No coronavirus silver bullet: Aarogya Setu endangers privacy even as its usefulness is uncertain

On May 1, the Ministry of Home Affairs extended India’s lockdown by two weeks as part of its strategy to contaib the spread of the novel coronavirus. Since March 25, the government has made use of discretionary powers under The Disaster Management Act, 2005 to impose a nationwide lockdown.

One of the government’s key strategies against Covid-19 has been the adoption of contact tracing methods. This involves identifying, listing and monitoring people who have come in contact with infected persons to limit the spread of the coronavirus. Since April 2, the government has been enhancing its contact tracing capabilities by making use of data collected via a mobile phone app called Aarogya Setu.

Built by the Ministry of Electronics and Information Technology and some volunteer groups under the guidance of the National Informatics Centre, the Aarogya Setu app uses GPS data and Bluetooth technology to determine the location of users and others they come in contact with. It collects personal data such as age, gender, name, health status, travel history, and the user’s contact list to assess the risk status of users and help health authorities manage the break out of the infection.

By Monday, the app had 98 million downloads, supposedly making it one of the fastest downloaded apps of all time.

Voluntary vs mandatory

Touted as a voluntary app, the government has steadily pushed for mandatory usage of the service. In the May 1 order extending the lockdown until May 17, the government has mandated 100% coverage of the Aarogya Setu app within containment zones and for both public- and private-sector employees, making the heads of private organisations liable for non-compliance.

Recently, the Government made the app a pre-
condition for bringing back stranded Indians abroad and latest reports suggest it is now
considering mandating the Aarogya Setu app for all future air travel. Authorities in Noida have made its use compulsory for all its residents. This is a dramatic and potentially unconstitutional shift from voluntary to mandatory.

Though India does not yet have a comprehensive data privacy framework, in 2017, the Supreme Court in a landmark judgment (K.S. Puttaswamy v. Union of India) reaffirmed the right to privacy as a fundamental right. This grants protection against privacy abuses by the state.

Valid arguments may be made that during a pandemic, emergency measures like mandatory usage of an app might be in the public interest. But there are legal and practical challenges to this line of argument that must be considered.

A migrant worker in Bhiwandi, near Mumbai. Credit: Reuters

Privacy by law

It is an established position in India’s constitutional law that fundamental rights are not absolute. The state may, with appropriate safeguards, limit these rights in times of need. For privacy limitations, the Supreme Court in Puttaswamy laid down a four-step test.

If the government wishes to collect and process the personal data of Indians, without their consent, it must show:

That there is a law backing its demand
The measure adopted is necessary for achieving a legitimate state aim and is not arbitrary
That the measure is proportionate to the object of the law
There are procedural guarantees against the abuse of such limitations.

In response to public criticism , yesterday, MeitY released the Aarogya Setu Data Access
and Knowledge Sharing Protocol, 2020 , (the Protocol). The Protocol seeks to provide certain procedural guidelines/ safeguards or the data collection activities under Aarogya Setu and permits sharing of data between various Government departments and third parties to implement appropriate health responses.

The Protocol is effectively issued under orders of the National Disaster Management Authority under the Disaster Management Act, 2005, which does not specifically allow for the collection and processing of personal data as envisioned by the Aarogya Setu app. Thus, it will be far-fetched to say that the Protocol provides sufficient legal backing to Aarogya Setu.

While the Protocol limits data collection by the Government to what is necessary and proportionate, it fails to explain as to why such mandatory collection of data is necessary to achieve the aim of disease prevention. Are such digital contact tracing methods the only and best way possible to manage Covid-19? Is the collection of demographic data such as name, mobile number, age and gender alongside contact data absolutely necessary to fight the epidemic?

The Government could have gone a step ahead and provided answers to such questions in the protocol, which could have demonstrated the necessity of mandating Aarogya Setu. Coming to the proportionality test, a key requirement of which is to exhibit that the method imposed is the least restrictive, the protocol does not illustrate how digital contact tracing through centralised mobile apps is the least privacy intruding method of exposure notification and disease management. Aren’t other decentralized data collection solutions such as DP3T or PEPP-PT more privacy friendly

The Protocol does not have legislative backing as it is born purely out of executive action and comes more than a month after the launch of the Aarogya Setu app. Though, it comes with a sunset clause of six months, reviewed periodically, there is no legislative or judicial determination for its continuance beyond the initial period, skipping essential guarantees against potential abuse of such powers (a slew of petitions have been filed before the Kerala High Court, challenging the mandatory usage of the Aarogya Setu app).

Tech-solutionism and surveillance

Beyond the legal hurdles, the practical failures of the Aarogya Setu app have been widely discussed. For the app to generate reliable results, 60% more of the population must download it. But smartphone penetration in India stood at only 24% in 2019, according to a survey by the Pew Research Centre. Besides, the app can generate false positives and false negatives, it does not take into account people on separate floors or other physical barriers or the possibility of battery drainage; and security failures that could allow unscrupulous parties to collect app IDs, severely hurting user privacy.

Though the Indian government claims that data collected by the Aarogya Setu app gets deleted in cycles of 30, 45, and 60 days, the risk of mass surveillance cannot be ignored, particularly since the app has not been open for public audit and stores data on a centralised server. (Reports suggest that the data might be currently stored on an Amazon Web Services server, raising doubts about the security and privity of the health data of millions of Indians.)

Merging the data collected through Aarogya Setu with other government databases such as the Aadhaar database or integrated databases such as the CMS or NATGRID could result in mass profiling of Indian citizens.

While Indian law does permit the government to conduct targeted surveillance through the Indian Telegraph Act, 1885, and the Information Technology Act, 2000, it does not sanction mass surveillance activities. In light of the push for mandatory use of Aarogya Setu, it is pertinent to mention that with rising digitisation, India is in a dire need of surveillance reform.

Doubts about usefulness

Numerous countries around the world, as well as Apple and Google, are experimenting with contact tracing apps like the Aarogya Setu. But questions remain about the usefulness of contact tracing apps.

Health experts warn that contact tracing works best in situations where infection rates are low and there is widespread testing. Considering most cities in India are red zones, it may not be very useful to notify people about possible exposure when the infection is everywhere.

In addition, an over-reliance on contact tracing apps carries with it the grave risk of impeding peoples’ right to movement and participate in social life. If exposure certification on apps (India is mulling e-passes using Aarogya Setu) is made mandatory for people to move around (for example, to use public transport), the error rates inherent in such technology could give rise to widespread exclusion.

The Singapore government’s contact tracing app TraceTogether. Credit: Catherine Lai/AFP

Protecting civil liberties

However, it could be possible to carry out digital contact tracing without violating the fundamental rights of citizens. First and foremost, the Indian government should share the source code of the Aarogya Setu app in accordance with its open-source policy for independent experts to verify its security (as Singapore has done).

Next, the government should pass an ordinance for the collection and processing of data for the purposes of contact tracing, as the continuation of such an ordinance shall be determined by Parliament and ensures separation of powers between different organs of the State. An independent quasi-judicial forum must be set-up by the government to address grievances arising from using the app. Aarogya Setu must strictly be a voluntary service, with clear options to withdraw consent and have personal data deleted permanently.

A good example of enabling user autonomy over personal data comes from a recent Kerala High Court matter. In its order, the court directed the government of Kerala to ensure that specific user consent should be obtained before sharing health data of citizens with third party service providers and that the data needs to be anonymised before handing it to third party service providers.

Since Aarogya Setu has been developed under a public-private partership model and reports suggest the involvement of volunteer groups in its creation, it is essential for the government to maintain complete transparency on the identity and affiliation of each private player with due regard to the process of selection.

It is vital to protect civil liberties like the right to privacy in times of global emergencies like the coronavirus pandemic because invasive state action has a tendency to expand beyond its initial purpose, severely diluting our rights in the long term.

Governments adopting digital contact tracing technology must necessarily warn users about the limitations of such mobile apps. If apps like Aarogya Setu are hailed as silver bullets in the management of a health crisis, it will shift focus away from proven mitigations strategies such as increasing the capacity of healthcare infrastructure, public awareness campaigns, and citizen-centric solutions like mask wearing and physical distancing.

Shashank Mohan is a tech-policy researcher and a Project Manager at the Centre for Communication Governance, National Law University, Delhi

We welcome your comments at letters@scroll.in.