This article primarily focuses upon the newly launched Aarogya Setu App vis-à-vis right to privacy enshrined under Article 21[i] of the Constitution[ii]which gained immense popularity among the Indian citizens amid pandemic and nationwide lockdown. This article critically examines the privacy policies of the said application followed the issue in question and what changes have been made in the light of privacy and, as to whether the said application is violative of Article 21[iii]or not.
“Right to privacy and dignity is intertwined with the right to life and liberty”.[i]
As the nation collectively struggles to fight with the global pandemic named COVID-19, the Government of India recently in the month of April, launched a contact tracing application specially in the light of this pandemic namely AAROGYA SETU, which in terms of audience received a huge response with millions of downloads as per the ministry[ii].
The application was introduced with a simple aim to act as a precautionary measure towards the pandemic hereby warning the users through contact tracing. The applications tend to collect some sensitive data like location information and forces the smartphone to turn on the GPS and Bluetooth continuously hereby acting as a constant checker and constant surveillance upon the citizens. The issue arises when the element of privacy got noticed by some advocates for privacy.
The global pandemic attacked India in the month of January as reported in Kerala[iii] and as per the ministry of health we have 1.82 lakh[iv]cases confirmed with 89,995[v] active cases as on May, 31[vi]. In the month of April, the Government of India launched a contact tracking application namely AAROGYA SETU[vii], which touched a milestone by entering into the 100 million club[viii] rapidly. It works on the simple concept of contact tracing wherein personal data of users including GPS and location are shared with the server unique id called as ‘DiD’[ix]
- AAROGYA SETU APP: vis-à-vis right to privacy
“Privacy is intrinsic to the right to life and personal liberty under Article 21 of the Constitution and will be included under part III of the Constitution.”[xii]
The Hon’ble Supreme Court on various occasions had interpreted privacy as an intrinsic part of article 21. Recently, the Supreme Court through the Aadhar case[xiii]hereby declaring right to privacy as an interpretation and vital part to article 21, right to life.
- UNDERSTANDING THE APPLICATION
Aarogya Setu app functions on a simple method of contact tracing, that uses the GPS and Bluetooth of a smartphone and alerts the user on coming in contact with a COVID-19 positive patient around him/her. Contact tracing is a physical method of finding the infected people and using a smartphone application makes the process more feasible and affordable as well
It forces the smartphone to turn on the GPS and Bluetooth and share certain information like name, age, sex, travel history with the Government of India servers which are then stored in unique id[xiv] form and created a log of virtual ids which further gets shared with everyone if anyone is tested positive. The app also has a feature called ‘Self-Assessment’ which lets you know in case you have been tested positive or not and every time a user takes self-assessment test the data is automatically shared with the Government of India.
The Modi Government urged the citizens requesting them to download the application as a precautionary measure and on 2nd May, the government made the downloading of this app as mandatory for all especially for organizations and its employee including both private/government, school/colleges to ensure 100% coverage among citizens. The Government of Uttar Pradesh even attached few penal provisions[xv] along with the non-downloading of this app and movement is strictly prohibited without this app. This sudden mandate towards the app, attracted a lot of attention of many privacy advocates across the nation.
THE ISSUE OF PRIVACY
- The legality behind making the app mandatory and the legal framework.
The major concern which gets accumulated is the legality behind making the downloading of this app as mandatory since the app works on contact tracing there should be a legal framework governing the contact tracing without violating the privacy of citizens.
- Use of sensitive information
The application allows to share information like name, age, sex, travel history of both the infected person and non-infected person as well. Also, it mandated you to turn on the Bluetooth GPS and location access hereby acting as a surveillance app more than contact tracing. Rather the app should allow to use location only when it is turned on.
- Data retention and lifespan of data stored
The app does not notify users with regard to the data retention and lifespan of data stored and once the user registers, all the data is directly shared with the government through server. Rather the application should notify the data storage period and should be periodically deleted as well.
- No liability clause
The terms and conditions of the app states that “the user agrees and acknowledges that the Government of India will not be liable for…any unauthorized access to your information or modification thereof.”[xvi]This not only threatens the privacy of citizens but also raises a doubt on the credibility of this application.
- The ethical hacker concerns
The issue of privacy gained attention after the ethical hacker[xvii] through his twitter handle notified the government regarding the privacy issues stating that the privacy of citizens is at risk
- Changes undergone
CEO of MyGovIndia, gave a statement in media stating that “The app will not reveal anyone’s personal details. Information of any Covid-19 patient will not be shared with anyone. User’s data in the app is completely secure. In case of normal people, we delete the data from the server after 30 days. In case of a corona-infected patient, the limit to remove the data is 60 days.”[xviii]
- Unique IDs – the users will be provided with a unique digital ID called DiD which will be used to identify the user with all app-related information, and will be connected with any information uploaded from the server.
- No Third-party sharing – The policy reads that the information collected from one user will be securely stored and will not be accessible by other users and the data of users will not be shared with any third-party apps unless there’s a medical emergency.
- Duration of data stored – Data, including the DiD , will be stored for 30 days, after which it will be deleted automatically and, or the data that has been stored in the central database, the deletion period is 45 days and, users who have been tested positive for the virus, the data will be deleted after 60 days.
- Liability – The government cannot be held responsible for the failure of the app to identify a person accurately, as well as for the accuracy of the information provided by the app. The policy reads that the government is not liable in case of any unauthorized access to your information or modification thereof. However, it remains unclear if the clause is limited to unauthorized access of a user’s device or central servers which store the data.
- Data security – The app has been encrypted with standard security features, and all the data will be encrypted before it is further uploaded to an encrypted cloud server.
Aarogya Setu app being an innovative approach which works on the contact tracing method is not backed by any legislative framework hereby raising doubt regarding the legality of this app. The app lacks in many areas with regard to the privacy specially acting as a surveillance app over contact tracing. However, the app has undergone many changes over the time but still there are many areas that need attention with regard to the privacy. Therefore, the Aarogya Setu could be the next Aadhar case[xix] before the Supreme Court.
[i] Hon’ble Justice J.S. Keher during Aadhar hearing
[ii] Available at – https://entrackr.com/2020/05/aarogya-setu-crosses-100-mn-download-mark/ (visited 30 May, 2020).
[iii] Available at – https://en.wikipedia.org/wiki/Timeline_of_the_COVID-19_pandemic_in_India (visited 30 May, 2020)
[vii] Download available at – https://play.google.com/store/apps/details?id=nic.goi.aarogyasetu&hl=en_IN (visited 31 May, 2020).
[viii] Available at https://timesofindia.indiatimes.com/gadgets-news/aarogya-setu-app-enters-100-million-users-club/articleshow/75709726.cms (visited 31 May, 2020)
[x] Available at – https://theprint.in/india/govt-thanks-french-ethical-hacker-who-flagged-aarogya-setu-but-dismisses-security-concern/415348/ (visited May 31, 2020)
[xii] Ibid, 4
[xiii] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[xiv] Ibid, 12
[xv] Available at – https://www.indiatoday.in/technology/news/story/voluntary-aarogya-setu-now-mandatory-in-noida-fir-rs-1000-fine-or-6-month-jail-if-app-not-downloaded-1674635-2020-05-05 (visited 31May, 2020)
[xvi] Ibid, 12
[xvii] Ibid, 13
[xviii] Available at – https://www.business-standard.com/article/current-affairs/indians-should-be-proud-of-safest-app-aarogya-setu-says-mygov-ceo-120052000203_1.html (visited 31 May, 2020)
[xix] Ibid, 16.
[i] Interpretation to art. 21, Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[ii] Constitution of India, 1950
[iii] Ibid, 1.