Increasing data privacy concerns over Aarogya Setu app

Governments need to be transparent on data ownership and usage


October 30, 2020

New Delhi

Aarogya Setu: World's biggest data privacy invasion?

Fresh controversy over the Aarogya Setu app signals the continued risks over data privacy and the need for the government to be transparent in its statements and dealings.

Claimed to be the world’s most downloaded contact tracing app, Aarogya Setu found itself in the eye of a storm again when the Central Information Commission (CIC) asked the National Informatics Centre (NIC) for some specific details on the app and the NIC said it had no information about who had created the app.

The CIC had enquired about the status of the app after it received a complaint from a Right to Information (RTI) activist, who said that several government departments, including the Ministry of Electronics and Information Technology (MeitY), the National E-Governance Division (NeGD) and the NIC, had failed to provide information about the process of creation of the Aarogya Setu app, with the app developer NIC saying that it did not hold the information related to the creation of the app, which has been downloaded by more than 165 million persons around the country. What made the whole incident even more incredible was that when the Central Public Information Officers (CPIOs) of the three organisations were asked why they did not have any information about the creation of the Aarogya Setu app when the website was created with a domain name, none of them was able to explain who created the app.

Outraged, the CIC ordered immediate information on the matter in a hard-hitting notice to the three organisations. “The Commission directs the CPIO, NIC to explain this matter in writing as to how the website was created with the domain name if they do not have any information about it,” Information Commissioner Vanaja N Sarna, the most senior official in CIC, ordered. The CIC asked the CPIOs to appear before it on November 24 and to justify why action should not be initiated against them under Section 20 of the RTI Act.

The news created a huge buzz in the media as well as on social media, with information and privacy activists saying that the episode was proof of their repeated warnings about the real danger of data abuse by the app. The app was launched over six months ago amidst much ado by Prime Minister Narendra Modi and hailed as a necessary shield against the Covid-19 pandemic, with effective contact tracing seen as important for curbing the spread of the coronavirus. The app is meant to alert users if they have come in contact with a Covid-19 positive patient, and to the measures they need to take in case that happens.

Soon after the launch, the government made the app mandatory for practically everything that a citizen may need to step out for, including even consultations with doctors and hospital admissions for any reason, even if not related to the pandemic. The decision to make it mandatory came in for sharp criticism from privacy advocates. The government had asked companies to make it mandatory for their staff to download and use the app, and soon after the launch on April 2, companies like Swiggy, Zomato, Urban Company and Grofers had made it compulsory for their staff to use the app, while Amazon and Flipkart recommended it to their workers. In May, the central government had made the app mandatory for all residents living in an identified COVID-19 containment zone and all employees in the public and the private sector. Also, the Uttar Pradesh police said people travelling to and from Noida and Greater Noida, near New Delhi, could be prosecuted if they did not have the app installed and in use on their smartphones.

The app was also made mandatory for all travel, during the lockdown and even after the first phase of lockdown ended and domestic air travel resumed on May 25, after a two-month break. Having the app on their smartphone was also made a necessary condition for all Indian citizens who were brought back to India from overseas on all the flights operated under the ‘Vande Bharat Mission’.

Even though during the hearing of a petition against the app in the Karnataka High Court, the central government had admitted that the app was not mandatory and its use was voluntary, most government departments continued to insist on the app and many private sector players, afraid of falling foul of the government, insisted that the customers and their staff use the app.

Former Supreme Court Judge BN Srikrishna, who chaired the committee which came out with the first draft of the Personal Data Protection Bill currently pending in the Indian Parliament, was quoted by the media as saying that making the app mandatory was ‘utterly illegal’. Overseas, the Covid Tracing Tracker of MIT Technology Review said that India was the only democracy in the world to make the coronavirus tracking app mandatory.

The app was made mandatory even though none of the legal formalities that had to precede any such action had been followed. Vrinda Bhandari of the Internet Freedom Foundation, which promotes freedom of expression and is against all curbs on the internet, said that making Aarogya Setu mandatory would need to be done “under the authority of law, and will have to satisfy the necessity and proportionality test for the violation of privacy – this will look, for instance, what is the data being collected, how long is it stored for, what are the deletion protocols in place.”

It wasn’t enough to mandate its use under the Disaster Management Act; there needed to exist a law that authorised the app’s use. “Any such law has to be specific and explicit with respect to the rights that it seeks to infringe, the bases of infringement, the procedural safeguards that it establishes, and so on,” another privacy advocate, lawyer and legal scholar Gautam Bhatia was quoted as saying. “If the state is going to mandate an intrusive, data-collecting app upon its citizens, then the least that ought to be done is that it be authorised by the citizens’ elected representatives, in parliament,” he had added.

“Critically, India lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform. In domains like disaster relief most apps which are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement,” the Internet Freedom Foundation had said.

Aarogya Setu uses the phone’s Bluetooth and GPS to track the user’s movement, making it more invasive than other such apps. The app was also allowed to collect demographic, contact, self-assessment and location data of persons infected by the coronavirus or those who come in contact with the infected person. In comparison with other tracking apps that collect just one data point, which is later replaced with a scrubbed device identifier, Aarogya Setu collects multiple data points for personal and sensitive personal information, which increases privacy risks.

This led to heightened concerns about data privacy and the need to prevent any misuse of such data by storing it and handling it with the greatest care and under secure conditions.

Against this background, the response by the three stakeholders of Aarogya Setu disclaiming any information about the creation and control of the app is even more surprising, even shocking. Even though in many places the app is no longer really mandatory and few institutions ask for it, notably for travelling, the app remains installed and active on over 160 million smartphones. In the past six months, it must have collected thousands, if not millions, of data points about each user, making it one of the biggest repositories of human data in the world, a real treasure trove for a wide range of scrupulous and unscrupulous organisations, companies and individuals.

With India already figuring high on the global list of cybercrime and data piracy victims, any institution – government or private – has a huge responsibility towards Indian society not only to be sure that it has secured the data and to assure the country that it will not use or abuse the data, nor allow a third party access to it, but also to be transparent about the way the data points are stored and handled.

In view of the latest fracas, this aspect has definitely taken a huge beating and the government needs to do much more than simply issue a face-saving statement like it did once the controversy over the CIC order broke in the public domain.

All that the government could say was that the app had been ‘developed by the Government of India in collaboration with private enterprises’ and that the app had helped strengthen the country’s fight against the novel coronavirus outbreak. “The names of all those associated with the development of the App and management of the App ecosystem at various stages were shared when the code was released in Open/Public Domain and the same was shared widely in media also,” MeitY said in the statement. “On all such occasions, it has been clearly mentioned that the Aarogya Setu App has been developed by the NIC in collaboration with volunteers from Industry and Academia,” it further added.

Despite the government announcing that the source code is public, renowned ethical hacker Elliot Alderson, who has been following up on various controversies around Aarogya Setu, said that the app is still not open source.

However, a visit to the GitHub site that has the contributor page of Aarogya Setu app just displays names of people under various sections, without any details about their credentials or the role played by them. This is hardly the level of transparency or honesty needed when the government is handling extremely sensitive and private data of hundreds of millions of Indians. Display of some sensitivity here may indeed be welcomed by the citizens and privacy activists.


