The world has never seen anything quite like Aarogya Setu. Two months ago, India’s app for coronavirus contact tracing didn’t exist; now it has nearly 100 million users. Prime Minister Narendra Modi boosted it on release by urging every one of the country’s 1.3 billion people to download it, and the result was that within two weeks of launch it became the fastest app ever to reach 50 million downloads.

“We beat Pokémon Go,” says a smiling Arnab Kumar, who is leading development of the service for the Indian government.

But although the app’s growth is unprecedented, it is extraordinary in an even more important way: if you don’t install it, you might lose your job, get fined, or go to jail.

India is currently the only democratic nation in the world that is making its coronavirus tracking app mandatory for millions of people, according to MIT Technology Review’s Covid Tracing Tracker, a database of global contact tracing apps.

While official policy is that downloading the app is voluntary, the truth is that government employees are required to use it, while major private employers and landlords are mandating it as well. The city of Noida is now reportedly fining and even threatening to arrest anyone who fails to install the app on their phone.

It’s a dramatic step generating fierce criticism from civil liberties experts nationally, and from all over the globe.

Rahul Gandhi, a prominent member of the Indian parliament and former leader of the opposition Indian National Congress, is among those who have criticized the app, charging that it has “no institutional oversight” and raises “serious data security and privacy concerns.”

“Technology can help keep us safe,” Gandhi recently tweeted. “But fear must not be leveraged to track citizens without their consent.”

“There is an infringement on human rights that is not justified here,” says Estelle Massé, a senior policy analyst at the digital rights group Access Now. “There is a risk of initiating a tool that can be repurposed for surveillance after the pandemic.”

A massive all-in-one undertaking

MIT Technology Review’s database shows that India’s app is unique in a number of other ways, too. Many countries are developing limited services that use Bluetooth or GPS to give “exposure notifications” to people who have interacted with someone found to have covid-19. India’s app, though, is a massive all-in-one undertaking that far exceeds what most other countries are building. It tracks Bluetooth contact events and location—as many other apps do—but also gives each user a color-coded badge showing infection risk. And on top of this, Aarogya Setu (which means “a bridge to health” in Hindi) also offers access to telemedicine, an e-pharmacy, and diagnostic services. It’s whitelisted by all Indian telecom companies, so using it does not count against mobile data limits.

What the app lacks also sets it apart. India has no national data privacy law, and it’s not clear who has access to data from the app and in what situations. There are no strong, transparent policy or design limitations on accessing or using the data at this point. The list of developers, largely made up of private-sector volunteers, is not entirely public.

Kumar stresses that the app was built to the standards of a draft data privacy bill that is currently in the country’s parliament, and says access to the data it collects is strictly controlled. But critics have expressed concern because it is not open source, despite an Indian government mandate that its apps make their code available to the public. Kumar says that this is a goal for Aarogya Setu and will happen down the line, but he could not confirm a timeline or expected date.

When Aarogya Setu was first announced, the Indian government did seek consent, and using the app initially sounded voluntary. Today, at least 1 million people have been given orders to use it, including central government workers and employees of private companies like the food delivery services Zomato and Swiggy. It’s a well-practiced tactic in India, where “voluntary mandatory” technology has a history of being used as a gatekeeper to certain important rights.

While India is the only democracy to make its contact tracing app mandatory for millions of people, other democracies have struck deals with mobile phone companies to access location data from residents. In Europe, the data has largely been aggregated and anonymized. In Israel, law enforcement focused on the pandemic has used a phone tracking database normally reserved for counterterrorism purposes. The Israeli government’s tactics have been the subject of a legal battle that made its way up to the country’s Supreme Court and legislature.

Not transparent

Many of these difficulties can be traced to a lack of transparency. Neither the privacy policy nor the terms of service for the app were publicly accessible at the time of publication, and the developers have not shared them despite requests. Since the app is not open source, its code and methods can’t easily be reviewed by third parties, and there is no public sunset clause stating when the app will cease to be mandatory, although Kumar says data is deleted on a rolling basis after, at most, 60 days for sick individuals and 30 days for healthy people. And there is no clear road map for how far India’s national and state governments will go: one recent report said the government wants Aarogya Setu preinstalled on all new smartphones; another said the app may soon be required to travel.

In the early days of the app’s development, Kumar said it would leverage the technology being jointly developed by Apple and Google for iPhone and Android. That system will be released in just a few days, but it now comes with rules that include requiring user consent and banning location tracking—neither of which Aarogya Setu complies with. Kumar says Google engineers have been in close contact with Aarogya Setu’s developers, and his team will evaluate whether they can still implement the decentralized Silicon Valley system, which is intended to preserve privacy. Google and Apple have fast-tracked the app into both the Android and iOS app stores.

But there are still deep concerns that blurring the line between voluntary and mandatory, and between privacy-preserving and privacy-invading, will have long-term consequences.

“There is no effort made by the state to earn citizen trust,” says Anivar Aravind, executive director at the civic-technology organization Indic Project. “Here are a set of private-sector corporate volunteers, with no accountability, that built an app for governments that is forced to personal devices of everyone.”