Aarogya Setu App

Aarogya Setu App: Privacy Concerns

By Nicole Karen Gomez

A notable incident occurred in 2017, when the elected Government argued before the Supreme Court of India that it had an absolute right over the lives of the citizens of the country, stating that the Constitution does not guarantee a fundamental right to privacy and asserting that privacy is an elite concern. It further argued that surveillance powers have no Constitutional limits. The Court unanimously disagreed, but twice since then the Government has attempted to side-step the Supreme Court’s instruction: first through the mandatory and unjustifiably expansive use of Aadhaar, and second through the effort to build a surveillance system in 2018, both pruned by the Court. The Government's latest attempt to invade our privacy has been through the Aarogya Setu App.

On April 2, 2020, the app Aarogya Setu, which means “bridge to health” in Sanskrit, was launched in 11 languages on the Google Play Store and Apple App Store. The app was developed to track the spread of coronavirus infections within the country through its users, and to alert those who may have come into contact with someone who has tested positive or is a suspected case. It does this by using the phone’s Bluetooth and location data tracking technology, up to 10 kilometres, and scanning the database of known cases of infection. The data is shared with the Government as well. The app also offers access to telemedicine, an e-pharmacy, and diagnostic services. It has been downloaded by more than 100 million individuals in the span of 4 weeks. Initially the app could be downloaded voluntarily, but it later became mandatory for citizens in containment zones and for private sector and Government employees. In Noida, individuals who have not installed the app on their phone are fined up to Rs 1000 or can be imprisoned for up to 6 months. Unlike any other democracy, India is forcing its citizens to download the app, leaving millions of Indians with no alternative, as their jobs are at risk or they may be fined or jailed. Prime Minister Modi has been repeatedly urging citizens to download the app, stressing its importance. However, the app has faced ample criticism for its potential privacy and security threats.

The former Supreme Court judge BN Srikrishna said in an interview that the drive to make people use the app was ‘utterly illegal’ and questioned under what law it was being mandated, as it was not backed by any law until then. For the app to be imposed legally, it must have legislative sanction, as it breaches the fundamental right to privacy; instead, the app is being imposed through an executive order. It has not been clarified whether the app complies with the Information Technology Act, 2000, and the IT Rules, 2011. Earlier in April, a French ethical hacker who goes by the name “Elliot Alderson” claimed in a post that he had found security and privacy issues in India’s Covid-19 tracker app. The Aarogya Setu team denied this and stated that the app is secure. However, some of the concerns brought to light by Alderson, such as the WebViewActivity allowing users to access internal files by using commands due to a lack of host validation, were addressed through app updates, leaving the remaining concerns unresolved. On April 14, the app's privacy policy was updated without notifying users, even though the privacy policy explicitly mandates such notification.

Further concerns are discussed below:

  1. There is an absence of safeguards against data theft and other breaches. The terms of service mentioned in the app confer limited liability on the Government, providing it with a blanket of protection. So the question remains: who is accountable?
  2. The app is not open source, unlike the TraceTogether app introduced in Singapore. The closed source architecture violates the transparency policy and does not permit researchers and experts to test the app and suggest changes to prevent vulnerabilities. Protection from scrutiny will not aid the progress of the app.
  3. There is an absence of a protocol for deletion of data. The terms of service state that the Government is obligated to delete certain personal data after a 30-day period, but no framework has been put in place to ensure compliance, giving the Government an opportunity to hold data and process it in perpetuity.
  4. In a developing country with 500 million smartphone users, where the remaining two-thirds of the population do not possess or cannot afford a smartphone, what alternative measures are being taken to ensure their safety? Or is the Government going to penalise them?

The Aarogya Setu team should take inspiration from Singapore, where the TraceTogether app has limited access to the data to the Health Ministry alone. If a similar measure were undertaken in India, it would assure citizens that the data is strictly used for disease control. Moreover, legal recourse should be made available in the event of unauthorised access to information. Constantly changing rules and policies are problematic. Concomitant obligations need to be enforced to overcome the security-related black holes and the overall ambiguity. Additionally, it is perceived that the Aarogya Setu app may even come pre-installed on all new smartphones at the directive of the Government when the lockdown lifts and phone manufacturing and sale resume.
