[itwasntme]

This poll is to assess how many TBHPian's reaction to the Aarogya Setu app. Have you already / are you going to install it?

If yes, why? If not, why?

I voted yes. Reasons:

1. Cannot enter my workplace without it
2. Feel it is worthwhile given the volatile scenario
3. Already share my life with Amazon, Google and Facebook (via WhatsApp)

[v.anand]

I voted 'Yes' since it acts as an effective digital census to the Government and protection to self. A lot of thought has gone behind this initiative, which other countries are now copying from India.

[harry10]

Voted yes.
There are privacy concerns of course. However, the current situation demands to get the information from app. Will delete it as and when Corona situation is dealt with.

[rajivr1612]

Voted Yes for the benefits it offers to the public and government. Regarding privacy issues, once this pandemic is under control, our legal system will take care of it.

[Lobogris]

Voted no. I currently don’t see any need for it and don’t want to share needless data with the government. If ever I am forced to use it, I will download it, use it and uninstall it immediately. Knowing how many covid patients are near me is useless. As it is, we have to follow basic social distancing precautions regardless of what the app shows. If 1 or 10 or 100 people have contracted the virus in an area, it doesn’t impact me at all as the known patients are likely to be quarantined and not working in establishments. By the time the virus has spread like New York where one has to be more careful, I am sure we would have read about in on the news and won’t learn it from this app.

[msdivy]

I have installed the app. It requires location & Bluetooth to be on always. I keep those two off always. So this doesn't work me & planning to uninstall.

For a few days I have used it with location & Bluetooth on. I have met the delivery guys, shopkeepers but the app doesn't seem to do much. I can't see who I met.

If the app is able to figure out who I met & inform me, it will be useful. Otherwise not much use to me.

[theMandarin]

A couple of things to ponder over when you decide :

• Such an initiative where you are using your personal asset should be voluntary
• Similar initiatives which have been started by other countries(which was probably an inspiration for our app) are a lot more transparent in their scope and the governments have made an effort to assuage their citizens that its not going to be a permanent feature in their lives after the pandemic has been handled
• Other implementations are a lot more minimal by design where the app is relying on Bluetooth rather than the more focused use of GPS. Apps used by Singapore and the joint initiative by Apple & Google are prominent examples which proves such a design is feasible. Privacy-Preserving Contact Tracing
  
• Many among us would be comfortable in using it until the pandemic situation subsides, but it is debatable whether the authorities will drop the app later on considering the reach that would have been established in the coming weeks in terms of the installed base. It is a different matter if the Govt. clearly comes out and states a defined shelf life for the app
• While the app was confirmed to be a voluntary initiative initially, it is now becoming a mandatory feature (e.g. it is now mandatory for all public/private employees working at any level/capacity). This can become more and more overarching by the addition of features such as a pass system and more in the coming months
• The more skeptical among us may have concerns about the legitimate usage of this data for only handling the pandemic because of recent events(Government clears policy to sell vehicle registration data)
• Other apps such as FB/Google maybe equally or even more invasive but knowledgeable/conscious users can choose not to use them. Even for those who are not as concerned about the privacy aspect, access to data on these platforms is governed by specific laws and legal mechanisms (e.g. a court ordered data extraction request).
• Going by the prevailing state of paranoia about this disease, the scope of this app is likely to extend beyond being a personal reference tool to a gate pass for different activities (malls, public transport, gated communities, local shops)
• Furthermore, the rules have already made its usage mandatory in specific scenarios without considering people who do not own a compatible device and therefore might end up being excluded(e.g. how does a person who has been hanging on to their old Windows Phone or a basic phone enter their workplace?. I wouldn't want to be on the other end convincing a police officer why my old Blackberry cant run this app.) It is irrelevant how small this group of people may be, an official policy should be inclusive from the start or at the very least, should not be forced when such outliers exist.

I’d further urge everyone to go through the following resource which offers an interesting perspective:
Is Aarogya Setu privacy-first?
For A Billion Indians, The Government’s Voluntary Contact Tracing App Might Actually Be Mandatory


You may not have anything to hide but that doesn’t mean you don’t draw the curtains in your house.

[humyum]

I voted No, I don't trust this government and I will not install it.

[amitk26]

Quote:

Originally Posted by msdivy

If the app is able to figure out who I met & inform me, it will be useful. Otherwise not much use to me.

As per updated description in latest version of app they generate an anonymous id using one way hash function. And this is used to generate social graph. So you won't know whome you met but just that the person whome you met was positive or not and if the place you visited was earlier visited by some positive person.

This is to protect the privacy.

So far so good the question arises how the app is updated to know if person is corona-positive ?

I presume if one is corona positive the authorities may put phone number in some sort of RED list on a server and this server will ping the app to update the status and inform people in social graph of that phone number.

What I am not clear is how the cases such as multiple phone numbers or using SIM cards of family members , or corona positive people leaving phone at home and roaming around etc will be dealt with.

However as no such system can be foolproof until and unless they are putting some sort of BT enabled ankle tags which person can not cut himself off like done in few countries.

The app can be only a good supplementary device with above restrictions.

[Hayek]

I am not a privacy freak (happy to share the locations of my runs publicly on Strava) but I don’t trust Arogya Setu. Why? While I am not a tech expert, a friend who is into Infosec gave me a 5 minute lecture (and he could have gone on for hours) on why it’s architecture was very unsafe compared to similar apps in Singapore or the app that Google and Apple are collaborating to build.

For the foreseeable future, I will be working from home - so this won’t be necessary. If it becomes compulsory, I may look at the possibility of downloading it on a supplemental phone that I will use only while going to work or to places which require that app. I may not have reacted so vehemently under normal circumstances, but the bullying tone of the GOI’s circular yesterday has pushed me in that direction.

[born_free]

I voted no and there are many reasons

(1)The effeteness of the app and similar apps is not proven yet . I would have been more comfortable if the app was built by tech companies like Google/Facebook/Apple because there may be many security loopholes which may be exploited .

https://www.reuters.com/article/us-h...-idUSKCN2232A0


(2) It may wrongly send you to quarantine as reported below.

Quote:

A Mumbai resident, who was moved to a quarantine facility despite an absence of symptoms or medical history, based on an alert generated by the Aarogya Setu App has tested negative and was released from quarantine on Sunday, 19 April.

https://www.thequint.com/news/india/...nto-quarantine.

(3) It will become tool for future governments to spy on its citizens if valid concern are not raised now.

[Sahil]

https://www.huffingtonpost.in/entry/...share_whatsapp

Quote:

An analysis of the app by Defensive Lab Agency, a Paris-based cybersecurity consultancy, offers disturbing insights: The app gathers a user’s identity, tracks their movement in realtime, and also continuously checks if other people who have downloaded the app are in the proximity of the user.

This allows Aarogya Setu to create a social graph of a user by tracking everyone they have been close to. Combining this data with existing government databases — many of which are already seeded with the mobile numbers of citizens — can significantly expand the government’s powers of surveillance, privacy experts said.

[INJAXN]

Voted for yes.
I have installed the app, but have permissioned gps access only when in use. I plan to start the app when I am moving out. Will uninstall it once we get passed covid -19 situation.

[pjbiju]

I have installed it and used it a couple of times by turning on the bluetooth and location services. But in my opinion, it is a very poorly designed app that gives me very little useful information. I do not mind it tracking my location etc. if it would have provided me some useful information like:

1. If it could color code my location (green, orange or red) based on the number of +ve tested patients that are present in that area or had visited the place I am currently at e.g. a shop. It should warn me to be careful if I am moving to an area that is risk prone.
2. If it was integrated with the state level information (daily updates for my ward/locality)
3. If it had utilities like applying for a travel permit etc. as per my state of residence
4. If it had the relevant healthcare contact details for my locality in case of COVID-19 like symptoms
5. If it had information about clinics/hospitals available and open for non-COVID related treatment
6. It should have had an option to see the content in at least most of the major languages spoken in India.

There are a lot more information that could have been made available but unfortunately it is not there. Does it help the government? I have no idea since they have not come forth with any information related to this. And the government had plenty of time since the first case was reported sometime in January in Kerala.

[bj96]

Quote:

Originally Posted by mohansrides

...given a choice, I think that I respectfully won't. Constantly looking at the risk next ....

Very rightly said, Sir. By profession I am a cyber security architect with a leading US company. Before this I was a lead development engineer for a network security appliance used by fortune 100 enterprise. I also hold a US patent in data security. Why I would not like to install this app:

1. It is basically a location tracking app. I don’t know what level of testing it has gone through different versions of OS (android/iOS) and hardware combinations. I also don’t know what permissions it ask before installing or running successfully. Location tracking apps are usually power hungry and precise location demand can drain battery very fast due to constant gps fix.

2. My experiences with other govt portal (except Incometax) and apps like mParivahan App, digilocker and most recently Pune’s eGov portal has not been good. I was able to crash these apps And portals revealing juicy details. As is norm in ethical hacking community, I have notified them with proper disclosure on the email addresses mentioned. Some of the issues are still not fixed.

3. Any client app which needs a persistent network communication with server provides significant attack surface and easy attack vectors for a motivated attacker to abuse the app or compromise it’s integrity and use as a vehicle to inject advance threats. I don’t know what level of penetration or other testing it has gone through considering how hurriedly it has been rolled out.

4. Disclosing security vulnerabilities and dealing with govt agencies is a PITA. Also, there won’t be any possibility for reward or recognition for such disclosures from govt agencies. Hence, such apps may not get enough attention from ethical hackers community leaving undetected zero day exploits.

5. Being a govt sponsored app, there will be enemy state sponsored hackers in constant pursuit to break it. They may succeed but we may not even know of the breach until a long time.

We are going off-topic. In a nutshell I am not confident about security posture of this app. Hence purely on technical reasons I will stay away.

-BJ