Aarogya Setu. I know you've heard of it. And you've also heard that it's *probably* bad for your privacy. In today's free story in @TheKenWeb, @PratapVikramSin and I tell you exactly why. Also, what would have been a better approach. https://the-ken.com/story/fishing-with-dynamite-indias-contact-tracing-overreach/
1) The app asks for too much information. Contact tracing, what the app is intended for, needs just Bluetooth. That's it. Nothing else. No GPS. But the app needs GPS location, which ties people and their contacts to a location. https://the-ken.com/story/fishing-with-dynamite-indias-contact-tracing-overreach/
2) Presumably location data might help in policy decisions. That's something that ET reported about earlier. But better options exist. Take the Covid-19 Mobility Network. Using data from FB, they work with multiple state govts to help understand the situation at the ward-level.
3) Let's consider the self-assessment test in Aarogya Setu. It collects the user's name, travel history, health history, profession and assigns them a risk level. But-this is important-these things have nothing to do with the risk of transmission, only severity of disease!
4) Aarogya Setu isn't open source. Fine. Risk high at this point. But it's a complete black box! No one knows how it works, what it's doing behind the scenes. A white paper both for its software architecture and how the app really works would've been good https://bit.ly/3a6lAej
We tried to decode the app's various risk assessment and with @ShirtShanks's help put them on a graphic. Trust me, figuring this out wasn't easy. And there's no reason it shouldn't have been.
5) I'll end with just one more. The privacy policy. It's not specific. It's difficult to read. Singapore has a similar app and its privacy policy says, as clear as water: This app will only be used for Covid-19 tracing purposes. Aarogya Setu? Nope. https://bit.ly/3a6lAej