The government’s new Aarogya Setu app and its directive to make it mandatory for people in all workplaces have stirred a hornet’s nest due to privacy issues and fears that it could be used as a surveillance tool eventually.
The centre said it was mandatory for government and private sector employees to use the Aarogya Setu app to bolster its efforts to fight the Covid-19 pandemic. It further asked organisational heads to ensure 100 percent coverage. The home ministry said the app would be a must for those living in containment zones.
Privacy watchdog Internet Freedom Foundation and the Software Freedom Law Center have raised major concerns over it and said that the Aarogya Setu app is something of a black box. They appealed to Prime Minister Narendra Modi not to make the app mandatory and have sent a joint representation endorsed by 45 organisations, including Amnesty India, Access Now and Red Dot Foundation. Meanwhile, Congress’ Rahul Gandhi also opposed the app by tweeting: “The Arogya (sic) Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight – raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.”
While this app was developed by the National Informatics Centre under the Ministry of Electronics and Information Technology and has approximately 75 to 80 million users and is available in 11 languages, questions have risen over it. The application uses the phone’s Bluetooth and GPS capabilities and will keep a record of all other Aarogya Setu users detected nearby using Bluetooth. It also has a GPS log of all the locations where the phone had been at 15-minute intermissions. These details are hoarded in the phone till the time any user tests positive or affirms symptoms of Covid-19 in a self-evaluation investigation in the app. It gives users a colour coding of green and yellow based on their self-evaluation.
During the registration process, many personal details are collected by the application, such as name, sex, age, contact number, present location and travel history. Thereafter, a unique digital identity will be created for the user. When the Bluetooths of two Aarogya Setu users snuffle each other out, this distinctive digital identity is swapped along with the time and location of the meeting. When an app user tests positive, all distinctive digital identities in his records get an alert on the threat they face and directives on self-isolation and next measures.
Unfortunately, technological solutions provided by the government to fight Covid-19 do not meet minimum legal requirements. Complete details of the Aarogya Setu application’s technical design and its source are kept out of public reach. The application subsists in the privacy law vacuum in India and this confirms that it will be used as an object of compulsion like Aadhaar.
Moreover, the app’s link with the Sahyog application may intrude on the sanctity of privacy due to lack of clarity on data sharing. Similarly, many advisory groups argued that more transparency is needed on the workings of the application and documentation should be publicly available. In addition, the distinctive digital identity in Aarogya Setu is a static number, which augments the possibility of identity crisis. Also, the abundance of data collected is problematic.
Concurrently, the application also bestows power on the government to restrict and regulate the freedom of movement of citizens. Probably the government may utilise the application as a norm for confining users’ movement. The possible restriction on freedom of movement will have substantial impact on an individual’s access to basic government benefits and services, thus jeopardising his right to life. Even though the government has articulated that all the data assembled by the app would exist within the device, it also says that in certain conditions, the information could be uploaded to a cloud server.
According to Indian defence sources, the application can be tainted by Pakistan intelligence operatives by tampering with its name. Pakistan-based intelligence operatives have developed a spiteful application “ArogyaSetu.apk” which has been sent to Indian defence personnel through WhatsApp from the UK. Defence officials stated that the malevolent software can extract sensitive details and transfer it to the originator without the knowledge of the owner. However, the Army has counselled its workforce to stick to certain protocols or etiquettes while using the Aarogya Setu application.
We all know that the right to privacy is not absolute and it can be legitimately curtailed. However, any such restriction, as the Supreme Court held in K.S. Puttaswamy v. Union of India (2017), must be tested against the requirements of legality, necessity and the doctrine of proportionality. This will require the government to show us, first, that the restriction is sanctioned by legislation; second, that the restriction made is in pursuance of a legitimate State aim; third, that there exists a rational relationship between the purpose and the restriction made; and lastly, that the State has chosen the “least restrictive” measure available to achieve its objective.
If the Aarogya Setu application is executed only through comprehensive data protection law, the unpredictable hazards and disproportionate limitations of fundamental rights can be avoided. This will also expedite constitutional scrutiny. If not, it may not be a trustworthy setu (bridge) between the government and citizens.
—The writer is a financial and tax specialist, author and public speaker based in Margao, Goa
Lead Visual: Rajender Kumar