On Monday, the Indian government released a new set of protocols for the use and processing of data collected by its Aarogya Setu app.
The guidelines have been released amid widespread privacy concerns raised by legal experts and rights bodies as the app is slowly being made mandatory in the daily life of millions of Indians.
Over 100 million people have registered with the app so far.
The government launched the app on April 2. Soon, startups such as Swiggy, Zomato, Urban Company and Grofers had made it mandatory for their frontline staff to use the app. Amazon and Flipkart recommended it to their workers.
That’s not all. The National Centre for Disease Control director reportedly recommended that the app be made mandatory for people entering Delhi.
The CISF proposed the app should be made compulsory for passengers when Delhi Metro resumed services.
A month later, the Indian government had made the app mandatory for citizens living in an identified COVID-19 containment zone and all employees in the public and the private sector.
The Noida police said people living in or travelling to Noida and Greater Noida could be booked for not having Aarogya Setu installed on their smartphones. The Delhi government wanted stranded migrant workers, tourists, pilgrims and students to be encouraged to download the app.
Now, as the government carries out a gigantic evacuation exercise, Indians being brought back to the country need to register on the app.
As the railways prepare to partially resume services, passengers will need to download the app on their phones.
In just over a month, an app once touted as voluntary has become almost ubiquitous.
Former Supreme Court Judge BN Srikrishna, who chaired the committee which came out with the first draft of the Personal Data Protection Bill, told the Indian Express that making the app mandatory was “utterly illegal”.
So what exactly are privacy advocates worried about with Aarogya Setu?
1. Legality of making the app mandatory
According to MIT Technology Review’s Covid Tracing Tracker, India is currently the only democratic nation in the world that has made its coronavirus tracking app mandatory for people.
Before the app was made mandatory, Vrinda Bhandari of Internet Freedom Foundation told The Quint that this would have to be done “under the authority of law, and will have to satisfy the necessity and proportionality test for the violation of privacy – this will look, for instance, what is the data being collected, how long is it stored for, what are the deletion protocols in place.”
It was not enough to mandate its use under the Disaster Management Act; a law authorising the app’s use needed to exist. “Any such law has to be specific and explicit with respect to the rights that it seeks to infringe, the bases of infringement, the procedural safeguards that it establishes, and so on,” lawyer and legal scholar Gautam Bhatia wrote in The Wire.
Bhatia also said, ”... if the state is going to mandate an intrusive, data-collecting app upon its citizens, then the least that ought to be done is that it be authorised by the citizens’ elected representatives, in parliament.”
The Internet Freedom Foundation pointed out: “Critically, India lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform. In domains like disaster relief most apps which are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement.”
2. Using GPS and Bluetooth
Aarogya Setu uses the phone’s Bluetooth and GPS to track the user’s movement, making it more invasive than other such apps.
The new norms announced by the government on Monday allow it to collect demographic, contact, self-assessment and location data of persons infected by the coronavirus or those who come in contact with the infected person.
According to Livemint, other apps collect just one data point which is later replaced with a scrubbed device identifier, but Aarogya Setu collects multiple data points for personal and sensitive personal information which increases privacy risks.
SFLC said the government needed to prove data was anonymised properly.
While the app also does not specify which government departments will have access to the database, the new protocol says data can be shared with the Indian government, and all the agencies that are granted access to the data must use it only for the purpose for which it has been shared and delete it after 180 days. NIC will maintain a list of agencies that get this access.
Abhishek Singh, the chief executive of MyGovIndia, which developed Aarogya Setu, told The Guardian last week that the government would use information only for necessary medical interventions. “Data is not going to be used for any other purpose. No third party has access to data,” he said.
Meanwhile, the new protocol mentions that personal data will be anonymised when it is shared with third parties.
“The government cannot just say something is anonymised and aggregated so no longer personally identifiable without showing its citizens how it is ensuring this. This level of transparency is a minimum, since the vulnerability of anonymised datasets to people’s informational privacy and security is well documented in information security communities.”
3. It’s not open source
“If you force people to install an app by law, the bare minimum is to open source this code,” said ethical hacker and cyber security researcher Baptiste Robert, who goes by the name Elliot Alderson online.
Aarogya Setu’s code is not open source, despite the government’s policy to make code for its apps available to the public.
Since the app is not open source, its code and methods can’t easily be reviewed by third parties, the MIT Technology Review says.
“Making the source code available enhances transparency and this also improves security as the code is open to community audit. The app primarily collects personal data from user cellphones and cellphones are an immense repository of personal data of users and sometimes, of a user’s contacts and acquaintances. In this scenario, keeping the source code of such an app proprietary is not advisable,” says the Software Freedom Law Center.
According to the Internet Freedom Foundation, the app also “prohibits external good faith actors from reverse engineering the application for further scrutiny, information security and other related research which help facilitate stability.”
Contrast this with Singapore’s TraceTogether app and the contact tracing app used by the United Kingdom’s National Health Service, which are both open source.
A day after Alderson pointed out gaps in the app’s security, NITI Aayog programme director Arnab Kumar said that the government was considering open sourcing the code for the app, though a decision has still not been taken.
4. The lifespan of the app and its data systems
Kumar said last week that the data is deleted on a rolling basis after, at most, 60 days for sick individuals and 30 days for healthy people. Personal information is removed from the server after 45 days.
The government’s new protocol says data must be permanently deleted after 180 days “from the date on which it is collected”. It also allows individuals to seek deletion of their data within 30 days of raising the request.
The Internet Freedom Foundation has said researchers and individual users cannot actually check if the government has deleted people’s personal information and there is no means of transparently auditing what the app is doing in the backend.
The government’s new protocol will also allow it to hold on to data beyond 180 days if “a specific recommendation …. is made” by the empowered group on technology, Indian Express reported.
The MIT Technology Review pointed out that there was no public sunset clause stating when the app will stop being mandatory.
IFF noted that the government had not stated any defined period by which it intends to review, delete and ultimately destroy the systems and data it collects.
“... there are already reports which confirm that this server is being linked with other government datasets. Such linking increases risks of permanent systems of mass surveillance,” the foundation said.
The Guardian’s Hannah Ellis-Petersen wrote: “Unlike in most other countries, there is no transparency on the limitations on the lifespan of database and no binding policy that it will not be repurposed after the pandemic.”
5. Data breach
Alderson had last week pointed out an issue in the app that had allowed him to access any internal file on it.
The hacker said it let him pick any area of his choice and check who was infected, unwell and had made a self-assessment. “Basically, I was able to see if someone was sick at the PMO office or the Indian parliament. I was able to see if someone was sick in a specific house if I wanted,” he said.
While the government strongly denied any data breach and declared the app safe, Alderson said the issue had been quietly fixed after he pointed it out.
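Two of the concerns above have a concrete technical shape: the claim in section 2 that shared data is “anonymised and aggregated”, and the ability described in this section to pick an area and see whether someone there was sick. The following is an added example, not code from Aarogya Setu or any party quoted in the article, showing the check a data-protection engineer would run on a release of demographic and location records: measure k-anonymity over the quasi-identifiers (age band, gender, location cell), coarsen and suppress until every record has at least k look-alikes, and refuse to answer area-level counts below a minimum threshold. The records, age bands, grid cells and coarsening tables are all constructed for illustration.

```python
from collections import Counter

# Constructed sample records of the kind the article says the app collects
# (demographic, location, self-assessment). Every value here is made up.
RECORDS = [
    {"age_band": "30-39", "gender": "M", "cell": "grid-A1", "status": "sick"},
    {"age_band": "30-39", "gender": "M", "cell": "grid-A1", "status": "healthy"},
    {"age_band": "30-39", "gender": "M", "cell": "grid-A1", "status": "healthy"},
    {"age_band": "60-69", "gender": "F", "cell": "grid-B7", "status": "sick"},
    {"age_band": "20-29", "gender": "F", "cell": "grid-A1", "status": "healthy"},
    {"age_band": "20-29", "gender": "F", "cell": "grid-A1", "status": "healthy"},
]

# Fields that are not direct identifiers but, combined, can single a person out.
QUASI_IDS = ("age_band", "gender", "cell")

# Hypothetical coarsening tables (assumed for this example, not from any protocol).
AGE_MAP = {"20-29": "adult", "30-39": "adult", "60-69": "senior"}
CELL_MAP = {"grid-A1": "north", "grid-B7": "north"}


def _key(record, quasi_ids=QUASI_IDS):
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class over the quasi-identifiers (the k)."""
    groups = Counter(_key(r, quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def reidentifiable(records, k_min, quasi_ids=QUASI_IDS):
    """Records whose quasi-identifier combination occurs fewer than k_min times."""
    groups = Counter(_key(r, quasi_ids) for r in records)
    return [r for r in records if groups[_key(r, quasi_ids)] < k_min]


def generalise(records):
    """Coarsen age band and location cell; the status column is kept for analysis."""
    return [
        {**r, "age_band": AGE_MAP[r["age_band"]], "cell": CELL_MAP[r["cell"]]}
        for r in records
    ]


def suppress(records, k_min, quasi_ids=QUASI_IDS):
    """Drop every record that sits in an equivalence class smaller than k_min."""
    small = {_key(r, quasi_ids) for r in reidentifiable(records, k_min, quasi_ids)}
    return [r for r in records if _key(r, quasi_ids) not in small]


def area_counts(records, min_count):
    """Sick-user count per cell. Cells below min_count are reported as None, so a
    query for a small area cannot reveal whether a particular resident is sick."""
    sick = Counter(r["cell"] for r in records if r["status"] == "sick")
    cells = sorted({r["cell"] for r in records})
    return {c: (sick[c] if sick[c] >= min_count else None) for c in cells}


if __name__ == "__main__":
    print("k of raw records:", k_anonymity(RECORDS))
    coarse = generalise(RECORDS)
    print("k after coarsening only:", k_anonymity(coarse))
    safe = suppress(coarse, k_min=2)
    print("k after coarsening and suppression:", k_anonymity(safe), "records kept:", len(safe))
    print("area counts with threshold 5:", area_counts(RECORDS, min_count=5))
```

On the sample data the raw release has k = 1 (the single 60-69 female in grid-B7 is unique), and coarsening alone does not fix that; only suppressing the singleton class brings k up to 2. The per-area count function returns None for both cells at a threshold of 5, which is the behaviour that would have prevented the "is someone sick in this house" style of query the article describes. The point for a reviewer of the protocol is that "anonymised" is a measurable property, not a label.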
This was not the first such incident. In April, a New York Times report said the app had exposed some users’ location data to YouTube. Google told the NYT that the app seemed to have inadvertently sent location data and that YouTube would delete it. While the government admitted to fixing the issue, it did not explain exactly how many users had been affected by the breach.
6. No liability
SFLC notes that the liability clause in the app’s Terms of Service exempts the Government from liability in the event of “any unauthorised access to the (user’s) information or modification thereof”, meaning there is no liability for the Government even if personal information of users is leaked.
It also limits the government’s liability if the app provides inaccurate information or shows false positives.
IFF says this means citizens cannot hold the government accountable or seek judicial remedy if they want to ensure the government’s processes are compliant with the right to privacy.
Justice Srikrishna said the Aarogya Setu Data Access and Knowledge Sharing protocol was akin to an inter-departmental circular. “It is good that they are keeping with the principles of the Personal Data Protection Bill but who will be responsible if there is a breach? It does not say who should be notified,” he told the Indian Express.