A contact-tracing application, Aarogya Setu (meaning ‘health bridge’), was launched by the Central Government on April 2, 2020, for effectively tracking COVID-19 infected persons and alarming the application users about the same. However, the app has attracted much scepticism from cyber experts who worry that this might turn into an instrument for mass governmental surveillance, infringing users’ privacy.

The app, developed by the National Informatics Centre (NIC), under the aegis of the Ministry of Electronics and Information Technology (MeitY), uses a smartphone’s Bluetooth and GPS to detect any encounters with an individual tested positive for COVID-19. Both these features are required to be kept active throughout the day. Bluetooth detects if one has been in the vicinity of an infected person (has to be a registered user of the app). At the same time, the location determines the infected area in which the user is present. In addition to this, the app requires the following personal details of the users to be filled: (i) name, (ii) phone number, (iii) age, (iv) sex, (v) profession, and (vi) countries visited in the last 30 days.

The Privacy Hazards

The Hon’ble Supreme Court, in the case of Justice K.S. Puttaswamy v. Union of India, while recognising the right to privacy as a fundamental right, ascertained that any curtailment of the same has to satisfy four requirements:

• Legality,
• Necessity,
• Proportionality, and
• Safeguards.

Though the app seems to be necessary and proportional, it heavily lacks any legality and safeguards. India, as of today, does not possess any distinct personal data protection law as the Personal Data Protection Bill, 2019 is still under analysis by the joint parliamentary committee. In the absence of any legal framework governing the app, there are high risks of data breaches, lack of accountability and enforcement, no regulation of the data collected and its use and unavailability of requisite remedies. The app does not mention any existing law under which it is administered.

The continuous location surveillance (every fifteen minutes) of the app is a major point of concern as recording individual’s whereabouts, regularly, has grave repercussions for data protection and human rights principles. It is cardinal to understand that if there is any need for recording location data, at all, for detecting the spread of the virus. The Centers for Disease Control and Prevention (CDC) states that the primary mode of spreading of the coronavirus is from person to person who are in close contact with each other (within about six feet). Thus, large public gatherings, as well as indoor environment, can be highly risky. GPS tracking merely gives an estimate of the location of the user and not the six feet proximity information, which is essential to measure the levels of exposure to the virus.

Further, location data is not very reliable for indoor regions. The Internet Freedom Foundation (IFF) has also pointed out in its report that the Bluetooth based technology was ample for tracking purposes, as has been suggested by the Massachusetts Institute of Technology and adopted by Singapore in its TraceTogether app. Pairing it with location data considerably deviates it from “privacy-focused global standards”. The app fails to provide any explanation regarding the necessity of the use of both these features together for tracking, without it compromising the users’ privacy.

The privacy policy of the app states that the personal information of the user and the location record, in case of an infected user, are stored securely on a server operated by the Government of India. It makes no mention of the department, which is in control, or the concerned authorities accessing the data on the server. It also states that the data uploaded on the server is in an “anonymised and aggregated” form. However, what the Government views as “anonymised” is still unclear. The mechanism and kind of safeguards adopted for the protection of a large amount of “aggregated” data are also not disclosed by the developers or the Government, further strengthening the obscurity.

In a recent interview, Mr Lalitesh Katragadda, one of the developers of the app, stated that the data is controlled by NIC, although the servers are not yet managed by it. Currently, all data on the server is hosted by the Amazon Web Services. Will the hostage be ported? If yes, how and when will it be done? Once ported, who will be in charge of it? What kind of data is stored there? How exactly is the data “secured” on the server? Which authorities will be granted access to it? These questions remain unanswered.

The personal information collected is claimed to be erased in thirty days once the account is deactivated or the user is not shown to be at risk. However, it can be retained “for such period thereafter as required under any law for the time being in force”. This brings in a lot of ambiguity regarding the period of such retention and suggests its possible use even post-pandemic, thereby, going out of the scope of the app. Moreover, the erasure of data in no way applies to the anonymised, aggregated data uploaded on the server, making it a permanent resource of the Government. The application makes no provision for the users to explicitly request the deletion of their data except by completely removing the app from the phone. Further, no means are provided for the users to inspect the status of their particulars being deleted or stored.

Although there is no formal notification regarding the composition of the committee for this app, reports suggest that Principal Scientific Advisor Vijay Raghavan is leading the committee. Its members comprise of IT and Telecom officials along with renowned tech leaders. For an app solely developed to tackle a global health hazard, the absence of any healthcare official in the concerned committee is unnerving. Recently, it was also stated that the Ministry of Health is merely a stakeholder in the app while the entire responsibility of its functioning is carried out by the NIC.

The Terms of Service of the app make it crystal clear that the Government would not be liable for any errors or inaccuracies in findings of the app. It also absolves the Government of any liability even in the case of unauthorised access to the users’ information or modification thereof. This brings us to the principal question of who is the user supposed to hold accountable in case of any violation of rights due to the usage of app with no remedy at its disposal. The app’s source code has not been made openly available despite the Government following a well-formulated policy on adoption of open-source software. Furthermore, the terms also forbid any form of reverse engineering of the app. These aspects pose big question marks on the transparency of the application while also restricting community auditing.

Another hurdle that this app faces is the exclusion of non-smartphone users which constitute two-thirds of the country’s population. In a country with an enormous population of 137 crores, a mere 7.5 crores registrations on the app will not make much of a difference. Moreover, the developers themselves have stated that for a powerful impact, at least 50% of the population needs to download the app. The Government on April 29, 2020, made it compulsory for all the central government employees as well as those of the public sector units to download the app. In addition to this, it has been made mandatory for all smartphones to pre-install the app and to ensure that buyer can set up and use the device only after registering on the app, post lockdown. This expands the scope of operation of the app from contact tracing to possible geo-fencing later on.

Conclusion

Large numbers of users are already registered on the Aarogya Setu application, and the numbers are only bound to rise in the future with the compulsions made. In such a scenario, it is the need of the hour to lay down appropriate safeguards for personal data protection and provide adequate remedies in case of any breaches. The Government, as well as developers, need to be more open about the entire process, the algorithms used, the platforms made etc. and properly educate the masses of the same. Users should be completely assured that their data is secured while also informing them of the mechanism in which it is done and that it would not be integrated with any other repositories of information. They should be given considerable control over their data and proper clarification as to which authority will be accessing their information. The app is, no doubt, a great initiative for trying to prevent community spread and detecting cases more efficiently. However, more cautions need to be taken when the privacy of citizens is at stake. As a result, the app should be made a “privacy-first” contact-tracing technology as is done by the other countries around the globe.

This article has been written by Anwesha Singh. She is currently in the penultimate year of her B.A. LL.B. (Hons.) degree at ILS Law College, Pune.

Disclaimer: Views or opinions expressed in this article, whether impliedly or explicitly, are personal.

Edited by Raj Pagariya