Aarogya Setu App: India Amid Lockdown And ‘Right To Privacy’ Under Threat
This Blog is written by Ujjawal Vaibhav Agrahari from National Law University, Odisha. Edited by Saumya Tripathi.
AN INSIGHT OF THE APP ‘AAROGYA SETU’ AND ITS WORKING
As novel infection with coronavirus continues to grow in the country, the good news is that the number of patients recovered / discharged is also on the rise. With more than 1 lakh active coronavirus cases in India, the country’s recoveries were also crossing the 1 lakh mark as of June 3. Meanwhile the government launched an app to trace and minimize the growth of the app. Aarogya Setu which means “bridge to health” in Sanskrit was launched on April 2nd, it is basically an app designed and developed by ‘National Infomatics Centre’ which comes under the Ministry of Electronics and Information Technology (MeitY).. It is an Indian app, open-source cross-platform COVID 19 “contact tracing, Syndromic mapping and Self-assessment” digital service made few days after the massive outbreak of the deadly virus.
This app is the updated version of previous app “Corona Kavach” released by Government of India earlier (now it is not functional). The app comes in 11 languages. It was directed to download all Central Government officials, including the outsourced workforce. It has been recommended that all citizens of the country use the Aarogya Setu app to ensure better tracking of contacts, which can significantly reduce spread of the virus. According to NITI Aayog CEO Amitabh Kant, “it has become the world’s fastest app to reach 50 million downloads in just 13 days”.
As soon as you install the application, a set of personal information is asked from user which includes: name, sex, age, profession, countries visited (in last month, if any), current location etc.
THE 3-STAGE CONTACT TRACING PROCESS
1) Contact identification – Contacts are identified once a person is tested positive for a virus. These are based on the activities of the person, roles of people around him since the onset of the disease and so on. Contacts can be anyone who has come into contact with the infected person – family, friends, colleagues at work, health care providers, etc.
2) Contact listing –The next move is to list all these people who have come in touch as contacts with the infected person. All these people should be identified and informed of the precautions they must take, they should be given early care if they develop symptoms, etc. In the case of coronavirus, quarantine or isolation of these contacts is also recommended, and as a precautionary measure is being taken.
3) Contact follow-up – The third and final stage, follow-ups. Daily follow-ups of all contacts should be carried out to control symptoms, check for signs of infection.
The app utilizes the capabilities of Bluetooth and GPS on the phone. Record of every user nearby is kept through it. Within 15 minutes of time span, wherever the device has been, the location of it is detected and stored through GPS. The record thus are kept in the device until the user test corona positive and then information is circulated to servers.
The app aarogya Setu gained so much attention in short span. There were some places where installing the app was made mandatory like Noida, failing which Rs.1000 fine or six month punishment was imposed.  Several questions have been raised from public, experts and also from ethical hackers. They say that linking Aarogya Setu with the apps like “Sahyog” could pose danger to privacy as there is absence of transparency.
ACHIVEMENTS TILL DATE
• Amitabh Kant, CEO, NITI Ayog confirmed that, “The Aarogya setu app has become the world’s fastest app to reach 50 million downloads in just 13 days”.
• More than 75% of the users registered (approximately 114 million) have taken the assessment test of the app for the Covid19 risk exposure.
• The app has made significant achievement by identifying “more than 3,000 hotspots in 3-17 days ahead of time.”
ANALYSIS AND CRITIQUE OF THE APP
Aarogya Setu has access to your location through Bluetooth phone, which, according to critiques, is intrusive from viewpoint of one’s security and privacy. In Singapore the “TraceTogether app” can only be used to access data through health ministry. It guarantees peoples that the data can only be used solely to monitor spread of Covid19 and will not be shared with law enforcement agencies to enforce lockdowns and quarantines.
The big problem with the app is that it monitors position that is considered redundant globally, as Nikhil Pahwa said, Medianama’s editor, an internet supervisory body, “Any app that tracks with whom you have always been in touch and your location is a clear breach of privacy.”
Aarogya Setu enables authorities to upload the information collected to a government-owned and controlled “directory” that “provides data to individuals conducting the required medical and administrative interventions in relation to Covid-19.” It is questionable because it signifies that the administration will be sharing the data with “almost everyone it likes.”
There are also technical faults beyond the legal loopholes. AarogyaSetu’s unique digital identity is a static number, which increases the likelihood of identity breaches. A better approach would be to constantly change digital identification keys, like what Google and Apple are deploying in their technology for joint contact tracing.
India has “a horrific history” of privacy security, for example Aadhaar-the largest and most contentious biometric identification database in the world. Critics had repeatedly cautioned that the system is jeopardizing personal information and have opposed attempts by the government to connect it to bank accounts and mobile phone numbers.
People have to give their name, gender, phone number, location to register and travel history. Also, “People can fill out the form incorrectly and it cannot be verified by the government, so the effectiveness of the data is questionable” Mr Pahwa said in an interview with BBC.
French cybersecurity researcher Robert Baptiste, with the handle ‘Elliot Alderson,’ published a blog post entitled ‘Aarogya Setu: The Story of a Failure’ highlighting security lapses in the Aarogya Setu COVID-19 tracking app at the Centre, which has been installed by over 90 million people to date. Alderson contends to have been able to misuse one of the functionalities which allows users to see the number of people who installed Aarogya Setu, including the number of COVID-19 positive users and those who felt unwell in their geographical vicinity to see the health status of any of the users of the app in a geographical location within India. Alderson claims he did this by spoofing his position, allowing him to view such details anywhere in India including at the Office of the Prime Minister and headquarters of the Army.
STATUTORY PROVISIONS FOR ‘PRIVACY’ AND ARE THEY SUFFICIENT?
Though there are very few legislations related to right to privacy and protection of healthcare data in India, right to privacy is still the fundamental right as declared by supreme court under Article 21. However, a subordinate legislation was passed earlier on June 2011 that contained various rules and regulations that apply to companies and consumers. A key point to this legislation was “rules required that any organization that processes personal information must obtain written consent from the data subjects before undertaking certain activities”. However, there is no certainty as to the enforcement of the rules.
The Information Technology Act of 2000 set out specific punishments for data breaches and Privacy, in computer domain at least, and the cybercrime. Also, there had been amendments and changes in the Information Technology Act, 2000 through the new Information Technology (Amendment) Act, 2008 (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) and four sections of the Information Technology Act specifically deal with penalties against breach and misuse of data in India. These are Sections 43, 65, 66, and 72.
To be clear, the current regulatory structure is comprehensive to address most of the concerns on the Indian market, but it does not provide full data breach protection. The Government of India has the intention to enhance the country’s data security and privacy and it feels this is a crucial step towards promoting offshoring in India.
On 11 December 2019, a draft Personal Data Protection Bill, 2019 (“Bill”) was introduced before the Lok Sabha. The 2019 Bill provides some key provisions for which the 2018 draft Bill did not include such provisions that the central government could exempt any government agency from the Bill and the right to be forgotten. The right to be forgotten means “right to have negative private information about a person to be removed from Internet searches and other directories under some circumstances”. At its base, the Bill continues to require that Personal Data be handled fairly and reasonably while ensuring the privacy of the Principal Data, for purposes consented by the Principal Data, or for incidental or connected purposes thereof.
While anonymized data, as proposed in the draft law, remains outside the scope of the law, an exception has been made that “anonymized data may need to be shared with the government in order to better target the provision of services or to formulate evidence-based policies”.
However, the draft law published last year by the Justice BN Srikrishna Committee expressly stated that “the processing of personal data in the interests of the security of the State is not permitted unless authorized in accordance with a law and in accordance with the procedure laid down by that law, made by Parliament and necessary for, and proportionate to, such interests being achieved.”
WHY IS ‘PRIVACY’ SO IMPORTANT?
The increasing diversity of Internet and the fraudulent incidents in virtual world has led us to a point where protection and endurance of the data has become utmost need of an hour. Personal Information and security details of people are being hacked and manipulated for illegal advantages. These situations aren’t going to stop and as we see tomorrow is the world of technical advancements, virtual environment will spread and will take massive space in the society therefore, and we need stronger legislations to combat such delusory world.
The maximum extent of personal freedom referred to in Article 21 covers a variety of rights which constitute personal liberty viz. “secrecy, autonomy, human dignity, human right, self-evaluation, limited and protected communication, limiting exposure of man etc”.
HEALTH AND PRIVACY
The health sector is a significant privacy issue. Your safety data includes any information on your health or disability, and any information you have received collected in relation to a health service. Many people regard their information about their health as highly sensitive. The right to life is so important that it does away with the right to privacy. Under medical supervision ethics needs a doctor not to reveal the confidential details about the patient as the disclosure would adversely impact or place the lives of others at risk. Mr. X v. Hospital Z  ‘the Supreme Court held that the relationship between the patient and the doctor, although essentially commercial, is professionally a matter of trust and therefore doctors are morally and ethically bound to maintain confidentiality. In such a case, public disclosure of even true private information may often lead to a conflict between the rights of one person to be left alone with the right of another to be told.
Justice K.S.Puttaswamy (Retd) vs Union Of India
This case was concerned with a challenge to the Aadhaar, a government scheme (a form of a uniform biometric identity card) in which the government made it compulsory to use government services and benefits. The matter was brought before a tri-judge bench in the Supreme Court on the grounds that this system infringed the privacy right. Accordingly, a Constitution Bench was formed and determined that a nine-judge bench was required to decide if Article 21 of the Indian Constitution provides for a fundamental right to privacy.
The nine-judge bench of the Supreme Court unanimously accepted that the Constitution guaranteed the right to privacy under Article 21 as an essential aspect of the right to life and personal freedom.
Considering India’s current complex and continuously changing scenario, which is full of challenges, growing foreign investment, and economic growth in an ever-expanding digital era, there is an unparalleled need to update laws and standards on privacy and data security in line with the global initiatives that are being tested and already in place.
The government and the public should take lessons from the critique of ‘Aarogya Setu’ App, and when the next time an app is floated in the market, there should be greater concern beforehand by the makers and afterwards by public about whether the app isn’t infringing the privacy.
In the future, India can draw inspiration from other countries that have come up with better alternatives for monitoring the pandemic. Stanford’s Covid Watch, creating an anonymized heatmap of high-risk areas with low risk of privacy. It is also possible to refer to the policy framework of Thailand, in which each person designated at high risk for COVID-19 is given a SIM card and monitored for 14 days.
While these apps come with a host of issues, once addressed beyond the superficial reassurances, these apps have the ability to function as long-term solutions in the pandemic battle. This can be done by maintaining the utmost emphasis on, first, data integrity and validity, and, second, preventing third party intrusion, such as mobile malware.
Better legislations required now because 21st century and upcoming centuries are of digital era and virtual world. The right to privacy is becoming more and more important, as everyday progresses. For all our lives being revealed to the media by social networking sites or surveillance cameras, protection should be provided to all and it should function in such a way that no one should think of intruding the individual’s right to privacy.
After analysis all the statues and laws and going through the past incidents and cases, some suggestions below few actions that should be taken to deal with data breach issue:
1• Imposition of Greater Penalty: A person who tries to get any data or information from any resource government officer under any pretext should be penalised stringently.
2• Prohibition of interruption of communications: Excluding few cases, interception of communications may be prohibited, but only with the Secretary-level officer’s approval.
3• Safety from Citizen’s Identity Theft: Another law on the right to privacy has to be drawn up to protect against theft of citizens’ individuality whether it is theft of personal identity or financial identity that can take into account theft of criminal identity and theft of financial identity.
4• Central Communication Interception Review Committee should be established: to review and analyse the interception orders issued by the authority concerned.
5• Establishing Data Protections and Regulatory Authority: There should be establishment of a responsible authority who will protect data and will have work of keeping track of the data processing.
 Aparna Banerjea, ‘Aarogya Setu identified over 3,000 Covid-19 hotspots in 3-17 days ahead of time: Kant’ <https://www.livemint.com/technology/tech-news/coronavirus-update-aAarogya-setu-identified-over-3-000-covid-19-hotspots-in-3-17-days-ahead-of-time-kant-11590503060663.html > as accessed on 2 June 2020
 ‘nic-delhi/AarogyaSetu_Android’ <https://github.com/nic-delhi/AAarogyaSetu_Android> as accessed on 2 June 2020
 Ashna Butani, ‘No Aarogya Setu app? Pay Rs 1,000 fine or face 6 months jail in Noida’ < https://indianexpress.com/article/cities/delhi/aAarogya-setu-app-fine-jail-noida-6394954/ > as accessed on 2 June 2020
[4‘nic-delhi/AAarogyaSetu_Android’<https://github.com/nic-delhi/AAarogyaSetu_Android> as accessed on 2 June 2020
 Aparna Banerjea, ‘AAarogya Setu identified over 3,000 Covid-19 hotspots in 3-17 days ahead of time: Kant’ <https://www.livemint.com/technology/tech-news/coronavirus-update-aAarogya-setu-identified-over-3-000-covid-19-hotspots-in-3-17-days-ahead-of-time-kant-11590503060663.html > as accessed on 2 June 2020
 Andrew Clarance ‘Aarogya Setu: Why India’s Covid-19 contact tracing app is controversial’ < https://www.bbc.com/news/world-asia-india-52659520 > as accessed on 5th June 2020
 MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY, ‘NOTIFICATION (subordinate legistlation)’ (Department of Information Technology) New Delhi, the 11th April, 2011< https://meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf > as accessed on 3rd June 2020
 Patrick S Ryan, Ronak Merchant and Sarah Falvey ,’Regulation of the Cloud in India’ (Journal of Internet Law), Vol. 15, No. 4, p. 7, October 2011
 Section 91(2), Personal Data Protection Bill, 2019
 Kharak Singh v State of U.P  AIR 1963 SC 1295
 Spring Meadows Hospital v Hajot Ahluwalia (1998) AIR 1998 SC 1801
 Mr. X v Hospital Z (1999) AIR 1999 SC 495.