All Posts | Apr 08,2020

Our Concerns With The Aarogya Setu App

Recently, the Ministry of Electronics and Information Technology (“MEITy”) rolled out its “Aarogya Setu” application (“the App”) for Android and iOS platforms. The App aims to inform users whether they are prone to a COVID-19 infection by analysing their proximity to COVID-19 positive persons. The App requires the user to submit the user’s geodata. It also uses Bluetooth to connect to other registered users and, from the network thus formed, analyses whether the user has come in contact with anyone who has tested positive. The App, as per its terms of service, is intended to “notify, trace, and suitably support” a registered user regarding COVID-19 infection.

We, at SFLC.IN, went through the software’s features and also took a look at its terms of service and its privacy policy. The application collects personal information, some of which is sensitive personal data, such as a person’s gender and travel information. So, it was necessary to scrutinise the App in these testing times. And we do have some concerns with the App. They are as follows:

1. Violation of the law laid down by the Supreme Court – It is important to note that the Aarogya Setu app has been launched in the time of an ongoing pandemic, when the Governments are trying to maximise data collection, often at the cost of privacy rights of citizens. India does not have a law dealing with personal data protection which should be limiting data collection and processing. SFLC.IN, along with a coalition of lawyers, social activists, entrepreneurs, and concerned citizens, had recently sent a joint letter to various ministries of the Central Government and also the heads of states and union territories, expressing concerns over the unwarranted and excessive collection of personal data during the ongoing COVID-19 pandemic and urging the various governments to follow the law enunciated in various Supreme Court judgments. If you haven’t signed on the campaign letter, you can do so by clicking here.

2. “Aarogya Setu” is not open source – Though the Central Government has a prevailing policy on adoption of open source software, the Aarogya Setu app’s code has not been made open source. Making the source code available enhances transparency and also improves security, as the code is open to community audit. The App primarily collects personal data from user cellphones, and cellphones are an immense repository of personal data of users and, sometimes, of a user’s contacts and acquaintances. In this scenario, keeping the source code of such an app proprietary is not advisable.

3. Personal Data Collected and its Use – The App, as per its privacy policy, collects the following personal information during registration and stores it in the cloud: (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; (vi) countries visited in the last 30 days; and (vii) whether or not you are a smoker. It also collects a person’s current medical condition through a series of questions asked when the App is run for the first time, to assess the condition of the user. Moreover, the App continuously collects the location data of the registered user and maintains a record of the places where the user had come in contact with other registered users.

Clause 2 (a) of the Privacy Policy states, concerning the use of collected data, that:

 “The personal information collected from or about you under Clause 1(a) above, will be stored locally in the App on your device and will only be uploaded to and used by the Government of India (i) in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country and/or (ii) in the event you have tested positive for COVID-19 or have come in close contact with any person who has tested COVID-19 positive. Any personal information uploaded to the cloud will only be used for the purpose of informing you, or those you have come in contact with, of possible infection. Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.”

This clause enables the Government to share personal information uploaded to the cloud with “such other necessary and relevant persons” in order to “carry out necessary medical and administrative interventions”. This is problematic, as the clause is broadly worded, allowing the data to be shared with practically anyone that the Government wants.

Moreover, the promises made in the privacy policy can also be undermined by the vagueness of Clause 2 (c), which states:

“The personal information collected will not be used for any purpose other than those mentioned in this Clause 2 save as required in order to comply with a legal requirement.” [emphasis supplied]

Nowhere in the policy documents is the phrase “legal requirement” defined. It is not unreasonable to think that this could be defined as whatever the Government wishes. This can lead to excessive collection and use of sensitive personal data. Moreover, true anonymisation of personal data has been debated by technologists and the Government has to prove that it has anonymised the data properly.

4. Very “Limited Liability” - The liability limitation clause of the Terms of Service limits the Government's liability even if inaccurate information is given by the App or in case of failure to generate true positives. It is pertinent to note that this absolves the Government of liability in case of any harm caused due to incorrect information. Therefore, the App’s policies render the App nothing but another data-grabbing exercise.

Moreover, the liability clause also exempts the Government from liability in the event of “any unauthorised access to the [user’s] information or modification thereof” (emphasis supplied). This means that there is no liability for the Government even if the personal information of users is leaked.

5. Restriction on Reverse Engineering

Section 52, clauses (ab) and (ac), of the Copyright Act, 1957 state:

“(ab) the doing of any act necessary to obtain information essential for operating inter-operability of an independently created computer programme with other programmes by a lawful possessor of a computer programme provided that such information is not otherwise readily available;

(ac) the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied;”

Through the aforementioned provisions a Central Act enables a lawful possessor of a computer programme to do any act to obtain information essential for inter-operability of an independently created computer programme and to determine the ideas and principles which underline any elements of the programme. Essentially, these provisions enable reverse engineering of a lawfully obtained computer programme.

However, the Aarogya Setu app, through Clause 3 of its Terms of Service, restricts the user from reverse engineering the App.

“...You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”

(emphasis supplied)

Reverse engineering is a process through which one is able to study a computer programme and understand how the programme functions, and whether the programme is doing only what it is supposed to do or what the developers promised that it would do.

It is indeed essential for security researchers to study and examine the working of an app like Aarogya Setu which is potentially a surveillance tool that collects the movements and geolocation data of its users.

A provision in a Terms of Service cannot take away a statutory right provided by a Central Act. The former is a violation of the latter. Therefore, this provision within the Terms of Service must be removed.

Note: We are also doing a technical analysis of the Aarogya Setu app. We will upload more information if we find any more issues.

All Posts | Jan 15,2020

Our Submission to the National Cyber Security Strategy 2020

The National Security Council Secretariat had recently invited submissions/comments for the proposed National Cyber Security Strategy, 2020. SFLC.in had submitted its comments, which are published hereunder. The 2020 strategy is an attempt to revise and strengthen the National Cyber Security Policy 2013 and was based on the following vision to "ensure a safe, secure, trusted, resilient and vibrant cyber space for our Nation’s prosperity."

The Secretariat sought comments based on the following "Pillars of Strategy":
      a. Secure (The National Cyberspace)
      b. Strengthen (Structures, People, Processes, Capabilities)
      c. Synergise (Resources including Cooperation and Collaboration)

SFLC.in's submissions were as follows:

 

India ranks second among the top countries that were affected by targeted cyber attacks during the period 2016-2018 as per Symantec's Internet Security Threat Report 2019. At the same time, it is a matter of great concern that India’s rank fell from 23 (in 2017) to 47 (in 2018) in the Global Cybersecurity Index (GCI) 2018 published by the International Telecommunication Union. Five designated areas form the basis of the indicators for the GCI which are legal, technical, organisational, capacity building, and cooperation. Therefore, a ‘whole-of-nation’ strategy demands nothing but state-of-the-art infrastructure which includes hardware and software components that constitute the cyberspace within the regulative control of the State; strength of internal and external co-operation within and among agencies and entities involved in national cybersecurity; and a comprehensive legal and policy framework.

 

India faces the following challenges in formulating a robust, and futuristic cyber security strategy:

1. Low awareness among stakeholders

With the proliferation of digital devices in the Indian market and with the lowering of charges for Internet connectivity, people from economically lower backgrounds have been able to use smart devices and 4G connectivity. However, there is a need to raise awareness among these users to use the devices securely. This is sometimes also the case with educated and affluent consumers, who have low awareness of cyber/digital security. This calls for grassroots-level awareness and training for consumers of digital devices and services. Similar is the case for government offices (whether Central or State), where best practices are not followed when it comes to secure use of digital devices and the Internet. When reaching the grassroots level, language is also a barrier in conveying concepts to consumers. So, any awareness or training programme must be delivered in vernacular languages.

2. Emerging Technologies

The 2013 National Cyber Security Policy did not give due consideration to emerging technologies such as Blockchain, Internet of Things (IoT), 5G and, most importantly, Artificial Intelligence. With IoT products slowly creeping into the market, India awaiting 5G connectivity, and artificial intelligence being relied on, there are greater challenges in securing the cyberspace. It is also alarming that, with IoT standards easily available, these may be implemented by mid-level enterprises which do not give much care to security, or cannot implement strong safeguards because of lack of expertise or resources. The cyber security strategy must consider including highly secure technical standards for digital devices and services which employ emerging technologies.

3. Lack of Wider Public Private Partnerships

The 2013 Policy spoke of public-private partnership to facilitate collaboration and cooperation among stakeholder entities; however such partnerships should not be maintained only with private sector entities but also with academia, civil society and independent security researchers. This should lead to formulation of policy encouraging independent security researchers, white hat hackers and ‘bounty hunters’. Wider engagement with the community can also be increased by engagement with communities involved in free and open source software (“FOSS”). Moreover, the adoption of FOSS into the national cyber security framework will increase contribution from the community. Opening up the source code of abandoned projects/products by corporates needs to be encouraged to better understand legacy systems and products and their vulnerabilities.

4. Lack of Comprehensive Legal Framework

Perhaps the biggest challenge is the lack of a comprehensive, sector-neutral legal and regulatory framework in India pertaining to cyber security. The Data Protection Law is still in the draft stage. However, even the enactment of the Data Protection Law would not satisfy the need for legislation specific to cyber security. The present Personal Data Protection Bill does mention reporting cyber incidents in the form of reporting data breaches. However, there are other issues pertaining to cyber incidents which need addressing, such as post-incident investigation (forensics), evidence acquisition etc., which are nascent in terms of being regulated by law or policy. This also calls for revision of the existing rules under the Information Technology Act, 2000.

 

Recommendations

1. Steps should be initiated to roll out comprehensive cyber security awareness programmes for all stakeholders.

2. A comprehensive legal framework should be planned with a data protection law and cyber security specific legislations.

3. Partnerships should be planned with various stakeholders including private sector entities, academia, civil society and independent security researchers.

4. Government should adopt FOSS software and open standards so that the software used is auditable and verifiable.

5. Government should place special emphasis on protecting critical infrastructure.


Note: Minor edits, such as modifications to words and deletion of certain characters within the text were made at the time of submission to cater to the requirement of the Secretariat to keep the submission within 5000 characters. However, no substantial changes were made to the arguments and recommendations made.