Aarogya Setu Near-By Stats Demystified

Anusheel Singh
Published in AarogyaSetu · 4 min read · Jun 15, 2020

Aarogya Setu is a contact tracing app launched by the Government of India to fight the COVID-19 pandemic. Do visit https://aarogyasetu.gov.in/ for more details.

It all started with a very basic idea of an automatic contact tracing app, leveraging smartphone Bluetooth proximity. Soon after the successful launch of Aarogya Setu, many new feature requests started pouring in.

The most important of the new feature requests was real-time information about the situation in and around the user's locality. The only information available to the public during lockdown was the number of positive cases in a state/district, but this was not enough for common people to deduce the trend or assess the current situation in their locality.

Therefore, to fulfill this requirement, the data generated through the self-assessment flow (where a user can report their health condition at any time) and Bluetooth proximity data from COVID-19 positive users were used to develop “Near-By Stats”, which eventually became the most engaging feature of the Aarogya Setu app by giving people real-time information about the situation in their locality.

All about Near-By Stats

Figure: Aarogya Setu Near-By Stats

It provides five key stats around the given location, across five available distance ranges.

  • The number of COVID-19 positive users.
  • The total number of Aarogya Setu users.
  • The number of users who came in Bluetooth proximity to a COVID-19 patient.
  • The number of users who have taken the self-assessment.
  • The number of users who are tagged “unwell” based on symptoms reported in the self-assessment.

The issue of data security has been questioned time and again, but Aarogya Setu has stood firm on all parameters. This specific feature raised many questions about users' private data getting compromised due to security vulnerabilities. Hence this article unveils the technicalities behind this feature to further answer queries regarding the protection of users' privacy.

Technical Implementation

API Endpoint — https://web.swaraksha.gov.in/ncv19/nearby-stats/

Required HTTP headers

  • Authorization — Auth token of a user, unique to every user, and signed with expiry values.
  • Lat — Latitude of the user’s device.
  • Lon — Longitude of the user’s device.
  • Distance — Radius requested by the user, one of [0.5km, 1Km, 2Km, 5Km, 10Km].

Response

{ "infected": <int>, "unwell": <int>, "bluetoothPositive": <int>, "success": <bool>, "selfAsses": <int>, "usersNearBy": <int> }

Implementation

The API is hosted on a backend that fires geospatial queries on a database to determine these values. The salient points about this API are listed below.

  • To determine these values, we use Elasticsearch to run geospatial queries.
  • Data in the Elasticsearch cluster is re-indexed every hour, because the numbers being retrieved are dynamic: they change with users' behavior, and the COVID-19 positive patient data changes as well.
  • When we index user data in Elasticsearch, we round off the latitude and longitude values to 3 decimal places. This ensures that we don’t keep the exact location of individuals unnecessarily; this API does not need it, since it serves aggregated information.
  • The Elasticsearch index is queried only when a client request is received on our Node.js service. This service is hosted behind a WAF and uses the TLS protocol for secure client-server interaction.
  • The function in Node.js that hits this Elasticsearch API does multiple things:

      • It authorizes the request, using the above-mentioned unique token.

      • After successful authorization, the API reads the relevant latitude/longitude and distance parameters from the HTTP headers and validates them. If the distance value is anything other than [0.5km, 1Km, 2Km, 5Km, 10Km], it defaults the value to 1Km. Therefore, it is not possible to abuse this endpoint with any other random distance parameter.

      • Once the radius value is validated, the function adds a random 10% variance to the distance value. This means that if a user has searched for 500 meters, a random function will return a value between 475 meters and 525 meters. Similarly, for a 10Km radius, the function can return any value between 9.5Km and 10.5Km. This is done specifically to prevent any location-based security hack.

      • After the final distance value is obtained, Elasticsearch is queried to get the relevant data.

      • The data from Elasticsearch is transformed for client consumption, and then the response is sent.

      • The function also adds a cache-control header with a max-age value of 600, so that the client caches this information for a period of 10 minutes.

  • Further, this API endpoint is also rate-limited by IP address, as part of the WAF rules.
  • After getting this data, the client does client-side validation and styling of this information to finally display the aggregated counts to the user.

Figure: Aarogya Setu screenshot with the Near-By Stats feature (information about Near-By Stats)
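
The request-handling steps listed above (distance allow-list with a 1Km default, random variance on the radius, cache header), together with the index-time coordinate rounding, written out in Node.js as an added example. It is not the Aarogya Setu team's code; the function names, the lower-case header keys and the `location` field name are assumptions.

```javascript
// Added example; all names are assumptions, not the Aarogya Setu code base.
const ALLOWED_KM = [0.5, 1, 2, 5, 10]; // the five radii listed in the article
const DEFAULT_KM = 1;                  // fallback for any other value
const JITTER = 0.05;                   // +/-5%, so 500 m becomes 475..525 m

// Parse a Distance header such as "0.5km" or "10Km"; anything else gives 1 km.
function normalizeDistanceKm(raw) {
  const m = /^\s*(\d+(?:\.\d+)?)\s*km\s*$/i.exec(String(raw ?? ''));
  const km = m ? Number(m[1]) : NaN;
  return ALLOWED_KM.includes(km) ? km : DEFAULT_KM;
}

// Scale the radius by a random factor in [0.95, 1.05); result in whole metres.
function jitterMeters(km, rng = Math.random) {
  return Math.round(km * 1000 * (1 - JITTER + 2 * JITTER * rng()));
}

// Reject missing, non-numeric or out-of-range coordinates.
function parseCoord(raw, limit) {
  const v = raw == null || String(raw).trim() === '' ? NaN : Number(raw);
  if (!Number.isFinite(v) || Math.abs(v) > limit) {
    throw new RangeError('invalid coordinate');
  }
  return v;
}

// Index-time rounding to 3 decimals (0.001 degree of latitude is about 111 m).
function roundForIndex(deg) {
  return Math.round(deg * 1000) / 1000;
}

// Build the Elasticsearch geo_distance filter and the response cache header.
// Header keys are lower-case, as Node.js delivers them in req.headers.
function buildNearbyQuery(headers, rng = Math.random) {
  const lat = parseCoord(headers.lat, 90);
  const lon = parseCoord(headers.lon, 180);
  const meters = jitterMeters(normalizeDistanceKm(headers.distance), rng);
  return {
    esBody: {
      size: 0, // counts only, no per-user documents in the result
      query: { bool: { filter: { geo_distance: {
        distance: `${meters}m`,
        location: { lat, lon }, // "location" is an assumed geo_point field
      } } } },
    },
    responseHeaders: { 'Cache-Control': 'max-age=600' }, // 10-minute cache
  };
}
```

Passing a fixed `rng` makes the variance step deterministic for unit tests; in the service it defaults to `Math.random`.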

Thank You

I am fortunate to be a part of the magnificently electrifying @SetuAarogya team. Thanks to the Government of India for giving me this opportunity to work on a project that has an impact on human lives.

I request everyone to download the Aarogya Setu app and be part of this fight against the COVID-19 pandemic.

I am safe, we are safe, India is safe!
