Aarogya Setu app to be preloaded on phones? Apple’s iPhone likely to be a problem

Contact tracing has become the default digital solution towards tracking potential coronavirus patients. This technique is now being used all across the world, including India. In India, the government’s Aarogya Setu app for contact tracing has already seen 75 million downloads and it has become the most downloaded application on both Google’s Play Store and Apple’s App Store in the country. Now, there is chatter that the government is going to make it mandatory for smartphone manufacturers to not only preload the app but also integrate into the setup process of a new phone. While this wouldn’t be much of a technical issue for Android smartphone manufacturers, this presents a massive challenge — technical and moral one for Apple, which exclusively makes products based on iOS. Chances are that the iPhone will be an outlier to any kind of ruling or advisory by government agencies towards the integration of the Aarogya Setu software, which could pit Apple and the Indian government at loggerheads.

On a fundamental level, the Aarogya Setu app is a contact tracing tool. It leverages Bluetooth beacons, which are granted continuous access, so when the phone comes in the Bluetooth range of another smartphone, which also has the app installed, it shares information. In addition to this, this app also adds GPS trails and this means for the app to be effective, both Bluetooth and GPS need to be turned on a device. When the app is installed, it asks basic questions that seek to build a profile of the user. It will ask things about your health, whether you’re coughing or not, or you have a history of an illness, apart from asking about your International travel history and willingness to help in case of emergencies. Based on the information that it has gathered from you and on the information it has from users in your vicinity, it will mark you as safe, unsafe or susceptible to COVID19.

Apart from this, it also has some educational content for social distancing, news related to coronavirus in India and also acts as an enabler for e-passes for people who need to move around during the lockdown. So prima-facie this is a good tool. That being said, it will likely face resistance from Apple as this app isn’t particularly focussed on user privacy, something Apple takes very seriously. Aarogya Setu is said to be collecting all the user data on a centralised server, which is said to be a privacy no-no and came to head when a security bug in the app exposed user data on YouTube.

“Recently, Team Aarogya Setu was made aware that if a user performed a very specific set of actions, YouTube could access the anonymised latitude and longitude of the user,” a statement by Aarogya Setu noted.

Apple is known to be so fiendishly inflexible on privacy infractions that in 2016 it even took on the FBI and refused to build a backdoor into its software allowing the agency to access a phone extracted from a dead terrorist in an attack in San Bernardino. Even with the Indian government, Apple was at loggerheads for the integration of TRAI’s DND extension on the SMS application in the iPhone OS which at the time it deemed to be a privacy risk.

That being said, Apple and Google who are the custodians and creators of the two major smartphone operating systems (OS) — iOS and Android have also come together and released an initial set of COVID19 exposure notification application programming interfaces (APIs), which are hooks in the OS allowing third-party apps to integrate on a deep level.

Aarogya Setu is an important step in our fight against COVID-19. By leveraging technology, it provides important information. As more and more people use it, it’s effectiveness will increase. I urge you all to download it.https://t.co/VaiPIjhxM2https://t.co/8Irj6ApmOQ pic.twitter.com/L91vaLlCCq

— Narendra Modi (@narendramodi) April 8, 2020

What’s more interesting is the white paper that Apple and Google have released:

• Their solution needs to be manually enabled by the user. It includes a privacy focussed identifier that will change every 20 minutes. This will be solely based on Bluetooth technology for the sake of privacy, which means that the use of GPS will not be allowed as Apple and Google are both against the use of location data. That’s going to be divergent from what’s being done by the government of India.
• Other phones will be listening for these beacons and broadcasting theirs as well. When each phone receives another beacon, it will record and securely store that beacon on the device. Aarogya Setu is recording all the data on a centralised server, which is another divergent path from the solution that Apple and Google have come up with.
• Apple and Google’s APIs will need to contact tracing app to match the beacons stored locally with lists downloaded from a central server provided by the government and it will only trigger when there is a positive match. The Aarogya Setu app is already uploading data to a unified server.
• In its second phase, Apple and Google will provide this technology on an operating system level, but this solution is months away. This will also need a user opt-in for the Bluetooth beacons to listen. More importantly, the fine print says if a contact tracing app like Aarogya Setu isn’t installed, the OS will prompt the user to download one. There is no talk of pre-installation or integration on smartphone setup.
• More importantly, applications that will get access to these APIs are going to need to adhere to the guidelines outlined by Apple and Google. “Apps will receive approval based on a specific set of criteria designed to ensure they are only administered in conjunction with public health authorities, meet our privacy requirements, and protect user data,” says the white paper. The design and architecture of the Aarogya Setu app could mean that it may not qualify.

More than Google, Apple could be the outlier

Apple isn’t the only manufacturer of iOS-based smartphones, but also the creator of the platform. It is a big business in India crucial for Apple’s future as India has been earmarked as its next big market. For Google, this isn’t a huge issue as its own Pixel-branded smartphones aren’t very popular in the country. Google didn’t even bother to launch its flagship Pixel 4 in India last year. Android also is a more flexible platform from a customisation perspective, which is used by ever smartphone vendor outside of Apple.

Any contact tracing issues in Android will be less of a Google problem, more of a smartphone vendor problem. Smartphone vendors keep modifying Android for their own purposes all the time. Integrating Aarogya Setu in the smartphone setup process wouldn’t mean much of a technical roadblock.

Most Android smartphone makers, especially the dominant Chinese ones — Xiaomi, Vivo, Oppo, Realme, OnePlus, Huawei — would also likely bend over backwards as they have huge investments in local manufacturing and retail apart from the fear of the growing anti-China sentiment in the country.

Potentially, a major player like Samsung would also easily come on board as it also uses Android and has deep ties with the Indian government.

Apple will be a different beast altogether. For both the government and Apple, India remains a small market. Apple has limited manufacturing being done with partners and small levels of localisation on iOS, as opposed to Android. Apple prides to market the iPhone as a privacy focussed device.

In fact, a CNBC report claims that this joint effort between Apple and Google was led by stalwarts like Apple’s VP Bud Tribble, who is known to be a big privacy advocate at the company. Even though this joint effort works for both iOS and Android, the stringent privacy protocols of this system have Apple’s signature stamped all over it in-line with its privacy philosophy and pro-civil liberties stance.

Apple is known to not preload third-party applications and yield no quarter on third-party integrations on its own platform. Apple, in fact, didn’t yield to the issues that were there in the TRAI DND solution. Apple’s App Store only gave permission to the extension after some back-channeling, which also included improvements to the app.

Privacy advocates like Apar Gupta of the Internet Freedom organisation yield to the fact that there will be some negotiation, which would also mean that the Aarogya Setu app may not be pre-installed on iPhones.

“I recognise it’s going to be tough for iOS with the pre-install — but for that segment, social participation incentives will be designed with penalties. Likely to be made incrementally as mandatory for use public transit etc, “ he said in a tweet pointing towards reports of the app being made mandatory for the use of the metro public transport service.

Considering the extraordinary circumstances we are in, some believe Apple will yield to the government. Sanchit Vir Gogia, who is the chief analyst, founder and CEO of Greyhound Research, believes a middle ground will be found between the government and Apple after some negotiations.

“Apple will likely allow the government to preload the app (Aarogya Setu) considering the unprecedented situation. It will likely negotiate some assurances with the government so that the app is in alignment with its COVID19 contact exposure APIs,” he added.