The Ministry of Home Affairs’ (MHA) directive to make the Aarogya Setu app mandatory for individuals in all workplaces has not gone down well with privacy advocates, who feel the app has several security-related blackholes and can eventually become a surveillance tool for the government.
Aarogya Setu seeks continuous access to location information for its social movement graph and uses Bluetooth technology to alert people when they come in contact with a covid-19 positive person. Most contact-tracing apps work on the same principle. However, what clouds the narrative around Aarogya Setu is the ambiguous privacy policy and silence on security practices.
“The privacy policy of the app is completely silent as to what security practices are being followed. Merely saying that data is kept secure through encryption is nothing but lip service. They need to give more details on the security procedures and answer what level of encryption is being used,” said Pavan Duggal, a cyberlaw expert.
Prasanto Roy, a tech policy analyst, is not just worried about the fact that the app is capturing his personal info, location and health data. He is also concerned about what will be shared, with whom and for what purpose.
Duggal points out that the app does not say how it complies with the Information Technology Act, 2000, and IT Rules, 2011. There is also a huge gap in the privacy policy, as it does not say what is being done with the data that is being collected every 15 minutes. It only talks about data that is being uploaded to the servers. “This can become a perfect tool for monitoring and surveillance in the absence of checks and balances,” rues Duggal.
In addition to being silent on the handling of data, the app itself has been protected from scrutiny by keeping its source code a secret. Roy wants to believe that the government’s intentions are good, and it wants to use the app for contact tracing alone and not to spy on citizens, adding, “If so, there is no need to make the app’s source code a state secret. Just open-source it (make the code available for public view and scrutiny), as other countries like Singapore have done with their contact tracing apps.”
In an interview to The Print, Abhishek Singh, chief executive officer (CEO) of MyGovIndia, which developed the app, said the data will not be used for anything other than medical emergencies, no one’s personal data will be revealed or shared and data from servers will be deleted after 30 days.
Privacy watchdog Internet Freedom Foundation (IFF) has also appealed to Prime Minister Narendra Modi to not make the use of the app mandatory as it can have a damaging effect on privacy, autonomy and dignity of workers. It has already sent a joint representation endorsed by 45 organisations including Amnesty India, Access Now and Red Dot Foundation and over 100 individuals.
The joint representation argues that to satisfy the proportionality standard adopted in the Puttaswamy (privacy) judgement, the use of any privacy-infringing technology must satisfy five criteria. First, it must have a legislative basis. Second, it must pursue a legitimate aim. Third, it should be a rational method to achieve the intended aim. Fourth, there must not be any less restrictive alternatives which can also achieve the intended aim. Fifth, the benefits must outweigh the harm caused to the right holder.
“This is going to open a Pandora’s box of legal issues and litigations. It violates a fundamental right, now that the SC (Supreme Court) says privacy is a fundamental right, and it can only be deprived in accordance with procedure established by the law. There is no act passed by the parliament, which authorises making this app mandatory,” adds Duggal.
The Aarogya Setu app may even come pre-installed on all new smartphones, at the directive of the government, once the lockdown lifts and phone manufacturing resumes, two industry executives told Mint.