Arogya Setu (COVID-19) App

Not A Body Guard To Data Privacy

This Blog is inscribed by Anuj Agarwal.

Introduction

As the whole world is suffering from the Corona pandemic, in terms of WHO COVID-19 is indomitable. Covid-19 has been pressing the public health systems to the verge of collapse forcing many countries around the world to switch over to the lockdown. Absence of potential vaccines or drugs turned the governments to employ alternative tools and techniques to stop the spread of the virus. One such tool developed and deployed is the contact tracing software to discover the movement of an infected person and to warn about a nearby infected person. This software tool is governed by five technological principles they are (a) voluntary (b) Limited (c) data destruction (d) minimized (e) transparent.

One such tool developed by the National Informatics center working under the Ministry of Electronics and Information Technology is called as “Aarogya Setu” App.

Arogya Setu App

An initiation of the government of India to connect essential health services to fight against COVID-19. It is aimed at reaching out to and informing the users of the app regarding risks, best practices, and relevant advisories pertaining to the containment of Covid-19. The functioning of the app was well appreciated by many but the operational procedure of this app has led the controversies surrounded it of the data privacy. But before venturing into intricacies of the issues of privacy let’s have a look at the current state of the data privacy laws. As of today, there is no concrete piece of legislation in India that specifically guards the healthcare data or personal data but the recent judgment of the supreme court in Justice K.S. Puttaswamy (Retd) vs Union of India[i] is a resounding triumph of privacy.  The judgment declares privacy is an ingrained part of Article 21 of the Constitution.    

In fact, what we have are a handful of laws like the Informational Technology Act 2000 and Information Technology (Reasonable security practices and procedures and sensitive personal data or informational Rules, 2011) both of which are not properly armed to tackle the current situation. One of the major setbacks is the applicability of the current law which is limited to the corporate entity and not the state.

So in the need of the hour, there are two draft legislation: one, the Personal Data Protection Bill 2019 in short (PDPB) which is hanging in the parliament to decide its undecided fate by the parliament and second, draft Digital Information Security in Healthcare Act (‘DISHA’) rolled out by Ministry of Health for the public consultation. Both of them may lead to the controversies in future.

Data Privacy Issue w.r.t Arogya Setu App

Now moving back to the Data privacy issue of Arogya Setu App, from its launch on April 2, 2020, it got caught in the clouds of question like is it safe? Or will there be any privacy issue? Or what will be the aftermath of the ‘Application” when once PDPB will convert into an Act and enforced as a Law.

If we reiterate the PDPB, Data Fiduciary entitled under clause 2(13) of the PDPB as:

 “any person (natural or legal), including the State, a company, any juristic entity or an individual who alone or in conjunction with other determines the purpose and means of the processing of personal data[ii]. The Government of India being the Data Fiduciary has to abide by the obligation.

This write-up will give you the basic overview of the data protection constraints under PDPB in healthcare exigency and is the privacy policy of the app is in accordance with the proportionality principle ordain under K.S. Puttaswamy judgment, along with Personal Data Protection Bill, 2019 (PDPB 2019).

Overview of PDPB 2019 and Proportionality Principle

The PDPB 2019 panoramically laid down the rights and duties of the Data Fiduciaries, Data Principle, Data Processors, to make it lucid if any provision of the bill is violated, the state being the data fiduciary will be held accountable. On the same note mentioning some of the processes that the above-mentioned player plays e.g. Permitting access to Data, processing data, withholding of data, the purpose of usage of data, and transparency in the processing of data. All these processes are being compromised by the application, which no doubt turns the application to be more of a violator of the right to privacy, if it comes under the watchlist of PDPB and principles of data protection.

Further, throwing some light over the principle, in the recent K.S. Puttaswamy judgment, the apex court beholds that protection of data is an inseparable part of information privacy. Any violation of that must fulfill three conditions which are- the presence of valid law, the state interest in pursuance of the act, and violation of privacy which is similar to the object.

Modus operandi of the Application

Working of this application also led to the debate as it uses the GPS location to find out whether a registered user comes in contact with a user who might be Covid-19 positive and the user will be cautioned about the interaction with the host, isn’t it surprising that every Indian got his/her bodyguard which save them from having a potential health risk, but this bodyguard doesn’t save the users privacy as it sounds. As initially, the application privacy policy explicitly mentions that “your data will be shared only with the government of India” keeping in mind the legal backing of this app is its privacy policy and no other law, had it PDPB was there then the situation would be different but recently the Ministry of Electronics & Information Technology issued some guidelines[iii] on ‘data-sharing and knowledge sharing protocol for the Aarogya Setu app, which includes sharing of data with government agencies and third parties.

This sharing of personal data to the third party can create a shady situation; this is where the people are worried about and questioning the integrity of the App. Now the question is what type of personal data the Application collects, does the data that application collects falls under the purview of personal data?

Answer to this is that the application collects data such as Name, Phone number, Sex, age, profession; international travel history in the last 30 days, and all-time location access of the user. Collection of the data is to be done by abiding the principles mentioned earlier, one of which is voluntary extraction of data, other than the mobile number and location sharing service which is requisite but in fact, it looks like a mandatory in nature than a voluntary, according to the government circulars dated 01/05/2020 use of Aarogya Setu App was made mandatory to every employee working in both the private and public sectors till the lockdown 3.0. However, in the recent judgment of the Kerala High Court challenging Mandatory use of this app made the central government rethink its earlier guideline of mandatory to the “best possible practice”

Further, the data collection comes into play as data is stored on the government server for 30 days after the user forfeit the registration and all this is not been sanctioned by law, the only tool that government is using in this present emergency is Disaster Management Act, 2005 and that too without any assisting provision for collection of personal data in a current emergency, to make it more simple if we look from the purview of PDPB 2019 there must be some law backing the act of data fiduciary so that someone can be made accountable for any wrongdoing, and absence of such law not only gives the government a rein but also exclude them from judicial scrutiny.

Not having any punitive comeuppance makes the situation even worse. As the application Term of service (TOS) states that the government will not be liable for the claims made while using the application for collecting data. Here TOS is violating the responsibility of data fiduciaries given under PDPB 2019, on the same hand daunt the government not to comply with the data protection principle and face no sanction as well. 

Failure

Further, this application failed to meet another clause of PDPB 2019 which is ‘data minimization’ as it collects data which is not relevant for contact tracing like ‘gender’ and ‘occupation’ which are some of many multiple data points collected by the application whereas its counterpart used by Singapore and MIT which collects one or two data points, subsequently collection of more data points for sensitive personal information could step-up the privacy risk[iv].  

Adding up initially the source code of the application was not accessible to the general public but after huge criticisms by experts and people of the legal fraternity, IT Ministry on 26/05/2020 made the application opensource on ‘GitHub’. Before making the application opensource there was some alteration made in TOS of the app allowing tampering and reverse-engineering which were restricted previously[v].

Although there were some incidents which surely compromise with privacy such as an ethical hacker named Elliot Anderson who pointed out a security flaw in the app and another one is from Bangalore where a person bypassed all the information that Application asked, he was even marked healthy but after releasing it as opensource it might make the application more vulnerable to hackers, the application is not truly open-source according to some experts as it is not allowed for server-side open-sourcing[vi].

Further, the application failed to comply with another principle which is purpose limitation, it collects, process and upload the data on the government server which can be provided to the third party doing research or medical work, this surely raises the eyebrows as to the authenticity of third parties and what type of data is been given. Adding up to this an always-on location service which is continuously tracking the whereabouts of an individual is against the right to privacy, this not only giving the data fiduciary information such as address without the permission of an individual at the same time giving information about lockdown compliance which is clearly against the purpose of the App, as well as the principle of purpose limitation under PDPB 2019.

Now, what will happen after once this pandemic gets over, will the Application cease to operate or the government could use it for some other purpose like monitoring people’s movement? As of now, this is unknow and the application from its inception fetches controversies regarding privacy breach and it continues till now.

Conclusion

Creation of anything, however good the cause may be, there is a necessity to have checks and balances. As Aarogya Setu compromised the principles of privacy and PDPB 2019 making it mandatory without any protective measures goes against the established principles of the right to life embedded in the fundamental rights of the Indian Constitution. It is necessary for the government to evolve a concrete mechanism to protect individual personal data.


[i] Justice Puttaswamy (Retd.) and Anr. v Union of India and Ors, (2017) 10 S.C.C 1

[ii] Meity, Personal Data Protection Bill,2018  available at: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf.

[iii] Meity, arrogya setu data access and knowledge sharing protocal,2020 avaliable at: https://meity.gov.in/content/aarogya-setu-data-access-and-knowledge-sharing-protocol-2020

[iv] Internet Freedom Foundation, Is Aarogya Setu privacy-first? Nope, but it could be– If the government wanted. #SaveOurPrivacy, available at:https://internetfreedom.in/is-aarogya-setu-privacy-first-nope-but-it-could-be-if-the-government-wanted/

[v] IshanPatra , Aarogya setu app is known opensource what does it means?,  The Hindu, available at: https://www.thehindu.com/sci-tech/technology/aarogya-setu-app-is-now-open-source-what-does-it-mean/article31689459.ece (May.28,2020)

[vi] Prasid Banerjee, jury is still out on privacy concern in Aarogya Setu , Livemint.com, available at : https://www.livemint.com/news/india/jury-is-still-out-on-privacy-concerns-in-aarogya-setu-11590598792464.html (May.28,2020)

Leave a Reply

Your email address will not be published. Required fields are marked *