Aarogya Setu, Reading list on Contact Tracing

Summary of Discussion on Aarogya Setu Application, Reading list on Contact Tracing

A virtual discussion on the Aarogya Setu Application was conducted by HasGeek’s Kaarana community on 8th April, 2020. The video recording of the event is available on YouTube

Kaarana discussion on Aarogya Setu and Contact Tracing

In this discussion, Riddhi Shree, a security researcher working with Appsecco analysed the android application source using standard de-compilation tools, using which she explained the inner workings of, and the data being collected by the AarogyaSetu application.

Following this, Srikanth @logic— a member of the Kaarana community — provided an overview of other COVID mobile applications that have been launched since the crisis began. Srikanth’s analysis was based on the MobSF framework. He commented on data minimization — claims made by the government and individuals involved in building the applications, and the confusion on how the applications will help solve the epidemic. He highlighted concerns of metadata collected along with personal data, the lack of a provision to delete data, recent changes in data policies in India, and the possible sale of data. His MobSF analysis is available at: https://bit.ly/2RnnQai

Lastly, harishpillay spoke about TraceTogether — a bluetooth-based contact tracing application used in Singapore. He explained its architecture, specifically the cryptography and public private encryption behind it, and the challenges it posed. TraceTogether allows a health worker to trace an individuals’ contacts (only after their consent), and provides an individual the option to delete his/her personal data. The TraceTogether application, unlike the Aarogya Setu does not collect geolocation data. The TraceTogether application and the protocol can be accessed here https://bluetrace.io. An open source implementation of the protocol is being shared under as a new project Open Trace is available at https://github.com/OpenTrace-Community.

During the Q&A session, questions about the claims by various application builders and their reliability were raised. Questions ranged from legal aspects of data collection, to the technological limitations of the applications, mobile devices and sensors, as also the risk to individual privacy as the data collected could potentially be used for other purposes. The issue of purpose limitation and surveillance cannot be verified and have been communicated in various contexts. Concerns about healthcare interventions and potential errors with the application were also discussed, as no instruction manuals are available.

Post-event, a recommended reading list was shared with the participants via email. Newer protocols for contact tracing are being announced regularly.

Protocols / Frameworks

• BlueTrace Protocol which powers TraceTogether, Singapore
• Privacy-Preserving Contact Tracing by Apple & Google
• PACT — Private Automated Contact Tracing Protocol, MIT
• D3PT — Decentralized Privacy-Preserving Proximity Tracing
• List of frameworks from Wikipedia

Apps

• OpenTrace — Open source application used in Singapore contact tracing effort
• Aarogya Setu — India’s contact tracing app
• List of COVID apps deployed in India
• Global COVID19 response apps by country — Wikipedia

Papers

• Outpacing the Virus: Digital Response to Containing the Spread of COVID-19 while Mitigating Privacy Risks, Edmond J. Safra Center for Ethics
• Apps for COVID: to do or not to do — Dr. Subhashis Banerjee IIT Delhi, Dr.Bhaskaran Raman IIT Bombay, Dr. Subodh Sharma IIT Delhi
• Privacy prescriptions for technology interventions on Covid-19 in India, Working paper by Siddharth Deb, wikipedia:Internet Freedom Foundation

Blogs / News Articles

• Automated contact tracing is not a coronavirus panacea — Jason Bay, Senior Director (Government Digital Services) at the Government Technology Agency, Singapore. Product lead for TraceTogether
• Tracking quarantine, tracing cases, sharing info: Can these govt-issued apps help fight Covid-19?
• Coronavirus is Pushing Mass Surveillance in India, and It’s Going to Change Everything
• Fishing with dynamite: India’s contact tracing overreach, The Ken, 14 April 2020
• Updates to Aarogya Setu privacy policy, Medianama, 14 April 2020
• The Covid-19 Tracking App Won’t Work — Cathy O’Neil, 15 April 2020

Videos

• Kaarana event series: Analysis of Aaroga Setu app
• Privacy implications of Aarogya Setu — Apar Gupta⁩ of Internet Freedom Foundation and Nikhil Pahwa of Medianama
• Conversation on Aarogya Setu app — Govindraj Ethiraj with Raman Chima⁩, Access Now and Lalitesh Katragadda, iSPIRT, Team AarogyaSetu
• Should you download the Aarogya Setu app? — Nikhil Pahwa, Medianama

You can follow the page https://wiki.kaarana.org/wiki/Contact_Tracing for updates to all the activity around contact tracing, both in India and globally.