With over 150 million downloads, India’s Aarogya Setu is the world’s most downloaded COVID-19 contact tracing app. Within the first month of its launch, it helped identify approximately 600 COVID-19 hotspots around the country. However, a lack of robust data protection laws and checks on mass surveillance to safeguard privacy and individual autonomy makes Aarogya Setu vulnerable to misuse. It thus presents a case for instituting a comprehensive regulatory framework that governs privacy and its enforcement mechanisms.

Structural and Functional Aspects
On the structural level, Aarogya Setu risks jeopardising data security. For example, unlike its Singaporean equivalent, Trace Together, which generates device IDs that change every 15 minutes, Aarogya Setu generates static device IDs, which engenders greater vulnerability to sniffing attacks; and makes it easier to link personal data back to de-identified information shared with relevant departments. Cybersecurity experts and intelligence officials have highlighted national security risks it poses and the risks inherent in national digital databases due to the sensitive nature of information Aarogya Setu collects. Sophisticated cyber-attacks are increasingly difficult to discover, and even prevent in totality. Due to digitisation and interconnectivity, attackers have access to greater volumes of data, giving them more avenues to extract valuable information. Officials have expressed concerns that national databases could be misused by adversaries; used for identity theft or profit by cybercriminals. Such incidents are not unprecedented. For instance, in 2018, breaches in the Aadhaar database potentially compromised records of millions of registered citizens.

Purposes and Informed Consent
On the operational level, Aarogya Setu presents a challenge for free and informed consent—which is fundamental to ensuring privacy. In its use as an electronic pass for mobility, and with many public and private sector personnel and consumers obligated to download it, Aarogya Setu becomes an imposition. The resultant take-it-or-leave situation relies on illusionary consent and undermines individual autonomy. The Karnataka High Court's order restraining the National Informatics Center (NIC) from sharing user data without their informed consent is a step toward safeguarding individual autonomy. However, establishing a framework to check compliance of how collected data is used, shared, and deleted is essential. Currently, the NIC maintains a list of agencies with whom Aarogya Setu data is shared but only to “the extent reasonable.” The NIC is tasked with documenting the time when data sharing was initiated; department/s to whom access was granted; categories of data shared; and the purpose/s. However, the language of this provision as noted in the Aarogya Setu Protocol allows the NIC to exclude documenting specific agencies, thereby undermining transparency, privacy, accountability, and potentially, national security.

Discrepancies in the contents of Aarogya Setu's Data Access and Knowledge Sharing Protocol and its Privacy Policy further foster concerns. While the Protocol states “response data” is stored for no longer than 180 days, under the Privacy Policy, data will be deleted from servers 60 days after an individual is declared cured of COVID-19. This generates ambiguity regarding the precise timeframe by when personal data will be deleted; and, verification mechanisms to check if data has been deleted are unavailable.

Looking Ahead
The large volume of data collected through Aarogya Setu includes recording user location every 15 minutes, travel history, profession, and phone number—expands the scope of its potential use beyond contact tracing, thereby creating a conducive environment in which the possibility of information being misused for profiling and/or mass surveillance cannot be ruled out. The government’s stated intent to share personal information to create an “appropriate health response” with state and local governments, public health institutions, and various other departments amplifies this possibility.

The Personal Data Protection Bill introduced in the parliament in December 2019 aims to protect the personal data of everyone within Indian territory. However, in the name of national security, national sovereignty, and public order, it gives the central government powers to exempt “any agency of the government” from complying with the bill’s requirements. If the bill is passed as is, the abovementioned vague terms would grant governments of the day far-reaching powers to collect personal user data, creating implications for Aarogya Setu’s future use. The imminent National Social Registry of citizens is an example. This Registry plans to use Aadhaar to cross-link data on all aspects of an individual’s life.

Aarogya Setu operates within this apparatus of power. And while its Protocol has a sunset clause of six months from the date it is issued, there is no indication that the same is also applicable to the app itself, suggesting the app could stay on indefinitely as there is no defined period by which the government intends to review and delete the functioning systems of the app and the data it collected. Singapore’s Trace Together is already being used for non-contact tracing purposes. In January 2021, the Singapore government admitted that its police could access collected data for “criminal investigations,” even though at the time of launching the app, they had assured the public that this would not occur.  

Conclusion
When large-scale personal data collection is legitimised and normalised in the name of public good, it also brings large-scale risks with it such as institutionalising an invasive centralised database of personal information that can endanger privacy and security. Aarogya Setu is one such example, and resilient measures that adequately safeguard privacy, transparency and accountability are essential to ensure that such endeavours truly remain in service of public good.

Vrinda Batra is a Research Intern with the Centre for Internal and Regional Security (IReS), IPCS.