The Aarogya Setu app whodunnit

Three central organisations, responsible for the app, have little knowledge about its creation and were issued show cause notices by the CIC, leading to privacy concerns of some 16.23 crore people who downloaded it.

By Shivanand Pandit

Many dealings of the government indicate that the left hand does not know what the right hand is doing. A notice was issued by the Central Information Commission (CIC) to the government for responding ambiguously towards an application lodged as per the provisions of the Right to Information Act. This pertains to the procedure which led to the creation of Aarogya Setu, a contact locating application created in the wake of Covid-19 and which has the data of billions of operators.

The CIC also gave show cause notices to Central Public Information Officers (CPIOs) of the Ministry of Electronics and Information Technology (MEIT), National Informatics Centre and National E-Governance Division. These organisations were responsible for providing concrete details about the process of crafting the application, files connected to the formation and review actions to verify ill use of personal records of users. Information Commissioner Vanaja Sarna noted that none of the CPIOs was capable of clarifying anything about the creation of the application and details about files and this was absurd.

The Aarogya Setu app was developed in only 21 days and unveiled on April 2, 2020, by the government. As per its data, the application has been downloaded by more than 16.23 crore people. The app was made mandatory by the home ministry for a number of activities, including travelling during Covid-19.

On August 1, 2020, RTI activist Saurav Das filed his plea before the CIC and said that the Ministry had not provided a fitting response to his request for particulars of the app. A copy of the complete file having details of the origin of the proposition, approval process, particulars of the companies, people and government branches involved in the designing of the app was sought by the activist. He had also asked for internal transcripts, memorandums, file recordings and communication connected with its creation. Furthermore, details regarding the legislation under which the app was designed and the government’s plan of introducing a separate law for it and its administration were also demanded by him.

On August 7, the activist complained to CIC saying that the CPIO of MEIT had informed him that the application had been forwarded to the CPIO of the national e-governance division of the Ministry.

He did not provide concrete answers to his questions, said Das. On October 2, he mentioned that the e-governance division declared to him that it did not possess any information concerning his questions.

Bearing in mind the massive public interest in the topic, Das insisted that an instant inspection of the matter be conducted to safeguard citizens’ elemental entitlement to life and liberty. Looking at the failure to apprise how these personal records were utilised, he also indicated that malfunction by the public authorities to execute their duties as per Protocol 2020 will have an irrevocable, harmful influence on citizens’ right to confidentiality. Besides, he felt that the hearing of the matter would be pointless if it was postponed because the app would be unusable once the pandemic ends.

Considering the importance of the issue, the CIC positively acknowledged Das’ appeal and issued warnings to the officers of the three organisations mentioned above. The CIC requested the concerned departments to explain why penalty as per the provisions of the Right to Information Act should not be enforced for giving a vague response to the petition of the activist and for apparently blocking information.

In the order, the CIC questioned the National Informatics Centre, which comes under MEIT, and asked it to specify why in spite of the Aarogya Setu app asserting that the podium was fabricated, improved and hosted by it, the Ministry had no knowledge about its formation. The panel also voiced its astonishment that the Ministry was ignorant of this notwithstanding that another body under it, MyGov, retained, rationalised and reinforced the content on the platform. The CIC instructed CPIOs to clarify in writing how the website was shaped with the domain if they were not aware about it.

The CIC told these officers to be present before the Bench on November 24, 2020, to explain why action should not be instigated against them. They were also instructed to send a copy of all relevant documentary evidence which they would rely on during the trial. These should be sent at least five days before the hearing through linkpaper. These officers should also serve the copy of the CIC’s order to those who were accountable for the laxity and inform them to be present before the Bench.

Responding to the order of the CIC, MEIT said that it would take essential measures to obey its command. It mentioned that the app was launched by the government through public private partnership and since April 2020, press reports were broadcast relating to the Aarogya Setu app, including making the source code accessible in Open domain. According to the Ministry, all details linked with the development and management of the app ecosystem were shared when the code was released in Open or Public Domain and the same was disclosed extensively in the media.

The comedy of errors continues. Earlier, the government had claimed that it did not possess any clue about the design of the app, but now it back pedalled by stating that the information had been shared widely on different platforms. This has raised many questions and concerns and destroys citizens’ trust in the government’s declarations.

Moreover, why has the government not responded to Saurav Das’s appeal in the same way it handled Aniket Gaurav’s RTI plea in August 2020? He had received information from the I&B ministry that Rs 4.15 crore was spent between May and July 2020 for publicising the app, mostly through television and radio mode.

Immediately after the launch of the app, several advocates and security academics raised the flag against privacy matters. The vague privacy policy of the app has also come under the radar of many experts. Robert Baptiste, popularly known as Elliot Alderson, who is a French ethical hacker, also highlighted the confidentiality apprehensions over the app and said it had numerous security defects and anybody could retrieve the internal database of the app. However, the government did not exhibit any positive response to it.

Although the government is aware that India does not have a data protection law, it botched up regarding how the app was managed, saved and used. Justice BN Srikrishna, who supervised the panel on framing the data protection bill, had spoken about data safety and noted that failure to have a strong protocol to safeguard it raised many doubts about the sincerity with which the government was handling the privacy of billions of citizens.

Additionally, the government failed to answer some vital questions. One of them was that users of the app don’t have a right to know how their data is being managed. When the list of beneficiaries is not kept, how do they know who has accessed their personal data? Without a strong security mechanism or data protection law, how do people know there has been no violation? Could these worries have been tackled if there was a meticulous audit and review system in place? If there is no audit procedure, what is the use of the protocol? Considering the absence of guidance notes in the app, why were no safeguard measures suggested to be followed by district magistrates?

The CIC should not conduct this hearing fast when the three main organisations that work closely with each other provided ambiguous answers to the activist on the progression of the tracing app. The government should manage centralised health data systems like Aarogya Setu strongly. Otherwise, the forthcoming digital health ID and National Health Stack projects will be unsuccessful and ineffectual.

Also Read: 4,000 RTI applicants’ data on I&B ministry site, Bombay High Court orders inquiry

Therefore, if the Aarogya Setu application is executed only through a comprehensive data protection law, the unpredictable hazards and disproportionate limitations of fundamental rights can be avoided. This will also expedite constitutional scrutiny. If not, the app will not be seen as a trustworthy setu (bridge) between the government and citizens.

—The writer is a tax specialist and financial adviser based in Goa