India’s Mandated Contact Tracing App Is An Invasive, Insecure Mess

No matter how you feel about contact tracing, it’s been openly embraced by federal authorities around the world, from the UK, to Germany, to, well, you name it, as a way to curb the spread of the current pandemic. And while every country grapples with the long-term privacy implications of downloading this sort of tracking tech onto their phone, one country—India—has drawn more than a few raised eyebrows over its app, which is reportedly not only invasive but quickly becoming a mandatory download for the millions of people currently residing there.

That’s according to a new BuzzFeed News report about the app, called Aarogya Setu—literally “a bridge to health,” in Hindi. Per the report, though Indian authorities initially offered citizens the opportunity to opt in voluntarily, it’s quickly becoming a required download for gig workers and federal officials alike. Meanwhile, an independent analysis of the app by Gizmodo revealed that this increasingly mandatory app didn’t only enable federal surveillance on a massive scale, but was a battery-drainer that opened these devices to a buffet of hacks as well.

Aarogya Setu initially rolled out at the start of last month and gained steam at a breakneck pace, reaching 50 million downloads less than two weeks after its launch, with those numbers continuing to skyrocket as the month went on. Like many of the contact-tracing apps we’ve seen internationally, the idea here was that people could download it voluntarily—last month, India’s Prime Minister Narendra Modi sent out a tweet urging people to download the app, calling it an “important step” in fighting a pandemic that has claimed more than 1,000 lives across the country to date.

Since then, it looks like the country’s stance on “voluntary” took a turn. This week, the app became a mandatory download for all central government officials in the region, following reports from the previous week that multiple startups are requiring similar downloads for their employees. Meanwhile, local sources have recently claimed that federal officials are asking smartphone makers to preinstall the app onto devices.

The app requires an India-based phone number to function, so while we were able to download the app, we couldn’t see the personal information it siphoned first-hand. But according to the India-based financial newspaper Livemint, users are asked to offer basic information—like age, gender, health status, and a brief travel history—along with being told to allow the app to access their location data at all times. The app also perma-flips the device’s Bluetooth to constantly monitor their surroundings for other app-downloaders, and offers handy labels—from “low risk” to “high risk”—depending on their proximity to someone who counted themselves as infected.

Though we weren’t able to try out the app, Aarogya Setu’s APK—essentially a package detailing the nuts and bolts of an Android app—is freely available, meaning that we can browse the exact permissions the app asks of the folks that download it. Aside from asking for access to a downloader’s entire contact list, the app monitors their location at all times—even if it is running in the background. Aside from tracking this locale through the phone’s internal GPS, this app also accesses what’s known as the user’s “coarse location,” which is pulled from data like the Wi-Fi networks they might be connected to at any given time.
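The kind of permission review described above can be scripted against an APK's decoded `AndroidManifest.xml`. The following is an added example, not code from the article or from the app: the manifest is a constructed sample (not Aarogya Setu's actual manifest), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded manifest; NOT the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
</manifest>"""

# Standard Android permission names mapped to the concerns the article raises.
CONCERNS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "GPS (fine) location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse (network/Wi-Fi) location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while in background",
    "android.permission.BLUETOOTH": "Bluetooth connections",
    "android.permission.BLUETOOTH_ADMIN": "Bluetooth discovery and adapter control",
}

def requested_permissions(manifest_xml):
    """Return the permission names a manifest requests, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name and name not in names:
                names.append(name)
    return names

def audit(manifest_xml):
    """Split requested permissions into privacy-relevant and other."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: CONCERNS[p] for p in perms if p in CONCERNS}
    has_location = any(p.endswith("_LOCATION") for p in flagged)
    # ACCESS_BACKGROUND_LOCATION exists from Android 10 (API 29); on older
    # releases a plain location grant already covered background use.
    background = "android.permission.ACCESS_BACKGROUND_LOCATION" in flagged
    return {"flagged": flagged, "has_location": has_location,
            "background_location": background,
            "other": [p for p in perms if p not in CONCERNS]}

if __name__ == "__main__":
    for perm, concern in audit(SAMPLE_MANIFEST)["flagged"].items():
        print(f"{perm}: {concern}")
```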

India is no stranger to federally-funded surveillance tech, and the fact that this data is being funneled straight into the government’s hands means that the location of millions will now be delivered straight into the already sprawling dossier India’s government has on each and every citizen. Keep in mind that these are the same authorities that have, in the past, openly spoken about their right to freely snoop on the texts and calls on citizens’ devices. This is also the same government that has been moving towards an increasingly disturbing form of Hindu nationalism that inflicts violence on its Muslim population—in other words, it’s not the greatest environment for microtargeted surveillance overreach to blossom.

And because Aarogya Setu permanently flips a downloader’s Bluetooth into the “on” position, the app doesn’t only turn into a massive battery drain, but also opens a person’s phone to all sorts of hacks that could be easily prevented otherwise. Put another way, by mandating that millions download this app, India’s government isn’t just siphoning this data for themselves, but likely for an untold number of hackers along the way.

There are all sorts of reasons that contact tracing is unlikely to be the magic bullet some federal authorities are hoping for, and lack of adoption is certainly a concern. Mandating the download of an invasive, insecure app might halt the virus’s spread to some degree, but it’s far, far more likely to get these people snooped on, hacked, and spammed. And when governments insist on ignoring proper security measures, it makes everyone wary of even the most ethical apps.