
Aarogya Setu App: A Debate on Right to User Privacy as India Fights COVID-19

May 12, 2020 5:03 PM 4 min read

Aarogya Setu, a Government of India-supported mobile app used for contact tracing in India in its fight against COVID-19, rolled out in the first week of April.

Having quickly achieved 50m downloads in just 13 days after launch, the app’s “popularity” increased exponentially (no pun), achieving 100 million downloads by May 7th.

Whilst starting its journey as a voluntary tool, it has in all real terms become “mandatory”.



The Weapon Draws Flak

However, India’s latest weapon against the pandemic came under public scrutiny thanks to a French ethical hacker operating under the pseudonym Elliot Alderson...

(real name: Robert Baptiste a.k.a. The same fellow who flagged data leaks under Aadhaar and security issues on

...who claimed that "a security issue has been found" and that "privacy of 90m Indians is at stake".

The issue at hand was an allegation that “an attacker [of the app] can potentially know who is infected anywhere in India, in the area of his choice” and do it at scale. The team behind Aarogya Setu was prompt to respond, denying the presence of any vulnerability.


Alderson did not agree, publishing his reasons through a blog.


Rise to Resist

The argument nevertheless stuck, with civil liberty advocates, privacy proponents, and certainly enthusiastic political each one of them some notion of a field day (indoors).


Meanwhile, the directions issued by the Centre to make the app mandatory for all employees, adding punitive actions to ensure 100% compliance, certainly did not help. In fact, former Supreme Court Judge B N Srikrishna, who chaired the Committee that came out with the first draft of the Personal Data Protection Bill, termed the Government’s push mandating the use of the Aarogya Setu app “utterly illegal”.





APPtitude Test

A review by MIT University shows that Aarogya Setu is a unique all-in-one undertaking that far exceeds what most other countries are building.

It tracks Bluetooth contact events and location, as many other apps do, but also gives each user a color-coded badge showing their infection risk.

It is “whitelisted” by all Indian telecom companies, so using it does not count against mobile data limits.


The Case of Privacy Overreach

The review suggests the most worrisome parts of the app are that one doesn't know who has access to the database, and the absence of transparent terms of use. Critics have also expressed concern about it not being open source, which goes against the Government’s own preference for open source code.


Government Response

According to Arnab Kumar, Niti Aayog’s programme director and part of the app’s project team, Aarogya Setu was built to the standards of the Government’s Draft Data Privacy Bill. He insisted that access is strictly controlled and that the Government is not far from open sourcing the app.

He also confirmed that data of sick individuals is deleted in 60 days and that of healthy people in 30 days.


Privacy Amidst a Pandemic

Aarogya Setu isn’t a unique concept. In fact, Singapore’s TraceTogether app was launched on March 20th. While TraceTogether only requires a user’s mobile number, Aarogya Setu seeks data that goes well beyond contact tracing - collecting everything from smoking preferences to occupation and GPS data.

TraceTogether scans and logs nearby devices and this data remains on the phone itself. In case the user tests positive, the healthcare professional at the testing facility - with the permission of the user - generates a one-time password. Only then are the log files transferred to a central server.

Based on this information, Singapore’s health ministry alerts all users who came in contact with corona-positive people. Most importantly, TraceTogether doesn’t need or collect location data.

On the other hand, all data collected by Aarogya Setu is uploaded to a central server.
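
The two data flows contrasted above, as a simplified model added here for illustration (not code from TraceTogether, Aarogya Setu or this article). Class names, peer identifiers, the phone number and the GPS field are constructed assumptions; the point is what the central server holds before and after a consented, one-time-password upload.

```python
import secrets

class HealthServer:
    """Central server in the consent-gated model: empty until an authorised upload."""
    def __init__(self):
        self._otps = {}   # one-time code -> phone number it was issued for
        self.logs = {}    # phone number -> uploaded encounter log

    def issue_otp(self, phone):
        # Generated by the healthcare professional after a positive test.
        otp = secrets.token_hex(4)
        self._otps[otp] = phone
        return otp

    def upload(self, phone, otp, log):
        if self._otps.get(otp) != phone:
            return False              # unknown, reused, or issued to someone else
        del self._otps[otp]           # single use
        self.logs[phone] = list(log)
        return True

    def contacts_to_alert(self):
        return {peer for log in self.logs.values() for peer, _ts in log}


class Device:
    """Phone that keeps its encounter log locally; records carry no location."""
    def __init__(self, phone):
        self.phone, self.local_log = phone, []

    def record(self, peer_id, timestamp):
        self.local_log.append((peer_id, timestamp))

    def upload(self, server, otp, user_consents):
        return bool(user_consents) and server.upload(self.phone, otp, self.local_log)


def always_upload(central_store, phone, peer_id, timestamp, gps):
    """Contrast: every record, location included, reaches the server as it is made."""
    central_store.setdefault(phone, []).append((peer_id, timestamp, gps))


def demo():
    server, alice = HealthServer(), Device("+65-0000-0001")  # constructed number
    alice.record("peer-A", 1589270000)
    alice.record("peer-B", 1589273600)
    before = len(server.logs)         # server holds nothing yet
    otp = server.issue_otp(alice.phone)
    refused = alice.upload(server, otp, user_consents=False)
    accepted = alice.upload(server, otp, user_consents=True)
    replayed = alice.upload(server, otp, user_consents=True)
    return before, refused, accepted, replayed, server.contacts_to_alert()
```

In the gated model a server-side breach before any upload exposes no encounter data, while in the always-upload model the central store is the complete record from the first contact.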



Contact tracing apps are in use around the world, such as Corona 100m and Corona Map in South Korea, Covidsafe in Australia and HaMagen in Israel. But all these countries have kept the use of their apps voluntary, unlike China, where citizens are mandated to use the Health Code App, which requires them to give up their national identities along with their phone number.

In unprecedented times like these, a debate on privacy can put one on a slippery slope. But as arch rivals Apple and Google, previously accused of prying into people’s personal data, team up to develop contact-tracing technology, the debate, and the need for a legislative framework around the implementation of such apps, becomes more important than ever.

