Friday, January 28, 2022

3 Things

Our flagship daily news show, where hosts Shashank Bhargava and Snigdha Sharma talk to in-house experts about what is going on and why you need to care about it.

Episode 868 May 14, 2020

Why has Aarogya Setu raised legal and privacy concerns?

Since it was launched last month, the Aarogya Setu has raised several concerns. Not only about privacy, but also about the legality of making it mandatory. Earlier this week, the former Supreme Court Judge B N Srikrishna called the government mandating the app “utterly illegal”. In this episode, we take a deep dive into the legal and privacy concerns around the app.
Transcript:
Shashank Bhargava
Hi, I’m Shashank Bhargava and you’re listening to 3 Things, The Indian Express news show.

Over the course of the coronavirus outbreak in the country, the government’s strategy against the virus has been evolving. From extending lockdowns, categorising different coloured zones and promoting social distancing, to changing the way it tests and treats people.

And along with all this, the government has also been aggressively pushing the Aarogya Setu mobile app that it launched last month. It has now in many cases made it mandatory for people to download it.

The app, as we have discussed in previous episodes, is essentially a contact tracing app that uses GPS coordinates and Bluetooth data to track your location, both on your own, as well as relative to other users, to see whether you have physically come close to someone suffering from COVID-19. It asks you to self assess and then informs you about the risk of your infection and also informs you about other users in your vicinity.

The app by now has raised several concerns, not only related to privacy and data protection, but also about the legality of making it mandatory. In this episode, we take a deep dive into these issues.

Now the government had been extensively marketing the app from the beginning, urging people to download it, but it was on the 3rd of May that the government issued guidelines saying that it was mandatory for employees of all public and private organisations to download the app.

Deeptiman Tiwary
The orders by the Central government were issued under the Disaster Management Act.

Shashank Bhargava
That’s Deeptiman Tiwary who reports on issues of corruption and government agencies for The Indian Express.

Deeptiman Tiwary
And this is specific to employees to ensure that the employers know where their employees are coming from. If they’re coming from containment zones or someplace which is heavily affected by the spread of coronavirus. And so that accordingly, they can take measures to ensure that others do not get infected, or take preventive measures.

Shashank Bhargava
Recently, an article published in the MIT Technology Review pointed out that this guideline made India perhaps the only democratic nation in the world to make a contact tracing app mandatory. So what happens if the employee doesn’t download the app?

Deeptiman Tiwary
Given that it has been issued under the Disaster Management Act, if employees do not download this Aarogya Setu app and reach their offices, and the onus of ensuring this has been put on employers, then under the Disaster Management Act, if you violate guidelines issued by the Centre, you could be prosecuted and there is a punishment of up to 2 years and there is a fine also. The court may decide whether you should just be fined or you should be put in jail.

Shashank Bhargava
A few days after this, orders were also issued by the UP government for the residents of Noida.

Deeptiman Tiwary
In Noida, orders have been issued that everyone irrespective of whether you are an employer, employee, unemployed, housewife, sanitation worker, irrespective of who you are, rickshaw puller, everybody has to download the Aarogya Setu app. If you do not, the government orders have said that you will be prosecuted under Section 188 of the IPC.

Shashank Bhargava
These orders were issued under the Epidemic Diseases Act. An act that was introduced by the British colonial government to tackle the epidemic of bubonic plague in the 1890s.

Deeptiman Tiwary
Punishment for Epidemic Diseases Act is under Section 188 of the IPC. If you do not download the Aarogya Setu app, you could be prosecuted and be jailed for 6 months, or be fined.

Shashank Bhargava
Though there are still some questions that remain unanswered about these orders. Like, if an employee doesn’t download the app, will he or she face the same consequences as the employer, who was supposed to be responsible for all employees to download the app? And what happens if you don’t have a smartphone? The Noida police at least, was clear on that.

Deeptiman Tiwary
See, the Noida police has made it clear that only those with smartphones are bound by this law of downloading Aarogya Setu. If you do not have smartphones, and there are very many people among the poor sections of the society who do not have a smartphone, that is exempted. That is something that the law will consider because you cannot force people to buy a smartphone. So you cannot be prosecuted if you do not have a phone or a smartphone.

Shashank Bhargava
The app in some other instances has been used as a pass to cross inter-state borders. Haryana recently mandated people coming from abroad to download it, and when train services were resumed on Tuesday, the passengers were required to download it.

This aggressive push has reflected in the app’s growth. Till April 11, the app had 2.3 crore downloads. But yesterday, 31 days later, the app crossed 10 crore registered users.

But the question is, can the government make it mandatory for people to download it? Is that legal? According to the former Supreme Court Judge B N Srikrishna the answer is no. In fact, earlier this week he called the government mandating the app “utterly illegal”. Now to understand why he said that, we need to take a look at a landmark judgment that the Supreme Court made nearly three years ago.

Apurva Vishwanath
So, there is this 2017 landmark judgement which recognised that privacy is a fundamental right.

Shashank Bhargava
That’s Apurva Vishwanath. She covers law for The Indian Express.

Apurva Vishwanath
So the Supreme Court decision in that said that informational privacy is also a facet of the Right to Privacy. So if it is a fundamental right, if you infringe on that fundamental right, how does it happen? That’s the central question that we need to understand to sort of put Justice Srikrishna’s comments in perspective.

Shashank Bhargava
The judgement says that if the state has to infringe upon the Right to Privacy, which the Aarogya Setu app seems to do by making it mandatory, then it has to pass a three fold test.

Apurva Vishwanath
The first one is that it has to have legality. Which means there must be an existence of law. And by law, the court means a statute passed by the Parliament. So here is what Justice Srikrishna says – that there is no law which can back this move, through which the governments can say to its citizens that downloading the Aarogya Setu app is mandatory. And if you don’t, you will face a jail term.

Shashank Bhargava
These guidelines mandating people to download the app were actually issued by the National Executive Committee, which was set up under the Disaster Management Act. This committee comes up with guidelines that states are supposed to follow when dealing with a disaster. But what Justice Srikrishna points out is that this committee is not a statutory body and therefore their guidelines, especially ones that seem to infringe upon individual privacy, cannot be considered law.

Apurva Vishwanath
So the Supreme Court judgement in 2017 was sort of emphatic in recognising that informational privacy is a very important facet of the right to privacy. They said that the individual should have control on how their personal information is used. And the Supreme Court was assured by the government that a robust data protection framework, a law for that will be brought in very soon.

Shashank Bhargava
Back then the government had appointed a committee on data protection. This committee was headed by Justice Srikrishna himself. The committee later proposed a draft data protection law. The bill is yet to be brought to Parliament for approval.

Apurva Vishwanath
And that bill also dealt with issues like an individual’s consent and how important it is. So whether you can revoke your consent and under what conditions your consent can be obtained, and issues like that.

Shashank Bhargava
But an overarching law that looks at these individual privacy concerns doesn’t exist in India. Apurva also mentions how debates around this issue are reminiscent of those that took place around Aadhaar.

Apurva Vishwanath
Initially, the entire execution of the Aadhaar scheme, as it was called, was done by a notification. Was done through a notification issued by the erstwhile Planning Commission. It wasn’t backed by a Parliament made law. Which is why when it came up for scrutiny in court, the government passed a bill and ensured that there was some statutory backing to implementing Aadhaar in the country.

Shashank Bhargava
And so various privacy concerns around the app continue to loom large. About whether it can be used for surveillance in the future, or how will the app data be used or shared, and what happens if there is a breach.

We discussed some of these concerns with Malavika Raghavan. Malavika is a public policy researcher, a lawyer and heads the Future of Finance Initiative at Dvara Research, and she raised her concerns regarding data protection.

Malavika Raghavan
I mean, I think at the highest level when you’re talking about protecting personal information, you generally think about what are the processes and procedures you can put around how it is harvested. Should it be collected, and then how it’s used, right? And then things around quality checking that it actually represents the person that you say is going to represent. On all these counts, I really worry. One is we really don’t understand the data quality that’s coming out of this because my understanding of the app, again, is that it’s largely self assessment and self declaration driven. Which means you’re really relying on a person sitting in their homes on their phone, to declare themselves whether they think they are positive or not. If a public health authority, or even the national authorities diverting budgets, or trying to do some kind of disaster preparedness, or pandemic preparedness, based on this data, I really worry. The second major issue for me is that there is no use and disclosure policy at all.

Shashank Bhargava
The idea is that the user should know who all has access to their data and how it’s being used. She also expresses concerns about how hospitals and testing centres will have access to this data.

Malavika Raghavan
Because if we don’t have a sensible use and disclosure framework and a sensible data quality checking mechanism, I really worry about the kind of information we are looking at to make public health decisions in this stage. Whether that’s at an individual level, or at a country’s level.

Shashank Bhargava
She also points to specific privacy concerns that can affect the individual, based on how data is collected and how the app is designed.

Malavika Raghavan
The way that this data is collected is that it’s tied to you to your record, and then it’s pseudonymised, right? So you get a device ID, as I understand it. Now, it’s a static device ID. So if at one point it’s hacked, or if there’s a way that people can see that that record relates to you, there’s no way to update that. So a very basic privacy fix has been to have a dynamic device ID. A dynamic ID through which your health status and all that is recorded, anywhere. I think that’s quite important.

I think the other big one people have been talking about is GPS. Seems like India is an outlier. Nobody else to my mind currently collects GPS location every 15 minutes, as this app does. That’s quite unusual. And I understand from other experts who have been involved with Singapore’s TraceTogether app that they took the call that said bluetooth was what was required, because you need proximity and timestamp kind of information. And GPS is often inaccurate in a small range, and most people are in a lockdown. So you could actually not collect GPS without compromising contact tracing.

Shashank Bhargava
The app was initially marketed and pushed as a contact tracing app. But the government since then has said that the app data will be used to identify hotspots and visualize the outbreak.

Malavika Raghavan
And I think that is a very core thing about privacy is purpose limitation. You need to sit back, think what is it that you need personal information for and then set the purpose. That’s another core principle of privacy protection law which is purpose limitation. And also, I think connected to this is that larger issue we’re talking about right? Where does it fit in the public health response? So a) Do we have a systematic public health response to this crisis? Where is technology’s role? And if there is a risk that this technology is not only going to be for contact tracing for COVID, but we are going to use beyond that, as it’s currently being said for like authentication or for allowing people to go to work, these are related to the crisis, but they open up all these other questions about livelihoods and so on. Actually, how do you ensure that it’s done in a fair, just and reasonable way, as is required by the Constitution of India.

Shashank Bhargava
There are also security issues that have been highlighted about the app. One such person to do that is the ethical hacker Robert Baptiste, who is popularly known as Elliot Alderson. Last week, he was able to access through the app information about people who were COVID-19 infected and felt unwell, including people in sensitive offices like the PMO or Parliament. We spoke to Karishma Mehrotra about this. Karishma reports on the intersection of technology and politics for the newspaper.

Karishma Mehrotra
He essentially was able to find the number of people who are unwell or COVID-19 positive in a very small location. And he used that to, sort of, say that okay, if I’m in front of the PMO’s office or in the PMO office, this vulnerability would be able to show the hacker how many people are unwell showing symptoms, have their bluetooth on etc, etc, in this location. So he also said this might be a privacy issue for let’s say, if you can find out if your neighbour is unwell, or what your neighbour’s health status is. So the response from this from the government was multi-folded. One response that they gave before he came out with a security note was that most of the features that he’s described are actually aspects of the app that are useful. But to be clear, there’s not been an official response from the government since Elliot Alderson has come out with his security technical note.

Shashank Bhargava
A few days back Alderson had also pointed out data that leaked from the Sarthak app that the Madhya Pradesh government has been using. As per information shared by him, the COVID-19 dashboard on the state government’s website revealed, among other things, the name of the quarantined people, their device ID and name, GPS coordinates of their current locations, as well as the GPS coordinates of their office. He also shared the link of the site along with the screenshots of the leaked data.

Karishma Mehrotra
So the other thing that some IT officials talk about is in regards to a lot of desires from the hacker community and the civil society community to have the app open source.

Shashank Bhargava
When an application is open sourced, it allows its source code to be accessible to the public. Users have the right to study and modify the software. That way programmers and ethical hackers can spot bugs and improve on features that the developers may not have thought of.

Karishma Mehrotra
Now these calls have been coming since March. And some of the officials I talked to have said that they do hope to make the app open source. However, other officials that I speak to have told me that that’s not a top priority of theirs right now. And they sort of want people to focus on what they feel is the main problem at this point fighting the COVID-19 epidemic.

Shashank Bhargava
The app has been developed by the National Informatics Centre (NIC) which comes under the Ministry of Electronics and Information Technology. And addressing some of the concerns we have talked about, on Monday, the ministry released a set of protocols for the National Informatics Centre.

Karishma Mehrotra
The main purpose of this is to sort of delineate that the National Informatics Centre, which is under the IT Ministry, has primary responsibility for the data on this application. But it also distinguishes that all the data needs to be permanently deleted after 180 days.

Shashank Bhargava
That means after 180 days the data should be deleted from the app and the server. The data though could be held beyond it if there is “a specific recommendation made” by the empowered group on technology, which is one of the 11 empowered groups of officers formed to deal with lockdown issues.

Karishma Mehrotra
And it also allows for an individual to request to have their data removed. However, there’s no real delineation of how that request is made. The other norms that it lays out is in regards to the responsibility of those who the data is shared with. So for example, right now it’s shared heavily with the Ministry of Health, including the ICMR, and so those entities also have a certain amount of responsibility about the purpose for which this data is used. The NIC and these other entities all have to use this data only for appropriate health purposes and responses, and it can’t be used for other purposes.

Shashank Bhargava
The IT secretary also presented these protocols and highlighted how the data will be transferred across the system.

Karishma Mehrotra
So he mentioned that the most important or main sort of data set is this special surveillance system made by the health department, presumably that’s made by the Integrated Disease Surveillance Programme (IDSP). So that’s the state and district level data that is combined as well with testing sample data from ICMR, which the NIC is also building mobile applications for as well. Now, these data sets are combined with Aarogya Setu’s self assessment and bluetooth contact tracing data. All of those data sets, along with some data from the National Disaster Management Authority, are analysed to figure out what actions can be done.

Shashank Bhargava
But it is important to note that these are in essence just guidelines. They are not backed by any law that will address what will happen if these protocols are not followed. This is why Justice Srikrishna called them “akin to an inter-departmental circular.”

These protocols also run parallel to the app’s privacy policy which continues to remain a bit vague on future use of the data and on restrictions on who in the government can use the data.

But there is another question to consider. To what extent can Aarogya Setu help India in its fight against COVID-19?

Malavika Raghavan
So I think any intervention has to be seen as part of a broader public health response and pandemic preparedness.

Shashank Bhargava
That’s Malavika again.

Malavika Raghavan
And I think to that extent, this app in a vacuum and by itself, probably can’t make a big dent, unless it actually has some kind of clear link and loop with a broader, stronger public health response. I’m not hundred percent, or even much below that percentage, convinced that it’s going to in itself help India fight coronavirus. I think it’s something we have to wait and see. And often I think it depends very much on that first factor we were talking about. In that, how much is it used in conjunction with public health responses, because ultimately here this app is meant to help solve the crisis of a very virulent virus, that’s in our country and across the globe right now. So yeah, my broad understanding in a nutshell is that there isn’t any coherent understanding of whether this app actually results in solving for coronavirus anywhere in the world. And that’s why I think different countries are proceeding cautiously. There are probably a handful of countries now that have an app. It’s not by any means ubiquitous, but I think every single country is being watched very closely.

Shashank Bhargava
As far as contact tracing goes, there are experts that say that manual contact tracing can be far more effective. And experts have also said that for an app like Aarogya Setu to make a significant impact, at least 50% of the population would need to download it.

Malavika Raghavan
Now, I think one factor that I have not seen that much in the public debate is that…my understanding is that there are just 400 million smartphones in India, at last count. And there are no confirmed statistics on this. You have some of it from the ITU, you have other kind of mobile industry numbers out there, but if you’re seeing like less than half of the country has smartphones, and even if that’s grown, that means half of the country at least is on feature phones and this app was not built for the feature phones. And if at the get go, we need 50 to 60 to maybe more penetration in order for it to work, on the logic on which it’s built to work, then there at that level, I see a kind of logical inconsistency.

Shashank Bhargava
A few days after our conversation with Malavika, the government launched the Aarogya Setu Interactive Voice Response System for people with feature phones and landlines. This is a toll free service, where you will need to give a missed call and get a call back requesting for inputs regarding your health. You then get an SMS indicating your health status and alerts for your health moving forward. But since there will be no app on the phone, it is unclear to what extent it will help in contact tracing.

Malavika also questions the degree to which the government is focusing on the app.

Malavika Raghavan
Sometimes it strikes me, right…Here we are all having this conversation about the pluses and benefits of an app on the phone and this has nothing to do with personal protective equipments or the number of emergency beds or the oxygen supply or ICU, you know, and I kind of really question the prioritisation of the conversation and the resource here in India. Like if we have money, should we be spending that helping more people get PPE and actually doing more testing? Or is this just, I worry, is this just a distraction from the real issues over here? Because, you know, it’s much easier to release an app and then force people to download it on their phone. It’s much harder, I think, to have a conversation about how are we actually going to solve this health problem. So it doesn’t matter if other countries are having apps in our country, for our population with majority of feature phone users, is this the best way we can be spending our time and our conversation?

Shashank Bhargava
It is of course too early to see to what extent the app will end up helping India. But meanwhile what are some of the immediate steps that the government can take against some of the issues that we have discussed so far?

Malavika Raghavan
There are two, three immediate things that I think the government can do. And I think the reason I’m saying this, just to frame it up front, is I think the need of the hour when people are really under distress, if you want to build trust in governments is to increase trust, right? And not to resort to coercion. So what can we do to improve trust and to just give people the confidence that the government’s got this or at least somebody is thinking about these larger issues?

So I think one major important thing that the government should really take a call on is, do they need that GPS location? And if they do, then I think there is a need for a very, very clear use and disclosure policy. I think we’ve all talked about how the data is collected and when it should go to the government server, and I do appreciate the effort that a lot of the coders and I think some legal experts have taken to limit the number of times that the information goes from the phone to the government server. I think the big trick we’ve missed is what happens with it then.

Shashank Bhargava
Whether a person will be unfairly targeted and if they are what legal remedies will there be for it.

Malavika Raghavan
Because I think a lot of these concerns go back to that classic issue, when you’re talking about tracking somebody, is that it’s very easy. You might be tracking them for legitimate purposes and then you can use that same infrastructure to track them for illegitimate purposes. So I think that’s the heart of this, I think, to improve the app, the government needs to be very clear that any data that it is collecting, which is not strictly necessary, it needs to be clear about why it’s collecting the data. And second, when it’s collecting very sensitive things like GPS on a 15 minute basis, it needs to put some clear guardrails around who can and cannot use that data and put in place an oversight mechanism to ensure that this is not happening, right? Because we know that once the genie is out of the bottle, if there isn’t someone to blow the whistle, then who is to guard the guard themselves.


You can follow us and leave us feedback on Facebook and Twitter @expresspodcasts, or send us an email at podcasts@indianexpress.com. If you like this show, please subscribe and leave us a review wherever you get your podcasts, so other people can find us. You can also find us on https://indianexpress.com/audio.

More info
More less

Why has Aarogya Setu raised legal and privacy concerns?Since it was launched last month, the Aarogya Setu has raised several concerns. Not only about privacy, but also about the legality of making it mandatory. Earlier this week, the former Supreme Court Judge B N Srikrishna called the government mandating the app "utterly illegal". In this episode, we take a deep dive into the legal and privacy concerns around the app. Transcript: Shashank Bhargava Hi, I'm Shashank Bhargava and you're listening to 3 Things, The Indian Express news show. Over the course of the coronavirus outbreak in the country, the government's strategy against the virus has been evolving. From extending lockdowns, categorising different coloured zones and promoting social distancing, to changing the way it tests and treats people. And along with all this, the government has also been aggressively pushing the Aarogya Setu mobile app that it launched last month. It has now in many cases made it mandatory for people to download it. The app, as we have discussed in previous episodes, is essentially a contact tracing app that uses GPS coordinates and Bluetooth data to track your location, both on your own, as well as relative to other users, to see whether you have physically come close to someone suffering from COVID-19. It asks you to self assess and then informs you about the risk of your infection and also informs you about other users in your vicinity. The app by now has raised several concerns, not only related to privacy and data protection, but also about the legality of making it mandatory. In this episode, we take a deep dive into these issues. Now the govt had been extensively marketing the app from the beginning, urging people to download it, but it was on the 3rd of May that the govt issued guidelines saying that it was mandatory for employees of all public and private organisations to download the app. 
Deeptiman Tiwary The orders by the Central government were issued under the Disaster Management Act. Shashank Bhargava That's Deeptiman Tiwary who reports on issues of corruption and government agencies for The Indian Express. Deeptiman Tiwary And this is specific to employees to ensure that the employers know where their employees are coming from. If they're coming from containment zones or someplace which is heavily affected by the spread of coronavirus. And so that accordingly, they can take measures to ensure that others do not get infected, or take preventive measures. Shashank Bhargava Recently, an article published in the MIT Technology Review pointed out that this guideline made India perhaps the only democratic nation in the world to make a contact tracing app mandatory. So what happens if the employee doesn't download the app? Deeptiman Tiwary Given that it has been issued under the Disaster Management Act, if employees do not download this Aarogya Setu app and reach their offices, and the onus of ensuring this has been put on employers, then under the Disaster Management Act, if you violate guidelines issued by the Centre, you could be prosecuted and there is a punishment of up to 2 years and there is a fine also. The court may decide whether you should just be fined or you should be put in jail. Shashank Bhargava A few days after this, orders were also issued by the UP government for the residents of Noida. Deeptiman Tiwary In Noida, orders have been issued that everyone irrespective of whether you are an employer, employee, unemployed, housewife, sanitation worker, irrespective of who you are, rickshaw puller, everybody has to download the Aarogya Setu app. If you do not, the government orders have said that you will be prosecuted under Section 188 of the IPC. Shashank Bhargava These orders were issued under the Epidemic Diseases Act. An act that was introduced by the British colonial government to tackle the epidemic of bubonic plague in the 1890s. 
Deeptiman Tiwary Punishment for Epidemic Diseases Act is under Section 188 of the IPC. If you do not download the Aarogya Setu app, you could be prosecuted and be jailed for 6 months, or be fined. Shashank Bhargava Though there are still some questions that remain unanswered about these orders. Like, if an employee doesn't download the app, will he or she face the same consequences as the employer, who was supposed to be responsible for all employees to download the app? And what happens if you don't have a smartphone? The Noida police at least, was clear on that. Deeptiman Tiwary See, the Noida police has made it clear that only those with smartphones are bound by this law of downloading Aarogya Setu. If you do not have smartphones, and there are very many people among the poor sections of the society who do not have a smartphone, that is exempted. That is something that the law will consider because you cannot force people to buy a smartphone. So you cannot be prosecuted if you do not have a phone or a smartphone. Shashank Bhargava The app in some other instances has been used as a pass to cross inter state borders, Haryana recently mandated people coming from abroad to download it and when train services were resumed on Tuesday, the passengers were required to download it. This aggressive push has reflected in the app's growth. Till April 11, the app had 2.3 crore downloads. But yesterday, 31 days later, the app crossed 10 crore registered users. But the question is, can the government make it mandatory for people to download it? Is that legal? According to the Former Supreme Court Judge B N Srikrishna the answer is no. In fact, earlier this week he called the government mandating the app "utterly illegal". Now to understand why he said that, we need to take a look at a landmark judgment that the Supreme court made nearly three years ago. Apurva Vishwanath So, there is this 2017 landmark judgement which recognised that privacy is a fundamental right. 
Shashank Bhargava That's Apurva Vishwanath. She covers law for the Indian Express. Apurva Vishwanath So the Supreme Court decision in that said that informational privacy is also a facet of the Right to Privacy. So if it is a fundamental right, if you infringe on that fundamental right, how does it happen? That's the central question that we need to understand to sort of put justice Shri Krishna's comments in perspective. Shashank Bhargava The judgement says that if the state has to infringe upon the Right to Privacy, which the Aarogya Setu app seems to do by making it mandatory, then it has to pass a three fold test. Apurva Vishwanath The first one is that it has to have legality. Which means there must be an existence of law. And by law, the court means a statute passed by the Parliament. So here is what justice Shri Krishna says - that there is no law which can back this move, through which the governments can say to its citizens that downloading the Aarogya Setu app is mandatory. And if you don't, you will face a jail term. Shashank Bhargava These guidelines mandating people to download the app were actually issued by the National Executive Committee, which was setup under the Disaster Management Act. This committee comes up with guidelines that states are supposed to follow when dealing with a disaster. But what Justice Srikrishna points out is that this committee is not a statutory body and therefore their guidelines, especially ones that seem to infringe upon individual privacy, cannot be considered law. Apurva Vishwanath So the Supreme Court judgement in 2017 was sort of emphatic in recognising that informational privacy is a very important facet of the right to privacy. They said that the individual should have control on how their personal information is used. And the Supreme Court was assured by the government that a robust data protection framework, a law for that will be brought in very soon. 
Shashank Bhargava
Back then the government had appointed a committee on data protection. This committee was headed by Justice Srikrishna himself. The committee later proposed a draft data protection law. The bill is yet to be brought to Parliament for approval.

Apurva Vishwanath
And that bill also dealt with issues like an individual's consent and how important it is. So whether you can revoke your consent and under what conditions your consent can be obtained, and issues like that.

Shashank Bhargava
But an overarching law that looks at these individual privacy concerns doesn't exist in India. Apurva also mentions how debates around this issue are reminiscent of those that took place around Aadhaar.

Apurva Vishwanath
Initially, the entire execution of the Aadhaar scheme, as it was called, was done by a notification. Was done through a notification issued by the erstwhile Planning Commission. It wasn't backed by a Parliament made law. Which is why when it came up for scrutiny in court, the government passed a bill and ensured that there was some statutory backing to implementing Aadhaar in the country.

Shashank Bhargava
And so various privacy concerns around the app continue to loom large. About whether it can be used for surveillance in the future, or how will the app data be used or shared, and what happens if there is a breach. We discussed some of these concerns with Malavika Raghavan. Malavika is a public policy researcher, a lawyer and heads the Future of Finance Initiative at Dvara Research, and she raised her concerns regarding data protection.

Malavika Raghavan
I mean, I think at the highest level when you're talking about protecting personal information, you generally think about what are the processes and procedures you can put around how it is harvested. Should it be collected, and then how it's used, right? And then things around quality checking that it actually represents the person that you say is going to represent.
On all these counts, I really worry. One is we really don't understand the data quality that's coming out of this because my understanding of the app, again, is that it's largely self assessment and self declaration driven. Which means you're really relying on a person sitting in their homes on their phone, to declare themselves whether they think they are positive or not. If a public health authority, or even the national authorities diverting budgets, or trying to do some kind of disaster preparedness, or pandemic preparedness, based on this data, I really worry. The second major issue for me is that there is no use and disclosure policy at all.

Shashank Bhargava
The idea is that the user should know who all has access to their data and how it's being used. She also expresses concerns about how hospitals and testing centres will have access to this data.

Malavika Raghavan
Because if we don't have a sensible use and disclosure framework and a sensible data quality checking mechanism, I really worry about the kind of information we are looking at to make public health decisions in this stage. Whether that's at an individual level, or at a country's level.

Shashank Bhargava
She also points to specific privacy concerns that can affect the individual, based on how data is collected and how the app is designed.

Malavika Raghavan
The way that this data is collected is that it’s tied to you to your record, and then it's pseudonymised, right? So you get a device ID, as I understand it. Now, it's a static device ID. So if at one point it's hacked, or if there's a way that people can see that that record relates to you, there's no way to update that. So a very basic privacy fix has been to have a dynamic device ID. A dynamic ID through which your health status and all that is recorded, anywhere. I think that's quite important. I think the other big one people have been talking about is GPS. Seems like India is an outlier.
Nobody else to my mind currently collects GPS location every 15 minutes, as this app does. That's quite unusual. And I understand from other experts who have been involved with Singapore's TraceTogether app that they took the call that said bluetooth was what was required, because you need proximity and timestamp kind of information. And GPS is often inaccurate in a small range, and most people are in a lockdown. So you could actually not collect GPS without compromising contact tracing.

Shashank Bhargava
The app was initially marketed and pushed as a contact tracing app. But the government since then has said that the app data will be used to identify hotspots and visualize the outbreak.

Malavika Raghavan
And I think that is a very core thing about privacy is purpose limitation. You need to sit back, think what is it that you need personal information for and then set the purpose. That's another core principle of privacy protection law which is purpose limitation. And also, I think connected to this is that larger issue we're talking about right? Where does it fit in the public health response? So a) Do we have a systematic public health response to this crisis? Where is technology's role? And if there is a risk that this technology is not only going to be for contact tracing for COVID, but we are going to use beyond that, as it's currently being said for like authentication or for allowing people to go to work, these are related to the crisis, but they open up all these other questions about livelihoods and so on. Actually, how do you ensure that it's done in a fair, just and reasonable way, as is required by the Constitution of India.

Shashank Bhargava
There are also security issues that have been highlighted about the app. One such person to do that is the ethical hacker Robert Baptiste, who is popularly known as Elliot Alderson.
Last week, he was able to access through the app information about people who were COVID-19 infected and felt unwell, including people in sensitive offices like the PMO or Parliament. We spoke to Karishma Mehrotra about this. Karishma reports on the intersection of technology and politics for the newspaper.

Karishma Mehrotra
He essentially was able to find the number of people who are unwell or COVID-19 positive in a very small location. And he used that to, sort of, say that okay, if I'm in front of the PMO's office or in the PMO office, this vulnerability would be able to show the hacker how many people are unwell showing symptoms, have their bluetooth on etc, etc, in this location. So he also said this might be a privacy issue for let's say, if you can find out if your neighbour is unwell, or what your neighbour's health status is. So the response from this from the government was multi-folded. One response that they gave before he came out with a security note was that most of the features that he's described are actually aspects of the app that are useful. But to be clear, there's not been an official response from the government since Elliot Alderson has come out with his security technical note.

Shashank Bhargava
A few days back Alderson had also pointed out data that leaked from the Sarthak app that the Madhya Pradesh government has been using. As per information shared by him, the COVID-19 dashboard on the state government’s website revealed, among other things, the name of the quarantined people, their device ID and name, GPS coordinates of their current locations, as well as the GPS coordinates of their office. He also shared the link of the site along with the screenshots of the leaked data.

Karishma Mehrotra
So the other thing that some IT officials talk about is in regards to a lot of desires from the hacker community and the civil society community to have the app open source.
Shashank Bhargava
When an application is open sourced, it allows its source code to be accessible to the public. Users have the right to study and modify the software. That way programmers and ethical hackers can spot bugs and improve on features that the developers may not have thought of.

Karishma Mehrotra
Now these calls have been coming since March. And some of the officials I talked to have said that they do hope to make the app open source. However, other officials that I speak to have told me that that's not a top priority of theirs right now. And they sort of want people to focus on what they feel is the main problem at this point fighting the COVID-19 epidemic.

Shashank Bhargava
The app has been developed by the National Informatics Centre (NIC) which comes under the Ministry of Electronics and Information Technology. And addressing some of the concerns we have talked about, on Monday, the ministry released a set of protocols for the National Informatics Centre.

Karishma Mehrotra
The main purpose of this is to sort of delineate that the National Informatics Centre, which is under the IT Ministry, has primary responsibility for the data on this application. But it also distinguishes that all the data needs to be permanently deleted after 180 days.

Shashank Bhargava
That means after 180 days the data should be deleted from the app and the server. The data though could be held beyond it if there is “a specific recommendation made” by the empowered group on technology, which is one of the 11 empowered groups of officers formed to deal with lockdown issues.

Karishma Mehrotra
And it also allows for an individual to request to have their data removed. However, there's no real delineation of how that request is made. The other norms that it lays out is in regards to the responsibility of those who the data is shared with.
So for example, right now it's shared heavily with the Ministry of Health, including the ICMR, and so those entities also have a certain amount of responsibility about the purpose for which this data is used. The NIC and these other entities all have to use this data only for appropriate health purposes and responses, and it can't be used for other purposes.

Shashank Bhargava
The IT secretary also presented these protocols and highlighted how the data will be transferred across the system.

Karishma Mehrotra
So he mentioned that the most important or main sort of data set is this special surveillance system made by the health department, presumably that's made by the Integrated Disease Surveillance Programme (IDSP). So that's the state and district level data that is combined as well with testing sample data from ICMR, which the NIC is also building mobile applications for as well. Now, these data sets are combined with Aarogya Setu's self assessment and bluetooth contact tracing data. All of those data sets, along with some data from the National Disaster Management Authority, are analysed to figure out what actions can be done.

Shashank Bhargava
But it is important to note that these are in essence just guidelines. They are not backed by any law that will address what will happen if these protocols are not followed. This is why Justice Srikrishna called them "akin to an inter-departmental circular." These protocols also run parallel to the app's privacy policy which continues to remain a bit vague on future use of the data and on restrictions on who in the government can use the data.

But there is another question to consider. To what extent can Aarogya Setu help India in its fight against COVID-19?

Malavika Raghavan
So I think any intervention has to be seen as part of a broader public health response and pandemic preparedness.

Shashank Bhargava
That's Malavika again.
Malavika Raghavan
And I think to that extent, this app in a vacuum and by itself, probably can't make a big dent, unless it actually has some kind of clear link and loop with a broader, stronger public health response. I'm not hundred percent, or even much below that percentage, convinced that it's going to in itself help India fight coronavirus. I think it's something we have to wait and see. And often I think it depends very much on that first factor we were talking about. In that, how much is it used in conjunction with public health responses, because ultimately here this app is meant to help solve the crisis of a very virulent virus, that's in our country and across the globe right now. So yeah, my broad understanding in a nutshell is that there isn't any coherent understanding of whether this app actually results in solving for coronavirus anywhere in the world. And that's why I think different countries are proceeding cautiously. There are probably a handful of countries now that have an app. It's not by any means ubiquitous, but I think every single country is being watched very closely.

Shashank Bhargava
As far as contact tracing goes, there are experts that say that manual contact tracing can be far more effective. And experts have also said that for an app like Aarogya Setu to make a significant impact, at least 50% of the population would need to download it.

Malavika Raghavan
Now, I think one factor that I have not seen that much in the public debate is that...my understanding is that there are just 400 million smartphones in India, at last count. And there are no confirmed statistics on this. You have some of it from the ITU, you have other kind of mobile industry numbers out there, but if you're seeing like less than half of the country has smartphones, and even if that's grown, that means half of the country at least is on feature phones and this app was not built for the feature phones.
And if at the get go, we need 50 to 60 to maybe more penetration in order for it to work, on the logic on which it's built to work, then there at that level, I see a kind of logical inconsistency.

Shashank Bhargava
A few days after our conversation with Malavika, the government launched the Aarogya Setu Interactive Voice Response System for people with feature phones and landlines. This is a toll free service, where you will need to give a missed call and get a call back requesting for inputs regarding your health. You then get an SMS indicating your health status and alerts for your health moving forward. But since there will be no app on the phone, it is unclear to what extent it will help in contact tracing. Malavika also questions the degree to which the government is focusing on the app.

Malavika Raghavan
Sometimes it strikes me, right...Here we are all having this conversation about the pluses and benefits of an app on the phone and this has nothing to do with personal protective equipments or the number of emergency beds or the oxygen supply or ICU, you know, and I kind of really question the prioritisation of the conversation and the resource here in India. Like if we have money, should we be spending that helping more people get PPE and actually doing more testing? Or is this just, I worry, is this just a distraction from the real issues over here? Because, you know, it's much easier to release an app and then force people to download it on their phone. It's much harder, I think, to have a conversation about how are we actually going to solve this health problem. So it doesn't matter if other countries are having apps in our country, for our population with majority of feature phone users, is this the best way we can be spending our time and our conversation?

Shashank Bhargava
It is of course too early to see to what extent the app will end up helping India.
But meanwhile what are some of the immediate steps that the government can take against some of the issues that we have discussed so far?

Malavika Raghavan
There are two, three immediate things that I think the government can do. And I think the reason I'm saying this, just to frame it up front, is I think the need of the hour when people are really under distress, if you want to build trust in governments is to increase trust, right? And not to resort to coercion. So what can we do to improve trust and to just give people the confidence that the government's got this or at least somebody is thinking about these larger issues? So I think one major important thing that the government should really take a call on is, do they need that GPS location? And if they do, then I think there is a need for a very, very clear use and disclosure policy. I think we've all talked about how the data is collected and when it should go to the government server, and I do appreciate the effort that a lot of the coders and I think some legal experts have taken to limit the number of times that the information goes from the phone to the government server. I think the big trick we've missed is what happens with it then.

Shashank Bhargava
Whether a person will be unfairly targeted and if they are what legal remedies will there be for it.

Malavika Raghavan
Because I think a lot of these concerns go back to that classic issue, when you're talking about tracking somebody, is that it's very easy. You might be tracking them for legitimate purposes and then you can use that same infrastructure to track them for illegitimate purposes. So I think that's the heart of this, I think, to improve the app, the government needs to be very clear that any data that it is collecting, which is not strictly necessary, it needs to be clear about why it's collecting the data.
And second, when it's collecting very sensitive things like GPS on a 15 minute basis, it needs to put some clear guardrails around who can and cannot use that data and put in place an oversight mechanism to ensure that this is not happening, right? Because we know that once the genie is out of the bottle, if there isn't someone to blow the whistle, then who is to guard the guard themselves.

You can follow us and leave us feedback on Facebook and Twitter @expresspodcasts, or send us an email at podcasts@indianexpress.com. If you like this show, please subscribe and leave us a review wherever you get your podcasts, so other people can find us. You can also find us on https://www.indianexpress.com/audio.