NHS Covid-19 and Aarogya Setu: Contact tracing apps struggle with security hurdles

NHS Covid-19 and Aarogya Setu: Contact tracing apps struggle with security hurdles
8 May, 2020

Governments across the world have fast-tracked smartphone apps to monitor the spread of Covid-19 pandemic and ease lockdown restrictions.

However, these apps-- from Australia’s CovidSafe, UK’s  NHS Covid-19, Singapore’s TraceTogether, to India’s Aarogya Setu-- have thrown up questions about privacy and data security. 

In the latest news, the Joint Committee on Human Rights in the UK has flagged the NHS Covid-19 app for alleged concerns regarding surveillance and the impact on human rights. 

The application currently in the first stage of its deployment has been developed by the NHSX, a UK government unit with the responsibility for setting national policy for National Health Service technologies of the country.

 “The committee was not reassured that current plans for the release of the app sufficiently protect the right to privacy and other human rights,” an article on UK Parliament Committee’s website said.

According to the NHSX, the app could be launched within weeks. However, the committee has raised questions about key choices related to the system architecture it feels could create risks for user privacy.

The NHS Covid-19 app uses bluetooth low energy signals to track social interactions between users, backed by an in-app assessment of user’s infection risk.

The UK parliamentary committee also raised concerns that the NHSX has not been subjected to in-depth parliamentary scrutiny.

India’s Aarogya Setu also uses bluetooth, a self-assessment test by users, combined with a global positioning system (GPS) location tracking every 15 minutes to determine the user’s risk in contracting Covid-19.

Concerns regarding the app were not reviewed or discussed in the Parliament 

The Aarogya Setu app has been deployed by the government under the Disaster Management Act’s legal framework.

Although the Disaster Management Act, 2005, allows the centre to provide guidelines and instructions in order to mitigate the effects of the crisis in-hand, experts pointed out that the Aargoya Setu app does not have legislative backing, nor was it discussed in the parliament.

New Delhi based Internet Freedom Foundation (IFF), a non-government organisation that conducts advocacy on digital rights and liberties for Indian citizens, had sent a report to the Prime Minister’s office expressing similar concerns over potential violation of the privacy of workers and transparency of the app, among other issues.

 NHS makes its source code open to public scrutiny

In response to concerns raised on the potential issues of the UK’s contact tracing app, the NHSX made the source code of the application public on 7 May at Github.com. 

The open-source code is expected to make it available for scrutiny by independent third-party experts, which could help solve security issues or bugs in the application.

Singapore’s TraceTogether, which was released in late March, was made open source in early April, according to media reports. 

In contrast, the Indian government is still mulling over making the app open-sourced. 

“We are very paranoid about security and potential vulnerabilities. We are committed to open sourcing. We are not that far from open sourcing the app,” said Arnab Kumar, programme director of Niti Aayog to Financial Express. Kumar added that the app was built within two weeks and was audited by IIT- Madras in partnership with a large tech-audit firm.

Software Freedom Law Centre, a Delhi-based legal services organisation, had requested the government on April 8 to make the Aarogya Setu application open source to bring in transparency to its usage.

Ethical Hacker Elliot Alderson, who alleged that the Aarogya Setu app had privacy issues, has also called for the app to be made open source to allow for more transparency into its functions.

Contact tracing apps

On April 16, The European Commission (EC) published a report where it described how its member nations had to build an ideal Covid-19 contact-tracing application. 

Pointers by EC include making the source code of the application transparent, allowing an independent audit of such apps, and most importantly not making the installation of the application mandatory, as well as not using a centralised server to store their data.

Last week the Indian Ministry of Home Affairs made the Aargoya Setu app mandatory for government employees, as well as people working in offices and factories to use the application.

NHS Covid-19 app, India’s Aarogya Setu, Australia’s CovidSafe and Singapore’s TraceTogether all work on a centralised model. 

In a decentralised model, data is stored on the device and gives users more control over their information. Technology giants Apple and Google are pushing for a decentralised framework for contact tracing apps. 

As for the NHS Covid-19 app, a report by London based Financial Times said that the NHS had already begun building a second smartphone app which can be used to trace Covid-19 and will use a technology provided by Google and Apple.

The decision to build the app came after pressure within the government and the committees questioning the technical, security and ethical approach of the initial app. 

However, the app is said to run parallel in development with the NHSX and would be helpful if the government wants to make a switch between the two, the media report said.

Like NHS, would India also stand to benefit from an alternative to Aarogya Setu with an app built with private tech giants such as Google and Apple who have the user base and proven technology and security architectures to deliver?