This article is written by Naman Sherstra from Department of Law, University of Calcutta. The arising privacy concern about the aarogya application is depicted in the article.

Introduction

Think how ridiculous it is when a government makes it mandatory to keep a mobile application installed in your phone where the country has only 60 percent of the mobile phone uses. A statistical data shows India has approximately 483 million mobile internet users out of 1.35 billion population. The Ministry of Human resource and Development vide a notification on 3rd April, 2020 informed the students, teachers and the citizens to download a mobile phone application called ‘Aarogya setu app’. It was informed that the application would be useful in fighting the COVID-19. Later, on 1st May the Ministry made Aarogya Setu mandatory for the local authority to ensure the 100 percent coverage of the application in the containment zones. The level of absurdity crossed when the Uttar Pradesh Government in Noida made non-installation of the mobile application a punishable offence. Due to arising privacy issues, such orders is nothing but just arbitrary and unreasonable. 

Background

The “Aarogya Setu” is a COVID-19 tracker mobile application which is developed by the National Informatics centre under the Ministry of Electronics and Information Technology. The word Aarogya setu is derived from the sanskrit which means ‘a bridge to health’. The app is said to be an open source cross platform application which works on “technical solutionalism” means providing solutions to complex social issues. However, the government’s application came in question when a French ethical Hacker Elliot Ander through a tweet raised a serious security concern regarding this mobile application. But, later he stated about disclosure of such concerns to the Government bodies. This mobile application crossed the download limits of 100 million in just 40 days of its launch.[1] Countries like China, Singapore and Russia have also developed their Contact based COVID-19 tracing application. The Government of India through an executive order has made it mandatory to keep the application installed in the cell phone. Any violation of such order shall attract the punishment under the provisions of the Disaster management Act and the several provisions of the Indian Penal code and Epidemic Disease Act.

Salient features of the app

• The Aarogya app is equipped with the techniques of tracing with the help of cell phone bluetooth and GPS.
• The application warns the application user if they have ever been in contact with the COVID-19 patient or containment areas nearby according to the patients statistical data maintained by the Government.
• In case, if the application finds the user to have been in touch with any COVID-19 patient or visited nearby containment areas it shares the user’s data with the Government.
• This application also provides a self assessment to their user. The user can know the infection risk.
• The application also monitors the health of the user from time to time.
• The application also provides data of the COVID-19 patients across India in state wise mode.
• The application also contains awareness videos as well as quarantine measures for the persons having high risks of the COVID-19. 
• The pass accessing feature is also available on the app. Despite it, the government helpline number is also provided for any kind of help or query.

How does the app work

The application is based on the Bluetooth and Geopositioning contact tracing. One has only to ensure that the bluetooth and the location sharing of the cell phone is turned on always. The application contains the QR code which provides the health states of the user. At first the user needs to install the application “Aarogya setu”. The application is available on the Google play store for Android platform users and on App-store for the IOS platform users. After installation the user has to make registration by entering mobile number. 

The registration shall proceed by inserting the One time Password in the application. The registration is completed by filling some questionnaire which includes personal details followed by the foreign travel history details. At last the user has to take his self assessment test by answering health related questions followed by his desire of volunteering. On the basis of answers the application shows the level of risk of the user. The application detects the nearest mobile phone which has the application installed and calculates the risk on the basis of AI algorithms if the nearest user has been tested positive. 

Issues and controversy raised

The novel COVID-19 tracker app has been slammed due to various issues including safety, data privacy, legal issues and many more. The application breaches the right to privacy as it has been imposed through the executive order instead of legislative sanction. The safety issue arose first time when a french ethical hacker warned the Central Government regarding the data safety issue due to bugs in the application. Nevertheless, the hacker after 49 minutes in his tweet claimed the issue as resolved as the National Informatics Centre (the developer of aarogya setu application) had contacted him.[2] Despite it, the other concern was found when the UP government took an arbitrary decision of punishing those ones who are found to have Aarogya app not-installed in their cell phones.

Liability concerns with Aarogya Setu

The Aarogya setu application collects the data of its user and promises to delete such data within 30 days. It attracts several concerns of liability as the user has no control over his personal data. The liability terms of the application provide a blanket liability on the government as if the application fails to produce accurate results or if the user provides inaccurate details. So the terms of liability acquits the government from its liability if the personal data of the person is leaked.[3] However, the users would not have any legal options available with them in case of data breach, as once the user ‘agrees and acknowledges the terms and conditions’ of the application he is contractually bound by such terms and conditions. Countries like SIngapore have implemented such applications with proper protocols of liability making the source open to its users.

Is the app perplexing our privacy rights

The Aarogya setu app has been imposed in such a manner by executive order of the Government that it violates the fundamental rights of data privacy. Till today, we don’t have any laws on data privacy as “Personal data protection bill” was tabled in the parliament in December 2019 and was analysed by the Joint parliamentary committee. However, Information and Technology Act, 2000 provides the provisions for the data security and legal liability. It states that the app service provider shall fall under the ambit of intermediary and it is obligated to protect the data of the user and holds liability for any kind of data losses. The major glitch in the privacy policy of the app is that it picks up the data of the user in every 15 minutes but it doesn’t provide information about what is done with the data of the user rather than storing it in servers. Earlier, the application code was not open source but later when the software watchdog institute Software Freedom Law Centre in its article raised the transparency and security concerns the government later made the source of the app as open.

If we go through privacy policy of the collected under Clause 2(a) of the Aarogya app[4] it is states as follow:

The personal information collected from or about you under Clause 1(a) above, will be stored locally in the App on your device and will only be uploaded to and used by the Government of India (i) in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country and/or (ii) in the event you have tested positive for COVID-19 or have come in close contact with any person who has tested COVID-19 positive. Any personal information uploaded to the cloud will only be used for the purpose of informing you, or those you have come in contact with, of possible infection. Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.”

The above stated clause clearly mentions the Government shall share the data of the user with the medical and administrative agencies whenever it is required. It is clearly absurd that the data may be shared to an inappropriate hands on the name of medical and administrative purpose and any breach of data will not make the government liable due to its negligible liability policy under the terms of use.

Judicial Perspective

Recently, retired Justice B.N. Srikrishna who is one of the architects of the Data Protection Bill during his lecture in Daksha Fellowship raised several objections over the privacy issue of the application and government’s autocratic nature action of implementing the application through the executive order. He said that the order must be backed up by the legislative implementations as the Supreme Court has considered “Right to Privacy” under the ambit of Fundamental Rights provided in Article 21 of the Constitution and the executive cannot implement it without the proper law passed by the legislature.[5] 

In famous Aadhar Judgement known as “Justice K.S Puttaswamy (Retd) vs Union of India” the bench comprising of nine judges of Supreme Court held Right to Privacy as an intrinsic part of the Right to Life and Personal Liberty under Article 21 and the part of freedom guaranteed under Part III of the Constitution Of India.

On the issue of rising privacy complexities of the Aarogya Setu App the Judicial institutions have looked at it with different lenses.The Kerala High Court and Karnataka High Court while deciding on the petition challenging the Central Government’s order on making the use of application mandatory for the employees (public and private) as well as inter-state travel, issued the notice to the central government asking the reply for privacy guidelines.

At another instance Madhya Pradesh High Court in almost 20 bail applications provided bail on the Condition of installing Aarogya application in the cell phone.[6] SImilarly, Patiala House District Court released the Person on the bail condition of installing the Arogya Application in the Cell Phone and use it ensuring that the bluetooth is turned on always. The Discretionary power used by the Courts in such cases always mark a stain on the Judicial System as Judges extend their support to the executive order, nevertheless knowing the fact that application clearly hampers the Privacy of the user. However, the Government of India had eased off its mandatory provision for the usage of the application.

Accuracy of the Application

The accuracy of finding the COVID-19 cases is one of the most important issues that needs to be addressed. Jason Bay, one of the developers of Tracetogether app (a contact based tracing application like arogya) in his Article on Medium said that the bluetooth based contact tracing application can never be a substitute of the manual based tracing in the coming future. A report of Oxford University pointing question over the accuracy of the app said that the application will bring proper results if more than 60 percent people actively use it in their cell phones. India has only 100 million downloads of the Aarogya app which stands only 8 percent of the total population. So, with such a small proportionate user bring the accuracy and reliability of the application in question.

Conclusion

Like several countries, India’s step of developing a contact tracing application is a praiseworthy step indeed as it well helps in discovering the hotspots areas in such a large population. But, the inadequacies over the forceful implementation of this application and the unaddressed privacy issues brings this application standing unsafe to use. An article on BuzzFeed News claimed a Bangalore based software engineer Joy to overpass the registration page of the application by hacking the application. The Government agencies have always been refuting such claims by stating the application is safe for the users. The loosen privacy policy of the application and the blanket liability of the government regarding any kind of data breach leaves the application usage decision over the self-conscience of the user.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: