'The information is used only to fight the COVID-19 virus and the privacy terms explicitly state that information will be used only for this purpose.'
On April 14, when Prime Minister Narendra Damodardas Modi extended the national lockdown to curb the spread of coronavirus till May 3, he referred to the Aarogya Setu app as a critical link in the fight against the spread of COVID-19 in the country.
Downloading the app was among the prime minister's seven suggestions for his countrymen.
Since being released on April 2, the app has seen over 50 million downloads, and the contact tracing app for COVID-19 has jumped to the top of Google Playstore. That's the fastest download rate for any app in the world -- even faster than Facebook -- said NITI Aayog CEO Amitabh Kant.
Praised by the World Bank as an important voluntary initiative to combat the pandemic, the app uses GPS and Bluetooth technology to alert a user if they have come in contact with a COVID-19 positive patient.
However, the app has also been making news for some wrong reasons, like data privacy concerns, fears that the government will use it as a surveillance tool.
Lalitesh Katragadda -- founder Indihood, who build crowdsourcing population-scale platforms including Avanti for financial inclusion and former country head, Google India Products -- worked on the Aarogya Setu app along with a team of 30 volunteers.
"We are probably one of the first large-scale Internet apps wherein there is no other purpose (behind collecting data) and that is a step further in the protection of users," Katragadda, below, tells Roshneesh K'Maneck/Rediff.com in the first of a two-part interview.
Could you please explain as simply as you can what is the Aarogya Setu app and how does it work?
The Aarogya Setu app does three things. When you download it and first install it, it will ask you a few questions to get your profile which is relevant to COVID-19. The app encourages you to get a self-assessment, which determines if you are fine for now or if you need any help.
The assessment is something you can take at any time -- when you are feeling uncomfortable, not feeling well -- to see if you need to do something or somebody needs to reach out to you. That is the first thing that it does.
It does two other things.
It takes your permission and starts recording your Bluetooth contact history, which other Aarogya Setu app users you have come in contact with recently and also records your GPS history once every 30 minutes.
The GPS location is used for those who are now infected.
When the Indian Council of Medical Research notifies that a particular user is infected, their GPS location data is taken and used to trace all the places they might have been to, that they might have inadvertently contaminated or got it from so that those areas can be contained and sanitised.
The Bluetooth contact history too is used when somebody is infected -- that information is given to determine who else they might have spread it to and then we have a very sophisticated model which is used to figure out to who they might have been in touch with, for how long and so on and so forth and that information is used to determine if the person has to be self-isolated or who s/he needs to reach out to.
How did you get involved in the development of this app? When did the government get involved in the app? Could you please tell me about the core team behind the development of this app?
I am a volunteer, and just like me there are a whole bunch of volunteers helping with this app. I was pulled in by the ministry of electronics and information technology (MeitY) to help more than three weeks ago.
Three or more teams came up with the same idea for the app -- three were private and one of them was within the government itself.
So MeitY took all the ideas, all the teams and combined them together to make this app.
Some of India's finest start-ups such as MakeMyTrip and 1MG have also contributed their engineers to develop this app.
Similar apps have been developed by other countries. Singapore has developed an app named TraceTogether. How different is Aarogya Setu from similar apps?
I haven't studied the Singapore app very carefully. I think I downloaded it once and looked at it. But, I don't think it has the deep government backing that the Aarogya Setu app has.
For instance, when the tracing occurs, the government immediately springs to action, they help figure out if the person needs to be quarantined, or needs to isolate themselves or needs to be tested.
If the person needs to be tested, the test is provided or somebody reaches out to them. That is in the tracing aspect.
When it comes to the self-assessment part, I don't think the Singapore app has it. Self-assessment is very important because we have a billion people -- 1.35 billion to be precise -- and if one of them falls ills and if it is relevant to COVID-19 then it needs to be reported, so that something can be done about it.
The Singapore app also doesn't have the GPS tracing so identification of hotspots is not possible with that app.
That kind of answers my next question, which was why is it that the Singapore app users only have to provide their phone numbers whereas Aarogya Setu users have to provide their GPS and Bluetooth details too.
The Singapore app also uses Bluetooth, but it doesn't use GPS.
How has the app come together? What is the platform which has been used? What is the tech powering the app? How does it collect data? More importantly, where does the data reside?
All the data is collected through the smart phone itself, most of it has been inputted by the user.
As far as the technology is concerned, what we chose to do is use a chat interface. Most of the information, if you use the app, you will notice is collected through a chat interface.
And the reason we used a chat interface is that everybody in India is comfortable with chat systems like WhatsApp and so on.
Even if someone is not a highly sophisticated smart phone user, the average person in India can use chat.
We also took some amount of care to ensure that the fonts are large and the images are big and so on because there might be older people who wish to use this app.
Also, once we have reached out to the upper, middle-class educated part of India, the remaining are semi-literate, which means that they are not used to reading a lot of text.
Hence, we have minimised the amount of text we have used in the app.
As far as where the data is stored, we put everything on the cloud, we have a whole bunch of open-sourced technologies and database we use and it is under the control of the National Informatics Centre, which is part of MeitY.
It is currently using a private cloud, but it is under the control of the Government of India.
Do you think this app will be helpful in the fight against coronavirus? How effective do you think the app will be in helping curb the spread of the virus? How optimistic are you?
I don't think I will speculate, but we are seeing early signs that the app is effective in three different ways.
Just by using the self-reported information we are seeing it is identifying areas where the infection is emerging and it is confirming the areas which the government is identifying.
So, this is where when the government is identifying areas of emergence of infection are strongly correlating with areas where we are seeing where people are self-reporting.
Also, we have early evidence. We don't have conclusive evidence that the GPS information is actually useful in identifying hotspots.
I shall be able to give you a more definite answer in a month's time, because as of now the information is still in very early stages.
When it comes to the Bluetooth information, we have some data, we are still following up on it as we don't have sufficient data. Early signs are showing that it is useful. We will come back in two weeks's time with our discoveries.
The app has been criticised by a few privacy experts, including the Internet Freedom Foundation, wherein they state that 'the app will erode the liberties of the people, and will see its use stretch beyond contact tracing in the current pandemic caused by coronavirus'. What is your response to this criticism?
I don't think it is a fair criticism. Is privacy a concern? Yes, it is. Has it been addressed to the extent possible? Yes, it has been addressed.
I think you should ask the people what the alternative is. Here's a key answer to the main criticisms -- what is the alternative to doing nothing?
There are 2 questions -- have we taken care of privacy to the best possible extent, and in a minute I will tell you what we have done for privacy.
First off, this app is made by volunteers and not the government. The government is only pushing it, because they have liked it and wanted something like this.
Is it useful and have we done the best for privacy?
In terms of usefulness, we have already seen that there is enough data to show that it is effective.
In two weeks's time we shall have the data to prove it. If it is not useful, then we won't continue to do it as there is a lot of effort involved.
The second question is, have we done enough to protect privacy? I think there are plenty of things to do and we are doing so and continue to do more.
But what I want heard from some of the entities you mentioned is, what is the alternative?
I will give you an example -- driving on the roads. Reckless driving kills approximately 20,000 to 30,000 people, but what is the alternative?
When we drive on the roads, it is dangerous so the government has mandated that every person driving should have a licence plate and the number should be displayed in public so we know who you are when you are driving. That too is a loss of privacy.
I don't know if you realise it, but the fact that I have to display my licence plate and the fact that I am not allowed to have dark tinted windows that too is a loss of privacy. But we have done it as a society because there is a balance between the economy and saving lives and what is good for society.
To have certain freedoms, you have to have certain constraints. So that kind of sophisticated conversation is not happening and there is a lot of noise on this issue without any thoughtful conversation about an alternative.
I think the question that should be asked is, what is the alternative? If this app is useful and it's going to save lives, should we do it or not?
I will now tell you about the privacy systems that are in place.
Technically, what we have done is three things -- the information stays on your phone.
In the case of the self-assessment you are submitting the information to the health ministry. Especially when you are unwell, there is an alert on the app that states that this is being shared with the health ministry and basically you are asking for help.
The Bluetooth and GPS information, on what all this ruckus has been created, actually stays on your phone unless one of these two conditions happen.
Either ICMR reaches out to us and says that these people are infected and then we take those people's information and download their data, only those.
Or very high-risk people because they have self-reported themselves as being in close contact with another COVID-19 patient or contact tracing shows that they have been in close contact with someone else infected.
Those are the only two conditions under which we download the data.
And if you look at the numbers, less than 1 per cent of the people who use the app will we ever download. 99 per cent of the users'S info stays on the phone.
All the privacy concerns are about that one per cent and that one per cent is the people who are either infected or spreading the disease.
And the information is used only to fight the COVID-19 virus and the privacy terms explicitly state that information will be used only for this purpose.
And the final technical thing we do is that we wipe out the data from your phone; on a 30-day basis we wipe out your phone and any relevant information from the backend. That is, if you are safe -- in the green zone.
However, if you fall in the yellow or orange category, meaning you are at risk, then we keep the data for 45 days because that information is needed to help you and help others around you.
And if you do get infected, the information is kept longer -- up to 60 days -- after you are cured so that analysis can be done and other people can be traced and things like that.
All this is stated in the terms of service, which means that this information is used only for this purpose and is wiped out when it is no longer needed.
It's not like the government is building a surveillance database.
One thing you can do is look at the privacy policy of any Internet company. Most companies tell you what information they are collecting, which is mandated by the law. They tell you some of the things they are going to use it for, but they don't tell you everything they are going to use it for.
We are probably one of the first large-scale Internet apps wherein there is no other purpose and that is a step further in protection of users.
If anything, Aarogya Setu is ahead of anyone else in terms of privacy, but there will always be people who will criticise.
