Our Analysis of the Indian COVID-19 Apps
The Central Government had recently launched the Aaryogya Setu app, a surveillance application developed for tracing users who might have come within the proximity of people who have tested positive for COVID-19. In addition to this Central Government developed app, there are other active applications that have been developed by various State Governments and local authorities pertaining to personal and other data collection, and monitoring in relation to the COVID-19 pandemic.
While we applaud the efforts taken by each State/UT government and the Central Government in combating this deadly disease, we are also concerned with the arbitrary use of state power in different situations in conducting excessive collection and processing, and unauthorised sharing of personal data, unbridled surveillance and tracing of people during this pandemic spread in India. Earlier, we had joined hands with different organisations and concerned citizens in sending a joint letter expressing our concerns regarding the collection and processing of personal data during this time to various heads of the Central & State Governments. You can read the letter here.
- Closed Source: We had mentioned this issue in our analysis of the Aarogya Setu app. Not every state in India has an open source software policy in place. However, it is important for the State to make the source code of the software that it develops open source when these are aimed at citizen welfare and when it purports to handle health and travel information pertaining to citizens. This increases the trust of the citizens in the software and increases its usage. Moreover, open source software security is further strengthened when there exists the possibility of community audit by independent security researchers and developers.
- Excessive Permissions: The Indian COVID-19 apps also implement the surveillance feature of excessive permissions for accessing and controlling various elements of the smartphone in which the app is installed. Excessive permissions are required by applications that undertake tracing and surveillance through capturing information from different internal broadcasts from components of the device. In some cases, apps which are only informative and intended to issue advisories have sought permissions for location, photos, storage and camera.
Comparative Table of Observations of the Various COVID-19 Apps in India
|GovernmentName of the App (link)||Policy DetailsTerms/Privacy/FOSS||Permissions||Data Collected||Remarks/Concerns|