Reading time: 8-10 minutes.
Amidst the unprecedented and chaotic pandemic in the country, concerns are being echoed about the usage and efficiency of a contact tracing app named ‘Arogya Setu’, an app designed to trace the spread of Covid-19. The questions that are raised about this app are centred around the right to privacy. Recently, multiple pleas were filed before the Kerala High court challenging the mandatory usage of the app by the public and private sector officegoers and citizens in the containment area. While the Centre denies the vulnerability of the app to data breach and privacy issues, it strongly affirms that the app has a robust framework of privacy policies. In pursuance of this agitation, many cyber activists have put forth their arguments against the app, challenging the inefficient policy framework and the lack of an underlined legal protection.
With the booming doubts and arguments between the Centre and the concerned privacy rights activists, citizens only wish for lucidity regarding the functioning of the app and the assurance of the protection of their private data. Justice B.N. Srikrishna in his latest views about the app expressed that the push for mandating the use of the app is “utterly illegal”. With no robust legislative framework to protect the personal data (as the Personal Data Protection Bill,2019 remains unattended), we are posed with the question of how to safely secure our private data, given the extraordinary circumstances at hand.
What is Arogya Setu?
It is essentially a contact tracing app that tracks our interactions with someone who could have tested positive for Covid-19 through a Bluetooth and Location generated the social graph and is developed by National Informatics Centre of the Indian Government. The app is a part of a service designed to enable registered users who have come in contact with other registered ones who have tested positive for Covid-19 to be notified, traced and necessitated. With the introduction of digital contact tracing apps in the pandemic-affected countries, here, the Indian government opted a similar scheme and conjured up a mobile application that helps in tracking the virus in the country. Previously, it was used under the name of ‘Corona Kavach’ app which was further upgraded and updated to the present form.
The app alerts you if you have come in close proximity of a person, even unknowingly tests Covid-19 positive. The alerts also bring forth instructions on how to self-isolate and on how to access help and support in case of development of symptoms. The Ministry of Electronics and IT estimated the downloads of this app to have crossed 100 million.
The app contains multiple sections which provide our status (regarding the proneness to the risk), a self-assessment test, Covid-19 updates, and an E-pass (if applied and made available). It also tells us how many COVID-19 positive cases are present in a radius of 500m, 1 km, 2 km, 5 km, and 10 km from the registered user.
What is right to privacy?
On the global level, this right is considered to be a fundamental human right recognized by international declarations like the UN Declaration of Human Rights, the International Covenant on Civil and Political Right and in numerous other treaties and conventions. This right co-exists with the elements of human dignity, security, and reserve. Considering this right’s significance, many countries have already recognised the right to privacy in their constitution. In a few countries like the United States, Ireland and India, the apex courts have implied that the right is found in other provisions of their respective constitutions.
The Constitution of India encompasses Right to Privacy under Article 21, which is a requisite of Right to life and personal liberty. The scope of this article is considered as multi-dimensional in our constitutional history. The very first instance of the debate about whether privacy is a fundamental right or not, was in the case of M.P. Sharma v. Satish Chandra [AIR 1954 SCR 1077] where it was held that the right to privacy will not be considered a fundamental right. The same was reiterated in the case of Kharak Singh v. State of Uttar Pradesh [AIR 1964(1) SCR 332]. But after about eleven years, another case before the Supreme Court, Gobind v. State of Madhya Pradesh [1975 (2) SCC 14], it was decided that the right to privacy is implicit in Article 21, bolstered by personal liberty.
A historic turn was taken in this right’s history, associated with the case of K.S Puttaswamy v. Union of India [2017 (10) SCC 1] in which, the judgement was passed by the apex court that right to privacy is a fundamental right and will not lose its significance/status amongst the Golden Trinity of Article 14 (Right to Equality), Article 19 (Right to Freedom) and Article 21 (Right to Life and Personal Liberty).
With the constant expansion of the digital world, the government has been vigilant and particular is securing the privacy of the data of its subjects. “Section 43 of The Information Technology Act, 2000 also includes Right to Privacy which makes unauthorized access into a computer resource as an offence.”Since this right is emerging as one of the most essential rights of this era, it is imperative for the governments to protect the rights of privacy as more and more personal data is being acquired by both governmental and non-governmental organisations for various purposes.
Arguments made against the app in the plea
- Lack of the technological specifications deployed for the Bluetooth technology, algorithms and artificial intelligence systems and no mentioning of the private parties involved in the development of the app. There was no legislative framework released before the launch of the app.
- The app says that it can calculate the risk of infection based on sophisticated parameters if any of the contacts of registered user tests positive for Covid-19. But it fails to provide us with the specificities of “sophisticated parameters” as technological systems of this kind are experimental.
- There is an insufficient demonstration of the privacy-first system that will protect the sensitive personal data of users through security and encryption.
- There was no inclusion of the public health officials in the committee constituted to bring into force the app.
- The order by the centre to require the public and private employees to download the app mandatorily is considered a clear violation of the right to privacy given the absence of any governing law, there is no clarity on the principles of collection limitation, use limitation and storage limitation (recognized in K.S Puttaswamy’s case).
- The time in which the app will remain operational is not listed.
- After the collection of sensitive data regarding the health, how the data is collected, stored, shared, processed is unclear. The manner of anonymisation, as well as the measures taken to protect informational privacy, has been left unascertained.
- The app falls short from a design and governance perspective. Its decision to collect GPS trails/location data is incompatible with generally accepted principles for data minimisation.
- There are no traces of transparency as the source code is not made available to the public.
- The European Commission’s toolbox for the use of technology and data to combat the pandemic provides that the processing of the personal data must be strictly limited for the mentioned purpose and ensure that the data is not used for any other purposes such as law enforcement or commercial purposes.
- There are concerns about the app producing inaccurate results because Bluetooth and GPS technology tend to lack accuracy for virus exposure. There will then be a huge possibility of false positives and false negatives.
- The legislative framework to back the Covid-19 relate surveillance, though not mandatory, should be required.
As discussed, the functionality and the framework of the Arogya setu App is being challenged because the app does not possess adequate legal policy framework and that the App’s firewall is developed in a public-private partnership, hence, raising doubts about the security of the data. Moreover, legal experts have also raised concerns about the aspects of liability in case a data breach occurs within the system.
“Despite serious concerns about the accuracy of COVID-19 surveillance apps, governments across the world have tried to leverage these apps to contain the spread of the virus. For the effective working of the app, India does not even have the level of smartphone and internet penetration required for such apps to even be theoretically effective. Since its launch, the Aarogya Setu app has been mired in controversy about its privacy and security practices. Bluetooth and GPS signals are not an accurate estimate of whether someone has been in close proximity (6 feet or less) with a COVID-19 infected person. This can lead to a high number of false positives and false negatives which end up causing more harm than good. For instance, Bluetooth signals cannot recognize physical barriers such as walls and floors which make virus transmission impossible, and therefore, they may misidentify individuals as COVID-19 positive and send the authorities on a wild goose chase. Similarly, since Bluetooth based apps cannot account for a surface to person transmission, they will also yield false negatives.”
But the government sternly denies any inefficiency or yielding of any negative effects. In the words of K. Vijayraghavan, Principal Scientific Advisor to the Government of India, “Since the disease spreads pre-symptomatically and asymptomatically there is a grave need to enable digital tracking system at least until the invention of a vaccine and there is no compromise of privacy.”
“The Aarogya Setu app anonymizes data by assigning each user a static device identifier. It must be noted that unlike other apps which issue new tokens to be used as a fresh ID after pre-specified time intervals, Aarogya Setu uses a static device identifier. This combined with the fact that Aarogya Setu collects several other data points including metadata makes the app vulnerable to an attack where users can identify other users who have been determined by the app -rightly or wrongly – as risk spreaders.”
The answer given to this could be that there is a kill switch system that purges the data from the user’s device in 30 days and deletes it from the server in 45 days if the individual is not at risk. In case of a person who is at risk, the data will be deleted after 60 days.
“In a recent development, Ministry of Electronics and Information Technology (MeitY) released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. It revealed the Government of India’s National Executive Committee (“NEC”) has constituted an Empowered Group on Technology and Data Management, which is looking at among other things the development and implementation of the Aarogya Setu. The Protocol is not a statute, and nor does it offer any legislative foundation for the Aarogya Setu Mobile Application. A troubling aspect in this regard is that Government authorities have said that there are no plans to create underlying legislation to hold the usage of the app accountable since the priority at present is to deal with the epidemic itself. The Protocol is drafted in a manner, which justifies the centralised collection of data through the new Aarogya Setu platform. It does this without any discussion about the choice of design, and why existing alternatives which exist through avenues like telecom operators, or for that matter anonymised mobility reports developed in an open-source format by researchers and organisations like Facebook/Google, are not enough.”
In the light of this current quagmire about all the privacy issues surrounding the Arogya Setu App, given the urgency of a digital system that helps in tracking the virus, it is of utmost importance to the public that their data is safe and secure. With an elaborate constitutional mechanism to preserve the rights of citizens, the present request for transparency and security must be met with. It would mean a failure on part of the constitutional machinery of the fundamental rights if this right of privacy is taken away from the individuals. Even though Arogya Setu has received a wider acceptance by the public, numerous concerns are also being raised about the usage and storage of this data. It is time for the government to be called for a deliberative clearance of all the existing doubts surrounding the app.
As the latest development in this issue of mandatory use of the app, on 17.05.2020, the installation of Arogya Setu has now been changed to “best effort basis” succeeding multiple pleas filed before the courts.
Author: Sri Abhigna Pillalamarri from Symbiosis Law School, Hyderabad.
Editor: Harinie.S from Symbiosis Law School Hyderabad.