The Karnataka High Court has passed an interim order prohibiting the Central Government and the National Informatics Centre (NIC) from sharing the response data given by an individual in the ‘Aarogya Setu’ app with other government departments and agencies. The application was introduced for contact tracing in the wake of Covid-19.

A Division Bench comprising Chief Justices AS Oka and Justice Vishwajith Shetty noted that prima facie there was no informed consent taken of users for sharing of response data as provided in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, as reported by Bar and Bench.

The court said, “Prima facie we hold that there is no informed consent of users of app for sharing of response data as provided in Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 as there is no reference to protocol in the terms of use and privacy policy available on the app.” But it has clarified that the order is limited only to the aspect of sharing of response data as per the Aarogya Setu protocol.

The interim order passed by the Bench read, “Prima facie we hold that informed consent of users of app is taken to what is provided in the privacy policy which is available through the app and therefore is informed consent of the user of the app which is limited to collection and manner of collection and use of information and retention of data as provided in privacy policy which is available on the app. However, it is made clear that the use and retention of information and data will be limited to what is provided in the privacy policy.”

As reported by LiveLaw, the Bench recorded the assurance of the Central Government that it will not deny any benefit or services to citizens only on the ground that Aarogya setu app was not installed. “We accept the assurance of the Government of India that it will not deny any benefit or services to a citizen only on the ground that he has not installed the Aarogya setu app”, the Bench said.

A writ petition was filed by cyber security activist Anivar Aravind who challenged the imposition of the Aarogya Setu app on citizens on the grounds of violation of right to privacy. Senior Advocate Dr. Colin Gonsalves, appearing for the petitioner submitted before the High Court that India is the only democratic nation which mandates the use of a mobile application like the Aarogya Setu Tracking Application.

He argued that the collection of personal data via the app is unconstitutional as it was in violation of the principles of the Supreme Court delivered in the KS Puttaswamy judgment, which declared right to privacy as a fundamental right under Article 21 of the Constitution.

LiveLaw reported that the petitioners have also submitted that the data collection and sharing was done without the support of an enacted law and that mere executive orders issued under the Disaster Management Act 2005 cannot be used to support the app, which was collecting and storing personal data of citizens.

The Central Government, on the other hand has contended that the implementation of the Aarogya Setu application is supported by law and was one of the measures adopted for containing Covid-19 in the country, that does not violate an individual’s privacy.

Related:

Aarogya Setu app in hot water due to MHA’s order of mandatory downloads

Covid-19: Does the Aarogya Setu app violate privacy?

The post Karnataka HC restrains Centre & NIC from sharing Aarogya Setu data appeared first on SabrangIndia.

On Tuesday, flummoxed by the inability of government officials to furnish details of who had created the Aarogya Setu app and where files were stored, the Central Information Commission (CIC) issued notices to Central Public Information Commissioners (CPIOs), National E-Governance Division (NeGD), Ministry of Electronics and Information Technology (MeitY) and the National Informatics Center (NIC) demanding why action should not be taken against them.

An interim order passed by the CIC said, “None of the CPIOs were able to explain anything regarding who created the App, where are the files, and the same is extremely preposterous.”

The CIC was “of the view that it is necessary to identify the source/ custodian of information in respect of the complainant’s request for obtaining access to records under this Act. The addressees cannot simply wash their hands off by stating that the information is not available with them. Some effort should have been put in to find out the custodian(s) of the information sought, by the concerned public authorities when apparently they are the relevant parties.”

The CIC ordered, “In view of the above observations, the Commission is constrained to issue a show cause notice to the concerned CPIOs 1. Shri S.K Tyagi, Deputy Director and CPIO, 2. Shri D K Sagar, Deputy Director Electronics 3. Shri R A Dhawan, Senior General Manager (HR & Admn) and CPIO NeGD 4. Shri Swarup Dutta, Scientist F and CPIO NIC to explain why penalty u/s 20 of the RTI Act should not be imposed on them for prima facie obstruction of information and providing an evasive reply.”

This was in response to an application filed under the Right to Information Act (RTI) demanding details of the app’s creators such as:

a) origin of proposal,

b) approval details,

c) companies,

d) people, govt. departments involved,

e) file notings related to the app,

f) comments on files by various officers,

g) copies of communications between private people involved in making/developing the app and government departments concerned, etc.

h) copies of request for collaboration with people from industry who have helped in making this app

i) all communications received from all contributors/advisers of this app who have helped make this app.

The RTI application also sought information about the law under which the app was created or if there is a proposal to enact such a law.

But the response from the officials was evasive with the NIC, the purported developer of the app itself stating it had no information about the creation of the app! The Department of Electronics for its part passed the application to NeGD who just said the information sought does not relate to them.  Therefore, the applicant moved CIC with a complaint requesting an urgent hearing “due to the immense public interest in the matter and need for immediate public scrutiny. He also had pointed out that any failure by the public authorities to perform their duties as outlined in the Protocol, 2020 and its failure to inform the usage of people’s personal and user data will have a severe and irreversible detrimental effect on people’s right to privacy and therefore their fundamental right to life and liberty. He also submitted that the Aarogya Setu App will be rendered useless once the pandemic is over. In such a situation, if the normal time period of waiting is followed, it would take almost 2 years for the first hearing to come up before this Commission. He further submitted that this would lead to the matter becoming infructuous and of no use.”

The CIC held a hearing where the complainant was present over video conferencing. The respondents were: Shri S.K Tyagi, Deputy Director and CPIO, Shri D K Sagar, Deputy Director Electronics and Shri R A Dhawan, Senior General Manager (HR & Admn) and CPIO NeGD.

In its interim order the CIC observed, “After hearing the averments of all the concerned parties and also the CPIO NIC who was present in this case on the basis of oral direction by the Commission, the denial of information by all the concerned authorities cannot be accepted at all. It is relevant to mention here that Sec 6(3) of the RTI Act cannot be used by public authorities to push off the matter.”

Section 6(3) of the RTI Act says, “Where an application is made to a public authority requesting for an information,— (i) which is held by another public authority; or (ii) the subject matter of which is more closely connected with the functions of another public authority, the public authority, to which such application is made, shall transfer the application or such part of it as may be appropriate to that other public authority and inform the applicant immediately about such transfer: Request for obtaining information. Provided that the transfer of an application pursuant to this sub-section shall be made as soon as practicable but in no case later than five days from the date of receipt of the application.”

The CIC’s interim order further noted, “The Commission observes that it is a current issue and it is not possible that there was no file movement while creating this App, a citizen cannot go round in circles to find out the custodian. The CPIO, NIC’s submissions that the entire file related to creation of the App is not with NIC is understandable, but the same submissions if accepted from MeITY, NeGD and NIC in toto, then it becomes more relevant to now find out how an App was created and there is no information with any of the relevant public authorities.”

Taking to task the errant officials, the order continues stating, “The Commission observed that none of the CPIOs provided any information. Therefore, the Commission directs the CPIO, NIC to explain this matter in writing as to how the website https://aarogyasetu.gov.in/ was created with the domain name gov.in, if they do not have any information about it. Moreover, the registry is directed to send an e-mail to the e-mail idsupport.aarogyasetu.gov.in as mentioned in the website directing them to send the concerned authority to be present before the Commission on the next date of hearing.”

The CIC oobserved, “Furthermore, as per the website https://aarogyasetu.gov.in/ it is mentioned that the content is owned, updated and maintained by the MyGov, MeitY. Therefore, Shri Tyagi is directed to explain in writing who is the concerned CPIO to explain regarding MyGov, MeiTY maintaining the app. The CPIO NIC also should explain that when in the website it is mentioned that Aarogya Setu Platform is designed, developed and hosted by National Informatics Centre, Ministry of Electronics & Information Technology, Government of India, then how is it that they do not have any information about creation of the App.”

The entire interim order by the CIC may be read here: 

All of this is especially significant given how there has been a push by various government agencies to download the app. In fact, the Prime Minister himself had included it in his famous ‘Saptapadi’ to fight the Coronavirus. During the third phase of the lockdown the Ministry of Home Affairs had passed an order making it mandatory for public and private sector employees to download the app. This led to a representation by 45 organisations and over 100 individuals to the Prime Minister’s Office (PMO) raising privacy concerns.

Related:

Covid-19: Does the Aarogya Setu app violate privacy?

Did MHA sneak in Aarogya Setu into our lives through a back door?

Aarogya Setu app in hot water due to MHA’s order of mandatory downloads

The post Aarogya Setu: Whose App is it anyway? appeared first on SabrangIndia.

As per a circular issued by the Bombay High Court, all courts in Maharashtra, Goa and the Union Territory of Dadra and Nagar Haveli shall continue taking up remand work and extremely urgent matters until further orders. This circular has been issued in furtherance of the previous circular dated April 16.

The circular advises Advocates, litigants as well as the court staff to download the Aarogya Setu mobile app, among other social distancing related advisories. The other advisories include:

1.       Identity proofs of Advocates and litigants shall be asked for at the entry point of the Court Complex.

2.       A register be maintained at the entry point of the court complex and names of the entrants be recorded in the said register, after verifying due identification.

3.       No person shall be permitted to enter the premises of Courts without wearing a mask.

4.       Anyone showing signs or symptoms of COVID-19, after his apparent screening, shall not be allowed to enter or remain in the Court rooms. To meet any exigencies, pursuant to anyone found with COVID-19 symptoms, an isolation room shall be earmarked to isolate the said
person and undertake the further course of action vis a vis further treatment at Hospital.

5.       At the entry point / gates of the Court Complex keep liquid soap and water for hand wash. At the entrance of each Court hall, as far as possible make provision of hand sanitizer.

6.       Necessary social distancing shall be maintained during the transaction of the Court business.
Wherever there is a provision of lift, it should be ensured that not more than fifty percent of
the capacity allowed at a time. As far as possible, the members of the Staff, Advocates and
Litigants who are young and not differently abled should be encouraged to make use of stairs for their own safety.

7.       The Advocates and Litigants shall be advised to follow strict social distancing while accessing any department of Courts.

8.       The Departments shall endeavor to allot a time slot to address any query on the part of

9.       Advocates and Litigants and adhere the time slot in consonance with the social distancing
mechanism.

10.   The Judges and the members of the staff, in the unlikely event of having any symptoms of COVID-19, are requested to immediately report the same to the Medical Center and also the Principal District Judge / Principal Judge and District Registry. Same request is also made to the High Court employees who shall report to the concerned Registrar of their Department.

While all other advisories are important for maintenance of social distancing, the advisory on downloading the Aarogya Setu app remains questionable. The circular has effectively allowed the surveillance app to make inroads into judiciary, a platform where the viability of the mandate to download the app could be challenged, is an irony in itself.

This advisory seems to be following the Ministry of Home Affairs guidelines released on May 1 which makes use of the app mandatory for both public and private sector employees. The order reads, “It shall be the responsibility of the head of the respective organisations to ensure 100% coverage of this app among employees.”

Ever since the App has been made covertly mandatory for public offices and is being imposed in one way or the other, questions have been raised on the privacy issue.

The privacy policy of the app states that the app will store your name, phone number, age, sex, profession and countries visited in the last 30 days on a government server and provide the uses with a unique digital ID (DiD). It further states, “The app continuously collects your location data and stores securely on your mobile device a record of all places you have been at 15 minute intervals. This information will only be uploaded to the Server along with your DiD, (i) if you test positive for COVID-19; and/or (ii) your self-declared symptoms indicate that you are likely to be infected with COVID-19; and/or (iii) the result of the self-assessment test is either YELLOW or ORANGE.” The app therefore, appears to come dangerously close to ringing privacy alarm bells.

Given how a person’s infected status would only show if they upload this information to the app and consequently the government server, the app also therefore, inadvertently discourages people from reporting symptoms or infection status, rendering the entire purpose of the app pointless!

But there are many more concerns, the chief of which is mass surveillance. This kind of surveillance will be difficult to combat as the rampant contact tracing is being justified as being in public interest.

The Internet Freedom Foundation has even sent a joint representation to the Prime Minister’s Office (PMO) signed by 45 organisations and over 100 individuals highlighting several privacy related concerns with the app.

The representation states, “In order to satisfy the proportionality standard adopted in Puttaswamy (Privacy), the use of any privacy infringing technology must satisfy five criteria. First, it must have a legislative basis. Second, it must pursue a legitimate aim. Third, it should be a rational method to achieve the intended aim. Fourth, there must not be any less restrictive alternatives which can also achieve the intended aim. Finally, the benefits must outweigh the harm caused to the right holder. In the present case, Aarogya Setu fails the very first prong of the proportionality standard because it does not have a legislative framework to govern its functioning and to ensure adequate procedural safeguards. In the absence of a legislative guarantee containing a sunset clause, sensitive personal data about health and movement of gig workers collected by the Aarogya Setu app could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.”

Related:

Covid-19: Does the Aarogya Setu app violate privacy?
Aarogya Setu app in hot water due to MHA’s order of mandatory downloads
Did MHA sneak in Aarogya Setu into our lives through a back door?

The post Bombay HC advises lawyers and litigants to download Aarogya setu App appeared first on SabrangIndia.

On May 1, the Ministry of Home Affairs (MHA) set the cat among the pigeons when it attempted to sneak into our lives the Aarogya Setu app through a backdoor. The MHA order and guidelines pertaining to the third phase of the lockdown said, “Use of Arogya Setu app will be made mandatory for all employees, both private and public. It shall be the responsibility of the head of the respective organisations to ensure 100% coverage of this app among employees.”

Soon after that brickbats started flying in from all quarters, most notably from Congress party leader Rahul Gandhi who tweeted, “The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight – raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.”

The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight – raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.

— Rahul Gandhi (@RahulGandhi) May 2, 2020

Now, the Internet Freedom Foundation has sent a joint representation to the Prime Minister’s Office (PMO) signed by 45 organisations and over 100 individuals highlighting several privacy related concerns with the app. Among the signatories are Teesta Setalvad, secretary Citizens for Justice and Peace, as well as CJP’s partner organisation All India Union of Forest Working People (AIUFWP).

The letter says, “We acknowledge the severity of the COVID-19 crisis which has gripped the country and maintain that it is especially during such public health emergencies that we must ensure the privacy and dignity of essential frontline workers is protected.”

It goes on to say, “The Aarogya Setu app has been heavily criticized for failing to adhere to internationally recognized data protection principles endorsed by the Hon’ble Supreme Court in the landmark judgement in K.S. Puttaswamy v. Union of India (2017 10 SCC 1).” The representation further adds, “In order to satisfy the proportionality standard adopted in Puttaswamy (Privacy), the use of any privacy infringing technology must satisfy five criteria. First, it must have a legislative basis. Second, it must pursue a legitimate aim. Third, it should be a rational method to achieve the intended aim. Fourth, there must not be any less restrictive alternatives which can also achieve the intended aim. Finally, the benefits must outweigh the harm caused to the right holder. In the present case, Aarogya Setu fails the very first prong of the proportionality standard because it does not have a legislative framework to govern its functioning and to ensure adequate procedural safeguards. In the absence of a legislative guarantee containing a sunset clause, sensitive personal data about health and movement of gig workers collected by the Aarogya Setu app could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.”

The representation also goes on to criticise the Aarogya Setu app for deviating from international best practices based on the following parameters:

a. Lack of Consent: The use of Aarogya Setu cannot be considered voluntary anymore as it has been made mandatory for delivery workers. Therefore, there is no scope for delivery workers to refuse consent or opt-out.

b. Lack of Data Minimization: Registration for the Aarogya Setu app requires sharing large amount of personal data: name, phone number, age, sex, profession, countries visited in the last 30 days and smoking habits. This is inconsistent with the principle of data minimization.

c. Lack of Transparency: While it is claimed that personal data collected by Aarogya Setu is aggregated and anonymized, there is no publicly available information about what processes and techniques are followed for aggregation and anonymization. This is relevant because there is high risk of re-identification unless personal data is properly anonymized. Therefore, the app must be subjected to thorough security testing by governmental and independent agencies.

d. Lack of Algorithmic Accountability: The Terms of Service for Aarogya Setu exempt the government from any liability arising out of misidentification of an individual’s COVID-19 status. Therefore, individuals are left at the mercy of opaque algorithms which perform risk assessment and do not have any remedy in case of false positives. If gig and platform workers were falsely identified as high-risk individuals by Aarogya Setu’s algorithm, they would be required to self- isolate and lose their income and freedom of movement.

e. Unauthorized Data Sharing and Risk of Function Creep: There is no prohibition on sharing of personal data collected by the Aarogya Setu app with third parties. The government is allowed to share this personal information with “other necessary and relevant persons” for “necessary medical and administrative interventions.” The Privacy Policy for Aarogya Setu fails to specify which government departments will have access to personal data collected by the app. Therefore, sensitive personal data collected for contact tracing may also be used by law enforcement agencies for punitive purposes.

f. Risk of external transfer and integration with other databases: Personal data collected by the Aarogya Setu may be transferred to an external cloud-based server and there is no guarantee that it will only be stored locally on the individual’s device. Reports suggest that the data collected by Aarogya Setu is being integrated with other databases maintained by the Indian Council for Medical Research and Integrated Disease Surveillance Programme. This is worrisome because it is difficult to delete such integrated datasets and secondary inferences at a later stage.

The joint representation makes the following recommendations:

a. Take cognizance of privacy concerns associated with Aarogya Setu and issue an advisory clarifying that use of the app should not be made mandatory for workers in the gig economy and also the traditional economy.

b. In addition to (a), to ensure greater safety, rely on certain methods of risk mitigation such as working with companies to provide daily temperature checks and personal protective equipment to all gig and platform workers who continue working during the COVID-19 pandemic.

c. Further, devise the right incentive structures both for companies and workers to ensure that gig and platform workers are able to sustain themselves during the lockdown and those displaying symptoms of COVID-19 are not forced to work to ensure their livelihood. This includes provisions for medical insurance and financial relief to all gig and platform workers who have been unable to work during the lockdown or have witnessed a significant decrease in earnings due to low demand.

The entire representation may be read here:

Related:

Covid-19: Does the Aarogya Setu app violate privacy?
Did MHA sneak in Aarogya Setu into our lives through a back door?

The post Aarogya Setu app in hot water due to MHA’s order of mandatory downloads appeared first on SabrangIndia.

When the Ministry of Home Affairs (MHA) issued an order containing guideline for the third phase of the lockdown on May 1, it set alarm bells ringing given how the order proved to be a virtual backdoor for mandatory universalization of the Aarogya Setu app.

Point 15 on page 7 of the MHA order says, “Use of Arogya Setu app will be made mandatory for all employees, both private and public. It shall be the responsibility of the head of the respective organisations to ensure 100% coverage of this app among employees.”

This is a very curious aspect of the lockdown order. Earlier, downloading the app was mandatory only for people who had been diagnosed as Covid-19 positive were required to use the app for monitoring purposes. For everyone else it was optional.

It is important to understand just how the Aarogya Setu app ‘protects’ the user. Actual protection from the disease can only come from frequently washing hands, wearing masks, practicing good hygiene and social distancing. However, the app alerts its users if a Covid-19 positive person is nearby, thereby allowing uninfected users to maintain distance. The app works by collecting a user’s location data and cross referencing it with the Covid-19 test database of the Indian Council of Medical Research (ICMR). The objective is to help people maintain distance from infected persons, in a bid to curb the spread of the infection. But what it also does is put a virtual bull’s eye on an infected person, making them vulnerable to stigmatization, ostracization or worse.

But the app has received nothing endorsement from those in the highest echelons of power. On April 14, during his famous Saptapadi address, Prime Minister Narendra Modi had himself urged people to download the app and even tweeted about it.

चौथी बात-
कोरोना संक्रमण का फैलाव रोकने में मदद करने के लिए आरोग्य सेतु मोबाइल App जरूर डाउनलोड करें।
दूसरों को भी इस App को डाउनलोड करने के लिए प्रेरित करें: PM @narendramodi #IndiaFightsCorona

— PMO India (@PMOIndia) April 14, 2020

Now that the MHA order requires one to mandatorily download the app, the nature of concerns in two-fold; invasion of privacy, given how the app tracks the location of the user, and the exclusion factor, given how only people with a smart phone can download the app, leaving those who are not privileged enough to own a smart phone devoid of the ‘protection’ the app purportedly provides.

Privacy Concerns

The privacy policy of the app states that the app will store your name, phone number, age, sex, profession and countries visited in the last 30 days on a government server and provide the uses with a unique digital ID (DiD). It further states, “The app continuously collects your location data and stores securely on your mobile device a record of all places you have been at 15 minute intervals. This information will only be uploaded to the Server along with your DiD, (i) if you test positive for COVID-19; and/or (ii) your self-declared symptoms indicate that you are likely to be infected with COVID-19; and/or (iii) the result of the self-assessment test is either YELLOW or ORANGE.” The app therefore, appears to come dangerously close to ringing privacy alarm bells.

Given how a person’s infected status would only show if they upload this information to the app and consequently the government server, the app also therefore, inadvertently discourages people from reporting symptoms or infection status, rendering the entire purpose of the app pointless!

But there are many more concerns, the chief of which is mass surveillance. This kind of surveillance will be difficult to combat as the rampant contact tracing will be justified as being in public interest.

The Internet Freedom Foundation (IFF) has raised several red flags with respect to Aarogya Setu and possible misuse of contact tracing for mass surveillance purposes. It says, “With the creation of such systems, come new risks of institutionalisation of mass surveillance. Critically, India lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform. In domains like disaster relief, most apps which are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement.”

The IFF also warns about the efficacy of such apps saying, “A lot of technology solutions with no demonstrable scientific value to the national response can be passed off as being in the public interest. It leads to poor deployment of public resources and also makes it difficult for crisis responders to discern between “snake oil” and quality technology products. These risks are exacerbated in technology markets since there are no adequate checks and balances in development phases which ensure quality.”
 

Exclusion factor

It is well known that despite the fact that the virus was brought into the country by people privileged enough to afford international travel, it had disproportionately affected the lives of the poor who are forced to live cheek-by-jowl in congested urban slums and low-income neighbourhoods located in cities where every square inch of space is an indicator of privilege. If it is essential to download the app because it ‘protects’ people, then are the lives of the poor less valuable?

On April 13, 2020 IFF released its working paper called Privacy Prescriptions for technology interventions on COVID-19 in India. In this report IFF addresses this very concern about Aarogya Setu and says, “Such systems inadvertently discriminate against regions which have fewer concentrations of smartphones. Specifically, it can lead to harmful outcomes for people residing in economically weaker areas. In countries public health systems are already creaking under the looming threat of capacity deficits. If such systems wrongly urge people to pre-emptively take tests then there is a risk that public health systems may be overwhelmed prematurely. It may also exacerbate the risks associated with the harvesting of personal data like health information, and also see the creation of new privacy invasive systems.”

Related:

Covid-19: Does the Aarogya Setu app violate privacy?

Saptapadi: Modi’s Se7en steps to fighting Covid-19

The post Did MHA sneak in Aarogya Setu into our lives through a back door? appeared first on SabrangIndia.

In a rather bizarre incident, the Jharkhand High Court has given bail to accused persons in two separate cases, on two conditions, that they should make donations to the PM CARES fund and that they should download the “Aarogya Setu” app. This is bizarre since the condition is completely unrelated to the crimes committed by the accused. One case is of former MP Som Marandi and others who were convicted under the Railways Act for holding a protest on railway tracks in Pakur, Jharkhand. The other case is of a person named Ravi Rai accused of theft.

In both cases, bail has been granted on two conditions as mentioned before. In both cases the accused persons’ counsels have themselves suggested that the accused are ready to deposit a certain sum in the PM CARES fund and the submission has been duly accepted by the court. Both cases have been heard by the single judge bench of Justice Anubha Choudhary who, while accepting the condition of depositing money in the PM CARES fund, added this unusual condition that the accused persons must download the Aarogya Setu app once they have been released from custody.

While it is surprising that downloading the app has become a bail condition, it is not unusual seeing various government offices encouraging people or its employees to download the app, commissioned by the Central government. What is this insistence on downloading the app? Who stands to benefit if a large number of people download this app? Are some of the questions that spring up when such kind of incidents occur.

Sabrang India recently did a report on what the app does and what are its privacy concerns. Basically, the app allows a user to identify any infected person around them, provided both people have downloaded the app. The objective is to help people maintain distance from infected persons, in a bid to curb the spread of the infection. The objective of the app is ‘contact tracing’ which is essential for fighting COVID19 but it would only work if the infected person updated such information on the app, otherwise it just remains to be a surveillance app that constantly tracks an individual’s movement.

The complete judgment can be read here.

Related:

Covid-19: Does the Aarogya Setu app violate privacy?

Is Justice Delivery not an Essential Commodity?

Whither Article 15?

The post Download Aarogya Setu app, donate to PM CARES: Jharkhand HC’s bizarre conditions for bail appeared first on SabrangIndia.

The Aarogya Setu app, launched just a fortnight ago by the government, as a tool to combat the Covid-19 pandemic, has already crossed over 5 crore downloads. However according to media reports, none other than the Indian army has reportedly found reason to be concerned about the app.

It is noteworthy that the army had urged its current and even retired jawaans to download the app. The official handle of the Additional Directorate General of Public Information, IHQ of MoD (Army), had tweeted on April 15, “Serving personnel, #Veterans & families of #IndianArmy advised to use “Aarogya Setu” App for duration of #COVID19.”

#COVID19

Serving personnel, #Veterans & families of #IndianArmy advised to use “Aarogya Setu” App for duration of #COVID19. pic.twitter.com/XwVjIEja3D

— ADG PI – INDIAN ARMY (@adgpi) April 15, 2020

Deccan Chronicle reported that the army had urged its jawaans to:

– avoid the app in office premises, operational areas and sensitive locations

– only switch on location services and bluetooth features while visiting public spaces or when they are engaged in managing isolation centers, while on call for COVID-19 related assistance to civil authorities and while out of cantonments or military stations for essential administrative duties

– not disclose service identity including rank and appointment

– ensure that their contact list should not contain any reference to rank, appointment or service

– install antivirus software on their cellphones.

But why is there so much concern about an app owned and operated by the government itself?

What is Aarogya Setu?

Aarogya Setu, which is Sanskrit for Health Bridge, is an app developed by the National e-Governance Division (NeGD) at the Ministry of Electronics and Information Technology (MeitY), and was released in association with the Ministry of Health and Family Welfare (MoHFW).

According to the app description on Google Play, “Aarogya Setu is a mobile application developed by the Government of India to connect essential health services with the people of India in our combined fight against COVID-19. The App is aimed at augmenting the initiatives of the Government of India, particularly the Department of Health, in proactively reaching out to and informing the users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.” The app is available on both, Google Playstore and iOS.

On April 14, during his famous Saptapadi address, Prime Minister Narendra Modi had himself urged people to download the app and even tweeted about it.

चौथी बात-
कोरोना संक्रमण का फैलाव रोकने में मदद करने के लिए आरोग्य सेतु मोबाइल App जरूर डाउनलोड करें।
दूसरों को भी इस App को डाउनलोड करने के लिए प्रेरित करें: PM @narendramodi #IndiaFightsCorona

— PMO India (@PMOIndia) April 14, 2020

How does it work?

Basically, the app would allow a user to identify any infected person around them, provided both people have downloaded the app. Also, the infected person should have used the appt to inform the government that they are either infected or are showing symptoms of the infection. The app works by collecting a user’s location data and cross referencing it with the Covid-19 test database of the Indian Council of Medical Research (ICMR). The objective is to help people maintain distance from infected persons, in a bid to curb the spread of the infection. But what it also does is put a virtual bull’s eye on an infected person, making them vulnerable to stigmatization, ostracization or worse.

Privacy concerns about Aarogya Setu

The privacy policy of the app states that the app will store your name, phone number, age, sex, profession and countries visited in the last 30 days on a government server and provide the uses with a unique digital ID (DiD). It further states, “The app continuously collects your location data and stores securely on your mobile device a record of all places you have been at 15 minute intervals. This information will only be uploaded to the Server along with your DiD, (i) if you test positive for COVID-19; and/or (ii) your self-declared symptoms indicate that you are likely to be infected with COVID-19; and/or (iii) the result of the self-assessment test is either YELLOW or ORANGE.” The app therefore, appears to come dangerously close to ringing privacy alarm bells.

Given how a person’s infected status would only show if they upload this information to the app and consequently the government server, the app also therefore, inadvertently discourages people from reporting symptoms or infection status, rendering the entire purpose of the app pointless!

But there are many more concerns, the chief of which is mass surveillance. This kind of surveillance will be difficult to combat as the rampant contact tracing will be justified as being in public interest.

What is ‘contact tracing’?

According to the World Health Organisation (WHO), closely watching contacts after exposure to an infected person will help the contacts to get care and treatment, and will prevent further transmission of the virus. This monitoring process is called contact tracing, which can be broken down into 3 basic steps:

• Contact identification: Once someone is confirmed as infected with a virus, contacts are identified by asking about the person’s activities and the activities and roles of the people around them since onset of illness. Contacts can be anyone who has been in contact with an infected person: family members, work colleagues, friends, or health care providers.
   
• Contact listing: All persons considered to have contact with the infected person should be listed as contacts. Efforts should be made to identify every listed contact and to inform them of their contact status, what it means, the actions that will follow, and the importance of receiving early care if they develop symptoms. Contacts should also be provided with information about prevention of the disease. In some cases, quarantine or isolation is required for high risk contacts, either at home, or in hospital.
   
• Contact follow-up: Regular follow-up should be conducted with all contacts to monitor for symptoms and test for signs of infection.

But the Internet Freedom Foundation has raised several red flags with respect to Aarogya Setu and possible misuse of contact tracing for mass surveillance purposes. It says, “With the creation of such systems, come new risks of institutionalisation of mass surveillance. Critically, India lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform. In domains like disaster relief, most apps which are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement.”

The IFF also warns about the efficacy of such apps saying, “A lot of technology solutions with no demonstrable scientific value to the national response can be passed off as being in the public interest. It leads to poor deployment of public resources and also makes it difficult for crisis responders to discern between “snake oil” and quality technology products. These risks are exacerbated in technology markets since there are no adequate checks and balances in development phases which ensure quality.”

It adds, “Such systems inadvertently discriminate against regions which have fewer concentrations of smartphones. Specifically, it can lead to harmful outcomes for people residing in economically weaker areas. In countries public health systems are already creaking under the looming threat of capacity deficits. If such systems wrongly urge people to pre-emptively take tests then there is a risk that public health systems may be overwhelmed prematurely. It may also exacerbate the risks associated with the harvesting of personal data like health information, and also see the creation of new privacy invasive systems.”

On April 13, 2020 IFF released its working paper called,  Privacy Prescriptions for technology interventions on COVID-19 in India. A significant portion of this working paper is dedicated to the proliferation of experimental contact tracing applications not just in India but across the world. Chapters 5-7 devote significant space in studying the emergent government and non-government practices, standard setting processes and first principles in the space. Chapter 7 of the paper studies three specific models of contact tracing including the Singapore Government’s Trace Together application, MIT’s Private Kit: Safe Paths initiative, and Aarogya Setu. The paper may be read here: 

International concerns about privacy

In Germany, where Angela Merkel’s government is all set to unveil a new app, concerns are already being raised about data privacy and surveillance capitalism. Julian Teicke, head of Berlin-based insurance start-up WeFox and a backer of a German-language app, developed by a group called Gesund Zusammen — or “Healthy Together”, told Financial Times, “Germany has gone through two terror regimes, so the consciousness about data privacy is higher than anywhere in the rest of the world.” He said that for it to work properly, 50 million Germans would have to download the app.

Covid-19 contact tracing apps in Europe must comply with its stringent privacy laws. It has therefore launched the Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project, that comprises more than 130 members across eight European countries, including scientists, technologists, and experts, to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps.  According to their manifesto, these technologies ensure “secure data anonymization” and “cross border interoperability”.  

Meanwhile Apple and Google released a joint statement addressing some of the privacy concerns raised so far. The statement says, “Across the world, governments, and health authorities are working together to find solutions to the COVID‑19 pandemic, to protect people and get society back up and running. Software developers are contributing by crafting technical tools to help combat the virus and save lives. In this spirit of collaboration, Google and Apple are announcing a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.”

Other apps like Aarogya Setu

Interestingly, Aarogya Setu isn’t the only Coronavirus related app. Many others like Corona Kavach, Cowin-20 and Test Yourself Goa and Test Yourself Puducherry have been launched so far. Karnataka’s Quarantine Watch has already received scathing criticism for making it mandatory for infected persons to send periodic selfies. Additionally, Maharashtra, Gujarat and Himachal Pradesh are also said to be developing similar apps.  

The post Covid-19: Does the Aarogya Setu app violate privacy? appeared first on SabrangIndia.