The recent Central government order, to make Aarogya Setu App - a pan - India
mobile application launched for contact tracing technology', endorsed by
Central Government, was made obligatory for public or private offices/organisations,
which has been encrusting legal as well technical encounters. It is tracking
app' which uses the smartphones GPS or Bluetooth features to track the COVID'19
virus infection, available for Android and iOS operating systems.
In a recent
government order, has made, the app mandatory for government employees, PSU's,
autonomous bodies and private organisations, which conveys whether the person is
safe or not, displaying level of risks, on the basis of self-assessment of the
symptoms, using colour coding of Green and Yellow, the data of such users
are uploaded in server and give the incidences of COVID'19 positives or suspects
patients in the person's neighbourhood. Government stated that it shall be the
accountability of the head of the respective organizations, to ensure 100%
coverage of this app among the employees.
The government could only offer this
large scale tool available for screening, amidst the lockdown across India.
Officials said that, physical screening or contact tracing of all people may not
be possible given the rising volume of infections. As per the government
statement the app offers two way safeguard for service providers as well as the
The controversy stirred when two ethical hackers from France, named Robert
Baptiste & Elliot Alderson, upstretched questions over the veracity of the app
vulnerability and privacy issues. They interrogated that data collected by the
app is sent to government servers, without authorised access.
As per the
hackers, there are security apprehensions as to web view activity and no host
validation. According to Elliot Alderson, any attacker can open app's internal
file, which have local data base, used by the app. The attacker, may also know
who is infected anywhere in India, in the area of his choice, due to app's
malfunctioning ability to know the location or radius of user.
Given that any
number of total users will be a subset of smartphone owners in India, and there
are bound to be variations in the levels of self-reporting, the efficacy is not
unassailable. Both hackers, upraised trepidations as to the Source Code of the
app, which means data collected by the app, passed on to whom, nobody really
knows. Also, the app may afford authorities to tamper with personal information
saved in device of user. The hackers, were sceptical that, app also miscarries
to elucidate the issues with respect to unauthorised access to user
Along with these contentions, the opposition leader Rahul Gandhi disparaged the
government's initiative of Aarogya Setu App, calling it as a sophisticated
surveillance system, raised his worries over serious data security or privacy
issues of user's at stake. He remarked, that technology can help us safe, but
fear must not be leveraged to track citizens without their consent'.
In numerous research, conducted by technical or cyber experts or NGO's, disputed
that the data is outsourced to a private operators, with no institutional
The Internet Freedom Foundation(IFF), stated that, India dearth's a
comprehensive data protection law and out-dated surveillance laws, that's why
the application would be unserviceable, and inadvertently differentiate against
regions which having smaller number concentrations of smartphones or low income
non smartphone users. Internet Freedom Foundation argued that if such systems
erroneously urge people to pre-emptively take tests then there is threat that
public health systems may be overwhelmed impulsively.
The Internet Freedom Foundation raised apprehension over the compliance of the
privacy standards, degree of institutional divergence, information collection,
purpose limitation, data storage and institutional divergence, transparency, and
recommended privacy instructions.. These concerns come amid confirmatory claims
by certain sections of the government and technology volunteer groups that the
department or ministry or officials or operator will be the ones retrieving that
data, in due course challenging the Source code' of the app.
Many legal experts & cyber security experts, outstretched their issue as to why
there is no ministry majorly involved as player in the application, specially
the Health Ministry? They argued that, health authorities are leading the
efforts to respond to COVID-19, in other countries. They've raised questions to
the involvement of multiple committees, setting up the Aroggya setu App, but no
press reports having reference of involvement of Ministry of Health and Family
Also there are entanglements as to the risk of misidentification or false
positive if the device is switched or is shared between people. Many hackers
emphasized that how algorithm based predictive models to determine tested
positive has material impact on people's civil liberties.
The legal experts or cyber analysts also argued that, the app goes against the
provisions of the Information Technology Act, as the app service provider would
tumble under the intermediaries' definition and is obliged to safeguard the
safety or security of the data collected, liable for the loss under the
intermediary guidelines. Meaning thereby, there shall be no liability for the
government, even if the personal information of users is leaked. The experts
argue that, there is lack of legislative framework for contact tracing. Also,
the unique digital identity in Aarogya Setu App is a static number, which
increases the probability of identity breaches.
The controversial app got foremost blow, when Noida Police had issue, mandatory
imposition of Aarogya setu App, along with Section 144 of the CRPC order.
Failing to have app in phone would be criminally prosecuted under the Section
188 of Indian Penal code, which is a penal provision invoked in case of
non-compliance of the guidelines or directives contained therein. Section 188
remains a cognizable, bailable, non-compoundable offence, deals with the offence
of disobedience to an order duly passed by a public servant. Notably, mens rea
is not an essential requirement for commission of an offence under this
section. The only requirement is contravening the order.
Now, as per the Section 195 of Criminal Procedure Code, 1972 which lays down a
special procedure scheme relating to taking cognizance by courts in relation to
certain offences, punishable under Section 171 to Section 188 IPC, except on a
written complaint of public servant. It means no private complaints are
entertained and it also bars a court from taking cognizance of this offence on
the basis of final report.
This procedural twist in the enforcement of Section
188 IPC has been flouted, or misconstrued, by police authorities, prosecuting
agencies or state authorities. The court proceeds with cognizance of the
offence, on final reports by public servant, which is comprehensive mockery of
the judicial process. Further, upon conjoint reading of Section 144 (1) CrPC,
orders cannot enforce positive obligations on persons to do certain acts, such
as download or install an App, on their smartphones, but can only direct them to
abstain from a certain act.
On the other hand, Ministry Officials jagged that such clauses, added to
disputed App are standard across the industries and the accountability is
certainly not unconstrained on any government or private operator. The
Government believes that, everyone is careful about the data and if anyone
abuses the system, the prompt legal stroke has been assured, but the Government,
else ways clarifies that, the entire accountability is not on them. The official
says the data of positive patients of corona virus are uploaded to the server in
an encrypted format; the government objective is only to protect people and,
if the technology allows it, stands fair.
As per Minister of Information & Technology, Ravi Shankar Prasad claims that the
app is designed to meet the highest standards of privacy. The app will be used
in response to COVID'19 crises, unlike Facebook or Google which don't have clear
purpose limitation, on how the data is used.
Zomato Founder Deepinder Goyal, also favoured the App, quoting the idea is to
keep individuals as well authorities informed in case they have crossed paths
with someone has tested positive for virus, to prevent the further spread.
Abishek Singh, CEO of MyGovIndia, told that the Indian Government be using data
only for certain critical purposes such as medical emergencies, the app will not
reveal anyone's personal details and asserted that, it has a robust data
security architecture. The app objective is to identify the potential cases. The
app could be the key for opening up the economy. Such apps might enable
governments to detect the outbreaks and prevent community transmission. They
will also serves as e-pass and health certificates, necessary for workers to
The mandatory use of Aarogya Setu app is authorized by the principle of
delegated legislation relationship between a Union and the States, under
Article 256-257 of the Indian Constitution. Upon the harmonious interpretation'
of the relations between Union - State, it can be inferred that, State Executive
has duty to exercise and ensure the compliance with Parliamentary
laws/rules/orders/regulations/directions for the maintenance of means of
communications, for the purpose of National Importance.
At last, it can be inferred that, by constructing mandatory imposition of such
apps, the fundamental rights as to liberty and privacy' construed in judicious
manner to be implemented. There are countries like Israel, Australia and
Singapore, which has used technology for tracing corona virus, but the,
Judiciary interceded to protect the citizen's privacy or security issues, goes
on to struck down such powers having deleterious impact on privacy.
In India, the Supreme Court in KS Puttaswamy's case, the fitting
prerequisite, as to a law authorising the involuntary use of apps, has not been
fulfilled. It can be perceived that government has no power to make the app's
use compulsory without legislative endorsement. There is no legislative guidance
for the app's purpose, functioning and the nature of the use of sensitive data
it collects. The governments or corporations have demonstrated enormous bad
faith with respect to data privacy, in recent years and same cannot be
disregarded in the Aarogya Setu App.
India lacks robust privacy or data protection laws, and no set of legal
standards for the protection of user's data, without any limitation of purpose.
It can be concluded, that the Government's initiative behind the app's
introduction might be good, as to keep a watch on the spread of the virus
infected persons, but the growing fears as to Individuals Privacy or Security
relating to data, is incommodious. This App might become a perpetual mass
surveillance instrument, which shall ensure that there is sufficient anonymizing
of data and its limited access. With robust legal framework, restructuring of
data protection laws, the present Indian government is duty bound to resort to
approaches that cause the least impairment as to citizen's privacy rights.
- Mohit Parihar, Advocate & Cyber Law Expert, Rajasthan High Court,
- Yamini Atreya, Research Scholar, Department of Law, University of