Pic Credits- https://entrackr.com
AAROGYA SETU: A ROCKY ROAD TO RECOVERY?
The Functioning of the App
In order to comprehend the root cause of the issues related to user consent along with other privacy concerns pertaining to the mandatory installation of the Aarogya Setu App, it is highly essential to understand the functioning of the app. To put it simply, the Aarogya Setu App uses the user’s location data to determine people that have come in close proximity with any Covid-19 positive patient. Post download, the application requests for Bluetooth and Location access at all times. Upon the same being granted, the app requires the users to feed in certain basic personal information to build the users’ database. This personal information includes the age, gender, name, health status and the travel history of the users. Further, the users are required to go through a self-assessment test wherein they are asked about their current health status and whether they are showing any known symptoms of Covid-19. The app proposes to use the Bluetooth range as a proximity sensor within which the user can possibly be infected by another Covid-19 positive patient. When two or more smartphones with the app installed come in each other’s Bluetooth range, the app exchanges information. In such a scenario, if one of the users is positive, the other users in the Bluetooth range will be alerted about the possibility of being infected. These potential cases are further notified to the government for testing and necessary action.
Data Security Concerns and Apprehensions:
On the face of it, it seems to be a perfect contact tracing application with all that is required to effectively detect potential cases. However, cyber security and legal experts argue that there is plenty which is wrong and at risk here. While shedding some light on the glaring inconsistencies of the Aarogya Setu Application with the concepts of data protection, user consent and user privacy, let’s try and understand the data security concerns and apprehensions which have been raised by experts across the globe.
Going into the technical realm; firstly, the usage of a Centralized Approach as opposed to a Decentralized Approach with regard to user data storage, makes the user data more vulnerable to security breach. However, in order to appease the users, the Central government has given a feeble assurance to the users that the data of the users will remain in their respective devices and will only be uploaded to the central server in the event the user gets infected. Such hollow claims of the government remain unverified. Secondly, the use of a Static ID for the users instead of a Dynamic ID renders the app more vulnerable to data security breach. A Static ID is a fixed digital ID allotted to each user, whereas, a Dynamic ID is randomly generated through automation at regular intervals which in turn makes the App more secure and private in comparison to the static ID.
The concerns of cyber security experts and legal experts are intertwined. In addition to the technical concerns, inter alia, the issues raised by legal experts also focus on the disadvantageous terms of service and policies of the Aarogya Setu app. In addition, there is another vice attached to the Aarogya Setu App, which is the Absence of Accountability in case of any data security breach. The Government has capriciously inserted an absolute liability limitation clause into its service agreements and privacy policies. As discussed herein above, this essentially means that the users cannot hold the Government liable in the event of any user data security breach.
Furthermore, there exist serious apprehensions regarding the government’s claim of the user data being automatically deleted from its systems after a certain specified number of days. These concerns draw strength from the fact that the said claims of automated deletion of user data after a stipulated time are accompanied with apparently convenient exceptions which aid government discretion. The privacy policy of the App itself raises doubts about the objectives of the application, wherein it mentions that user data can be held longer for purposes “… for which the information may lawfully be used or is otherwise required under any other law for the time being in force.” This further gives rise to uncertainty and suspicion with regard to user data security and the intentions of the authorities with the user data being collected. Further, the absence of any concrete legislation pertaining to data security and protection renders the users of such applications remedy less and at-risk, lurking with nothing but apprehensions and suspicions with regard to their sensitive information.
Further, the government on 26.05.2020 has made public the source code of the app for Android device users. This has been done in order to provide instantaneous reassurance to the users with regard to user data security and safety, as is already being done by countries like Singapore and Australia. For the uninitiated, the Source Code of any digital application provides technical experts such as ethical hackers an opportunity to look for any loopholes or possible security breaches in the application and report the same to the developers of the application for the betterment of the application itself and in addition for the data security and protection of the users. However, this belated decision comes after the app being in existence for almost 2 months. The source code should have been made public at the time of the launch of the app itself.
The Aarogya Setu Application, if viewed in its entirety, violates the basic principles of data protection and security which, inter alia, include minimization, purpose limitation, transparency and accountability[1], especially in the absence of any legislation providing legal remedy to the users who might be the potential victims of either data breach or unauthorized access and abuse of their sensitive information either by the government itself or any other unscrupulous third party.
JUDICIAL INTERVENTION VIS-A-VIS THE AAROGYA SETU APPLICATION
It is pertinent to highlight the fact that certain individuals have sought judicial intervention through legal recourse to address the concerns pertaining to the mandatory imposition and operation of the Aarogya Setu App. In a petition filed before the Hon’ble Kerala High Court, Jackson Mathew v. Union of India, the petitioner being an employer, has raised a valid concern opposing the coercive action proposed to be taken against the employers in case their employees do not install the Aarogya Setu app as per the guidelines issued by the Central Government. The Hon’ble Kerala High Court while taking notice of the matter has posed certain questions to the Center asking, “How can an employer practically ensure the installation of the application in each of his employees’ phones?”, “How can one make the employer vicariously liable in such unusual times?” and lastly, it has agreed to the petitioner’s argument that it is practically difficult for the employers to ensure the installation of the application in the phones of their employees as many of them do not even possess smartphones. The petitioner further stated that “the mandatory imposition of Aarogya Setu on persons under threat of criminal prosecution making it a condition to the exercise of other basic rights and services, including a right to practice a profession or carry on an occupation, trade, and business amounts to an unconstitutional condition.”[2]
Further, the Internet Freedom Foundation (IFF), an advocacy group has also approached the Standing Committee on Information Technology, a parliamentary panel, against mandatory use of Aarogya Setu App and other contact-tracing Apps citing privacy concerns.[3] Lately, the government through the Ministry of Electronics and IT has attempted to respond to the unceasingly growing concerns pertaining to the imposition of the app with the release of a set of data access and knowledge protocols addressing the issues of data security and clarity with regard to the objective and intent of the app[4]. However, these protocols do not seem very promising to a majority of experts, given the experience we have had with major data security breaches like the Aadhaar data leak or the recent SBI customers’ information leak.
The apprehensions with regard to data security breaches in such applications seem to be so high that a few experts have gone to the extent of calling the Aarogya Setu App and its contemporaries, “Potential Surveillance tools in the hands of the governments or whomsoever, who is able to access the user data available on such applications.”[5]
CONCLUSION
“Digital freedom stops where that of users begins… Nowadays, digital evolution must no longer be offered to a customer in the trade-off between privacy and security. Privacy is not for sale, it’s a valuable asset to protect.”
― Stephane Nappo
In conclusion, the Aarogya Setu App remains a bridge under construction with new directives being issued by the MHA on a daily basis to cover up the lacunas coming to forefront and the slew of writ petitions challenging its legality.The launch of the Aarogya Setu app is definitely a welcome step but unaccountable official surveillance still remains a worry. The users must be given requisite reassurance with regard to the safety and security of their sensitive information, while providing a concrete legal redressal system in the event of any data security breach. In order to give the Indian users such reassurance and more control over their sensitive information through a strict consent mechanism, it is imperative upon the legislature to pass concrete data protection laws, at the earliest, such as the Personal Data Protection Bill 2019 (“PDPB”) which has been pending before the Indian Parliament since 2017. In addition, rather than coercive imposition and use of the application, user consent must be given due consideration. In the present world of digitisation and rapid influx of technological advances, access to data is no less than an access to a nuclear weapon if it falls into the wrong hands. One can argue at length regarding the merits and demerits of this suggestively potential tool of mass surveillance but the fact remains that the app is here to stay.
(This post has been authored by Damanjit Kaur and Shubham Sharma. Damanjit and Shubham are advocates practicing in the courts of Delhi )
References
-
CLARIN, Principles of Data Processing, European Research Infrastructure for Language Resources and Technology, available at: https://www.clarin.eu/content/principles-data-processing ↑
-
Megha Mandavia, New plea in Kerala HC against Aarogya Setu App, Economic Times; ET Bureau, available at: https://economictimes.indiatimes.com/news/politics-and-nation/new-plea-in-kerala-hc-against-aarogya-setu-app/articleshow/75676487.cms?from=mdr (May 11, 2020) ↑
-
IFF Approaches parliamentary panel against mandatory use of Aarogya Setu App, The New Indian Express, available at: https://www.newindianexpress.com/nation/2020
/may/09/iff-approaches-parliamentary-panel-against-mandatory-use-of-aarogya-setu-app-2141129.html (May 9, 2020) ↑ -
ET Bureau, MeitY notifies Aarogya Setu App data access rules, Economic Times, available at: https://economictimes.indiatimes.com/tech/ites/
meity-notifies-aarogya-setu-app-data-access-rules/articleshow/75686823.cms?from=mdr (May 12,2020) ↑ -
Manavi Kapur , The Aarogya Setu App endorsed by Modi to track Covid-19 cases could ramp up government surveillance, Scroll.in, available at: https://scroll.in/article/959364/the-aarogya-setu-app-endorsed-by-modi-to-track-covid-19-cases-could-ramp-up-government-surveillance (Apr.17, 2020) ↑