India’s Contact Tracing App Is All But Mandatory. So This Programmer Hacked It.
A software engineer from Bangalore was worried about being forced to download Aarogya Setu. So he ripped its guts out.
By Pranav Dixit, BuzzFeed News Reporter
Reporting From
New Delhi
Posted on May 12, 2020, at 1:05 p.m. ET
For days, Jay, a software engineer in Bangalore, watched with mounting alarm as people in India were forced to install the government’s coronavirus contact tracing app. Then, he rolled up his sleeves and ripped its guts out.
“I didn’t like the fact that installing this app is slowly becoming mandatory in India,” said Jay, who requested a pseudonym to speak freely. “So I kept thinking of what I could personally do to avoid putting it on my phone.”
Jay started work at 9 a.m. on a Saturday. He chopped away at the app’s code to bypass the registration page that required people to sign up with their cellphone numbers. More pruning let him bypass a page that requested personal information like name, age, gender, travel history, and COVID-19 symptoms. Then, he carved away the permissions that he viewed as invasive: those requiring access to the phone’s Bluetooth and GPS at all times.
By 1 p.m., the app had become a harmless shell, collecting no data but still flashing a green badge declaring that the user was at low risk of infection.
“That was my goal,” said Jay. “I succeeded. You can show the green badge to anyone if they ask to check your phone and they won’t be able to tell.”
India’s government released Aarogya Setu (Hindi for “a bridge to health”) in early April. According to India’s IT Ministry, it’s been installed nearly 100 million times — on about a fifth of Indian smartphones. But the app has drawn concerns from privacy experts around the world, who say that in the absence of a federal privacy law, it can be used as a tool for state surveillance after the pandemic subsides since it requires constant access to people’s Bluetooth and location data.
Even though installing the app was initially voluntary, many Indians found that they had no choice. Last month, India’s leading food delivery apps mandated that gig workers install the app. Last week, police in Noida, a city on the outskirts of India’s capital New Delhi, mandated that residents install the app or face jail time. That mandate followed federal ones that required government and private employees to install the app. Indians may also need the app in order to board trains, flights, and public transport, to work for food delivery companies, or visit pharmacies.
Hackers like Jay have been trying to find ways around this. After making his own version of the app, Jay shared it with a close circle of 15 friends. It’s not a large number, but a leak from any one of them could undermine the government’s contact tracing efforts — so Jay is trying to keep it private.
But he’s unlikely to be the only one hacking the app.
Indians who are less tech-savvy than Jay are trying to find simpler workarounds, with some reporting that they have taken screenshots of the green badge to flash instead of putting the app on their devices.
“Will I be booked if I don’t have [the] Aarogya Setu [app] installed on my phone?” someone asked on Reddit earlier this week.
“Make it your wallpaper lol,” someone replied. “Worked for a friend in Delhi.”
“I’m rebelling against the mandatory nature of this app,” Jay said. “I don’t want to share my location 24/7 with the government.” He said the Indian app fared poorly against what Google and Apple were helping to build, plans that do not store personal information on centralized servers. “If I was coding this app, I would have chosen to keep data points to a minimum,” he said. “If I have your location information for a month, I can gauge a lot of things about your life.”
Jay’s concerns are rooted in the Indian government’s record. Ten years ago when the country rolled out Aadhaar, a biometric ID system that stored the fingerprints and iris scans of 1.3 billion Indians in a single database, signing up was voluntary. But soon, it was all but mandatory, required for everything from getting a cellphone connection to filing taxes.
“My concern is that just like with Aadhaar, soon you won’t be able to go to a restaurant or a movie theater without the Aarogya Setu app installed,” said Jay. “Even if the government doesn’t make it mandatory, cinema owners are going to impose it on you. That’s the kind of culture we have.”
To assuage privacy concerns around the app, India’s government released a set of rules on Monday about how the app collects and uses data. Among other things, the order says that the data collected through the app will be anonymized and only used for COVID-19-related purposes, but is scant on details. Still, India is planning to add new features to the app in addition to contact tracing, such as telemedicine and e-passes that states can issue to let people move around once India lifts its national lockdown.
Jay said he was unlikely to stop hacking the app. “I’m going to keep up with them,” he said. “If they make significant changes or updates to the app, I’ll find other workarounds.”