The Indian government faces strong pushback from civil society for mandating the use of a privacy-intrusive COVID-19 tracing app. The heated legal debate resembles the previous one over the country’s controversial biometric ID system Aadhaar.
India is trying to build a “bridge to health” with personal data. The country’s COVID-19 contact-tracing app Aarogya Setu (“Health Bridge”) works like this: citizens with a smartphone register by providing their name, age, gender, mobile number, profession, and recent travel history. After that, the app prompts users to follow a basic self-assessment check asking for symptoms and other underlying medical conditions.
From then on, users must keep location services and Bluetooth enabled at all times. The app tracks their GPS location and movements to see if they pass by an area with a high infection rate, and uses Bluetooth to alert for proximity to anyone who is infected or has reported symptoms. On the basis of all this information, the app makes a safety assessment for the user, based on which it assigns them a green, yellow or orange status.
If this sounds similar to China’s “Health Code” app, that’s because it is. Of the different contact-tracing models out there, India has opted for one of the most intrusive versions. In the world’s largest democracy, the app’s rollout faces intense pushback from civil society, similar to the debate over the country’s controversial biometric ID system Aadhaar.
Within weeks of its launch, Aarogya Setu is a facing at least two legal challenges. In addition, a group of 44 civil society and digital rights organizations have written to Prime Minister Narendra Modi’s Office speaking out against the way it is being deployed. Security researchers on Twitter are warning against it, while one hacker has managed to game it.
App uses GPS and Bluetooth
Unlike Singapore’s Trace Together app, which relies on Bluetooth only and has become the blueprint for similar apps in Europe, Aarogya Setu combines proximity tracing and GPS tracking, causing privacy activists to fear misuse of the collected data. Also, unlike in Singapore and many other countries, the use of the app in India is mandatory for activities like boarding trains. A central government order from April asked its employees to download the app and only turn up at work if it assigns them a “safe” status. Another order issued by the Ministry of Home Affairs in the beginning of May says that, “use of Aarogya Setu app shall be made mandatory for all employees, both private and public.” (Update: On May 17, the ministry relaxed these guidelines, which now say that employers “on best effort basis should ensure” that employees install the app, but that employers will not be held responsible for failing to do so.)
Despite being one of the biggest markets for international internet businesses and having the reputation of being the tech “back office” of the world, India does not yet have a comprehensive data protection statute. A Draft Personal Data Protection Bill, which was first released to the public in 2018, has been pending since.
Up until 2017, the Indian state had actively argued against the right to privacy. It was only after a series of Supreme Court hearings that it was pronounced a fundamental right in a landmark ruling. While the right to privacy is now a matter of legal record, state institutions and decision makers are yet to internalize the concept. Government websites have a history of disclosing information, like electoral roll details. During the COVID-19 crisis, the states of Madhya Pradesh and Karnataka published the names of those in quarantine online. The data from Madhya Pradesh were taken down after a social media outcry.
An equally strong point of contention has been the compulsory introduction of the app. In Noida, a suburb of Delhi, one can be jailed for six months or fined Rs 1,000 (around 12 Euros) for being out on the road without the app on one’s phone.
Legal challenges against mandated use
The Internet Freedom Foundation (IFF), an Indian digital rights advocacy organization, has legally challenged the government order mandating this. A politician from the southern state of Kerala filed a legal petition in the Kerala High Court, arguing that mandating the use of the app makes consent for data sharing irrelevant. Justice B N Srikrishna, the former Supreme Court judge who headed the committee that drafted India’s data protection bill has said that making the app mandatory would be “utterly illegal.” He has also pointed out that “such an order has to be backed by Parliamentary legislation.”
Neither does the executive order take into account those who aren’t privileged enough to have phones or the internet. Government data shows that the number of wireless internet subscribers in India, a country of nearly 1.3 billion people, stood at 643.64 million as of June 2019. This would make it impossible for India to reach the wide coverage these apps need to be successful. By early May, Aarogya Setu had only been downloaded over 90 million times on Android and iOS combined. Mandatory use of the app almost sounds out of place in light of recent news from India that has been dominated by heartbreaking stories of migrant daily wage laborers, out of job and money, walking back to their villages hundreds of kilometers away. Many died of hunger, exhaustion, or accidents along the way.
Apart from exclusion, there is also the matter of transparency. Free and Open Source Software (FOSS) advocates and researchers have been asking to reveal the app’s source code and to submit it to an independent audit. The app has also been scrutinized for security and encryption issues. A French security researcher with over 200,000 Twitter followers pointed out several vulnerabilities. An engineer from the city of Bengaluru (formerly Bangalore) has reportedly managed to hack the app so that it shows a “green” status at all times.
There has been some backtracking. A senior government official has said at a UN Women event that "in his personal opinion," Aarogya Setu should not be made mandatory. Another senior government official involved with the app has now said that India is “not far from open sourcing the app.”
In a more significant move, on 11 May, the federal Ministry of Electronics and Information Technology issued the “Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020.” This lays out the purpose and duration of use of the data, and means by which the government can extend the time period for which it uses the data and also the agencies with which it can share it. One of the provisions in the privacy policy of the app as published on the app store allowed the government to retain user data “for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force.” The protocol can be expected to address such problematic features, for example by limiting the use of data collected through the app to public health.
Fears of “function creep”
Much of the deployment and handling of Aarogya Setu right now mirrors the handling of Aadhaar, India’s nationwide biometric ID program, which works on tech-enabled online authentication. The program sparked the biggest legal debate on privacy and data protection in India, and continues to do so even today.
With Aadhaar, the government was at pains to assure everyone that the citizens’ data were safe, despite the repeated reports of data being compromised or leaked. The program started out as a tool to make welfare distribution more efficient. It raised apprehensions about purpose limitation of the data collected, when it moved on from state benefit distribution to be linked to tax returns, bank accounts, and even phone numbers. It was also criticized for being abused for political goals.
This kind of “function creep” is observed with Aarogya Setu as well. As of writing, plans are afoot to introduce “e-passes” on the app. These are permits that will allow one to pass through areas with movement restrictions, such as containment zones. The app’s scope is already expanding. The readiness with which citizens receive it is likely to inform much of what is considered acceptable state action in India’s larger privacy debate.
Views expressed here are the author’s own and do not represent those of her employer, Proto.