Aarogya Setu App: A Threat to Privacy?

Introduction-

Since March 11, 2020, when the WHO declared the Novel Coronavirus Disease (COVID-19) outbreak a pandemic, the number of positive cases has been snowballing with each passing day. With 6,876,125 positive cases around the world, there is a heightened responsibility on the Government of every country to deal with this public health crisis competently. It is their duty to come up with the most effective plans that are least restrictive of the civil liberties of their citizens. In today’s digital age the usage of technology for disaster management cannot be denied, but the regulatory lacunae with regard to such technology mean one must be very vigilant while using it.

Contact tracing has emerged as an effective way to prevent the spread of this deadly virus and make people more aware. Such applications have been introduced in many countries including India, which launched its Aarogya Setu application in the month of April. Since its launch there have been a lot of conjectures against the app; one of the core disputations is that it infringes the Right to Privacy of citizens guaranteed under Article 21 of the Constitution of India. However, in the tussle between a public health crisis distressing society at large and the privacy of a few people, the former prevails over the latter.

What is the Aarogya Setu App?

India currently has the largest number of confirmed cases in Asia and the third highest number of positive cases in the world after the US and Brazil, with the total number of confirmed cases crossing the 100,000 mark on 19th May, 2020 and 2000,000 on June 3, 2020. On 29th August 2020, India recorded the highest global single-day spike in COVID-19 cases, with 78,761 cases, surpassing the previous global highest daily spike of 77,368 cases, which was recorded in the US on 17th July.[1]

The Government of India has taken a number of steps to curb the spread of this virus since the first case was recorded in India in March. The Aarogya Setu app is one such step. It is an Indian open-source COVID-19 contact tracing mobile application, developed by the National Informatics Centre under the Ministry of Electronics and Information Technology (MeitY). It augments the initiatives of the Department of Health to spread awareness about COVID-19 and shares best practices and advisories to connect essential COVID-19 related health services to the people of India.

The app uses the smartphone’s GPS and Bluetooth features to track the coronavirus infection. With Bluetooth, it tries to determine if a person has been near a COVID-19 infected patient, by scanning through a database of known cases across India. By using location information, it determines if the location is a contaminated zone based on the available data.

Amidst this pandemic, social distancing has become the new normal for every Indian as well as for people around the world. At such a time this app helps people stay updated regarding containment zones, virus hotspots, etc. The application also provides an E-pass facility, which gives providers of essential services and commodities some relaxation from the lockdown.

In essence, this application is just an initiative by the NAMO government to ensure the utmost safety of its citizens. This digital application may reduce hassle, helping the country return to its pre-lockdown conditions with greater ease.

But the main question is: with more than half of the Indian population consisting of non-smartphone users, how will people avail the services that the government wants to provide through this app?

Aarogya Setu app: one app, too many glitches –

The privacy terms of the Aarogya Setu app have always created a storm among legal activists for not complying with data protection principles and with Article 21 of the Indian Constitution (the Right to Privacy). Various loopholes of the app, which remain a point of debate, are mentioned below-

  • Who will be held liable?

One of the major problems with the Aarogya Setu app is that it collects personal data of the users, which remains stored on the government’s database till 30 days after the user cancels the registration or uninstalls the app. The main point to be noted here is that the collection of the data is not authorized by law and is done only on an ad-hoc basis. The absence of any such legal sanction gives the government more freedom on how to process and manage the personal data collected from citizens.

The terms of service of the application make it clear that the Government cannot be held liable for any claims regarding unauthorized use of personal data collected from it. The app also exempts the Government from any liability if it shows any inaccurate or false information. This excludes the data collection process from any legal scrutiny and prevents citizens from seeking any judicial remedy to ensure that the government’s processes in relation to this app are in compliance with the right to privacy.

Justice Srikrishna, in an interview with The Indian Express, said, “It is good that they are keeping with the principles of the Personal Data Protection Bill but who will be liable if there is a breach? It does not say who should be notified.”[2]

  • Making the app mandatory

India is currently the only democratic nation that has made its coronavirus tracking app mandatory for people.[3] Despite a lot of eyebrows being raised regarding the security of the app, Aarogya Setu became the most downloaded application in the month since its release. Over 100 million people have registered with the app so far. The government launched the app on April 2, 2020; since then various startups like Swiggy, Zomato, Urban Company and Grofers have made it mandatory for their staff to use the app. Even the Indian Government made it mandatory for citizens living in contaminated zones and all public and private sector employees to download the app.

However, since no law has been passed by Parliament authorizing making the app mandatory, such steps taken by the government or private companies will be in contravention of the Information Technology Act, 2000. So, while it could be used as an emergency provision in the current pandemic situation for tracing corona-positive patients, it can open up a Pandora’s box of litigation against the policy of the app later.

Since its launch the app has sparked a number of debates in relation to its various policies. In just a month, an app once touted as voluntary has become almost ubiquitous.

Former Supreme Court Judge BN Srikrishna, who was a part of the committee that came out with the first draft of the Personal Data Protection Bill, said that making the app mandatory was utterly illegal.[4]

  • Collection of more information than required-

As per the proportionality test, any infringement on the privacy of individuals must be achieved by the least restrictive measures. The main objective of the app is to trace COVID-19 positive cases, support them with necessary commodities, and notify others in order to prevent the virus from spreading.

However, the terms of security and the provisions relating to the app do not clearly specify why the data is collected from people or how the app uses the personal data they provide. When one downloads the app, they need to provide personal information such as name, age, gender, sex, profession, travel history and whether they have had any relation with a COVID-19 positive patient.

The main issue in this regard is that people are required to submit more data than any app needs for contact tracing. The need to provide one’s gender or profession has no relation to the disease. No proper justification is given as to why such data is collected from people. This is in complete contradiction with the principle of data minimization in the PDPB, 2019.[5]

  • Lifespan of the data collected-

According to the ‘Aarogya Setu Emergency Data Access and Knowledge Sharing Protocol’, the data collected from people will be retained for 180 days from the date of its collection. If any individual requests deletion of the data, it will be done within 30 days.

The Internet Freedom Foundation has said researchers and individual users cannot actually check if the government has deleted people’s personal information and there is no means of transparency auditing what the app is doing in the backend.[6]

The privacy policy of the app states that the data collected by the app, once uploaded to the government server, can be provided to persons carrying out “necessary medical administrative interventions” in relation to COVID-19. It also states that the personal information collected from users can be used for legal requirements. These provisions mean that data collected through the app can not only be retained for a period longer than the one mentioned in the provision but can also be shared with a third party engaged in the administrative or medical field.

Moreover, the privacy policy of the app nowhere mentions that the app will be used only during the pandemic. This suggests that the government can use the application for other government purposes later.

  • Using GPS and Bluetooth-

The Aarogya Setu app uses the GPS and Bluetooth of a person’s smartphone to track corona-positive patients. The application continuously monitors the user’s GPS location and saves it on the device so that it can be used if the person tests positive for coronavirus. As per the norms of the government, the app can also collect demographic, contact, self-assessment and location data of persons infected by coronavirus or of those who come in contact with infected people.

However, other contact tracing apps resort to the use of Bluetooth to develop their contact records. This shows that the methods adopted by the Aarogya Setu app are in complete contrast with the ones adopted by other apps. According to Livemint, other apps collect just one data point, which is later replaced with a scrubbed device identifier, but the Aarogya Setu app[7] collects multiple data points of personal and sensitive personal information, which increases privacy risks.

Continuously tracking movements of people is a complete infringement of their privacy. Also, such location tracing can be used to gather various other information like one’s address without their consent, making it more invasive than other such apps.

  • No open source-

“If you force people to install an app by law, the bare minimum is to open source this code,” said cyber security researcher, Elliot Alderson.[8]

Despite the government’s prevailing policy on open source, Aarogya Setu’s source is not made available to people. This means that the standards of encryption followed in the anonymization of data are unknown. Open-source code enhances transparency and leads to greater security. In the absence of open source there is no way to ensure that the data is anonymized and not used for any other purpose.

Reference to the Puttaswamy Judgement (Aadhaar Card case)-

The Puttaswamy case[9] is a landmark judgement of the Supreme Court with regard to the right to privacy. In this case the SC held that the right to privacy is a fundamental constitutional right under Articles 14, 19 and 21 of the Constitution of India. The SC also said that data protection is an essential part of information privacy.

In this case the honourable court laid down requirements that must be satisfied to be treated as an infringement of privacy. The three requirements are as follows-

  1. LEGALITY– there should be existence of a law.
  2. LEGITIMATE GOAL– the law should seek to achieve a legitimate state aim.
  3. PROPORTIONALITY– there should be a rational nexus between the objects and the means adopted to achieve them.

Any measure adopted in order to achieve a state interest can be considered proportional only if it is the least restrictive of the rights of the people and does not have a disproportionate effect on the people or society at large.

Based on the proportionality principle propounded by the SC in this case, the Aarogya Setu app can be considered a proportionate infringement of an individual’s right to privacy guaranteed under Article 21 of the constitution of India.

Conclusion-

The use of emergency measures adopted by any government must stay within the ambit of emergency provisions only, or else we put the rights of individuals at risk. The intention of the government behind launching the app is noble, but the vagueness of its privacy policy is in contrast with the prevailing information privacy framework. Even in a time of such crisis the right to privacy of individuals cannot be compromised completely. It is the duty of the government to tackle the virus in such a manner that citizens’ rights to both health and privacy are protected at the same time.

 

[1]Source- https://www.reuters.com/article/us-health-coronavirus-india-cases-idUSKBN25Q06A.

[2]Apurva Vishwanath, Mandating use of Aarogya Setu App is illegal, says Justice Srikrishna, The Indian Express, (May 13, 2020), https://indianexpress.com/article/india/aarogya-setu-app-mandate-illegal-justice-b-n-srikrishna-6405535/.

[3]Source- https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/.

[4]Apurva Vishwanath, Mandating use of Aarogya Setu App is illegal, says Justice Srikrishna, The Indian Express, (May 13, 2020), https://indianexpress.com/article/india/aarogya-setu-app-mandate-illegal-justice-b-n-srikrishna-6405535/.

[5]Personal Data Protection Bill, 2019.

[6]Is Aarogya Setu privacy-first? Nope, but it could be– If the government wanted. #SaveOurPrivacy, Internet Freedom Foundation, https://internetfreedom.in/is-aarogya-setu-privacy-first-nope-but-it-could-be-if-the-government-wanted/.

[7]Aarogya Setu: Govt’s coronavirus tracker app gets 5 crore users in 13 days, Livemint, (April 16, 2020), https://www.livemint.com/news/india/aarogya-setu-govt-s-coronavirus-tracker-app-gets-5-crore-users-in-13-days-11587021032271.html.

[8]Source- https://twitter.com/fs0c131y/status/1259748063553470465?s=20.

[9]Justice K.S. Puttaswamy (Retd.) vs. Union of India, 2017 10 S.C.C.1.

Author –

Gauri Pandey
BBA LLB, 3rd Year
BVDU, New Law College