The recent May 1, 2020 guidelines issued by order of the Ministry of Home Affairs (MHA) mandate, among other things, the use of Aarogya Setu, a mobile application released in April this year by the Ministry of Electronics and Information Technology (MIETY), Government of India. It has been made mandatory for both public and private sector employees, and employers have a duty to ensure strict adherence to the guidelines. It is also mandatory for all persons living in containment zones, and non-adherence will invite penal action under the Disaster Management Act, 2005 as well as under Sec. 188 of the Indian Penal Code.
A petition was filed on 7th May, 2020 in the Kerala High Court, challenging the constitutionality of the guideline mandating 100% coverage of the app in workplaces and containment zones. It has based its challenge on the judgement in Justice K.S. Puttaswamy (Retd) vs Union Of India, which ruled that the right to privacy is a fundamental right of citizens under Art 21 of the Constitution, and has sought the quashing of the MHA order. In the interim, it seeks "to restraint the authorities from resorting to coercive action for enforcing the mandatory use of app."
The guidelines mandating the use of the app, in addition to being contrary to India's Human Rights obligations under international law, have raised concerns over privacy. The app continuously tracks its users' location using both GPS and Bluetooth to alert users as soon as they come in contact with a person with CoViD-19 infection. The use of both GPS and Bluetooth puts a question mark over the necessity of doing so and does not match the standard of similar apps used around the world. The NITI Aayog has justified this tracking by saying that the location data is not analysed individually but only in aggregate, and that GPS data is necessary to demarcate containment zones and disease clusters. While these steps may be considered appropriate to some extent, there are major bypasses that the government has made while mandating the use of the app.
Even if one concedes that the urgency of the situation demands a breach of the right to privacy, and that all the assertions about its illegality can be refuted, one expects a reasonable degree of protection and adequate remedies from the government. Instead, the government has in its limited liability notice on the app stated that it would not be liable if any third party gains access to the data. And the integrity of government-developed software was on wide shameful display when the mAadhaar app's security issues were exposed by a French hacker in 2018. In fact, the same hacker has recently tweeted:
(referring to Rahul Gandhi's recent tweet on the issue which called the app a "sophisticated surveillance system")
Team Aarogya Setu soon released a statement, which, in short, dismissed all claims about security and privacy made in the tweet and said a big "No, thank you."
The hacker was quick to respond. He published an article which explains how he gained access and was able to tweak parameters in the app to remotely get data on how many persons felt "unwell" at any given location in India, which is not possible to obtain by the normal use of the app. To quote his response to Aarogya Setu's statement:
"My answer to them is:
- As you saw in the article, it was totally possible to use a different radius than the 5 hardcoded values, so clearly they are lying on this point and they know that. They even admit that the default value is now 1km, so they did a change in production after my report
- The funny thing is they also admit a user can get the data for multiple locations. Thanks to triangulation, an attacker can get with a meter precision the health status of someone.
- Bulk calls are possible my man. I spent my day calling this endpoint and you know it too.
I'm happy they quickly answered to my report and fixed some of the issues but seriously: stop lying, stop denying."
He has raised concerns over the app not being secure enough, and this has resulted in a slew of tweets and retweets, some supportive of the government, which keeps repeating that it is a robust technology, others questioning these claims.
SIMILAR TECHNOLOGY IN OTHER COUNTRIES
Several other countries have developed similar technologies and have been using them for contact tracing, such as Singapore's Trace Together App and South Korea's Smart Management System (SMS), Corona 100 app and Corona Map, but they too have resulted in wide criticism from privacy experts. However, one major difference is that these countries have data protection laws, such as South Korea's Personal Information Protection Act, which provides for the right to be forgotten, and Singapore's Personal Data Protection Act, 2012 (PDPA).
Even in Italy, which faces a much worse crisis, the government has been careful not to be hasty and will be opening its app Immuni for use only once the lockdown has been lifted and it is approved by the parliament.
The United States has come up with Private Automated Contact Tracing (PACT) which protects the privacy of individuals and does not need personal data for contact tracing. In the European Union, countries have been leaning toward the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) technology which is more protective of the privacy of its users than its rival Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT).
The United Kingdom is also in the process of launching a similar app under its "test, track and trace" programme but it will be testing the app first on a small population with a lower smartphone user percentage, before making it mandatory for its citizens. However, there are many concerns there too which will need to be addressed for a successful application of the plan once the lockdown is eased.
ISSUES WITH THE INDIAN APPROACH
A major difference in India's approach is that, in addition to keeping the Aarogya Setu app closed source (meaning the source code is not available for examination), which in itself is in derogation of the National Open Source Policy, the Indian Government has decided to impose this as a necessary condition if one wishes to work in offices, and has made it absolutely mandatory in all containment zones. It does not respect the contemporary international norm of consent-based data collection, and has also not followed any test stage like the one being conducted in the U.K. before mandatory imposition. India also lacks a comprehensive data protection law. Additionally, the Terms of Service of the Aarogya Setu app have a limitation of liability clause, and the relevant part reads as follows:
"6. LIMITATION OF LIABILITY
You agree and acknowledge that the Government of India will not be liable for any claims in relation to the use of the App, including but not limited to … (d) any unauthorised access to your information or modification thereof."
It precludes the government from having any liability for unauthorised access to user data on the app, effectively absolving the government of all fault in the tracking system. The above Limited Liability Clause, in saying that the government will not be liable for breach by unauthorised third parties, is also in violation of the Information Technology (IT) Act, 2000 which requires all app service providers (as intermediaries, in this case the government) "to ensure the security of the data collected" and makes them liable for any loss.
As pointed out above, India lacks a comprehensive data protection law. This poses a problem since the existing law does not adequately address basic issues such as the length of storage, liability for breaches, requirement of consent, duties of the collector of data and leaves a bulk of the decisions on how and till when to use the data up to the government without any fear of legal challenge. The Personal Data Protection Bill, 2019 remains to be passed by the parliament, and until that is done, data remains inadequately protected under legislations such as the IT Act, 2000. Breach of data may go undetected or unpunished under the current data protection regime.
Advocate Gautam Bhatia in his recent analysis of the legal flaws in mandating the use of the app has rightly pointed out that the guideline lacks an anchoring legislation, and the National Disaster Management Act, 2005 under which the guideline has been issued cannot be legally considered the basis for such directions as the provision invoked is an umbrella clause and if accepted, will basically entail that "the government may do anything that it believes is reasonable to achieve the public interest" "and do away with any further need for law making in toto."
It is also not clear whether the government can be allowed to impose a condition upon citizens such as giving up a fundamental right (the right to privacy, Article 21, held in Justice K.S. Puttaswamy (Retd.) v. Union of India) in order to be able to exercise another fundamental right (Right to livelihood, Art 19 (1) (g)). Some might consider this a reasonable restriction under Art. 19 (6), some may say it is in excess of the proportionality in Art. 21, and some may say it serves a public function and can be allowed. The fulfilment of one fundamental right cannot be made conditional on the giving up of another. And as clearly explained above, mandating the use of the app lacks legal sanction and thus cannot be a lawful infringement of the right to privacy; it is therefore an illegal breach of privacy, and it cannot be held to be in the larger public interest either. The taking away of a fundamental right, the right to privacy in this case, needs to be based on legislation, otherwise it paves the way for rule by the executive. This debate may continue for a long time to come in the present circumstances. The fact remains that in the absence of a law, the privacy infringement sought to be made through the app is absolutely unconstitutional.
STATE SURVEILLANCE, RIGHT TO PRIVACY AND INTERNATIONAL HUMAN RIGHTS LAW
The right to privacy, being one of the core foundation stones of democratic society, has been recognized in various International Human Rights Treaties and creates an obligation upon states for effective protection of the right to privacy against government surveillance. India, being a signatory of various International Human Rights treaties, has an obligation to ensure full compliance with their provisions, in particular, the right to privacy enshrined in the Universal Declaration of Human Rights (UDHR), which has attained the status of customary international law, and article 17 of the International Covenant on Civil and Political Rights (ICCPR).
The importance of legislative measures for protection of the right to privacy under the ICCPR has been emphasised by the UN Human Rights Committee (HRC) in its General Comment No. 16 (Right to Privacy). In 2013, the UN General Assembly adopted resolution 68/167 on 'The right to privacy in the digital age', in which the General Assembly required the following: "Noting that while concerns about public security may justify the gathering and protection of certain sensitive information, States must ensure full compliance with their obligations under international human rights law".
There is, therefore, a clear obligation on the government, as stated in Art 51 of the Constitution, to ensure compliance with International Human Rights law standards while collecting sensitive personal data even when it is in public interest.
Also, the app is based on a self-assessment mechanism and can be called self-diagnosis at best. How the government seeks to create such support for the app that each person will religiously input correct data remains to be seen. The accuracy and actual usefulness of the app's alert system is also doubtful, since the government has so far only made claims, without much proof of usefulness.
While a voluntary approach of users signing up to the app does not work effectively, making it mandatory will definitely not work either. There can be many reasons for the failure of the app's objective: lack of smartphones, problems with technology (people passing by on the street or in different rooms will be alerted too), lack of internet service coverage, etc. There is also a general lack of trust in the government's actions and concerns over lack of transparency shown in other situations during the pandemic, such as the expenditure of the donations made to the PM-Cares Fund. The app may be a constructive step, but is a fundamental breach of privacy when one is made to mandatorily give access to his whereabouts, and without proper safeguards, making it mandatory can easily be seen as just another attempt in a series of steps taken by the government to bring about a strict surveillance regime.
The Aarogya Setu app and its constant surveillance features also create serious implications relating to human rights on the international level, particularly the right to privacy, freedom of movement and right to life and liberty. Given these risks, the government needs to create the right balance between human rights and state surveillance by fixing accountability in case the app fails to meet the standards of international human rights law.
India can learn a great deal from the U.K. in its step-by-step approach, starting with careful testing and mandating it only if it proves successful over a small sample size, in the least favourable conditions. But the inspiration must end there, since the app has generated backlash over privacy concerns in the U.K. too, just as it should. It is important that transparency be maintained while handling sensitive data, and it is the duty of the people to hold the government accountable.
The South Korean example, which saw mandating of contact tracing technology like in India, can be seen as a holistic approach to the problem. Using technology as well as improving other areas, such as wide and free testing, quick isolation, and an overall faith in the government created by its efficient handling of contagious diseases in the past has been the country's saving grace. India can learn a great deal from South Korea if it decides to continue the mandatory imposition, but must be careful to look at other aspects which it is simultaneously obliged to consider.
Views Are Personal Only
(Dr. Anita Yadav is Assistant Professor at Campus Law Centre, University of Delhi and Nausheen Khan is a 2nd year student of LL.B. at Campus Law Centre, University of Delhi)
 2017 (10) SCALE 1
 G.A. Res. 68/167, U.N. Doc. A/RES/68/167, https://undocs.org/pdf?symbol=en/a/res/68/167