Securing the Aarogya Setu app – editorials
The Aarogya Setu app was born out of the need to bring a 21st century technology-based solution to an unprecedented problem. India is not alone in the decision to take advantage of the ubiquitous smartphone to track outbreaks, a strategy that fundamentally involves a commitment to privacy. But it is the only democracy that, without the required legal architecture, has made application almost mandatory for mobility and for resuming work. This commitment is evidence of how Sars-Cov-2 has overturned conventional disease containment efforts, with a greater degree of government oversight and even control, over the lives of citizens than usual. But it is crucial that this need does not lead to lasting change in the way we approach privacy. By design, the application goes a step further than most of the tools developed worldwide. It tracks where people have been, rather than simply determining who they were in close contact with. Although, in theory, such functionality can help to identify the critical points of the disease, it will be necessary to corroborate it with the precision of tracing physical contact.
The other concern comes from the nature of computer programs. They are prone to vulnerabilities, particularly in the first few iterations. This was demonstrated by a French programmer who demonstrated the ability to access parts of the Aarogya Setu application that store a person’s contact records. Common cybersecurity and hacking techniques have been shown to be able to reverse engineer such data to unearth information that was supposed to be hidden. What the investigator demonstrated was the penultimate step before someone can be tracked without the need to enter a government database. An increasing number of countries are discovering flaws, in design or code, and are returning to the drawing board. The UK National Health Service is considering abandoning its version of a centralized contact tracking app, where data is sent to government servers, to switch to the decentralized platform that Apple and Google develop, where the data overlaps. the telephones.
As approaches to such tools evolve, India must look at experiences and experiments in other countries. One of the main demands of privacy and cyber security experts worldwide is to open the code behind these contact tracking applications so that they can be audited for design and programming flaws. At the very least, Aarogya Setu developers should consider doing this, as it will not only be a step towards transparency, but will also help eliminate bugs. After all, the current gold standard for such tools, Trace Together Singapore, is an open source program. Beyond this, India should seriously consider a legal design around the application, which strikes a balance between disease containment and privacy.