By Smriti Parsheera, Nikhil Narendran, Swati Muthukumar and Aparajita Lath[1]
Aarogya Setu, which translates to mean ‘health bridge’, is a mobile application that was launched by the Indian government in April, 2020. The purpose of the app is to carry out self assessment of one’s health status, contact tracing and provide health related information. The smartphone version of the app relies on the use of Bluetooth and GPS location data for the purposes of contact tracing. By mid July, over 127 million Android and iOS users had downloaded the app, which made it the most downloaded government-endorsed contact tracing app in the world.[2] In addition, a KaiOS version for users of the low-cost JioPhone and an Interactive Voice Response System (IVRS) mechanism for landline and feature phone users have also been developed.
At the time of installation, a person shares their phone number, name, age, sex, profession and travel history with the app. Sensitive data relating to one’s health status and preexisting conditions may also be shared during the self-assessment process. In addition, the contact tracing function requires continuous access to bluetooth and location permissions. This is used to capture the identity of any other devices that come into close proximity with the user’s phone. If any such person later tests positive for COVID-19, the data will be transmitted to a central server, which will then inform the user of their risk of an infection. In addition, the contacts and location data collected by Aarogya Setu are also being used to identify potential hotspot areas for targeted policy interventions.
Ever since its release in early April, Aarogya Setu has been mired in several controversies. Questions have been raised about the transparency of the app’s code and development process; its mandatory application, in certain contexts; and the implications for user privacy. Some of these concerns have, at least partially, been addressed since then, while many still remain unanswered.
Absence of a statutory framework
The Aarogya Setu app bears significant implications for users’ right to privacy, which was declared to be a fundamental right by the Supreme Court of India in August 2017.[3] This decision paved the way for the introduction of the Personal Data Protection Bill, 2019, which is currently pending before the Parliament. However, until this new law is put in place, individuals in India do not have the benefit of any statutory protections against data protection violations by state agencies.[4] These concerns are only compounded by the fact that the Aarogya Setu app does not have any legal backing of its own.
Much of the pandemic response in India has drawn its basis from the broad powers contained in the Disaster Management Act, 2005 (DMA), and the Epidemic Diseases Act, 1897. These legislations do not contain any specific provisions relating to the use or protection of personal data. Criticisms about the data protection risks posed by Aarogya Setu eventually led an Empowered Group constituted by the government to release a Data Access and Knowledge Sharing Protocol, 2020.
The Protocol clarifies that the data collected by Aarogya Setu can be used (i) to directly formulate or implement a health response, (ii) to assist in the formulation of critical health responses, or (iii) for research purposes. As the app strives to achieve multiple purposes, such as aiding both users and government authorities in responding to the COVID‑19 situation, it becomes difficult to determine whether the data collected is necessary and limited to each purpose.
The Protocol also lays down certain other basic principles for the collection and processing of the data. This includes requirements of fair, transparent and non-discriminatory processing and a specified period of storage of the data. However, one must bear in mind that the Protocol itself does not have any specific legislative basis and can be modified at any point by the Empowered Group that notified it. Further, the manner in which compliance with the Protocol is being monitored and the likelihood of action being taken against any government agency for its breach also remains questionable.
Mandatory versus voluntary adoption
In the first few weeks after its launch, there was a significant policy push towards the mandatory adoption of Aarogya Setu. This included a notification from the Ministry of Home Affairs that use of the app would be mandatory for all employees, both in the private and public sector, and that it would be the employer’s duty to ensure full compliance. Following a significant push back, this was subsequently diluted to state that adoption by employees would be on a ‘best effort basis’.
Despite this change in position, the use of the app still remains mandatory or ‘quasi-mandatory’ in several contexts. For instance, many delivery-based services have made the use of the app mandatory for their personnel. Certain State Governments require its use as a precondition for seeking travel permissions. Air travellers are also required to either have Aarogya Setu installed or submit an alternate self declaration form. Any sort of forced use of the app negatively impacts human agency and autonomy, with corresponding implications for the right to privacy.
Transparency around the app
At the time of its launch, the government announced that the Aarogya Setu app had been developed using a public-private partnership model. There was no opportunity for broader public consultations in this process. In the initial period, even the details of the private individuals and organisations that had assisted the government in this initiative were not known. This information was subsequently released at the time when the client-side code of the app (for Android only) was put out in the public domain.[5] At around the same time, the government also launched a bug bounty program to encourage improvements to the code and revised its terms of service to remove a restriction on reverse engineering of the code. All of this happened almost two months after the launch of the app.
These changes were prompted by pressure from citizens, researchers and civil society groups against the lack of transparency around the development and functioning of the app. And while these are all positive moves, one cannot fully assess the system’s architecture and application unless the app’s server side code is also released in the public domain. The government had announced in May that this would soon be done, along with release of the iOS code, which ultimately happened in August. However, the server-side code forAndroid and iOS has not yet been released.
Pending such a move, several researchers have pointed to flaws in the design of Aarogya Setu, which have then been rebutted or dismissed by the government. Complete openness in the app’s code, therefore, becomes necessary to facilitate independent audits into the functioning of the app. This would include an assessment of whether the data collected by the app is indeed being processed and secured in the manner indicated by the government.
Accountability for the app’s outcomes
Limitations of bluetooth technology for contact tracing purposes, particularly the possibility of false negatives and positives, also give rise to accountability concerns. The app’s terms of use state that the government will make best efforts to ensure that the solution performs as described. However, it also states that the government will not be liable for (i) the failure of the app to accurately identify persons who have tested positive to COVID‑19; (ii) the accuracy of the information provided by the app, as to whether the persons one may have come into contact with have in fact been infected by COVID‑19. This impacts the extent of responsibility and control that may be expected from the developers of the app.
All of these concerns have led to suggestions that even if a new legislation was not feasible, the government should have at least used the ordinance route to create a specific legal framework for Aarogya Setu.[6] The Constitution of India allows the President to promulgate an ordinance, which essentially has the status of a temporary law, at a time when the Parliament is not in session. This suggestion gains particular relevance in light of the very real threat that the Aarogya Setu app could subsequently be repurposed for other uses. One such possibility that has been mentioned is that of using this data for the creation of the National Health Stack, which is a proposed system for management of personal health records.[7]
Finally, it is important to note that although Aarogya Setu happens to be the most significant of the various technological interventions adopted in India in the COVID-19 context, it is certainly not the only one. A survey by the Center for Internet and Society of seventeen COVID-19 related apps launched by various state governments found that many of the apps did not comply with data minimisation principles, specify security measures, or address the deletion of the data.[8] In fact, three of the apps did not even have a privacy policy while eleven relied on the general privacy policy of the developer or the state government.
In the absence of a robust data protection framework, the ordinance referred to above is, therefore, necessary not only to govern Aarogya Setu but also every other tech solution that involves the use of personal data to deal with the pandemic.
[1] Smriti Parsheera is a Fellow with the CyberBRICS Project. Nikhil Narendran is a Partner and Aparajita Lath and Swati Muthukumar are Associates at Trilegal, India. This chapter builds on the impact assessment of the Aarogya Setu app published by the authors in Technology governance in a time of crisis: COVID-19 related decision support, Human Technology Foundation, https://www.itechlaw.org/sites/default/files/Final%20Report_ENGLISH.pdf.
[2] Stephanie Chan, COVID-19 Contact Tracing Apps Reach 9% Adoption In Most Populous Countries, Sensor Tower, 14 July 2020, https://sensortower.com/blog/contact-tracing-app-adoption
[3] Justice K.S Puttaswamy (Retd.) v. Union of India and others, (2017) 10 SCC 1. The judgment made it clear that any interference in this right by the state can only be done in a manner that is fair, just and reasonable.
[4] The current data protection related provisions contained under the Information Technology Act, 2000 apply only to body corporates.
[5] https://github.com/nic-delhi/AarogyaSetu_Android
[6] Vrinda Bhandari and Faiza Rahman, Constitutionalism During a Crisis: The Case of Aarogya Setu, LEAP Blog, May 25, 2020, https://blog.theleapjournal.org/2020/05/constitutionalism-during-crisis-case-of.html.
[7] Shashidhar K.J., Aarogya Setu App and its many conflicts, Observer Research Foundation, Jun 06 2020, https://www.orfonline.org/expert-speak/aarogya-setu-app-many-conflicts-67442/.
[8] Pallavi Bedi and Amber Sinha, A Survey of Covid 19 Apps Launched by State Governments in India, Center for Internet and Scociety, https://cis-india.org/internet-governance/stategovtcovidapps-pdf.