Aarogya Setu Privacy Issues. Are they real? Or just imaginary?

There have been many controversies associated with the Aarogya Setu application ever since its launch in April. The application collects personal data of millions of people, so concerns must arise. Issues like hacking of database have also taken the center stage at times, only to be rebutted by security professionals and experts. So from a legal perspective, are the Aarogya Setu App Privacy Issues real, or just imaginary?

The procedure must be just, fair, and reasonable.” 

But what if there is no procedure? 

Brief Summary

No fundamental right is absolute. There are always reasonable restrictions. In the case of Aarogya Setu, the government definitely has compelling public interest. Further, the government also possesses the capability to preserve the anonymity of the individual to legitimately assert a state intervention into the privacy of an individual. Privacy and anonymity prevent others from gaining access to pieces of personal information- privacy involves hiding information whereas anonymity involves hiding what makes it personal. If the state preserves the anonymity of the individual, it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available to it. 

The procedure, like ensuring anonymity, must be an established one, protecting against arbitrary action. The ‘Empowered Committee 9’, whose existence is in question, makes the procedure with regard to collection, processing sharing, and disposal of data acquired through the Aarogya Setu Application. The data sharing knowledge protocol, laid down by the Empowered Committee, leaves too much at the discretion of NIC. There are also several issues which the privacy policy does not discuss.

Until recently, the application was in the news for being mandatory. The Minister of Law and Justice even claimed that millions of people have downloaded the app showing reposing their faith in the government. But would millions of people not download it if the government openly says that not downloading it would be a criminal offence resulting into imprisonment? Although, this requirement for outgoing people was relaxed through the MoH order dated 17.05.2020, several issues regarding the procedure of data collection, its processing, storage, and disposal remain unanswered. Therefore, despite the force of compelling circumstances, the government must protect the data of its citizens, make the privacy policy sufficiently lucid, and take steps to improve and earn the trust of the public with regard to the Aarogya Setu privacy issues. For whenever the people are well-informed, they can be trusted with their own government.

Dealing with coronavirus 

On 11^th March 2020, the Director-General of the WHO declared the highly communicable coronavirus, a pandemic. Many countries soon went into total lock down, including India, in an attempt to contain the spread. However, managing a huge population and contact tracing, especially in megacities, is not an easy task. To keep the essential services, supply chain management, and the administration functioning and at the same time containing clusters of infections, the government came up with ‘Aarogya Setu’. The idea behind the application is tracking the contacts of an infected host, catering to people who assess themselves as ‘unwell’ and advising a person to quarantine if he comes in contact with an infected person.  But more than the positive effects of the application, Aarogya Setu privacy issues have occupied people’s attention.

Aarogya Setu Application 

The application became the highest downloaded app in the world shortly after launch. 50 million users downloaded the app within 13 days of its launch- fastest to reach the feat while it was not mandatory. But many privacy activists denounced the app as “a tool of mass surveillance”. On 01.05.2020, the government made the app mandatory for people employed in public and private sector; and everyone residing in the red zone areas.  At the time of writing, 11.05.2020, the Govt. Of India notified the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’. The new protocol builds upon the previous privacy policy and clarifies certain issues. In this article, we would try to address three concerns: 

1. What are the present rules controlling the collection of data by the Government? 
2. Is information privacy even important for a common man? 
3. Is Aarogya Setu application intruding upon your privacy? 

How does Aarogya setu work? 

The application is a ‘contact tracking’ application. It figures out if one person has come in close contact with another person by using Bluetooth and GPS. The application requires its users to set the location and Bluetooth of their devices to always on so that if two persons come in proximity, their Bluetooth signals can communicate and make a log of their contact. This log contains a DiD (Digital Identity), GPS location, and timestamp. The location data is collected every 15 minutes and the log of this information remains stored on the mobile device of both the users. 

Data belonging to a person is uploaded to the NIC server if a person is tested positive. The application also provides an option for ‘self-assessment’ test which analyses the symptoms mentioned by the users and tells the probability of infection. User data is also uploaded if a person assesses himself as ‘symptomatic’. Through the collected data from other users, the application shows a ‘dashboard’ which displays the number of users who have tested positive, or are unwell, or are completely healthy. This information is displayed based on the location of the user, and covers users within 500m to 10kms of area. 

Other than the end user services, the application also allows the government to aggregate datasets, generate reports, heat maps, and other statistical visualizations for the purpose of management of COVID-19. The government may also contact an infected person using the data collected through Aarogya Setu. 

What data does it collect? 

 During logging in to the application for the first time, the user is asked for these details: 

1. name, 

2. phone number, 

3. Age, 

4. sex, 

5. profession, 

6. countries visited in last 30 days. 

The app also collects location data and uploads it on the server at the time of registration. 

All of the collected data during registration is hashed with a unique DiD. After hashing, the application encrypts the data and uploads it on the server. The DiD then becomes the identity of the user and the server information is identified with this DiD.  Subsequent to registration location data is collected every 15 minutes, which is stored locally and uploaded to the server in case the user contacts with an infected person. 

What does the IT Act say on protecting your data? 

The Information Technology Act, 2000, is silent on the subject of data protection vis a vis data collection by the government. The IT Act protects against breach of privacy, but only with respect to the powers conferred under the IT Act, rules, or regulations. The IT Act confers no power to collect sensitive personal data of citizens, and hence cannot protect against a breach of privacy in this case. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, impose a duty to protect personal data of users only on the body corporates and persons located in India but the government. It is silent on how government may take collect or secure data.  Thus, the IT Act cannot be referred to if one needs to dig out the Aarogya Setu privacy issues.

Should you even care about your privacy? 

1. What is the objective of guaranteeing privacy of an individual? 

Privacy is the condition or state of being free from public attention. It can also be referred to as ‘the right to be let alone’. The constitution guarantees every individual to perform his actions in private, without being observed or spied upon. In the context of informational privacy, the right to privacy deals with a person’s mind. It allows the person to control over the dissemination of material that is personal to him. Unauthorized use of such information may lead to an infringement of the right to privacy. 

To sum up, privacy safeguards individual autonomy so that an individual is able to control vital aspects of his life. 

2. Why your privacy extends online? 

Every visit to the internet leaves electronic tracks, knowingly, consensually, as well as unknowingly. These electronic tracks are the information which reveal the interests and personality of a person. 

In short, if a state is able to profile its citizens using the electronic tracks, there is an apprehension of discrimination based on religion, ethnicity, and case. But this profiling can also be used to further public interest or national security. In this environment, the growth of an individual is indeed going to be inhibited. 

So, if privacy is so important, is Aarogya Setu infringing upon your privacy? 

The IT Act, 2000, is silent on the subject. The Personal Data Protection Act is yet to be enacted. So, the only recourse left to scrutinize Aarogya Setu privacy issues, is the constitution, which also happens to be the toughest test to pass. This brings us to Article 21 of the constitution, through which the fundamental right to privacy flows. 

Article 21- “Protection of life and personal liberty. No person shall be deprived of his life or personal liberty except according to procedure established by law”. 

Now as per the constitution, the state has an obligation to take all necessary measures to protect the privacy of its subjects. However, the state can also intrude upon the privacy if state interests warrant so. 

Now two propositions come out clear from Article 21. First, there must be a law to curtail privacy. Second, there must be a procedure in place to curtail privacy. We would discuss the legal part with respect to the Disaster Management Act, 2005. The procedural aspects would be dealt as per the privacy policy of the application, for a specific reason which has been addressed below. 

The first requirement- Is the app legitimate? 

It depends. 

1. Is the application backed by any law? 

“The balance between data regulation and individual privacy raises complex issues requiring delicate balances to be drawn between the legitimate concerns of the state on one hand and individual interest in the protection of privacy on the other.” 

When the government interferes with the privacy of a person, it must do so using a law in existence, to justify an encroachment on privacy as express requirement of Article 21. In the case of a disaster, the Disaster Management Act (DMA) empowers the Central Government to plan for effective mitigation of disasters, monitoring with various departments and agencies, as well as evaluate the preparedness to deal with a disaster at all government levels.  

Given the nature of the DMA, one may argue that the Act cannot be supposed to have a clearly defined what the government may do and may not do to mitigate a disaster. But, the least the government could do was to put out a notification telling people about the legality of Aarogya Setu or even better, an ordinance perhaps. The government has published dozens of notifications, guidelines, circulars on multiple websites, and issued multiple press releases. Apparently, no notification or circulars are available on the portals of Ministry of Health and Family Welfare (MoH&FW), Ministry of Home Affairs (MoH), National Informatics Centre (NIC), National Disaster Management Authority (NDMA), or even the Integrated Disease Surveillance Program (IDSP), regarding Aarogya Setu. 

Interestingly, in its ‘New Guidelines on the measures to be taken by Ministries/ Departments of GoI…’, dated 01.01.2020, the guideline number 3 (iii) says, “Intensive surveillance mechanism as outlined in the Standard Operating Protocol (SOP) issued by MoHFW is to be estimated within the Containment Zone.” The order also mandates 100% coverage of Aarogya Setu application in the containment zones. However, to one’s utter surprise, the SoP issued by the MoHFW does not mention ‘Aarogya Setu’ for even once. IDSP doesn’t even enlist the SARS_COVID-19 as a disease under surveillance. 

Does that inspire any confidence in you about the government? Maybe the next point would. 

2. What is the ‘Empowered Group 9 on Technology and Data Management’? Can it make rules and policies regarding data collected through Aarogya Setu? 

The DMA provides for a National Authority. The National Authority then appoints a National Executive Council (NEC). The NEC then assists the National Authority in mitigating disasters. The NEC’s purpose, generally, is ‘implementing the policies and plans of the National Authority to ensure compliance of directions…’. The NEC may prepare the ‘National Plan’ to be approved by the National Authority, as per Section 10 (2) (b) of the DMA. The NEC may also give directions to Ministries or Departments of agencies (e.g. NIC). 

But where did the ‘Empowered Committee’ come from? The MHA Order dated 29.03.2020 mentions that the NEC hereby constitutes ‘Empowered Groups of Officers’ as per section 10(2)(h) and (i) of the DMA. But do such powers exist under these sections? NO! The NEC has powers to constitute sub-committees under Section 9. These sub committees can discharge the functions of the NEC. But Empowered Committee? The DMA is unfortunately silent about them. 

The issue gains more importance since the Empowered Group 9 has become the authority laying down the privacy policy of Aarogya Setu, and the manner in which the whole infrastructure supporting Aarogya Setu functions. 

The second requirement- Is the procedure just, fair, and reasonable? 

The procedural part postulates that even if the state intervenes to advance state interests, it must nevertheless put into place a robust regime that ensures the following: 

• Legitimacy: There must be a law in existence to justify an encroachment upon the right to privacy. No person can be deprived of his life or personal liberty except in accordance with the procedure established by law. (Already discussed, refer to ‘is the app legitimate?’) 

• Need: There must be a legitimate state aim, meeting the reasonable threshold as per Article 14. 

• Proportionality: The law must lay down procedures which are proportional to achieve the object of the law. 

• Procedural Safeguards: There must be procedural safeguards against abuse of state interference. 

Now coming back to the reason which forces us to test the privacy policy with regard to the procedural requirements. ‘Empowered Committee 9’, as already discussed, is the agency overlooking the collection and processing of data. The committee has issued ‘Notification of the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’, (protocol) through a notification dated 11.05.2020. The protocol has been issued ‘in order to ensure secure collection of data by the Aarogya Setu mobile application, protection of personal data of individuals, and the efficient use and sharing of personal or non-personal data for mitigation and redressal of the COVID-19 pandemic…’ Imperatively, this protocol is the guiding light for the privacy policy of the application and therefore, the privacy policy of the application would be tested against the mandate of Article 21. 

1. Is the application needed for serving a legitimate aim? 

The Principle 

The answer to this question must be given in affirmative. There is no denying that given the highly contagious nature of the coronavirus, it would be criminal to not trace infected persons and quarantine them. It is indeed a matter of compelling state interest. A neglect in restricting the outbreak is bound to have serious repercussions, especially in areas where the population density is skyrocketing. However, just saying that yes, it is indeed required in a given circumstance, does not absolve the state of its obligation to intrude into privacy of people only according to the procedure established by law. So, the crucial aspect of legitimate aim could be balanced through ‘purpose limitation’. 

Privacy Policy of Aarogya Setu 

On the issue of purpose limitation, the privacy policy specifically mentions that the personal data collected by the Aarogya Setu would be used for two purposes. Firstly, for generating reports, heat maps and other statistical visualizations for the purpose of managing COVID-19. Secondly, to provide general notifications to the users as required. It also says the data collected will not be used for any other purpose. 

To ensure that the data is not exploited for any other purpose, the policy also establishes limitation on the time period of data storage on the user devices and servers. The data on mobile would be deleted on the 30th day from the date of collection. The data sent to server will be removed on 45th day from the day of the upload to the server. If someone founds to be positive with coronavirus, his data will be deleted on 60th day from the day of his discharge. The data collected from registration will be deleted on the 30th day from the date of deletion.  

Issue 

Recently, the Aarogya Setu application has inserted additional facilities such as e-pass, which exceed the purpose for which data was initially collected. 

2. Is the data being collected proportional to the objective to be achieved? 

The Principle 

The collection of personal data must not exceed from the threshold of what is necessary to achieve the legitimate aim. Any excess data accumulated would frustrate the principle of proportionality. 

Privacy Policy of Aarogya Setu 

The privacy policy of the application does not explicitly talk about proportionality of collected personal data. However, the protocol does talk about it and lays down that the collected personal data should must be necessary and proportionate to formulate or implement appropriate health responses. 

Issue 

The application asks for name, sex, age, phone, profession, travel history of last 30 days and location of the user. Given the principle of proportionality, the application shall gather only required information. First of all, neither the privacy policy nor the protocol sheds light on the reason for asking these classes of data. Secondly, the relevance of ‘profession’ is unestablished. Further, the principle of proportionality recommends the usage of classes instead of exact details. 

e.g. Australia’s contact tracking application asks for age range. Rather than the exact age of an individual.

3. Procedural Safeguards         

Is the integrity and confidentiality of data being maintained? 

The Principle 

Integrity and confidentiality of data ensure security and secrecy of data from any third party.  

Privacy Policy 

To achieve this purpose, Aarogya Setu hashes the personal data collected at the time of registration as soon as it is uploaded to the server. The privacy policy further claims that the data collected and uploaded to the server at the time of registration, will only be used by the Government of India, in anonymised and aggregated data sets. 

Issue 

Despite the claim of anonymization, it does not mean that the government cannot de-anonymise the data. The reason for this is that the government also claims that at any stage, they can identify a person using their DiD. The fact that the government would be able to re-identify a person means that they are maintaining more than one data sets, one for identification of a person as and when required and another for statistical purposes. Moreover, the data protocol allows sharing of de-anonymised as well as the personal data with all the stakeholders. The privacy policy does not disclose or explain anything about the ‘standard security feature’, e.g. which industry standard they are using, or the encryption that the application is using. 

Accountability 

The Principle 

To make any organization, collecting personal data (especially government organizations) process and handle such data with responsibility, respect to the data subject’s privacy, requires some legal obligation and accountability. 

The policy 

When the application was introduced, the government explicitly refused to take responsibility of data breaches but later in the updated privacy policy government changed its stance, to a certain extent. The government claims that, ‘we are committed to protecting the security of this information and safeguarding your privacy’. 

Issue 

Who will audit the Aarogya Setu database, the documentation, the sharing history, etc.? Also, who is responsible in case of a data leak, especially in cases when the data leak happens through any agency/ state government/ department the database was shared with? The privacy policy and the protocol are still silent about it.  

Fairness and transparency 

The Principle 

Fair collection of data means users must be aware of the fact that how their personal data is being processed, how is it being stored, who has access to the data and allows the users to make an informed choice.  

Privacy Policy 

The data is used by the Government of India and the data collected through the Aarogya Setu application is not available in the public domain. The privacy policy does not shed any light on how the data is shared between different departments, governments, agencies, etc. The details regarding this have only been clarified in the knowledge protocol. The protocol clarified that when the government will consider it strictly necessary to directly formulate or implement an appropriate health response, user’s personal data can be shared with states governments, local governments, NDMA, SDMAs, and other public health institutions of the government of India. 

Issue 

The government does not specify that what is the meaning of ‘strictly necessary’, ‘appropriate necessary health response’, and ‘critical health response’. Further, are the multiple agencies receiving and processing data are trained sufficiently to process the data while maintaining its integrity and confidentiality? The most critical issue is that the government specifies the working of Aarogya Setu within the guidelines of the protocol as well as the privacy policy. Only a few of the guidelines disclosed under the protocol find a mention in the privacy policy, which is the tool based upon which a user gives his consent to install the application. Therefore, it fails to provide optimum information to the user and bypasses the principle of fairness and transparency. 

But every other app has our data, they also do whatever they want, why should the government be questioned?

This article was co-authored with Adv. Rohit Ranjan Praveer.

---

Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.

You can also follow us on Instagram, Facebook, LinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.

Relevant Orders:

The Order constituting the empowered groups can be found here.

The Ministry of Health- SOP for Intensive Health Surveillance can be found here.

The Ministry of Health order dated 01.05.2020 can be found here.

Wondering if you should use Zoom or not? Check out our article!