When India launched its coronavirus tracing app Aarogya Setu in April, it came with a mandatory download order for public sector workers.
That order soon spread to private sector workers and then to people living in designated Covid-19 containment zones — including Rajeev Ghosh, a 50-year old chemist who resides in Noida, a city east of the capital New Delhi.
Back in May, he risked a six-month prison sentence or $15 fine for refusing to download the app. Ghosh didn’t care: He had bigger concerns about the future use of his data.
“I am not sure how the government will use my data. If they want, they can do surveillance on me forever through location-tracking on the app,” said Ghosh.
Ghosh is not alone in his concerns. In Noida, privacy activists mounted a legal challenge to the mandatory download order, and by the end of May it was lifted. They argued that it breached personal liberties protected by a landmark Supreme Court ruling about the right to privacy in 2017.
The Indian government maintains that most personal and location data of users is ultimately deleted, but critics say India’s lack of data protection laws exposes millions of people to potential privacy breaches. They also fear that personal information could be sold by the government to private companies, or even used for surveillance beyond Covid-19 concerns.
Millions of users
The Aarogya Setu app was developed by the National Informatics Centre, an ICT and e-governance body under the Ministry of Electronics and Information Technology, in collaboration with voluntary technical experts from private industry and academia.
By the beginning of June, it had been downloaded over 120 million times.
Unlike many other countries’ contact tracing apps, Aarogya Setu uses Bluetooth and GPS location data to monitor the app users’ movement and proximity to other people.
Users are asked to input their name, phone number, age, gender, profession and the countries they have visited in the past 30 days, as well as prior health conditions and a self-assessment about any Covid-19-related symptoms.
A unique digital ID (DiD) is generated for each user, which is used for all future app-related transactions. Through GPS, the app records each user’s location every 15 minutes.
When two registered users come within Bluetooth range of each other, their apps automatically exchange DiDs and record the time and location. If one of the users tests positive for Covid-19, the information is uploaded from their phone onto the Indian government’s server and used for contact tracing.
In an analysis of 25 apps, the Massachusetts Institute of Technology (MIT) gave Aarogya Setu just two out of five stars, largely because it collects far more data than it needs. For comparison, Singapore’s TraceTogether app earned five stars and uses Bluetooth alone.
As of June 1st, Aarogya Setu had identified 200,000 at-risk people and 3,500 Covid-19 hotspots, according to lead developer Lalitesh Katragadda, the founder of Indihood, a private firm that builds crowdsourcing population-scale platforms, and one of the private industry volunteers who worked with government agencies on the app.
“We have a 24% efficacy rate, that is, 24% of all the people estimated to have Covid-19 because of the app have tested positive,” said Katragadda. This means that only about 1 in 4 people advised by the app to get a test actually tests positive.
Subhashis Bannerjee, professor of computer science and engineering at the Indian Institute of Technology, New Delhi, said the combination of Bluetooth and GPS location would likely return a higher rate of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth overestimates the risks in large open spaces, across walls and floors, which radio waves can penetrate but the virus cannot.
“There seems to be a leap of faith from GPS colocation and Bluetooth radio proximity to estimating a risk score for infection transmission,” he wrote in a report for the Internet Freedom Foundation (IFF), a non-governmental organization that advocates for digital rights, which has mounted a legal challenge against the mandatory download order in Kerala High Court.
The Indian government states that enough privacy and protection parameters have been built in to ensure permanent deletion of the app’s data.
“All contact tracing and location data on the phone is deleted on a rolling 30-day cycle. The same data on the server is deleted 45 days from the upload unless you test positive, in which case all contact tracing and location information is deleted 60 days after being declared cured,” said Abhishek Singh, CEO of MyGov at India’s IT ministry.
However, the Aarogya Setu Data Access and Knowledge Sharing Protocol states that de-identified (anonymous) data can be shared with any government ministry or institution, as long as it’s for the purpose of tackling Covid-19. Any data received should be permanently deleted after 180 days, the protocol says. But privacy campaigners say there’s no way of knowing if that’s happened.
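To make the data flow described above (DiD exchange, time and GPS fix) and the retention periods quoted by Singh and the sharing protocol concrete, here is an added Python model; it is not Aarogya Setu’s code, and the record fields, constants and function names are assumptions drawn only from the article’s description.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
# Constructed model of the app's records and retention rules as the article
# describes them; names, fields and functions are assumptions, not the app's code.
PHONE_RETENTION_DAYS = 30       # rolling window on the handset
SERVER_RETENTION_DAYS = 45      # from upload, for users who do not test positive
POST_CURE_RETENTION_DAYS = 60   # after being declared cured, for positive users
SHARED_RETENTION_DAYS = 180     # for de-identified data passed to other bodies

def day(iso: str) -> date:
    return date.fromisoformat(iso)

@dataclass
class ContactRecord:
    own_did: str                  # this user's digital ID (DiD)
    peer_did: str                 # DiD received over Bluetooth
    when: date
    lat: Optional[float] = None   # GPS fix; a Bluetooth-only design has no such field
    lon: Optional[float] = None

@dataclass
class ServerEntry:
    did: str
    uploaded_on: date
    tested_positive: bool = False
    cured_on: Optional[date] = None
    shared_on: Optional[date] = None   # when a de-identified copy was handed out

def purge_phone(records: List[ContactRecord], today: date) -> List[ContactRecord]:
    """Keep only records inside the rolling 30-day window."""
    return [r for r in records if today - r.when < timedelta(days=PHONE_RETENTION_DAYS)]

def server_should_delete(entry: ServerEntry, today: date) -> bool:
    """Apply the 45-day / 60-days-after-cure rule quoted in the article."""
    if not entry.tested_positive:
        return today - entry.uploaded_on >= timedelta(days=SERVER_RETENTION_DAYS)
    if entry.cured_on is None:
        return False          # active case: data is still in use
    return today - entry.cured_on >= timedelta(days=POST_CURE_RETENTION_DAYS)

def shared_copy_should_delete(entry: ServerEntry, today: date) -> bool:
    """The 180-day limit the data-sharing protocol sets for recipients."""
    return entry.shared_on is not None and today - entry.shared_on >= timedelta(days=SHARED_RETENTION_DAYS)

def minimise(record: ContactRecord) -> ContactRecord:
    """Drop the GPS fields: DiD pair plus time is all proximity matching needs."""
    return ContactRecord(record.own_did, record.peer_did, record.when)
```

The rules only express what the government says it does; as Gupta notes below, nothing in the model lets an outsider verify that deletion actually happened.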
“There is no way to check and verify whether the complete destruction of data has taken place and if any third parties with whom the data is shared have also destroyed it,” said Apar Gupta, a lawyer and executive director of the IFF.
In response to calls for more transparency, the Indian government opened up the app’s source code on May 27 and announced a bug bounty program to incentivize software experts to find security vulnerabilities in the app, to rectify lapses, if any.
“This is a step in the right direction but to know the full picture of who has access to the data, we need the server code also,” said Robert Baptiste, an ethical hacker who goes by the alias of Elliot Alderson and exposed security flaws in the app soon after its launch. An open server code would enable experts to see what citizen data is stored in the government server and how the data is shared.
On June 1, Singh of MyGov, said the government planned to release the server code in a few weeks.
However, Katragadda said that even with the server code, access to information on data sharing would be restricted.
“It will never be possible to see exactly with whom the data is shared because for that we will have to open source the entire government,” he said.
No data protection laws
One of the main concerns that activists have is that India does not have a data protection law, though a bill is currently being reviewed by a joint select committee and could be passed later this year.
The Personal Data Protection Bill imposes limits on how residents’ personal data is used, processed and stored. If passed, the bill would also establish a new regulatory body — the Data Protection Authority (DPA) — to monitor compliance. Critics say the bill is flawed for a number of reasons, including that it allows the government to exempt its departments from the legislation on the basis of national security.
But right now, there are few safeguards for data in India.
“No legislative framework means no official level of accountability. So, if any data mishap happens, there will be no penalty, there will be no safeguards,” said Gupta.
There’s also a financial incentive for the government to share information. The National Economic Survey of India 2018-19 openly states that the Indian government will monetize citizens’ data and sell it to private companies to generate revenue.
“India has made a strategy to sell citizen data and is thus making it a commodity by claiming ownership over Indians’ personal data, which is against Indians’ fundamental right to privacy,” said Kodali, the public interest technologist.
Last year, the Modi government sold citizens’ vehicular registration and driving license data to 87 private companies for 65 crore rupees (approximately $8.7 million) without citizens’ consent. This caused a backlash with the opposition party questioning the motives of the government and the price of the sale in parliament.
Despite the government’s assurances that all Aarogya Setu data will be deleted, Katragadda told CNN Business that some information from the app will be automatically transferred to the National Health Stack (NHS). The NHS is a cloud-based health registry, currently under development, that will include citizens’ medical history, insurance coverage and claims.
“Any residual data from the Aarogya Setu app will automatically move into the National Health Stack within the consent architecture, as soon as the health stack comes into effect,” said Katragadda.
Residual data means any data that’s still on the government server at the time the NHS becomes active. That includes location, health and personal data that has been uploaded to the server but hasn’t yet been deleted within the timeframes laid out by the government, Katragadda said.
No date has been set for the release of the NHS, but Gupta of IFF worries, again, that there’s no legal framework to protect the data.
“Even though it is repeatedly stated that consent will be the basis of the information sharing, it’s important to note that in both the Aarogya Setu app and NHS, consent is baked into the architecture which is a technical framework rather than a clear source of legal authority.”
Ticket to move
Like other countries that have introduced a contact tracing app, India says the technology is vital to stop the virus from spreading. As of June 22, the country had confirmed more than 410,000 cases and 13,254 deaths.
Air passengers are encouraged to download the app before flights, rail passengers need it for train travel, and some workers have been told they need it to do their jobs.
But digital rights activists say the app carries more risks than it’s worth, especially in a country where fewer than 35% of people have cellphones able to support it.
Citizens and activists also fear function creep of the app, meaning that information obtained through the app could be linked to other services.
“In the past we have seen that technology interventions by this government such as the Aadhar program, which was initially built to ensure that everyone has a digital identity, became a pervasive system,” said Gupta.
“Initially built for the purposes of accessing government benefits and subsidies, it was soon mandated for opening bank accounts, availing mobile numbers and going about your business.”
Gupta is referring to Aadhaar, a biometric database introduced in 2009, initially as a voluntary program to prevent benefit fraud. Now, it contains the fingerprints and iris scans of more than one billion Indians. Users receive a 12-digit identity number that is used to access welfare payments and other government-controlled services.
However, in 2018 a journalist discovered a security breach which disclosed citizens’ personal details. The government introduced new security measures, but the scandal eroded trust in its ability to keep data safe.
Before easing off its compulsory download order, India was the only democratic country that made it mandatory for millions of citizens to download the app. The only other countries to impose a similar order were Turkey and China. Campaigners say that alone is cause for concern.
“When it comes to technology and public use, the world’s largest democracy is drawing from China’s playbook — using national security or a public health crisis to build a digital model of data-gathering, oversight and surveillance,” said Vidushi Marda, a lawyer working on emerging technology and human rights.
China’s Covid-19 app, initially designed for contact-tracing during the pandemic, is now being stitched into a social credit system in some places, where the app is used to track an individual’s exercise, alcohol and smoking intake, and sleep hours.
“I would say these kinds of complex technical architectures are not happening in a collective fashion in India, but there is a danger they will be built in through platforms like the National Health Stack,” said Gupta.