Aarogya Setu: A Vulnerable Bodyguard?

In the year 2017, our nation witnessed a historic event. The Republic of India stood before the Supreme Court of India and argued that it has complete and absolute control over the privacy of its citizens. It contended that privacy was an “elitist” affair, that its surveillance powers have no constitutional limits and that, under the Constitution of India, the Right to Privacy has not been deemed a Fundamental Right. On this, the court disagreed unanimously.

After that, the Government of India strove to bypass the Supreme Court’s strictures twice. First, through the obligatory, wide-ranging and unjustified use of Aadhaar, which was pruned substantially by the Hon’ble Supreme Court of India. Second, by issuing a tender in the year 2018 to build a monitoring system, which was struck down when it came before the court. And now, the latest move by the government to circumvent the “Fundamental Right to Privacy” guaranteed by the Constitution of India is the Aarogya Setu app.

On April 2, 2020, in the wake of the ongoing Pandemic, the Government of India’s National Service Commission developed a mobile app known as Aarogya Setu to connect the citizens of India with the health services. The objective behind developing the app is to help people identify whether they are near someone who has tested positive for the Coronavirus. Another aim of this app is to mount a collective fight against the Coronavirus by enhancing government initiatives in reaching out to users and informing them of the risk practices and advisories to restrain the further spread of this disease. Since then, the app has been installed by more than 100 million people against a smartphone user base of 440 million in India.

The government of India affirms that it has launched a contact tracing app that would help the country fight this Pandemic. However, the government’s historically poor track record on privacy, the lack of transparency about who built and operates the application, and the absence of personal data protection legislation have led to concern among people.

How does the app operate?

The data accumulated by the Aarogya Setu App is broadly classified into four categories — demographic, contact, self-assessment, and location. This data is collectively known as response data. 

  • Demographic data includes information regarding the name, mobile number, age, gender, profession and travel history of the user. 
  • Contact data tells about the proximity of one user to the others.
  • Self-assessment data records information provided by users after taking a self-assessment test, which is an integral part of the application itself. 
  • Location data comprises the geographical location of the user.

When the Aarogya Setu app is installed on a smartphone, it operates through a ‘social graph’ generated from Bluetooth and location data, which alerts registered users who have come into proximity with people who have tested positive for Coronavirus. It then commences a protocol by which all important and essential information about that other registered user is collected and stored in the app itself. If a person tests positive for the virus, the government will contact all the registered users he came into proximity with over the last 30 days to administer adequate medical services. Similarly, the user will also be notified if he has been in the vicinity of any patient who tested positive over the last 30 days.

Before using this app, a user has to give his consent to the concerned authorities, allowing them to collect personal data and use it at his/her discretion. The app stores this accumulated data on secured and encrypted government servers which safeguard the security of this information. This information is then passed on further with a unique digital ID assigned to the user for recording all subsequent app-related transactions.

Does the app risk the users’ privacy?

The Aarogya Setu app permits the authorities to upload the collected information to government-owned and operated servers, which further dispense the data to people who carry out medical and administrative interventions significant to COVID-19. As construed, the government has the power to further share this information with “practically anyone it wants”.

According to the Government, “the app has been built with privacy as a core principle”, and the process of contact tracing and risk evaluation is conducted in an “anonymous manner”. The government claims that the app is completely safe and used only for Coronavirus contact tracing, as it assigns an individual a unique device ID only when he/she registers. All interactions from the device with the government servers are done through this ID only, and no personal information is exchanged after registration. The government also states that for those who are not at risk, their data is erased every 30 days, and the data for those who are currently being tested is deleted every 45 days. If a user tests positive, his/her information is kept for up to 60 days after he/she is cured.

These assurances by the government of India came after the ethical hacker Robert Baptiste wrote an article to the government detailing some ways in which a hacker may take advantage of the app. His claims triggered a war of words between the government and the opposition over the safety and privacy issues concerning the app. While the opposition stated that the Aarogya Setu app breaches privacy, the government said it is robust, safe and secure. The government responded to the ethical hacker’s claims by insisting that his assumptions are not valid and that the information stored on the servers is safe. But the views of experts on this matter differ, as many have raised doubts about the government’s claims.

Soon after the government made its bold claim that the app was robust, safe and secure, a counter incident occurred in which a software engineer from Bangalore who goes by the name ‘Jay’ hacked the Aarogya Setu app. He breached the app’s defense program in less than 4 hours. His justification for the breach was, “I didn’t like the fact that the installation of the app is gradually becoming mandatory in India. So I kept thinking of the solution how I can avoid installing it on my device”. He managed to circumvent the page that requests personal information and the COVID-19 symptom checker. Besides, he also managed to access the app without providing all the necessary permissions. While the government has claimed Aarogya Setu to be safe, the fact that it reportedly got hacked raises the concern that it is not only the government: hackers can also get into the app and leak user data. This raises concerns in people’s minds, creating doubt as to whether to trust the app or not.

Furthermore, according to Apar Gupta, Executive Director of the Internet Freedom Foundation (IFF), “Aarogya Setu is a form of surveillance and inflicts privacy injury”. IFF also stated that the country lacks a proper data protection law and that, besides, the application would be futile for low-income, uneducated, and unaware users.

The surveillance technology has given rise to a raft of questions about security, privacy and prospective data breaches — and whether it compromises civil liberties and gives the government snooping powers.

Aarogya Setu not a magical tool

There are two other fundamental issues that must be flagged regarding the usage of the Aarogya Setu app. First, its capacity and usefulness in “safeguarding” an individual from COVID-19. Second, the incorrect information provided by the user through this app.

From the outset, the app is perceived as a magical protective band against the ongoing Pandemic, and most reports assert that the app will enable people to fight collectively against this novel Coronavirus, whereas several fallacies exist about it. Further, the official release states that the app “will enable individuals to assess themselves on the chances of catching the virus. The calculation is based on the interaction of one user with other app users.” Besides, it states that the app “traces other devices with Aarogya Setu installed that comes in proximity of that device. Only after that, the app can calculate the risk of infection based on sophisticated parameters”. Many reports claim that this does not seem plausible because the app is not a diagnostic app.

Therefore, in the absence of complete transparency, one can only deduce that the app operates on the basis of contact tracing only. The primary utility of the app is that it traces individuals who have tested positive. These individuals may be asked to acknowledge the test results or to quarantine themselves. Thus, it can be deduced, as of now, that the app is a ‘post facto’ application and not a real-time alert device. The only alert that the device will receive is that there are others in the locality who have downloaded the app. In a hyped-up situation where anybody who gets infected by the virus is seen as an offender, only those individuals who have downloaded this app would be considered “responsible” and “patriotic” citizens.

On the contrary, all the other citizens who have not downloaded the app would be profiled as “irresponsible” and “anti-national” citizens. Due to this bias among individuals, it becomes tough for the government to verify the data, as the information provided by the users may be incorrect; this calls into question the authenticity of the data provided by the users. For instance, people who are privacy-conscious would be likely to provide wrong information and may look for a way around. Thus, how can one be sure that the information provided by any user is authentic and that Aarogya Setu is keeping us safe from infected individuals?

The Aarogya Setu app is daunting because it could be used as a surveillance tool by the government. In a situation like this, making the app mandatory for everyone to download and install would make it easier for the government to track the data of a political adversary. The authorization that an individual gives in the process of installing the app grants the government authorization to utilize the information in future for purposes other than epidemic control.

As per recent news, the ‘Aarogya Setu’ app was made compulsory for all smartphone users in Noida and Greater Noida. The Noida Police has issued an order asking all residents to download the Aarogya Setu app on their devices; non-adherence while going out will be considered a violation of the Lockdown and will attract punishment. On this, the former Supreme Court Judge BN Srikrishna, who chaired the committee that came out with the first draft of the Personal Data Protection Bill, termed the government’s push for mandating the Aarogya Setu app “utterly illegal”. He also asserted, “the guidelines cannot be considered as there is no sufficient legal backing to make the use of Aarogya Setu mandatory.” Furthermore, he added, “These pieces of legislation — both the National Disaster Management Act and the Epidemic Diseases Act — are for a specific reason. The national executive committee, in my view, is not a statutory body”.

For the moment, the recommendation of the app was within the rights of the government. But to make it mandatory violates individual freedom and breaches everyone’s privacy. Greater transparency is required, and it is time to stop projecting the Aarogya Setu app as a mystical solution having divine powers.


Digital technologies have been a boon for society in this time of crisis, as they allow communities across India to build solidarity, offer mutual aid, and carry on social ties in the middle of this Pandemic and Lockdown. Along the same lines, the idea of an app like Aarogya Setu to provide real-time updates on the disease, possible threats of contamination, and guidance on how to stay safe is wonderful. However, the app would have made more sense if the real-time data were not restricted to the details given by registered users only. There are many cases of people either suffering from or at risk of COVID-19 who haven’t installed the app, and therefore the app shows you as safe even when you are not.

However, even with such huge potential, the very idea of this app is surrounded by allegations of surveillance issues, privacy concerns, and the threat of data breach. The poor track record of our country on maintaining privacy, together with the absence of a data protection bill and the acute lack of the required safety infrastructure, raises concern about the use of such digital technologies for such purposes.

Mohit Nautiyal from Law College Dehradun
