Is Aarogya Setu the next Aadhaar Project? – By Shivani Agarwal and Samaksh Khanna


I. Background

While announcing the extension of the lockdown, Prime Minister Narendra Modi urged everyone to download ‘Aarogya Setu’ (“the app”), an application developed by the Government of India as a measure to combat the spread of COVID-19.

The app requires access to the location and Bluetooth of the device in order to determine proximity to anyone who may have tested positive for COVID-19. As per clause 1(a) of the privacy policy of the app, it collects the following information:

The policy further states that, instead of storing this information directly, the app derives a Digital ID (“DiD”) unique to each person. When two people with the app on their phones come into contact, the contact information is stored on the other person’s device for a period of 30 (thirty) days and is uploaded to the government’s servers as well. If a person has not tested positive for COVID-19, the information on the government’s server is deleted after 45 (forty-five) days.

II. Privacy and other concerns

a. Aarogya Setu is not an open source app

An open source programme is one whose developer publishes the source code so that anyone can evaluate how the application works. Because the source of Aarogya Setu is not public, users have no way to verify that the data is actually anonymised or that the application behaves as advertised.

Had the app been made open source, any developer could have pointed out or fixed a bug. This would also have ensured transparency.

b. Collection of Data

The data collected at the time of registration has been listed above. The primary principle of any data collection is that it should be limited to what is essential for the purpose of providing the service (a principle also found in the upcoming Personal Data Protection Bill, 2019). The government has stated that it will create a DiD from the data provided and use location and Bluetooth to identify COVID-19 contacts. There is, however, a lack of clarity on why certain data is collected at all, e.g. the sex and profession of a person. This is in stark contrast with the similar app created by the Government of Singapore, ‘TraceTogether’, where the data stored is limited to a mobile number, from which an ID is created for every number collected. The Government of India should therefore clarify the purpose of collecting each detail of the user.

The data retention period, for those users who have not tested positive for COVID-19, is 30 (thirty) days on other users’ devices and 45 (forty-five) days on the government’s servers. This far exceeds the incubation period for COVID-19, which the World Health Organisation (“WHO”) puts at up to 14 (fourteen) days. The data is therefore retained well beyond the period in which a contact is epidemiologically relevant.

c. Retention of Data

Clause 3 (a) of the privacy policy of the app states that the data shall be retained “as long as your account remains in existence or for such period thereafter as required under any law for the time being in force.”

The clause states that the data collected at the time of registration shall be retained while the user’s account is active “or” for as long as required by any law in force. The issue is the vaguely structured language of the clause. The laws of India are not yet adequate to safeguard citizens’ personal data. Collecting such information, and not deleting it once the stated purpose of providing the service has been fulfilled, therefore raises a concern over how long the data will actually be retained by the government. It allows the government to turn the data collected into a permanent architecture instead of deleting it after the purpose has been served. Moreover, this contradicts the upcoming Personal Data Protection Bill, 2019, which clearly states that data shall be removed once the purpose of processing has been fulfilled.

Clause 3(c) of the privacy policy of the app states that “nothing herein shall apply to the anonymised, aggregated datasets generated by personal data”. This gives the government the right to store the anonymised data for as long as it wishes, even after the user has deleted their account. The first concern is that ‘anonymised’ is defined neither in the privacy policy nor in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. If the data is anonymised in a way that can be reversed, for example by replacing identifiers with values that anyone can recompute and match, then privacy is not actually protected and the data protection concerns remain. Further, the security measures for the aggregate datasets have not been laid down. Aggregate datasets summarise groups of people or places; if they are not protected, one cannot be certain of the safety of any community that they show to be at risk.
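To make the reversibility concern concrete, the following added example (not code from the app or from the authors) shows why a deterministic, unkeyed transformation of a mobile number is pseudonymisation rather than anonymisation: anyone holding a list of candidate numbers, or willing to enumerate the number space, can recompute the “anonymised” value and match it back to the subscriber. The phone numbers are constructed sample values, and the keyed variant with a secret held by the data controller is shown as one standard mitigation, not as what Aarogya Setu does.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample of Indian-format mobile numbers (not real subscribers).
KNOWN_NUMBERS = ["+919800000001", "+919800000002", "+919800000003"]


def naive_pseudonym(phone: str) -> str:
    """The weak scheme: an unsalted hash of the number. It is deterministic,
    so anyone can recompute it for any candidate number and compare."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_pseudonym(phone: str, key: bytes) -> str:
    """Keyed alternative: HMAC under a secret held only by the data controller.
    Without the key an outsider cannot recompute pseudonyms for candidates."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: match a released pseudonym against numbers the
    attacker already holds (a leaked directory, a phone's contact list)."""
    for phone in candidates:
        if naive_pseudonym(phone) == pseudonym:
            return phone
    return None


def enumerate_range(pseudonym: str, prefix: str, digits: int) -> Optional[str]:
    """Enumeration attack: the number space is small enough to walk. Here only
    a short suffix under a fixed prefix is searched so the demo runs instantly;
    the full 10-digit Indian mobile space is roughly 10**10 values, which
    commodity hashing hardware exhausts in hours."""
    for n in range(10 ** digits):
        phone = f"{prefix}{n:0{digits}d}"
        if naive_pseudonym(phone) == pseudonym:
            return phone
    return None
```

Both attacks succeed against `naive_pseudonym` because the mapping from number to pseudonym is public and deterministic. Against `keyed_pseudonym` the same dictionary yields nothing unless the key leaks, which is why the question of who holds the key, and for how long, matters as much as the choice of algorithm.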

d. Storage of data on other devices and on the government server

The privacy policy of the app states that data is stored on the devices of those people with whom you have come into contact. The government has further clarified in the policy that this data will not be accessible to the people on whose devices it is stored. However, the government has not stated whether only the DiD is stored on other devices, or the anonymised data, or data in some other encrypted format. By comparison, Singapore’s ‘TraceTogether’ clarifies that devices exchange only a temporary ID, encrypted with a secret key held solely by the Ministry of Health.
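The property TraceTogether describes, that a contact’s phone records only an opaque, rotating token which the health authority alone can map back to a person, can be shown in a few dozen lines. The following is an added example written for this page, not TraceTogether’s actual BlueTrace protocol and not Aarogya Setu’s code: instead of encrypting the user ID it derives each temporary ID with a keyed hash under a key that only the authority holds, which gives the same two guarantees (contacts cannot resolve the token, and cannot link one user’s tokens across time). The 15-minute rotation interval, the user names and the phone numbers are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

EPOCH_SECONDS = 15 * 60  # assumed rotation interval for a temporary ID


class HealthAuthority:
    """The only party holding the key. Registers users and, after an infected
    user uploads their contact log, resolves the opaque tokens found in it."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._users: Dict[str, str] = {}  # user_id -> mobile number

    def register(self, user_id: str, phone: str) -> None:
        self._users[user_id] = phone

    def _derive(self, user_id: str, epoch: int) -> bytes:
        # Token for one epoch, keyed on the authority's secret: nobody without
        # the key can recompute it or link two epochs to the same user.
        msg = f"{user_id}|{epoch}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:16]

    def issue_batch(self, user_id: str, first_epoch: int, count: int) -> Dict[int, bytes]:
        """A device fetches a batch of future tokens (one per epoch) while online."""
        return {e: self._derive(user_id, e) for e in range(first_epoch, first_epoch + count)}

    def resolve(self, token: bytes, epoch: int) -> Optional[str]:
        """Match an uploaded token against every registered user for that epoch."""
        for uid in self._users:
            if hmac.compare_digest(self._derive(uid, epoch), token):
                return uid
        return None


class Device:
    """A phone: broadcasts its current token and records the ones it hears."""

    def __init__(self, user_id: str, authority: HealthAuthority, first_epoch: int, batch: int = 96) -> None:
        self.user_id = user_id
        self._tokens = authority.issue_batch(user_id, first_epoch, batch)
        self.contact_log: List[Tuple[int, bytes]] = []  # (epoch, token heard)

    def broadcast(self, epoch: int) -> bytes:
        return self._tokens[epoch]

    def hear(self, epoch: int, token: bytes) -> None:
        self.contact_log.append((epoch, token))


def run_encounter(epochs: Tuple[int, ...] = (1000, 1001, 1002)) -> Tuple[HealthAuthority, Device, Device]:
    """Constructed scenario: Alice and Bob are within range for three epochs."""
    moh = HealthAuthority()
    moh.register("alice", "+919800000001")  # constructed sample numbers
    moh.register("bob", "+919800000002")
    alice = Device("alice", moh, epochs[0])
    bob = Device("bob", moh, epochs[0])
    for e in epochs:
        bob.hear(e, alice.broadcast(e))
        alice.hear(e, bob.broadcast(e))
    return moh, alice, bob


if __name__ == "__main__":
    moh, alice, bob = run_encounter()
    # Bob later tests positive and uploads his log; only the authority can read it.
    print([moh.resolve(t, e) for e, t in bob.contact_log])  # ['alice', 'alice', 'alice']
```

Two things follow from the design that the privacy policy leaves open for Aarogya Setu: what Bob’s phone holds is useless to Bob or to anyone who copies his phone, and the authority can resolve a token only because it holds the key and the registration table, so the questions of which ministry holds that key and whether the table is shared are exactly the ones that decide how private the scheme really is.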

Further, since the app runs on the device with location and Bluetooth permissions, it is unclear whether the government also has access to other information, such as contacts or any other details stored on the device.

Clarity is also required from the government as to which ministry shall have access to the data uploaded to the government’s server. The privacy policy of ‘TraceTogether’, for example, clearly states that the data is held by the Ministry of Health. It also needs to be stated whether inter-ministerial data sharing is permitted.

e. Third party transfers

Clause 6 of the privacy policy of the app states that the data may be provided to “the persons carrying out medical and administrative intervention necessary in relation to COVID-19”. Since the government decides whose “medical and administrative” intervention is necessary, it can broaden the class of recipients at any point in time. Such intervention may also be carried out by private entities involved in research pertaining to COVID-19, or by any medical agency helping the government with COVID-19 infrastructure. It is suggested that the government should have been more specific about third-party transfers, and should transfer such data to ANY third party only after obtaining specific consent before the transfer, in order to uphold the spirit of privacy.

f. Limitation of liability

The Government of India absolves itself of any liability, including for inability to access the app, failure to accurately identify a person who has contracted COVID-19, and any unauthorised access to the information collected. Firstly, this shows a clear lack of accountability on the part of the government. The government needs to consider the scenario in which a false alarm is sent to users and their information is transferred to a third party without their specific consent. Further, as per the privacy policy, the data retention period is 60 (sixty) days after the cure of COVID-19; in the case of a false alarm, the event after which the data shall be deleted therefore needs to be clarified. In such cases, the lack of accountability shows minuscule concern for users’ data protection. Secondly, once data is collected by any entity or organisation, it is that entity’s responsibility to ensure that there is no “unauthorised access”, and it should take full responsibility in case of any misuse. It is also essential to define what counts as unauthorised access, so that the adequacy of the security measures in place can be judged.

The lack of such assurances calls for a serious reconsideration of the app’s introduction to the general public, and for it to be recalled until all such questions regarding citizens’ privacy have been answered.

On a positive note, the government has designated the grievance officer who is the Deputy Director General of National Informatics Centre.

****

Shivani Agarwal practices corporate and commercial law and is the founder of W-Investment (winvestment.wordpress.com). She closely follows developments in cryptocurrencies and blockchain laws. Her areas of work include banking laws, restructuring and project and finance.

Samaksh Khanna is the Co-founder of W-Investment (winvestment.wordpress.com), a blogging platform for mainly exploring the usage of blockchain in law and research on cryptocurrencies. He closely follows privacy laws and digital assets laws.

Disclaimer: The views or opinions expressed are solely of the author.
