The Ministry of Home Affairs’ (MHA) directive to make the Aarogya Setu app mandatory for individuals in all workplaces has not gone down well with privacy advocates who feel the app has several security-related blackholes and can eventually become surveillance tool for the government. Aarogya Setu seeks continuous access to location information for its social movement graph and uses Bluetooth technology to alert people when they come in contact with a covid-19 positive person. Most contact-tracing apps work on the same principle. However, what clouds the narrative around Aarogya Setu is the ambiguous privacy policy and silence on security practices. “The privacy policy of the app is completely silent on as to what security practices are being followed. Merely saying that data is kept secure through encryption is nothing but lip service. They need to give more details on the security procedures and answer what level of encryption is being used," said Pavan Duggal, a cyberlaw expert. Prasanto Roy, a tech policy analyst, is not just worried about the fact that the app is capturing his personal info, location and heath data. He is also concerned about what will be shared, with whom and for what purpose. Duggal points out, the app dies not tell how it complies with the Information Technology Act, 2000, and IT Rules, 2011. Also, there is a huge gap in privacy policy, as it does not tell what is being done with the data that is being collected every 15 minutes. It is only talking about data that is being uploaded on the servers. “This can become a perfect tool for monitoring and surveillance in the absence of checks and balances," rues Duggal.