Legal backlash and user hacks compromise India’s Covid-19 app

When India’s government launched its Covid-19 app in April, the stated aim was  to inform people about the virus, help them to report symptoms and issue alerts about possible contact with infected individuals. 

Downloading the Aarogya Setu app was not a legal requirement, but without the latest version, people found themselves prevented from accessing a number of public services, traveling, visiting public hospitals and entering some commercial buildings. This has raised serious privacy concerns. 

The latest: This week, following a petition by digital rights activist Anivar Arvind, the high court in the southern state of Karnataka ruled that government agencies cannot refuse benefits to people without the app.

Why this matters: Across India — a nation of 1.3 billion — people need Aarogya Setu to travel from airports, on some trains and to access health facilities. More than 150 million downloaded it. But after the app came under heavy criticism over a lack of transparency regarding the collection and management of data, many people figured out a workaround.   

 “I see people, they install the app and then switch off the Bluetooth and data connection, so the app installation becomes merely for compliance of authorities checking it,” said Dr. Prashant Mali, a privacy advocate and a lawyer at Bombay High Court. 

“Often they just check the ‘You are safe’ comment being displayed. Some people even take a screenshot of this and keep it open for the checkers to see the screen and allow them to go ahead”

The big picture: As other nations rolled out their Covid-19 apps, India’s was not the one to come in for criticism. Earlier this year, a rare public backlash broke out in Qatar, which Amnesty described, alongside Bahrain and Norway, as having one of the world’s most invasive contact tracing platforms. Developers in the U.K.’s NHS Test and Trace app were recently forced to explain data security measures, after widespread concern that the app could have been sharing information with police. But the double-whammy in India is that the app didn’t just violate the privacy of hundreds of thousands of people, it did so while failing to perform its basic function: tracing the spread of Covid-19.