A project of the Centre for Internet and Society, India
Supported by Omidyar Network
In an effort to contain the spread of COVID-19, governments across the world have used contact tracing as a means to identify and map the spread of the virus. This has led to a large-scale push for digital contact tracing in the form of smartphone applications that alert users in case of potential exposure to someone who has been infected. These applications can generate heat maps of areas with high rates of infection, and have proven useful in identifying emerging hotspots. However, in the rush to introduce digital methods of contact tracing, concerns around privacy, surveillance and potential discrimination and exclusion remain unaddressed. Governments must keep in mind that digital contact tracing cannot replace manual contact tracing, and successful contact tracing is a result of manual and digital contact tracing working in tandem.1 Applications have also reported cases of false positives and false negatives, and require high participation from the local population to be of any real significance.
In India, the National Informatics Centre (NIC) developed the Aarogya Setu application to serve as a contact tracing, syndromic mapping and self-assessment digital service, in addition to a number of similar applications released by state governments.2 The application collects demographic data, health data and real-time location data, colour codes users based on the risk that they pose to others due to their health status, and maps infection hotspots.
We examine the Aarogya Setu application against a series of tests in our evaluation framework in order to determine whether the use of Digital ID in this application is legitimate, human-rights respecting, and balanced against potential risks.
Aarogya Setu has been deployed in the absence of an appropriate statutory framework and is not codified in a valid law. It was initially mandated by the Ministry of Home Affairs on the basis of a Government Order (G.O.)3 that finds its basis in the Disaster Management Act, 2005. No legislation has been passed by Parliament to authorise the creation and mandatory deployment of the application. In response to data protection concerns around the application, the government released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 20204 (“Protocol”) which lays down broad principles of data protection, along with the Android and iOS source code of the application.5 India also presently lacks a data protection framework, which leaves the collection and use of data collected from the application to the vagaries of executive orders.
The framework governing the use of Aarogya Setu in India is not codified in valid law, and is made up entirely of delegated legislation.
The use of Aarogya Setu must correspond to a legitimate aim in the law governing it. It is necessary to point out that the application is not codified in a valid law. A reading of the G.O. (drawn from the Disaster Management Act, 2005) in combination with the Act could satisfy the legitimate aim test. The present COVID-19 pandemic would qualify as a disaster under Section 2(d) of the Disaster Management Act, 2005, and deployment of the application for digital contact tracing could be justified as a form of disaster management under Section 2(e). The Disaster Management Act aims to provide effective management of disasters and matters connected therewith or incidental thereto.
In the absence of a valid law, these objectives could qualify as a legitimate aim.
The Protocol states that the NIC can share information with the Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/local governments, National Disaster Management Authority (NDMA), State Disaster Management Authorities (SDMAs), and other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, State and local governments, where such sharing is strictly necessary to directly formulate or implement an appropriate health response.7 The NIC can also share response data in de-identified form (defined in the Protocol as data which has been stripped of personally identifiable data to prevent the individual from being personally identified through such data and assigned a randomly generated ID8) with such Ministries or Departments of the Government of India or the State/Union Territory Governments, local governments, NDMA, SDMAs and such other public health institutions of the Government of India or State Governments or local governments with whom such sharing is necessary to assist in the formulation or implementation of a critical health response.9 Data can also be shared with Indian universities and research institutions/entities registered in India; however, what constitutes a research institution or entity has not been clearly defined and can be broadly interpreted.10 This could potentially include pharmaceutical companies, for instance, who could then have access to sensitive health information without sufficient safeguards in the absence of a data protection framework.11
In addition to plans to integrate more functions such as telemedicine within the application, Aarogya Setu is intended to become the “initial building block for India Health Stack”,14 which is indicative of growing function creep of the application beyond its original stated purpose.15
The use of the ID system by private actors has not been adequately regulated.
Further, researchers have documented how information from the application can be easily used by anyone for non-COVID surveillance purposes, such as estimating population spread in a particular area, or even spying on army bases.16
There is also no restriction on private parties mandating use of the application for any purpose.
An Open API platform set up by Aarogya Setu also allows third-party apps to check the health status (and no other personal information) of a user with their consent. There are protective measures including user notification in case of breach, anonymisation, encryption and audit logs.17 However, there are concerns that a reading of the other clauses in the terms and conditions suggests that third-party applications will have access to data apart from “health status” but must commit to not use it.18 The requirements are loose enough to allow any company registered and operating in India with more than 50 employees, customers or users to be authorised to access the API.19 With the intended use of the application as the basis of the National Health Stack, integration with third parties raises the possibility of the application forming the basis of an immunity passport to access services and gain entry to spaces (which can lead to exclusion and discrimination).
There is no explicit provision for user notification mechanisms on how user data is used or shared (including with third parties), or for breach of user data.
This is particularly concerning because of the sensitive nature of the data collected by the application (such as health information and real-time location), and the harms that could arise out of unauthorised disclosure or sharing of this information.
While users are given the option of deleting their Aarogya Setu account (which would also delete response data from their phone), the application clearly states that this will not cause response data to be deleted from government servers.23 Moreover, while use of the application is voluntary on paper, it is still de facto mandatory for many in order to access essential services. For instance, when it is mandated by employers, opting out of using the application is not a realistic option.
While users have some rights over their information, they cannot verify or delete their own data on government servers, and many cannot opt out of using the application at all.
As stated in the Protocol, any violations would lead to penalties under Sections 51 to 60 of the Disaster Management Act, 2005.24
However, there are no other redressal mechanisms for users specifically relating to the application.
Principles of data minimisation are followed to varying degrees.
The Protocol limits the NIC from collecting more data than is necessary and proportionate, and “strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses”.25 Of the information collected by the application, the collection of real-time location leads to obvious concerns about surveillance, but has been justified on the grounds of the contact tracing aim of the application. However, the need for a user to enter their professional status in order to use the application remains unclear.
Moreover, while there are limits to sharing only information that is strictly necessary, there is no requirement that the information must be strictly proportionate for the appropriate health response.
Considering the sensitive nature of the information collected and stored by the application, there are inadequate obligations on the disclosure of this information, particularly to third parties.
The NIC can share information with the Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/local governments, NDMA, SDMAs, and other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, State Governments and local governments, where such sharing is strictly necessary to directly formulate or implement an appropriate health response.28 It can share response data in de-identified form (defined in the Protocol as data which has been stripped of personally identifiable data to prevent the individual from being personally identified through such data and assigned a randomly generated ID) with such Ministries or Departments of the Government of India or the State/Union Territory Governments, local governments, NDMA, SDMAs and other public health institutions of the Government of India or State or local governments with whom such sharing is necessary to assist in the formulation or implementation of a critical health response.29
It has been pointed out that the Protocol, while allowing sharing of data with “research institutions” and “research entities”, has not defined what would constitute these entities, giving wide scope for third party entities to potentially access sensitive medical information.30 As highlighted previously, users will not be notified when their information has been shared with a third party, or what information has been shared and to whom.
The use of Aarogya Setu is no longer officially mandatory. However, it remains mandatory in practice for many essential purposes, and there is no restriction on private parties (such as employers) mandating the use of the application.
Since many users do not have a meaningful choice to opt out of the application, this will have exclusionary impacts.
There is no data protection law in place (and no sufficient judicial or legislative oversight) governing the use of personal data for Aarogya Setu.
Information collected through the application is stored in a centralised server, with no clear information about its functioning.
There is no clearly articulated mitigation strategy built into the design of the application.
Despite having introduced a bug bounty programme,31 there have been instances where potential security issues were publicly dismissed, and articles reporting these concerns have been withdrawn or taken down.32
1. Susan Froetschel and Douglas P. Olsen, “Commentary: Manual contact tracing still the gold standard for COVID-19 response”, Channel News Asia, May 30, 2020, https://www.channelnewsasia.com/news/commentary/coronavirus-covid-contact-tracing-app-who-new-zealand-us-infect-12782748.
2. A Survey of Covid 19 Apps Launched by State Governments in India (July 14, 2020), https://cis-india.org/internet-governance/stategovtcovidapps-pdf.
3. Government Order No. 40-3/2020-DM-I(A), Ministry of Home Affairs, May 02, 2020, https://www.india.gov.in/sites/upload_files/npi/files/MHA_%20new_guidelines.pdf.
4. Government Order No. 2(10)/2020-CLeS, Ministry of Electronics and Information Technology, May 11, 2020, https://www.meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf [“Aarogya Setu Protocol”].
5. The server-side source code of the application has not been made public, which means that the backend use of collected data cannot be monitored.
6. Aarogya Setu Protocol, supra, Clause 5(a).
7. Aarogya Setu Protocol, supra, Clause 6(a).
9. Aarogya Setu Protocol, supra, Clause 6(b).
10. Guest Report: Bridging Concerns with Recommending Aarogya Setu (June 20, 2020), https://cis-india.org/aarogya%20setu%20privacy [“CIS Report”].
11. CIS Report.
13. Aarogya Setu Protocol, supra, Clause 5(b).
14. Aditi Agrawal, “Aarogya Setu will include telemedicine, greater personalisation; may act as building block for India Health Stack”, Medianama, April 22, 2020, https://www.medianama.com/2020/04/223-aarogya-setu-upcoming-features/.
15. Aditi Agrawal, “Aarogya Setu will include telemedicine, greater personalisation; may act as building block for India Health Stack”, Medianama, April 22, 2020, https://www.medianama.com/2020/04/223-aarogya-setu-upcoming-features/.
16. Tweet by @rajbhagatt, Twitter, last accessed September 10, 2020, https://twitter.com/rajbhagatt/status/1302618044439511043.
17. Aditi Agrawal, “Aarogya Setu launches Open API Services Portal: All you need to know”, Medianama, August 22, 2020, https://www.medianama.com/2020/08/223-aarogya-setu-open-api-services/.
18. Aditi Agrawal, “Aarogya Setu launches Open API Services Portal: All you need to know”, Medianama, August 22, 2020, https://www.medianama.com/2020/08/223-aarogya-setu-open-api-services/.
19. “Aarogya Setu Open API Terms of Service”, Open API Services Portal, National Informatics Centre, last accessed September 10, 2020, https://openapi.aarogyasetu.gov.in/tandc.
20. Aarogya Setu Protocol, supra, Clause 5(b).
21. Aarogya Setu Protocol, supra, Clause 3.
22. Aarogya Setu Protocol, supra, Clause 6(c).
23. “Delete My Account”, Aarogya Setu (mobile application), last accessed September 10, 2020.
24. Aarogya Setu Protocol, supra, Clause 9.
25. Aarogya Setu Protocol, supra, Clause 5(b).
26. Aarogya Setu Protocol, supra, Clause 3(b).
27. Aarogya Setu Protocol, supra, Clause 5(e).
28. Aarogya Setu Protocol, supra, Clause 6(a).
29. Aarogya Setu Protocol, supra, Clause 6(b).
30. CIS Report.
31. Tech Desk, “Aarogya Setu source code available: How to access, details of bug bounty programme”, The Indian Express, May 27, 2020, https://indianexpress.com/article/technology/tech-news-technology/aarogya-setu-source-code-bug-bounty-programme-6429331/.
32. Business Line Bureau, “Centre pulls up agency on ‘malicious article’ about Aarogya Setu App”, Business Line, August 12, 2020, https://www.thehindubusinessline.com/news/centre-pulls-up-agency-on-malicious-article-about-aarogya-setu-app/article32339119.ece.