This article is written by Mayank Bansal. In this article, the author discusses the nitty-gritty of the mobile app launched by the Government of India, Aarogya Setu in the time of this global pandemic.
When our Prime Minister addressed the nation and urged every citizen to install the Aarogya Setu App, my WhatsApp chat box was flooded with the links to install this app and even my telecom service provider has texted me thrice today in an urge to install this app. Therefore, this urgent move of the nation to install this app has made me curious to unpack the details of this app such as, how this app works and the level of security implemented by the government for respecting our privacy.
So, Let’s unpack everything about this app one by one.
What is Aarogya Setu App?
In the first week of April, the Ministry of Electronic and Information Technology launched its app “Aarogya Setu” which translates as ‘a bridge of health’ for both the android as well as the iOS platform. The app aims at providing its user a piece of information concerning whether they are prone to the pandemic which is currently spreading throughout the world by analysing the proximity of the app user to the Corona infected individual.
How does this App work?
This app works by gathering the user identity, tracking the Realtime movement of the user and continuously examining if the user of the app has come in the close proximity of any other user. For tracking the same it makes use of Bluetooth technology and GPS location. Further, this app has access to the Government of India database in which information regarding corona positive individuals is stored, through this access the AI of the app determines and notifies the app user whether they have come across any corona positive individual or not.
Data and Permission required for the Signup of the App
The above part of the paper clarifies the purpose and functionality of the app. Now in this part, let’s unbox the crucial aspects of this app, which is undoubtedly the privacy of the users. But before, heading further let me tell you what kind of your data and permissions is required for signing up on this app.
While registering an account, there is an “App Permission” pop up in the app, wherein there is an explicit acknowledgement of “sensitivity of permission” collected by the app. This acknowledgement specifically states, “the Government understands the nature and sensitivity of this topic and has taken strong measures to ensure that your data is not compromised.” Below this acknowledgement, the app discloses that it requires three permission to function, which are as follows:
- Device Location: this application by default “always” has access to the location of a device and recommends that this permission should not be changed by a user. However, the user has an option to change this setting.
- Bluetooth: Bluetooth is supposed to be used for monitoring device proximity with other Aarogya Setu installed devices. Again, the developer recommends that users always keep their device Bluetooth turned on.
- Data Sharing: It states that the data generated through the app shall only be shared with the Government of India. Further, it also clarifies that the app does not allow the disclosure of username and number to the public at large at any time.
After these permissions are granted, users are required to fill self-identification form, in which he is required to fill his sensitive and personal information such as:
- Phone number;
- Countries visited in the last 30 days;
- Whether or not you are a smoker.
Concerns with Aarogya Setu App
High Possibility of Inaccurate Results
As a matter of fact, every user would be willing to install this app with the intention to get notified if he has met with any corona positive user. But do you think, what could happen if the app provides an inaccurate or wrong result to a user? I believe that such a situation could create a lot of panic among the already anxious users. Especially, one could see the unnecessary people approaching for testing, with already scarce testing kits available in the country.
Clause 2 of the terms and conditions of the app require every user to always allow the app to have access to the Bluetooth and GPS service of their device. It further acknowledges, that in case a user denies access to these permissions, the app may lead to inaccurate or incomplete results. Further, this clause also forbade the users to share their device with anyone else, as such situations may lead to a risk of the user being wrongly identified as Corona positive by the app. Therefore, even though you have properly followed the T&C of the app, it is not necessary that people you contact with might also have followed the same properly, leading to the wrong result by the app.
Very Limited Liability of Government
Clause 6 and 7 of the terms and condition limits the liability of the government to a great extent. The conditions mentioned under this clause, immunes the government from any kind of liability, even which may arise due to an inaccurate result generated through the app or in case the app fails to generate a true corona positive case. In simple words, this clause acquits the government, in case of any kind of harm generated through the inaccuracy of the app.
Further, this clause also safeguards the government from any kind of liability arising in the event of “unauthorised access to the user information or modification thereof.” Considering the nature of the clause, one may assume that “Aarogya Setu” is a gimmick of the government to collect the personal data of the citizen, in the name of a pandemic spreading throughout the world. As these conditions indirectly enable the unaccountable compromise to our information privacy and security.
Lack of Reverse Engineering
There are cybersecurity researchers and ethical hackers in the country, who work in finding security loopholes in the system and applications. However, clause 3 of Terms and Condition, specifically prohibits the individuals from tampering and reverse engineering the application in any kind. Although, since the “Aarogya Setu” app is working with the sensitive information of the users. Therefore, the government should have opened the source codes of the app as the Singapore Government did with their similar app. So, security experts and app developers could check the level of security implemented in the app.
How is your Data Used?
there is no doubt that the “Aarogya Setu” app is working with a lot of our sensitive and personal information. Adding to this, the app is continuously collecting its user location data and is maintaining a record of the places where its users are coming in the contract with another user.
The personal information collected from you at the time of registration under Clause 1(a) above, will be stored on the Server and only be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required. Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.
One can find two issues in this clause. Firstly, the upper part of this clause states that the user information could be used by the government in creating aggregated datasets of “anonymized” data to generate reports, heat maps and other similar statistical visualisations for the purpose of COVID-19 management. However, unfortunately, the whole policy lacks the definition of term “anonymized” data, which make it nearly impossible to predict that how is the information collected by the user is stored by the government, as just by using a term “anonymize” one could not predict that the data of the user is stored by the government with the highest level of security.
Secondly, the later part of this clause (highlighted above) allows the Government to share the sensitive information stored on the servers in order to “carry out medical and administrative interventions necessary in relation to COVID-19 management.” This is a very broadly worded statement, which could allow the Government to share the sensitive information of a user with practically anyone they want (even with private individuals). Therefore, the Government must provide supporting texture to this clause. Otherwise, this opacity in the clause would empower the government to misuse the sensitive information of the user. A classic example of this could be seen through the launch of “Aadhaar” in India, we all remember the purpose behind launching the Aadhaar and the way it was later used in India.
Data Retained by the Government
Question of Proportionality
There is no doubt that the situation of India is completely different from other countries such as Singapore, where a good proportionality of individuals is having a smartphone. But in India still today, two-third of the population do not hold smartphones and are excluded from taking the benefit of the “Aarogya Setu” app. Interestingly, even the developer of the app in the initial phase of development have stated that at least 50% of the population must download this application to make it an effective solution in the country. But considering the Non-Smartphone population in India, it may be considered that the App might not get success in achieving its purpose.
Violation of Right to Privacy
Supreme Court in the year 2017, has passed a landmark judgment in the case of K.S Puttaswamy V. UOI, wherein the nine-judge bench of SC has recognized the Right to Privacy as an integral part of Fundamental Right to Life and Personal Liberty protected under Article 21 of the Indian Constitution. but still, until today India lacks a Personal Data Protection Law, which may help in limiting the collection and processing of any kind of our Personal Data. On the contrary, the Government is trying to maximise the data collection of personal information, at the cost of privacy rights of individuals.
On the other hand, since Europe is already having Data Protection Laws (GDPR). Therefore, Mr. Wiewiorowski, European Data Protection Supervisor, stated that they are in a process of developing an App for tracking Coronavirus for whole Europe by following a strict principle of “Data Protection by Design” where he specifically told that any measure implemented in their app that infringes upon privacy must be:
- Temporary and “not here to stay after the crisis”.
- Limited in purpose, to what is needed.
- Have restricted access to data, and know who has access.
- Have a purpose, or “know what we will do” with the raw data and its results.
Although Aarogya Setu App was launched by the Government in the first week of April. However, I was shocked to see that after our PM addressed the nation, in less than 24 hours around 40 million people have downloaded this app, without knowing the consequences of this app on their fundamental right to privacy.
Considering the situation of this Pandemic, I believe that people are forced towards choosing their survival, thereby leaving behind the fundamental Right to Privacy, but right now, they are not realizing the long-term effect of such decisions. I think during such a pandemic situation, the Government is the one, who shall respect the Fundamental Right of their Citizen. Unfortunately, I am afraid to say that the Indian Government has failed to respect the same.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: