Contact Tracing applications to monitor COVID-19: The Aarogya Setu app and the Right to Privacy

The number of cases of COVID-19 is rampantly increasing at a global level. The Government of India too, trying to leave no stone unturned in its fight against the pandemic, has launched many such technological platforms including the newly rolled out contact tracking app called, ‘Aarogya Setu’ for smartphones.

Through the app, the government seeks to proactively inform citizens about the best practices and relevant advisories for containment of COVID-19. Understandingly, such a measure is necessary to combat the pandemic.

However, controversy has broken out over the platform’s privacy safeguards, calling into question the government's accountability in case of breach of data.

In the course of this article, the author has analyzed what arguable backing in law these applications have, if any. The author, while suggesting the way forward, has also discussed the technological developments made by the international community in combating the pandemic.

Contact tracing Apps

Ramping up the fight against Coronavirus, every other state in the country is scrambling to employ different mass surveillance technologies. If on one hand, the Delhi government is using mobile phone trackers, on the other hand, Kerala and Pune have resorted to drones.

However, most popular of all are the newly envisaged contact tracing applications. These apps aim to ensure compliance with quarantine rules, tracking infected individuals, and disseminating information to at-risk individuals, apart from providing updates about the outbreak. The consequence of unrestricted flooding up of such apps is, however, not unknown.

To trace the legitimacy of such apps, let us for instance consider the most apt application, as per the government - The Aarogya Setu app. The app makes use of GPS and Bluetooth to alert people if an infected individual is in their vicinity. It assesses their risk of getting infected, or at least aims to do so in theory. The app also has an inbuilt chat box facility that provides a range of information about the pandemic.

While the agendas set out by the government appear to be legitimate, let’s look at the ground details to ascertain the strength and extent of the platform’s privacy safeguards.

As per the Supreme Court's judgment in Justice KS Puttaswamy v. Union of India, invasion of the fundamental right to privacy (life or personal liberty) is required to meet the threefold requirement:

1. Legality

To handle the havoc caused by the pandemic, the government at first has invoked the National Disaster Management Act. This subjective Act, if applied, is capable of depriving even basic human rights. For instance, s. 35(1) grants unbridled power to the Centre to take all measures it deems necessary, opening the gateway for violating the right to privacy of the individual unrestrictedly.

Another legislation invoked by the government is the Epidemic Diseases Act, 1897, which dates back to the age when the internet was not even prevalent.

Yet another Act, under which the government justifies the collection of data through the app is the Information Technology Act, 2000. Section 69 of the Act prescribes directions for "interception or monitoring or decryption" of information through computer resources.

As correctly remarked by Apar Gupta of Internet Freedom Foundation,

“These applications by themselves aim towards providing data-rich insights. However, they also run the risk of mass surveillance given that these apps are coming without any underlying legal framework for privacy protections being in place. As India does not have a pre-existing data protection law and there is a lack of statutory protection in place there is also a further problem given that these specific applications on the Play Store itself do not link to applicable privacy policies”

2. Need, defined in terms of legitimate State aim

The legitimate aim of the State signifies its adherence to twin principles enshrined under Article 14 of the Constitution. Herein, the aim of the state is to contain the pandemic.

The Supreme Court in the Maneka Gandhi case held that any procedure “which deals with the modalities of regulating, restricting or even rejection of a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, 'procedure' must rule out anything arbitrary, freakish or bizarre.”

According to review by multiple studies over the effectiveness of the contact tracing app, at least 40 to 70% of the population should be actively using it. However, according to the India Internet 2019 report by IAMAI and Nielsen, smartphones lie significantly below this benchmark range. Thus, there is no cohesion between aim which the State hoards as legitimate and the policy implemented, thus rendering the second test unfulfilled.

3. Proportionality

Privacy has both positive and negative aspects. Where the negative content aims to restraint the State from intruding upon life and liberty of the person, the positive content aims to impose an obligation upon the State to take necessary precautions for safeguarding the privacy of an individual. Interestingly, the Arogya Setu app fails to satisfy both of these, because of its non-justifiability to proportionality principles.

For determining how, let’s consider the Terms & Conditions and Privacy Policy of the app for safeguarding individual interests. Under the limitation of liability clause, the T&C states that the government is neither liable for inaccurate identification of infected persons, nor inaccuracy of the information provided by its inbuilt services. This then raises the question as to how the government will prevent the spread of fake news when it can’t guarantee the correctness of information released by it, officially.

Ironically, the app, within its privacy framework, is not liable for disclosure of any unauthorized access to an individual’s data stored by any third party. Nevertheless, the app has a privacy policy in place, clause (5) of which states that as a measure to protect confidentiality and security of information, data of an individual is stored securely in encrypted format.

Update [21:45, April 16]: The privacy policy for the app has since been updated. The complete list of changes can be seen here.

However, the problem with the virtually emerging buzzword ‘encryption’ is that apart from offering feeble reassurance to users, it does nothing to combat the privacy issues, a point that was raised in the Government of India v Whatsapp case.

Even more surprisingly, clause 2(a) remarks that information given by the individual will be used by government only in ‘anonymized, aggregated dataset’ for statistical visualization to manage COVID-19. However, that personal information can be ‘shared to other necessary and relevant person to carry out necessary medical and administrative interventions’, which is further upheld under clause (6). After deleting the account, an individual’s data will be deleted after 30 days, but how the account will be deleted is also not known.

Clearly, these provisions do not satisfy the proportionality test. In fact, they not only intrude upon privacy, but also do not guarantee accurate information.

Crucially, the app then clearly comes without appropriate procedural safeguards concerning monitoring and oversight of data collected and stored than strictly required, to keep a track over infected individuals.

Moreover, the current provisions fail to balance the two facets of dignity - privacy and autonomy on one hand, and the ability to live a dignified life, on the other. Thus, the whole policy framework of the app is nothing but delusionary, completely failing the proportionality test, lest we decide to rely heavily on the government’s promise and satiate ourselves with the “minimal” inroads into privacy rights like we did for the Aadhaar judgment.

As said by Rachel Caldicott,

“These are testing times, but they do not call for untested new technologies. This is not a time to innovate in haste and repent at leisure.”

Thus, such an application is a poor policy choice made at the time of a pandemic, leading to long term danger of ushering in a surveillance state while trying to mediate the short-term problem of hastily controlling the virus.

Way forward in addressing the privacy question

“Constitutional guarantees cannot be subject to the vicissitudes of technology.”

-(Chandrachud J., dissenting, paragraph 269)

Moving forward, India can take inspiration from other countries that have arrived at better possible alternatives to monitor the pandemic. For instance, Singapore’s TraceTogether is based on the exchange of data via Bluetooth in an anonymized and encrypted manner via a temporary unique ID. It is open-source and thus can be reviewed by anyone, paving the way for maintaining privacy and security concerns.

Another application is Stanford's Covid Watch, which creates an anonymized heatmap of high-risk areas with low privacy risk.

Thailand’s policy framework can also be referred to, wherein each person designated at high risk for COVID-19 is provided with a SIM card and monitored for 14 days.

Although these apps come with a host of concerns, once resolved beyond the shallow reassurances, these apps have the potential to serve as long term solutions in combatting the pandemic.

This can be achieved by keeping the utmost focus over, firstly, the integrity and authenticity of data, and secondly, preventing intrusion by third parties like mobile malware.

The author is a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.