Technology cannot prevent the onset of a pandemic but it can educate, warn
and empower people. Dire circumstances like these call for optimum utilization
of technology to mitigate the impact of the pandemic. In April 2020, National
Informatics Centre (under the Ministry of Electronics and Information
Technology) developed a contact tracing mobile application, Aarogya Setu. It is
a syndromic mapping and self-assessment digital platform. It also offers access
to telemedicine, an e-pharmacy and diagnostic services in 12 languages. It
entered the 100 million users club recently. However, the app has faced a lot of
flak for its potential privacy and security flaws. This article is an attempt
to explore the role of this app during the pandemic, its privacy issues and the
various steps taken by the government to ensure security of the users in
accordance with the pending Personal Data Protection Bill, 2019 in the
How does the app assist the healthcare authorities?
To register for the app, the users have to provide their mobile number, name,
gender, age, profession, travel history in the past months and willingness to
volunteer in times of need. The app uses the phone's Bluetooth and GPS services
to keep track of app users as and when they come into proximity with other
users. It then alerts users if they have come in contact with a user
who has tested COVID-19 positive. Authorities trace such people and alert them.
However, users have to honestly update their health status, stating whether they
have been tested and are COVID-19 positive. Over 1.4 Lakh people were traced and
alerted by the authorities based on 13,000 COVID-19 positive users of the app.
This data further helps the authorities to segregate geographical areas based on
the level of risk, into hotspots or less-affected zones. The authorities issue
separate guidelines for each zone pertaining to movement of people, supply of
essential & other commodities etc.
In addition to this, the app also provides
daily updates about the total number of cases (infected & recovered) so that the
people are well informed and aware. To achieve higher accuracy and precise
results, the government focused on maximizing the coverage of the app. The Union
Home Ministry issued an order making it mandatory for both government and
private sector employees, and people in containment zones, to download the app on
On May 12, 2020, the Indian Railways announced it was mandatory
for those traveling in the special trains to download the app. In the initial
stages, participation on the app was voluntary, but these guidelines raised some
Privacy Concern & Criticism
The provisions of the present law [Information Technology Act, 2000 and
Information Technology (Reasonable security practices and procedures and
sensitive personal data or information) Rules, 2011] are not properly equipped
to deal with the current situation. One of the major drawbacks is that these
provisions apply only to corporate entities and not to the State. The right to
privacy under Article 21 is a fundamental right in the Constitution of India,
enforceable against the State, but apart from that we do not have a separate law.
Advocacy groups alleged that the government is using the app for mass
surveillance due to the absence of any legislation around privacy. Legal experts
stressed the need for a personal data protection law to back the government's
decision to make the app mandatory. Former Supreme Court Judge B N Srikrishna
who chaired the committee that came out with the first draft of the Personal
Data Protection Bill, termed the government's push mandating the use of the app
as illegal. Particularly with an increasing user base, the possibility of data
being shared with third parties was one of the biggest areas of concern.
A clause limiting the government's liability in case of unauthorized access to the
data made it worrisome. The app was not open source, which prevented it from
being audited for security flaws by independent coders, researchers and experts.
MIT Technology Review rated the app 2 out of 5 points (later downgraded to 1 out
of 5). The rating was based on an index developed to assess various contact
tracing apps across the world. The Indian app lost out on parameters related to
voluntary use and especially on transparency, as it collected more data than
required, like the location of the user.
A few weeks ago, a French cyber security expert claimed
that a security vulnerability in the app could allow an attacker to know who is
infected in any location of their choice. The UK government disallowed the
roll out of a similar contact tracing app mainly due to the absence of proper
legislation to deal with the issues mentioned above.
As per the head of the project, Arnab Kumar (Niti Aayog's programme director),
the app was built to the standards of a draft data privacy bill that is
currently in the country's parliament.
Here is a brief background of the bill:
The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the
Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on
December 11, 2019. The PDPB, inter alia, prescribes the manner in which personal
data is to be collected, processed, used, disclosed, stored and transferred.
The PDPB proposes to protect 'Personal Data' relating to the identity,
characteristics, trait, attribute of a natural person and 'Sensitive Personal
Data' such as financial data, health data, official identifier, sex life, sexual
orientation, biometric data, genetic data, transgender status, intersex status,
caste or tribe, religious or political beliefs.
The bill governs processing of data by: Government, Companies incorporated in
India, Foreign Companies dealing with personal data of individuals in India.
The bill sets up a Data Protection Authority which may take steps to protect
interests of individuals, prevent misuse of personal data and ensure compliance
with the bill.
Steps taken by government to ensure security of users.
Ministry of Electronics and IT secretary Ajay Sawhney claimed:
A lot of work
has been done over data privacy and privacy is an important aspect of Aarogya
collected at the time of registration is encrypted and stored on the app's
server. An anonymized unique device ID is created (DiD) for all users and future
interactions between users are strictly based on this DiD assigned to the device
of the user.
The results of the optional self-assessment test and the location
are also paired with the DiD. All contact tracing and location information
collected further is stored on the user's device; this information is uploaded
to the server only if the user tests COVID-19 positive. The data for
non-infected people is deleted after 30 days, 45 days in case the user has
undergone tests and 60 days if the user is tested positive.
The app is now open
source to the developer community and so they will be able to go through the
code and point out vulnerabilities. Their suggestions will help the government
fix loopholes. The government has also announced a bug bounty programme for
finding security flaws within the app. The app has made quite a few changes in
its policies in the last few weeks; the most significant one is the change in
the guidelines which does not make the app mandatory anymore. However,
travellers in trains and flights are advised to sign up to the app.
According to the PDPB, the Central Government of India (i.e., the State) is a
Data Fiduciary and has to comply with obligations set out for them. Data
Fiduciary is defined under clause 2 (13) of the PDPB as:
any person (natural or legal), including the State, a company, any juristic
entity or an individual who alone or in conjunction with others determines the
purpose and means of processing of personal data.
Here, data fiduciary is the State. The information sought is personally
identifiable data and the purpose of processing is to check the spread of the
virus for better handling of the situation.
The Bill allows processing of data by fiduciaries only if consent is provided by
the individual. However, in certain circumstances, personal data can be
processed without consent:
- if required by the State for providing benefits to the individual,
- legal proceedings,
- to respond to a medical emergency.
The central government may direct data fiduciaries to
provide it with any:
- non-personal data and
- anonymized personal data (where it is not possible to identify data
principal) for better targeting of services.
Had the PDPB been passed by now, the central government would
have invoked the exceptions available, considering it necessary in the wake of
the global pandemic.
As per the government, the data can be shared with universities for research
purposes after delinking details that can identify individuals. Any violation of
these directions may lead to penalties as per sections 51 to 60 of the Disaster
Management Act, 2005 and other provisions as may be applicable.
The app raises some important issues relating to privacy and security of users.
It proves that a robust data protection mechanism is the need of the hour.
Another important aspect is that the government is fixing these issues to some
extent for the betterment of the public at large, ensuring that there is no data
epidemic after the pandemic.
Apart from these issues, the app is successful in assisting the healthcare
authorities in numerous ways, as discussed above. It is a helping hand in my
opinion. Technology is playing a crucial role in keeping society somewhat
functional and making us resilient. Some of these technologies will have a
long-lasting impact beyond COVID-19. We need to make the best possible use of
technology in tackling the problem at hand instead of making technology the
Written By: Bhavik Chheda