Home » News » Tech » IFF, Other Parties Urge Indian Govt to Change Compulsory Aarogya Setu Order

IFF, Other Parties Urge Indian Govt to Change Compulsory Aarogya Setu Order

By: Shouvik Das


Last Updated: May 04, 2020, 16:26 IST

Representative screenshot of the Aarogya Setu app. (Image: MyGov)

Representative screenshot of the Aarogya Setu app. (Image: MyGov)

The independent internet rights organisation has filed a petition to the Prime Minister’s Office, urging them to revise the compulsory Aarogya Setu order.

With Aarogya Setu deemed as a compulsory app in the third leg of the Covid-19 lockdown in India, debates have been raised about the app and its privacy credentials. Taking this on, the Internet Freedom Foundation (IFF) has submitted a joint representation to the Prime Minister’s Office, urging the government of India to review its decision of making the app a compulsory installation on all phones. The representation has been signed by 45 organisations and 104 individuals, all of whom urge the government to not establish the Aarogya Setu installation mandate for the sake of preventing a wrong precedent.

The IFF is a digital liberties organisation, which primarily works to preserve fundamental rights such as privacy and freedom of speech on the internet, and works as a watchdog against company activities and government orders. Soon after the introduction of the Aarogya Setu app, IFF conducted an exhaustive review of the app, exploring how much of a user’s privacy is compromised by Aarogya Setu.

IFF’s paper also explored non-surveillance contact tracing options, and looked through the app’s privacy and data usage guidelines to understand if the Indian government could have a better way of implementing contact tracing. With sources suggesting that Aarogya Setu will also be made mandatory to set up before setting up a new smartphone, it is important to understand the privacy implications of the app, against which IFF’s new joint representation aims to seek solace.

Not enough privacy assurances

Speaking to News18, Sidharth Deb, parliamentary and policy counsel at the Internet Freedom Foundation of India (IFF), says, “India struggles in the domain of non-surveillance contact tracing, since not only are there multiple state level apps which don’t have a discernible privacy policy or attendant restriction, even the Aarogya Setu app does the same. It does not operate under a valid legal framework that would satisfy requirements of necessity and proportionality. Such elements are required to justify any intrusion to the right to informational privacy.”

Deb further states that the Aarogya Setu app presently offers “sub-optimal transparency”, and lacks self-imposed limits that would assure people that apps such as these are only temporary.

The issue of accountability

Another big reason why the IFF is moving against the mandatory order on the Aarogya Setu app is the sheer lack of proper accountability in terms of handling the service and its gathered data. Deb offers a four-part explanation for this. He says:

First, there is a liability limitation clause in the app’s Terms of Service, which indicates that the Government of India would not be liable for any issues which may arise out of the app. Second, citizens don’t have a means to check if the Government of India has actually deleted the app as per the prescribed timelines stated in Privacy Policy. Third, citizens do not have underlying means of judicial remedy in ordinary circumstances. Finally, all of this is compounded by the fact that Indian government authorities, both at the centre and in states, have limited accountability when using or hosting or storing people’s personal data in pursuit of government projects. This contrasts with the scenario in countries like the US which has the Privacy Act of 1974 to hold its federal government and state governments accountable to fair information practice principles through legal systems when they use people’s data for government projects.

Challenging the discourse on this, the government of India's digital adoption division, MyGov, has tweeted details about how it accounts for safety and privacy of users downloading Aarogya Setu. In a thread of tweets, a MyGov spokesperson has said:

The app requires you to enter your mobile number and certain personal information at the time of registration. All this information submitted is securely encrypted and stored on the server. On registration, the app assigns you a unique, anonymised, randomly generated device ID. The linking of device ID to mobile number is one time, and is securely encrypted and stored in a server. All future interactions from device to server is done through device ID only. No personal information is exchanged post the registration. Thus, all processing of contact tracing and risk assessment is done in an anonymised manner. When you come in proximity of other people with this app installed, it stores encrypted information of this interaction in a secure manner on your mobile only. Information of your social interactions is NOT sent to the server in most cases, except when you have come in contact with someone who has later been diagnosed high risk or your self-assessment categorises you at risk. Government of India will use your information ONLY for administering necessary medical interventions. Your data is NOT going to be used for any other purpose. No third party has access to data.

Alternate routes for the Govt

Deb affirms that the Indian government does have available, open source models that can be adopted while establishing a private contact tracing procedure. These options include the likes of PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing), which is being advocated by EU officials against Apple and Google’s proprietary, decentralised approach. The latter is also found in an alternate option, DP3T (Decentralized Privacy-Preserving Proximity Tracing), which is being advocated by blockchain companies.

Explaining this, Deb said, “These models, such as PEPP-PT and DP3T, are available through open source protocols. Unfortunately, India’s approach is very divergent. Adapting such protocols would obviously take longer, but considering that the duration of this crisis will likely be a prolonged one, the government must ensure that it adopts the right technological interventions which add to the public health responses, whilst minimising restrictions on people’s civil liberties. If it isn’t possible, then there has to be an evidenced based justification by the government, which the public must be able to scrutinise.”

Going forward, given the order passed by the Ministry of Home Affairs (MHA) in the third leg of the lockdown extension, it looks unlikely that the Indian government will be looking to revise the application’s core structure. However, as the IFF pitches, there is plenty of room to enhance the app’s privacy policy, and ensure that the government agencies are imposed with necessary safeguards in order to protect the aspect of user privacy.