
Aarogya Setu App-A surveillance tool or a helping hand?

Technology cannot prevent the onset of a pandemic but it can educate, warn and empower people. Dire circumstances like these call for optimum utilization of technology to mitigate the impact of the pandemic. In April 2020, the National Informatics Centre (under the Ministry of Electronics and Information Technology) developed a contact tracing mobile application, Aarogya Setu. It is a syndromic mapping and self-assessment digital platform.

It also offers access to telemedicine, an e-pharmacy and diagnostic services in 12 languages. It entered the 100 million users club recently. However, the app has faced a lot of flak for its potential privacy and security flaws. This article is an attempt to explore the role of this app during the pandemic, its privacy issues and the various steps taken by the government to ensure security of the users in accordance with the Personal Data Protection Bill, 2019, pending in the parliament.

How does the app assist the healthcare authorities?

To register for the app, users have to provide their mobile number, name, gender, age, profession, travel history in the past months and willingness to volunteer in times of need. The app uses the phone's Bluetooth and GPS services to keep track of app users as and when they come in proximity of other users. It then alerts users if they have come in contact with a user who has tested COVID-19 positive. Authorities trace such people and alert them.

However, the user has to honestly update his/her health status whether he/she has been tested and is COVID-19 positive. Over 1.4 Lakh people were traced and alerted by the authorities based on 13,000 COVID-19 positive users of the app. This data further helps the authorities to segregate geographical areas based on the level of risk, into hotspots or less-affected zones. The authorities issue separate guidelines for each zone pertaining to movement of people, supply of essential & other commodities etc.

In addition to this, the app also provides daily updates about the total number of cases (infected & recovered) so that people are well informed and aware. To achieve higher accuracy and precise results, the government focused on maximizing the coverage of the app. The Union Home Ministry issued an order making it mandatory for both government and private sector employees, and for people in containment zones, to download the app on their devices.

On May 12, 2020 the Indian Railways announced it was mandatory for those traveling in the special trains to download the app. In initial stages, participation on the app was voluntary but these guidelines raised some eyebrows.

Privacy Concern & Criticism

The provisions of the present law [Information Technology Act, 2000 and Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011] are not properly equipped to deal with the current situation. One of the major drawbacks is that it is only applicable to corporate entities and not to the State. Right to privacy under Article 21 is a fundamental right in the Constitution of India enforceable against the State, but apart from that we do not have a separate law.

Advocacy groups alleged that the government is using the app for mass surveillance due to the absence of any legislation around privacy. Legal experts stressed the need for a personal data protection law to back the government's decision to make the app mandatory. Former Supreme Court Judge B N Srikrishna, who chaired the committee that came out with the first draft of the Personal Data Protection Bill, termed the government's push mandating the use of the app as illegal. Particularly with an increasing user base, the possibility of data being shared with third parties was one of the biggest areas of concern.

A clause limiting the government's liability in case of unauthorized access to the data made it worrisome. The app was not open source, which prevented it from being audited for security flaws by independent coders, researchers and experts. MIT Technology Review rated the app 2 out of 5 points (further degraded to 1 out of 5). It was based on an index developed to assess various contact tracing apps across the world. The Indian app lost out on parameters related to voluntary use and especially on transparency, as it collected more data than required, like the location of the user.

A few weeks ago, a French cyber security expert claimed that a security vulnerability in the app could allow an attacker to know who is infected in any location of his choice. The UK government disallowed the roll out of a similar contact tracing app mainly due to the absence of proper legislation to deal with the issues mentioned above.

As per the head of the project, Arnab Kumar (Niti Aayog's programme director), the app was built to the standards of a draft data privacy bill that is currently in the country's parliament.

Here is a brief background of the bill:

The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The PDPB inter alia, prescribes the manner in which personal data is to be collected, processed, used, disclosed, stored and transferred.

The PDPB proposes to protect 'Personal Data' relating to the identity, characteristics, traits or attributes of a natural person and 'Sensitive Personal Data' such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political beliefs.

The bill governs processing of data by: Government, Companies incorporated in India, Foreign Companies dealing with personal data of individuals in India.

The bill sets up a Data Protection Authority which may take steps to protect interests of individuals, prevent misuse of personal data and ensure compliance with the bill.

Steps taken by government to ensure security of users

Ministry of Electronics and IT secretary Ajay Sawhney claimed:

A lot of work has been done over data privacy and privacy is an important aspect of Aarogya Setu.

According to the privacy policy of the app, the preliminary data collected at the time of registration is encrypted and stored on the app's server. An anonymized unique device ID (DiD) is created for all users, and future interactions between users are strictly based on the DiD assigned to the user's device.

The results of the optional self-assessment test and the location are also paired with the DiD. All contact tracing and location information collected further is stored on the user's device; this information is uploaded to the server only if the user tests COVID-19 positive. The data for non-infected people is deleted after 30 days, 45 days in case the user has undergone tests and 60 days if the user is tested positive.

The app is now open source to the developer community, so they will be able to go through the code and point out vulnerabilities. Their suggestions will help the government fix loopholes. The government has also announced a bug bounty programme for finding security flaws within the app. The app has made quite a few changes in its policies in the last few weeks; the most significant one is the change in the guidelines, which no longer make the app mandatory. However, travellers in trains and flights are advised to sign up to the app.

According to the PDPB, the Central Government of India (i.e., the State) is a Data Fiduciary and has to comply with obligations set out for them. Data Fiduciary is defined under clause 2 (13) of the PDPB as:
any person (natural or legal), including the State, a company, any juristic entity or an individual who alone or in conjunction with other determines the purpose and means of processing of personal data.

Here, data fiduciary is the State. The information sought is personally identifiable data and the purpose of processing is to check the spread of the virus for better handling of the situation.
The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent.

These include:
  1. if required by the State for providing benefits to the individual,
  2. legal proceedings,
  3. to respond to a medical emergency.

The central government may direct data fiduciaries to provide it with any:
  1. non-personal data and
  2. anonymized personal data (where it is not possible to identify data principal) for better targeting of services.

If the PDPB had been passed as of date, the central government would have invoked the available exceptions, considering it necessary in the wake of the global pandemic.
As per the government, the data can be shared with universities for research purposes after delinking details that can identify individuals. Any violation of these directions may lead to penalties as per sections 51 to 60 of the Disaster Management Act, 2005 and other provisions as may be applicable.

The app raises some important issues relating to privacy and security of users. It proves that a robust data protection mechanism is the need of the hour. Another important aspect is that the government is fixing these issues to some extent for the betterment of public at large, ensuring that there is no data epidemic after the pandemic.

Apart from these issues, the app is successful in assisting the healthcare authorities in numerous ways, as discussed above. It is a helping hand in my opinion. Technology is playing a crucial role in keeping the society somewhat functional and making us resilient. Some of these technologies will have a long lasting impact beyond COVID-19. We need to make the best possible use of technology in tackling the problem at hand instead of making technology the problem.

Written By: Bhavik Chheda
