UNPACKING THE PRIVACY CONCERNS OF AAROGYA SETU APP
Mayank Bansal
Advocate | Civil and Commercial Litigation | Startup and Business Legal Consultant | Technology and Data Privacy Law | Contracts Drafting | Regulatory Compliance | Fantasy Sports Law
This morning, after our Prime Minister addressed the nation and urged every citizen to install the Aarogya Setu app, my WhatsApp chat box was flooded with links to install it, and even my telecom service provider has texted me thrice today urging me to install it. This urgent national push has made me curious to unpack the details of the app, such as how it works and the level of security the government has implemented to respect our privacy.
So, let's unpack everything about this app, one point at a time:
WHAT IS AAROGYA SETU APP?
In the first week of April, the Ministry of Electronics and Information Technology launched its app “Aarogya Setu”, which translates as ‘a bridge of health’, for both the Android and iOS platforms. The app aims to tell its users whether they are at risk from the pandemic currently spreading throughout the world, by analysing the user's proximity to Corona-infected individuals.
HOW DOES THIS APP WORK?
This app works by gathering the user's identity, tracking the user's real-time movement and continuously checking whether the user has come into close proximity with any other user. For this tracking it uses Bluetooth technology and GPS location. Further, the app has access to the Government of India database in which information about corona-positive individuals is stored; through this access, the AI of the app determines and notifies the user whether they have come across any corona-positive individual.
DATA AND PERMISSION REQUIRED FOR SIGNUP FOR THIS APP
The above part of the paper clarifies the purpose and functionality of the app. Now, in this part, let's unbox the crucial aspect of this app, which is undoubtedly the privacy of its users. But before heading further, let me tell you what kind of data and permissions are required for signing up on this app.
While registering an account, an "App Permission" pop-up appears in the app, containing an explicit acknowledgment of the "sensitivity of permission" collected by the app. This acknowledgment specifically states, “the Government understand the nature and sensitivity of this topic and have taken strong measures to ensure that your data is not compromised.” Below this acknowledgment, the app discloses that it requires three permissions to function, which are as follows:
· Device Location: This application by default "always" has access to the location of a device and recommends that this permission should not be changed by a user. However, the user has an option to change this setting.
· Bluetooth: Bluetooth is supposed to be used for monitoring device proximity with other Aarogya Setu installed devices. Again, the developer recommends that users always keep their device Bluetooth turned on.
· Data Sharing: It states that the data generated through the app shall only be shared with the Government of India. Further, it also clarifies that the app does not allow the disclosure of username and number to the public at large at any time.
After these permissions are granted, users are required to fill in a self-identification form with sensitive and personal information such as (i) name (ii) phone no. (iii) age (iv) sex (v) profession (vi) countries visited in the last 30 days (vii) whether or not they are a smoker.
MY CONCERNS WITH AAROGYA SETU APP
As mentioned above, this app collects a significant amount of users' personal and sensitive information, in addition to its real-time tracking feature (which tracks the user 24x7 at an interval of every 15 minutes). This whole functioning mechanism made me curious to look at the app's terms and conditions and privacy policy, going through which I found various concerns. These are as follows:
· HIGH POSSIBILITY OF INACCURATE RESULTS: As a matter of fact, every user would install this app intending to get notified if they have met any corona-positive user. But what could happen if the app gives a user an inaccurate or wrong result? I believe that such a situation could create a lot of panic among already anxious users. In particular, one could see people approaching for testing unnecessarily, with testing kits already scarce in the country.
Clause 2 of the terms and conditions of the app requires every user to always allow the app access to the Bluetooth and GPS services of their device. It further acknowledges that if a user denies these permissions, the app may produce inaccurate or incomplete results. This clause also forbids users from sharing their device with anyone else, as that may lead to the user being wrongly identified as Corona positive by the app. Therefore, even if you have properly followed the T&C of the app, the people you come into contact with might not have followed them properly, leading to a wrong result from the app.
· VERY LIMITED LIABILITY OF GOVERNMENT: Clauses 6 and 7 of the terms and conditions limit the liability of the government to a great extent. The conditions in these clauses immunise the government from any kind of liability, even liability arising from an inaccurate result generated by the app or from the app failing to identify a true corona-positive case. In simple words, this clause absolves the government of any kind of harm caused by the inaccuracy of the app.
Further, this clause also shields the government from any kind of liability arising in the event of “unauthorised access to the user information or modification thereof.” Considering the nature of the clause, one may assume that “Aarogya Setu” is a gimmick of the government to collect the personal data of citizens in the name of a pandemic spreading throughout the world, as these conditions indirectly enable an unaccountable compromise of our information privacy and security.
· LACK OF REVERSE ENGINEERING: There are cybersecurity researchers and ethical hackers in the country who work on finding security loopholes in systems and applications. However, clause 3 of the Terms and Conditions specifically prohibits individuals from tampering with or reverse engineering the application in any way. Since the "Aarogya Setu" app handles users' sensitive information, the government should have opened the source code of the app, as the Singapore Government did with its similar app[1], so that security experts and app developers could check the level of security implemented in the app.
· HOW IS YOUR DATA USED: There is no doubt that the “Aarogya Setu" app works with a lot of our sensitive and personal information. Adding to this, the app continuously collects its users' location data and maintains a record of the places where its users come into contact with other users.
Clause 2(a) of the privacy policy deals with the usage of user information and reads as follows:
- The personal information collected from you at the time of registration under Clause 1(a) above, will be stored on the Server and only be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required. Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.
I found two issues in this clause. Firstly, the first part of the clause states that user information could be used by the government to create aggregated datasets of "anonymized” data to generate reports, heat maps and other similar statistical visualisations for the purpose of COVID-19 management. Unfortunately, the whole policy lacks a definition of the term "anonymized" data, which makes it nearly impossible to tell how the information collected from the user is stored by the government; from the mere use of the term “anonymize”, one cannot conclude that the user's data is stored by the government with the highest level of security.
Secondly, the latter part of this clause (highlighted above) allows the Government to share the sensitive information stored on the servers in order to “carry out medical and administrative interventions necessary in relation to Covid19 management.” This is a very broadly worded statement, which could allow the Government to share a user's sensitive information with practically anyone it wants (even with private individuals). Therefore, the Government must add supporting detail to this clause. Otherwise, this opacity would empower the government to misuse users' sensitive information. A classic example can be seen in the launch of "Aadhaar" in India: we all remember the purpose behind launching Aadhaar and the way it was later used in India.
· DATA RETAINED BY THE GOVERNMENT: Clause 3 of the privacy policy indicates that the app will delete all user data from the mobile device 30 days after the date of its collection, with certain caveats. However, Clause 3(C) of the policy also states that no deletion requirement applies in any capacity to "anonymised and aggregated datasets." I do not understand the need for retaining any kind of sensitive information beyond the pandemic period. We should see this as a government move towards creating a permanent architecture of users' sensitive information.
· QUESTION OF PROPORTIONALITY: There is no doubt that India's situation is completely different from that of countries such as Singapore, where a good proportion of individuals have a smartphone. In India, even today, two-thirds of the population do not hold smartphones and are excluded from the benefit of the "Aarogya Setu" app. Interestingly, even the developer of the app stated in the initial phase of development that at least 50% of the population must download this application to make it an effective solution in the country[2]. Considering the non-smartphone population in India, the app might not succeed in achieving its purpose.
· VIOLATION OF OUR RIGHT TO PRIVACY: In 2017, the Supreme Court passed a landmark judgment in the case of KS Puttaswamy v. UOI[3], wherein a nine-judge bench of the SC recognized the Right to Privacy as an integral part of the Fundamental Right to Life and Personal Liberty protected under Article 21 of the Indian Constitution. But to this day India lacks a Personal Data Protection Law, which could help limit the collection and processing of our personal data. On the contrary, the Government is trying to maximise the collection of personal information at the cost of individuals' privacy rights.
On the other hand, Europe already has data protection laws (GDPR). Mr. Wiewiorowski, the European Data Protection Supervisor, stated that they are in the process of developing an app for tracking Coronavirus for the whole of Europe, following a strict principle of "Data Protection by Design", and he specifically said that any measure implemented in their app that infringes upon privacy must be[4]:
- Temporary and “not here to stay after the crisis”
- Limited in purpose, to what is needed
- Have restricted access to data, and know who has access
- Have a purpose, or “know what we will do” with the raw data and its results
But if we strictly read the T&C and privacy policy of the "Aarogya Setu" app, we can observe that the Indian government has not developed this app with the principle of "Privacy by Design" in mind, unlike what is being implemented in Europe. On the contrary, Aarogya Setu feels like a tool developed by the Government for collecting citizens' personal information.
CONCLUSION
Although the Aarogya Setu app was launched by the Government in the first week of April, I was shocked to see that, after our PM addressed the nation, around 40 million people downloaded the app in less than 24 hours without knowing its consequences for their fundamental right to privacy.
Considering the situation of this pandemic, I believe that people are forced towards choosing their survival, thereby leaving behind the fundamental Right to Privacy, but right now they are not realizing the long-term effect of such decisions. I think that during such a pandemic, the Government is the one who should respect the Fundamental Rights of its citizens. Unfortunately, I am afraid to say that the Indian Government has failed to respect the same.
As far as I am concerned, I am giving a red flag to this Application.
[1] https://www.huffingtonpost.in/entry/aarogya-setu-surveillance-covid-tracking-app_in_5e8d6e26c5b6e1d10a6bdea6
[2] https://indianexpress.com/article/coronavirus/behind-aarogya-setu-app-push-at-least-50-people-must-download-for-impact-6357121/
[3] (2017) 10 SCC 1
[4] https://www.bbc.com/news/technology-52189551
Technology Law and Policy Researcher
4 years ago: An excellent article! I echo your thoughts on the vulnerabilities this application has. As already mentioned by you, the app is not privacy-by-design. Further, although the privacy policy does mention 'encryption', it is silent on the level of encryption used. Aarogya Setu was initially advertised to be a contact-tracing application; however, there are now fears that it may be upgraded and be continued post-pandemic too. In the recent update, the option to get an e-pass has been added to it. The application also advertises and encourages people to donate to PM CARES.
Chevening Scholar | Assistant Professor @ JGLS | Of Counsel at Scriboard | Author & Columnist | Law & Technology | IPR-Trade Marks | Brand and Data Protection | Principal Editor at Metacept |
4 years ago: Nicely put! Adding to your points, the privacy policy was also updated on April 14. Surprisingly, even the users of the app were not intimated about the changes to the terms. The updated policy does mention deletion of data within 30 days of de-registration or deletion of account, but the application nowhere provides an option to delete your account. Haha! Whether uninstalling the app amounts to deletion? A lot of clarity is sought with respect to the privacy concerns relating to this application.