“Decoding” Aarogya Setu

Introduction

With the eruption of the Covid-19 pandemic, the physical world is at a standstill. Online platforms have taken a new course and are filling the lack of physical contact, and dependency on technology has increased immensely. To overcome this unprecedented outbreak, governments of all countries are taking effective measures. India has been ahead of the curve by announcing a country-wide lockdown before the virus started showing its ill effects. One of the steps taken by the Government was to introduce the Aarogya Setu App (Bridge to Healthcare) (hereinafter referred to as ASA). It aims at bringing the citizens of the country together to combat this fearful virus and, in parallel, to monitor contact tracing and declare effective steps accordingly. In all fairness, it is a great initiative by the government, but the privacy loopholes that the app is accountable for cannot be disregarded.

Aim and Objective

A huge population living very close to the poverty line is one of the many disadvantages that India has to juggle along with this widespread disease. International organisations like the World Health Organisation (WHO) have articulated four key pillars as the ‘backbone’ of effective response strategies, namely testing, isolation, tracing and treatment[1]. The ASA revolves around the third pillar of this response strategy, i.e. tracing.

Contact tracing basically means controlling the speed of spread. It is one of the most effective methods to break the vicious chain and identify the hotspots, which can ultimately lead to optimum usage of the limited health supplies.

The app is designed to monitor this contact tracing, for it is the most effective tool to prevent further spreading of the disease. Users self-assess whether they have any Covid-19 symptoms as declared by those who are already affected. The main feature of the app is that it alerts users if they come into the vicinity of an infected person, followed by the precautionary steps they need to undertake.

How does it work?

Once downloaded, the app guides the user through its aim and purpose and the information it will provide. The user needs to add their mobile phone number, name, age, gender, profession, travel history and known contact with an infected patient, if any. The terms of service[2] of the app declare that by accepting the terms for usage we agree to the usage of GPS and Bluetooth services, which can be turned on or off at the discretion of the user. The app requests access to the GPS and Bluetooth features so as to effectively monitor the location and contact traces of the user and ultimately notify him in case he comes within the radius of an infected person. This is achieved through data sharing between devices when they are in each other’s proximity.

For example, in case ‘x’ tests positive for COVID-19, the Government will inform all those users ‘x’ has come in contact with over the past 30 days, considering they have the risk of being infected and ultimately being carriers of the virus. Similarly, a person will also be notified if he was in the vicinity of another infected individual.

Privacy concerns

Michael Ryan, Executive Director of the World Health Organization’s Health Emergencies Programme, said:

“We do always have to have in the back of our minds, especially when it comes to collecting information on individual citizens or tracking their whereabouts or movements, that there are always very serious data protection implications.” [3]

Even before the app was built, there was a case in India wherein a state government had uploaded PDF files online with the names, house addresses and travel history of people ordered into COVID-19 quarantine[4]. This was a method of combating the pandemic at the cost of a major invasion of individual privacy. Similarly, the app also has several privacy loopholes. The biggest concern with the app is that it can go from being a mere contact tracing app to becoming a central source of information.

India suffers from the massive disadvantage of lacking a personal data protection framework. However, even in times of extremity like these, when government interventions restrict people’s privacy against the rule of law, the case KS Puttaswamy (Retd) and Anr v Union of India[5] holds substantial relevance. The case declares that the Right to Privacy shall extend to the privacy of personal data. The judgement declares that during times of epidemic or national health crisis, the data shall meet the “anonymity” principle. This means that in spite of not attracting the usual privacy concerns, the data needs to be handled in the same secure manner, and practices towards anonymisation shall not be compromised. Thus, the data needs to fulfil the criteria mentioned below:

  1. obtained through a legal regime,
  2. obtained for a necessary purpose,
  3. obtained in a manner where the restriction is proportionate, and
  4. protected by effective safeguards to prevent potential abuse of data[6]

The necessity and proportionality requirement mandates that the procurement of data must have a legitimate purpose, and that the data must be proportionate to the purpose for which it was collected. On entering the app, the user is asked to feed in personal details like mobile phone number, name, age, gender, profession, travel history and known contact with an infected patient. It is important to see that all the data collected holds value. In our case this amounts to too much information and acts against the necessity and proportionality principle of data collection, thus deviating from the primary purpose, which is situational awareness.

The app functions on multiple data points, i.e. GPS and Bluetooth. Arguably, GPS can provide higher accuracy; however, there is no point in tracking the location where the infection was spread weeks ago, for it doesn’t satisfy the purpose. Moreover, these data points are the reason for overtly compromising people’s privacy. Obtaining the location of an infected person at that very moment, so as to give him the necessary instructions, makes more sense. For that, the mere phone number and Bluetooth of the infected person shall suffice, and any detail which the app collects on top of that holds no value. The most concerning issue in collection through multiple data points is that this app, which is designed for health surveillance, can lead to mass surveillance.

Furthermore, the data collected is saved both on the device and on central servers. The Terms of Service[7] of the app establish that the time-stamped records of user contact will be deleted in 30 days, but anonymized and aggregated datasets will not. The vagueness of the Terms of Service means that the encrypted user data can last beyond the purpose of tracing the coronavirus and ultimately become raw material for mass surveillance by the Government. This conflicts with the purpose principle of data collection, which says that the data collected should be used only for the declared purpose for which it was collected, in our case contact tracing.

In ASA, neither the source code nor the technical specifications are public; only the privacy policy and terms of service are made public. This prevents any reverse engineering of the app, which would give information on any endpoints within the app and how the data is being used. It thereby also prevents ethical hackers and cybersecurity experts from testing the system and locating loopholes that could actually be fixed.

The app uses static device IDs that are vulnerable to sniffing attacks[8], which makes it easier for hackers to get at personal data, as the app keeps the device IDs constant: they are neither encrypted nor do they change over time. This makes it prone to the kind of mass hacking that India has always been experiencing.
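The difference between a static broadcast identifier and one that rotates, as an added example that is not the app's code or protocol and not from the original article. The derivation (HMAC over a 15-minute interval counter), the secret, the route and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

ROTATION_SECONDS = 15 * 60  # assumed rotation interval, not taken from any real app

def static_id(secret: bytes, now: int) -> str:
    # Weak pattern described above: the broadcast value never changes.
    return hashlib.sha256(secret).hexdigest()[:16]

def rotating_id(secret: bytes, now: int) -> str:
    # Hardened pattern: a keyed hash of the current time interval.
    interval = now // ROTATION_SECONDS
    mac = hmac.new(secret, interval.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]

def longest_trail(sightings):
    # sightings: (place, broadcast_id) pairs logged by passive receivers.
    # Returns the most places that a single broadcast value ties together.
    places = defaultdict(set)
    for place, bid in sightings:
        places[bid].add(place)
    return max(len(p) for p in places.values())

def exposure_matches(secret, start, end, heard_ids):
    # Contact matching: only a holder of the secret can regenerate the
    # IDs for a time window and compare them with what a phone heard.
    mine = {rotating_id(secret, t) for t in range(start, end, ROTATION_SECONDS)}
    return mine & set(heard_ids)

# Constructed sample: one device passing four receivers, one hour apart.
SECRET = b"constructed-demo-secret"
ROUTE = [("home", 0), ("metro", 3600), ("office", 7200), ("clinic", 10800)]

def simulate(id_fn):
    return [(place, id_fn(SECRET, t)) for place, t in ROUTE]

if __name__ == "__main__":
    print("static trail  :", longest_trail(simulate(static_id)))
    print("rotating trail:", longest_trail(simulate(rotating_id)))
    heard = [rotating_id(SECRET, 7200), "0000000000000000"]
    print("matched       :", exposure_matches(SECRET, 0, 14400, heard))
```

With the static value, one identifier ties all four places together; with rotation, each sighting stands alone unless the secret is disclosed for matching.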

The terms of service of the app are vague, which is the primary reason for the numerous privacy concerns for which the app has been criticized, overshadowing its noble purpose of stopping further spread. Regarding the retention of data, the privacy policy[9] of the app states that the information collected from the user at the time of registration remains on the server and is retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force. There is no mention of deletion or destruction of such data once the purpose is fulfilled; this leaves room for manipulation of the data and for its further usage. This conflicts with the principle of proportionality mentioned above, which states that the data collected shall be proportional to the legitimate aim for which it was collected.

Lastly, the disruption clause in the app’s Terms of Service[10] states that the user shall not expect any permanent or uninterrupted access to the app, as the app may be suspended permanently or temporarily with respect to all or some class of people. This creates ample room for the data which is still on the server to be used beyond the purpose for which it was collected, for an indefinite period of time.

Contrary to the ASA, the Singapore contact tracing app called TraceTogether (TTA) collects merely the phone number of the user, and that phone number is reflected on the server only when approached by the contact tracer through a central server owned by the Ministry of Health. TTA has adopted a data minimization principle which functions on a single data point, i.e. Bluetooth, which as explained above is a more acceptable way of achieving the desired results. The app has open source code which is backed up by tight server security. Through this we can keep track of what data is collected through the app. Thus, any manipulation of the data can be detected and addressed, which can lead to protection of data. Having said that, the ASA app is not altogether a faulty attempt in itself if it follows the same privacy structure as TTA.

Conclusion

India’s attempt to combat this extraordinary virus is a great initiative, provided the above-mentioned privacy loopholes are addressed and fixed. As discussed in the essay, the role of the app in contact tracing opens up challenges to the right to privacy under the Constitution of India. The country lacks a data protection regulatory framework, nor has it reformed its surveillance framework, i.e. the Telegraph Act, 1885 and the Information Technology Act, 2000, in line with the right to privacy[11]. As per a recent report, the central government is contemplating using the application as an e-pass to travel within the country[12]. Combine this with the fact that its risk assessments are done through unsupervised algorithms, and we are looking at a template which mirrors China’s AliPay Health Code[13]. Hence, if not paid heed immediately, the current privacy structure of the app can lead to mass surveillance by the government and can attract innumerable cybercrimes.


[1] Linda Lacina, WHO coronavirus briefing: Isolation, testing and tracing comprise the ‘backbone’ of response, World Economic Forum, March 2020, https://www.weforum.org/agenda/2020/03/testing-tracing-backbone-who-coronavirus-wednesdays-briefing/

[2] Aarogya Setu Terms of Service, https://web.swaraksha.gov.in/ncv19/tnc/

[3] World Health Organisation, COVID-19 virtual press conference – 25 March 2020, https://www.who.int/docs/default-source/coronaviruse/transcripts/who-audio-emergencies-coronavirus-press-conference-full-25mar2020.pdf

[4] Bangalore Mirror, Government publishes details of 19,240 home-quarantined people to keep a check, 2020, https://bangaloremirror.indiatimes.com/bangalore/others/government-publishes-details-of-19240-home-quarantined-people-to-keep-a-check/articleshow/74807807.cms

[5] Justice K.S.Puttaswamy(Retd) vs Union Of India on 26 September, 2018 [(2017) 10 SCC 1]

[6] Bhandari, V., Kak, A., Parsheera, S., & Rahman, F. (2017). An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict. IndraStra Global, 11, 1-5. https://nbn-resolving.org/urn:nbn:de:0168-ssoar-54766-2

[7] Aarogya Setu Terms of Service, https://web.swaraksha.gov.in/ncv19/tnc/

[8] https://www.bloombergquint.com/coronavirus-outbreak/covid-19-how-the-aarogya-setu-app-handles-your-data

[9] Aarogya Setu Privacy Policy, https://web.swaraksha.gov.in/ncv19/privacy/

[10] Disruption Clause, Aarogya Setu Terms of Service, https://web.swaraksha.gov.in/ncv19/tnc/

[11] Telegraph Act, 1885 and the Information Technology Act, 2000

[12] Sean McDonald, The Digital Response to the Outbreak of COVID-19, Centre for International Governance Innovation, March 2020, https://www.cigionline.org/articles/digital-response-outbreak-covid-19

[13] A combined interpretation of the ChinAI newsletter and a Google translation from Chinese (simplified) to English of the original article. Any errors in interpretation are the author’s alone.

3 thoughts on ““Decoding” Aarogya Setu”

  1. Excellent article. I appreciate the view that while the importance of the software cannot be undermined but should rather be appreciated, the concerns over the privacy of individuals must be addressed. A good point. I am sure the Government will look into it.


  2. As Mr. Prime Minister at the Howdy, Modi event quoted “data is the new gold” and “if there is one country in the world where data is cheapest, then that is India”. It looks like the government has taken a step but with a wrong interpretation and in a wrong direction.

    Let’s hope that government understands that Gold is the new oil; valuable but needs refining.


  3. Well written and well researched article. Would like to hear your views on Right to Information, Personal Data Protection, GDPR and HIPAA on the data that is being collected, analysed, stored, managed and (supposedly) destroyed on ASA guidelines. Integration of this data with Aadhaar and the threat this poses if mass surveillance is activated.
