In Context: Aarogya Setu, Data Security, and the Right to Privacy
08 Apr, 2021 · 5760
Vrinda Batra examines the case of the Aarogya Setu app and contextualises why resilient measures that adequately safeguard privacy and ensure transparency and accountability are essential.
With over 150 million downloads, India’s Aarogya Setu is the world’s most downloaded COVID-19 contact tracing app. Within the first month of its launch, it helped identify approximately 600 COVID-19 hotspots around the country. However, a lack of robust data protection laws and of checks on mass surveillance to safeguard privacy and individual autonomy makes Aarogya Setu vulnerable to misuse. It thus presents a case for instituting a comprehensive regulatory framework that governs privacy and its enforcement mechanisms.
Structural and Functional Aspects
On the structural level, Aarogya Setu risks jeopardising data security. For example, unlike its Singaporean counterpart, Trace Together, which generates device IDs that change every 15 minutes, Aarogya Setu broadcasts a static device ID. A fixed identifier lets anyone passively listening for the app’s Bluetooth advertisements (a sniffing attack) recognise the same phone wherever and whenever it is seen, and it makes it easier to link personal data back to the de-identified information shared with relevant departments. Cybersecurity experts and intelligence officials have highlighted the national security risks it poses, and the risks inherent in national digital databases, given the sensitive nature of the information Aarogya Setu collects. Sophisticated cyber-attacks are increasingly difficult to discover, let alone prevent entirely. Digitisation and interconnectivity give attackers access to greater volumes of data, and therefore more avenues for extracting valuable information. Officials have expressed concern that national databases could be misused by adversaries, or exploited by cybercriminals for identity theft or profit. Such incidents are not unprecedented: in 2018, breaches in the Aadhaar database potentially compromised the records of millions of registered citizens.
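The static-versus-rotating identifier point above is easiest to see in code. The following is an added example written for this page; it is not code from Aarogya Setu, Trace Together, or either government, and the HMAC-over-time-window construction, the device keys, and the sighting schedule are all constructed assumptions rather than either app’s real scheme. It simulates a passive sniffer capturing Bluetooth identifiers at several locations and shows how many sightings it can chain into one track under each design, while the party holding the device key (the health authority, in contact tracing) can still attribute every sighting to the right device.

```python
"""Static vs rotating Bluetooth identifiers: what a passive sniffer can link.

Added example (assumption: IDs derived by HMAC over a 15-minute window index).
"""
import hashlib
import hmac
from collections import defaultdict

INTERVAL_SECONDS = 15 * 60  # rotation period the article attributes to Trace Together

# Constructed per-device secrets. Assumption: the app and the health authority
# share these; a passive listener never sees them.
DEVICE_KEYS = {
    "A": hashlib.sha256(b"demo-device-A").digest(),
    "B": hashlib.sha256(b"demo-device-B").digest(),
}

# Constructed sightings: (device, location, unix timestamp). Device A is seen
# twice at the clinic inside one 15-minute window, then at two other places.
SCHEDULE = [
    ("A", "clinic", 0),
    ("A", "clinic", 600),
    ("A", "metro", 3600),
    ("B", "metro", 3600),
    ("A", "office", 7200),
    ("B", "market", 10800),
]


def static_id(device_key: bytes) -> str:
    """The weak design: one fixed identifier in every advertisement."""
    return hashlib.sha256(b"static|" + device_key).hexdigest()[:32]


def rotating_id(device_key: bytes, timestamp: int) -> str:
    """Identifier for the 15-minute window containing `timestamp`.

    Without the key, IDs from different windows are unlinkable (HMAC output
    looks random); with the key, the authority can re-derive any of them.
    """
    window = (timestamp // INTERVAL_SECONDS).to_bytes(8, "big")
    return hmac.new(device_key, window, hashlib.sha256).hexdigest()[:32]


def sniff(schedule, rotating: bool):
    """What a listener at those locations captures: (location, ts, id)."""
    captures = []
    for name, loc, ts in schedule:
        key = DEVICE_KEYS[name]
        captures.append((loc, ts, rotating_id(key, ts) if rotating else static_id(key)))
    return captures


def link_tracks(captures):
    """Sniffer's analysis: group sightings by identifier. Each group is one
    device the listener can follow across places and times."""
    tracks = defaultdict(list)
    for loc, ts, bid in captures:
        tracks[bid].append((loc, ts))
    return dict(tracks)


def longest_track(captures) -> int:
    """Most sightings the sniffer can chain to a single identifier."""
    return max(len(v) for v in link_tracks(captures).values())


def attribute_to_device(name: str, captures, rotating: bool) -> int:
    """Authority side: with the key, re-derive the expected ID for each
    capture's window and count how many sightings belong to `name`."""
    key = DEVICE_KEYS[name]
    hits = 0
    for _loc, ts, bid in captures:
        expected = rotating_id(key, ts) if rotating else static_id(key)
        hits += hmac.compare_digest(expected, bid)
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        caps = sniff(SCHEDULE, rotating=mode)
        print(
            "rotating" if mode else "static",
            "| longest linkable track:", longest_track(caps),
            "| distinct IDs seen:", len(link_tracks(caps)),
            "| A's sightings attributed by authority:", attribute_to_device("A", caps, mode),
        )
```

With static IDs the sniffer chains all four of device A’s sightings (clinic, clinic, metro, office) into one track; with rotating IDs the only linkable pair is the two clinic sightings that fall inside the same 15-minute window, so the rotation period bounds how long an unprivileged observer can follow a phone. The authority, holding the key, attributes the same four sightings to A either way, which is why rotation costs contact tracing nothing.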
Purposes and Informed Consent
On the operational level, Aarogya Setu presents a challenge for free and informed consent, which is fundamental to ensuring privacy. In its use as an electronic pass for mobility, and with many public and private sector personnel and consumers obligated to download it, Aarogya Setu becomes an imposition. The resultant take-it-or-leave-it situation relies on illusory consent and undermines individual autonomy. The Karnataka High Court's order restraining the National Informatics Center (NIC) from sharing user data without their informed consent is a step toward safeguarding individual autonomy. However, a framework to check how collected data is used, shared, and deleted is still essential. Currently, the NIC maintains a list of agencies with whom Aarogya Setu data is shared, but only to “the extent reasonable.” The NIC is tasked with documenting the time when data sharing was initiated, the department(s) to whom access was granted, the categories of data shared, and the purpose(s). However, the language of this provision in the Aarogya Setu Protocol allows the NIC to omit specific agencies from the record, thereby undermining transparency, privacy, accountability, and potentially national security.
Discrepancies between Aarogya Setu's Data Access and Knowledge Sharing Protocol and its Privacy Policy further foster these concerns. While the Protocol states that “response data” is stored for no longer than 180 days, under the Privacy Policy data will be deleted from the servers 60 days after an individual is declared cured of COVID-19. This creates ambiguity about the precise timeframe by which personal data will be deleted, and no verification mechanism exists to check that it has in fact been deleted.
Looking Ahead
The large volume of data Aarogya Setu collects (user location recorded every 15 minutes, travel history, profession, and phone number) expands the scope of its potential use beyond contact tracing, creating an environment in which the misuse of this information for profiling and/or mass surveillance cannot be ruled out. The government’s stated intent to share personal information with state and local governments, public health institutions, and various other departments in order to create an “appropriate health response” amplifies this possibility.
The Personal Data Protection Bill introduced in Parliament in December 2019 aims to protect the personal data of everyone within Indian territory. However, in the name of national security, national sovereignty, and public order, it gives the central government the power to exempt “any agency of the government” from complying with the bill’s requirements. If the bill is passed as is, these vague terms would grant the government of the day far-reaching powers to collect personal user data, with implications for Aarogya Setu’s future use. The imminent National Social Registry of citizens is an example: this Registry plans to use Aadhaar to cross-link data on all aspects of an individual’s life.
Aarogya Setu operates within this apparatus of power. And while its Protocol has a sunset clause of six months from the date it is issued, there is no indication that the same applies to the app itself. The app could therefore stay on indefinitely, as there is no defined period by which the government intends to review and wind down the app’s systems and delete the data it has collected. Singapore’s Trace Together is already being used for purposes other than contact tracing: in January 2021, the Singapore government admitted that its police could access the collected data for “criminal investigations,” even though at the app’s launch the public had been assured that this would not occur.
Conclusion
When large-scale personal data collection is legitimised and normalised in the name of the public good, it brings large-scale risks with it, such as institutionalising an invasive centralised database of personal information that can endanger privacy and security. Aarogya Setu is one such example, and resilient measures that adequately safeguard privacy, transparency, and accountability are essential to ensure that such endeavours truly remain in service of the public good.
Vrinda Batra is a Research Intern with the Centre for Internal and Regional Security (IReS), IPCS.