected information has a direct correlation with COVID-19 impact. It also asks about the person's willingness to volunteer in times of need.

• Besides this, the app asks users to share their location. The app does not use location data for contact tracing. The location information is used only on an anonymous basis with the sole purpose of identifying hotspots and increasing testing and sanitization of these locations. The application does not monitor the user’s location continuously.

• The user’s location history is sampled once every 30 minutes and the information collected is securely encrypted using the native key chain of the phone's operating system and is stored on the phone itself.

Background

The Aarogya Setu app has had about 96 million registered users since its launch on April 2. The contact tracing data was retrieved from only 12,000 users, who had tested positive for coronavirus, which is less than 0.1 percent of all users. The information of the user is only accessed or pushed to a server when the individual tests positive for COVID-19; otherwise it is permanently deleted from the phone 30 days after it is collected.