HaMagen uses geo-location data of contacts to cross-reference with that of a COVID-19 patient, and not just bluetooth signals. This is how it works:

• While installing, HaMagen requires authorization to access location as well as internet data.
• It collects location information upon activation, which is stored on the user’s device only.
• The location data is only used for tallying with the tracking information collated on the routes of a confirmed COVID-19 patient. This helps in identifying any overlap in time and place.
• For this tallying, HaMagen downloads a file with anonymous list of locations, dates and times of visit of COVID-19 patients on the user’s phone. The file is downloaded from ministry’s cloud on an hourly basis. Thereafter, it cross-references the COVID-19 patient’s GPS location with that of the user on the device.
• The cross-referencing does not take place in ministry’s cloud, and is not shared with third-party without consent. Further, location data is not transmitted to the cloud.
• If there is a possibility of infection, user receives a notification with details of location and times for potential exposure.
• Such user must quarantine and if they experience symptoms, must connect with healthcare providers.
• Location, wireless connectivity, track of proximity and cross-referred data are retained on HaMagen for 2 weeks.

HaMagen poses a higher risk to globally accepted privacy norms for the following reasons:

• It is likely that geo-location cross-referencing disregards data minimization principle. Proximity tracing and self-care advisory to contacts can be issued using bluetooth data alone, and there may not be an urgency in processing geo-location or internet data. Thus, HaMagen uses a larger pool of personal information to directly monitor movement of users, and this increases surveillance risk.
• There is no consent mechanism and government’s access rights are indirectly inbuilt.
• There is no clarity on whether data stored on device is encrypted.
• While the ministry claims that anonymised data about COVID-19 patients is downloaded, there is always a possibility that user can deanonymize it by combining anonymous information with his own location data.
• There is increased suspicion that Shabak, Israel’s security agency and health ministry are using HaMagen data for surveillance, which if be the case, flouts the fundamental norm of purpose limitation.[2]

Aarogya Setu uses bluetooth signalling as well as geo-location data to identify COVID-19 positive or symptomatic cases, and contact trace. An overview of how it works is below:

• To install and use, user must enable bluetooth & GPS services on the device.
• During installation, Aarogya collects name, phone, age, sex, profession, countries visited in last 30 days, location and internet data.
• The information is transmitted and stored on centralised government server.
• The information is then, hashed with a unique digital ID (DiD) (hashing is a form of encryption), which is pushed onto the user’s device for encryption. All stored and transmitted data on phone and server are encrypted.
• Aarogya collects information continually through various mechanisms. It constantly collects location data at every 15 minutes. Further, it collects location data when user undertakes self-assessment through the app. Furthermore, when a user is in proximity of another user, the DiD is transmitted to the other device and, time plus location are captured on each device.
• Collected information is stored on phone and not transmitted to server.
• Information is uploaded on the server in 3 scenarios, without any consent from the user by correlating the DiD with personal information initially stored on the server – (i) confirmed COVID-19 infection, (ii) symptomatic through self-assessment using the app, or (ii) self-declaration for infection.
• The data uploaded is used for contact tracing, quarantine, care, location sanitization, identification of clusters, generation of heat maps and containment.
• Initial personal data collected is stored as long as one uses Aarogya or as required under law.
• Other data on phone is stored for 45 days, if not uploaded on server. If uploaded, it will be retained for 60 days on server for confirmed cases, and 45 days for others.
• User is mandated to keep the device in their possession and not allow use by anyone. If not, app can identify wrongly and government shall not be liable for such error.
• Government shall not be liable for any claims regarding use of app, inaccurate identification, and unauthorised access.
• Government can use aggregated/anonymous data for containment and statistics.
• No third-party transfer, except healthcare workers and this is without consent of the user.

• Similar to HaMagen, data minimization principle is disregarded as Aarogya collects information such as profession, travelled countries, geo-location and internet data. It is unfathomable as to how profession will facilitate contact tracing and containment.
• There is no consent mechanism for uploading information on server, or sharing with third parties, which essentially means that government can access data, including a situation where Aarogya wrongly identifies the user as symptomatic.
• There is no accountability and transparency, as government has disclaimed all forms of liability.
• While 21 days is argued as the ideal timeframe for identifying potential COVID-19 cases, Aarogya retains initial identified information indefinitely, and other data sets are retained for longer durations. The rationale for such long duration is unclear.
• There is some evidence that hashing is susceptible to hacks and hence, the degree of protection does not commensurate with the kind of information collected and retention period.
• Aarogya gives an opportunity for government to track physical movements every 15 minutes, which appears unreasonable, disproportionate and unnecessary. Thus, there is a high risk for unauthorised surveillance and even heightened risk for function creep.
• Further, it is important to note that government processing is not regulated under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011. This creates a situation where government can exercise unfettered power while dealing with personal information collected without any limitation, unless someone challenges such processing to be in disproportionate breach of privacy right.

• For downloading and installing TT, mobile number and bluetooth permission are essential.[4]
• User does not need internet connectivity after downloading TT, except for ID retrieval as explained below.
• User consent is required for (i) storing mobile number in secured TT registry and (ii) receiving information on contacts and risk.
• Keyed in mobile numbers are substituted by a random permanent ID, and details are stored on TT registry. They are not shared with any other user.
• Data allowed to be accessed shall be solely for purpose of contact tracing.
• Participating devices exchange proximity information using bluetooth signals whenever TT detects another TT enabled device. Bluetooth relative signal strength (poor or strong) readings between devices is key for ascertaining distance proximity and duration of contact.
• When close to another TT enabled device, the bluetooth exchanges a temporary ID generated by encrypting the permanent ID with a private key held by health ministry. This temporary ID can only be decrypted by health ministry.
• Every time a COVID-19 contact is detected, TT sends notification to indicate signals are transmitted and this comes with time stamp.
• All user data is encrypted and stored on user’s device, and data will not be accessed unless user has been in close contact with a confirmed COVID-19 case.
• As per TT’s privacy statement, if the user is COVID-19 positive, user has the option to give government access to TT data. However, the FAQs state that users have a legal obligation to assist in containment plan and must provide information such as location timelines, logs and data stored in other apps.
• Data is stored for 21 days on rolling basis.

• Purpose is identified.
• It follows principles of data minimisation as geo-location and internet data are not collected. Further, retention is for 21 days, which is based on scientific evidence that 21 days is important for mapping symptoms and cure.
• Based on how TT works, and specifically, the FAQs around consent-based data access, it can be argued that consent is not meaningful and “free”, because users have a legal obligation to disclose for containment measures. However, this is limited for those who are COVID-19 confirmed, and not for suspected cases.
• Data collected is stored locally in user’s phone. This decentralised data logging minimizes risks of unsuthorised access and use.
• Data is stored in encrypted format.
• Mobile numbers are not revealed to TT users. They are substituted by a random permanent ID. Further, mobile number and its corresponding user ID are stored in a secured server.

Apple and Google have announced launching of a “comprehensive soluton” that includes APIs and OS-level technology for contact tracing. In first phase, APIs allowing inter-operability between different OSs and applications will be released by May 2020. While the details are yet to be released, it appears that the framework will use bluetooth signalling for tracing. Some of the key features released include:

• One-time tracing key will be generated when contact tracing is enabled on the device.
• Additionally, daily tracing key will be generated every 24 hours.
• These will be stored on the device and not transmitted onward to servers.
• Proximity idnetifier will be derived from daily tracing keys and transmitted through bluetooth on tracing enabled devices.
• When a person tests COVID-19 positive, diagnosis keys and associated daily numbers are uploaded to the diagnosis server.
• The server aggregates diagnosis keys from COVID-19 positive cases and anonymised/aggregated information will be sent to all users who are using contact tracing.
• Key schedule is fixed and defined by OS components.

It is premature to comment on how this technology framework will work and what will be the privacy implications. A lot will depend on how implementing apps work around consent and data access, but, certain aspects available publicly create an impression that the risks will be medium to low:

• Apple-Google claim that API will prevent applications from using static information pools like name, as this could be used for tracking location.
• Since the key schedule is fixed and generated by OS, the privacy risks shall be reduced.
• It will not be computationally feasible for an attacker to find a collision on a rolling proximity ID, preventing a wide-range of replay and impersonation attacks.
• No metdata will be processed.

Similar to TT, COVIDSafe uses bluetooth signalling and works in the following manner:

• For using COVIDSafe, user is required to provide name, age range, mobile, and postal code.
• SMS is sent to complete installation. This infomration is used to generate an encrypted reference code specific to the user.
• Bluetooth access is required for COVIDSafe to work. Location data or internet connectivity is not used.
• When two COVIDSafe devices are in range, the encrypted reference codes are transmitted and stored on devices. The date, time and distance are also generated, encrypted and stored on devices.
• The information on device is not accessible to anyone or transmitted to governement server.
• Only when a person is diagnosed postive, user’s consent will be obtained for uploading information from device to governmet server, who will decrypt and use it further for contact tracing.
• Confirmed patient details will not be shared.
• Data is retained for 21 days, after which they are automatically deleted.
• Data will only be used for contact tarcing and not otherwise.

COVIDSafe was launched reportedly after detailed privacy impact assessment. This follows a necessity-based approach and similar to TT adheres to well-known fair processing principles like data minimisation, limited retention, decentralised data storage, and encryption. Some additional privacy centric checks are below:

• All data is encrypted and inaccessible, except with unique decryption key that government will use only when encrypted data is uploaded.
• Unlike TT which generates a pseudonym ID, COVIDSafe uses encrypted reference code, which further protects stored data.
• Consent is required for uploading the contact information and the chances of obtaining “free” consent in the true sense are higher.

PEPP-PT NTK proximity tracing system is a framework curated for European Union countries factoring requirements under General Data Protection Regulations and EU Privacy Directive.[7] PEPP-PT NTK operates on bluetooth signalling and will work in the following manner:

• Any app imbibing PEPP-PT NTK will work in background.
• It will not collect any personally identifiable or location data.
• Temporary IDs for each bluetooth device during tracing will be generated pseudo-randomly and will change periodically. These temporary IDs do not associate multiple signals to the same device and cannot be used to identify the user.
• Temporary ID will be transmitted via bluetooth signal to other devices. The signal will also include information about bluetooth output power that will help estimating distance and duration.
• Thus, only 3 information set will be collected temporary ID, distance and duration. This will be encrypted and stored on device.
• If a user tests COVID-19 positive, a healthcare professional will provide a code, which when wired by the user will allow data access. This access will be with consent. The data then will be transmitted on to the connected server, where it must be retained for specific duration only.
• Once data is obtained, prevention notifications will be sent to other users depending on physical proximity and duration with the positive user in the past.

The proposed framework definitely trumps our analysis for being the least intrusive of one’s privacy, but a lot will depend when this is actually adopted and put to use. Apart from the privacy protection features used in TT and COVIDSafe, the noteworthy feature that safeguard user’s privacy is that there will be minimal collection of data, mostly without personal identifiers. Further, tracing will happen through temporary IDs and the chances of identification and surveillance of any kind are almost negligible.