Image Courtesy:nationalheraldindia.com
On May 1, the Ministry of Home Affairs (MHA) set the cat among the pigeons when it attempted to sneak into our lives the Aarogya Setu app through a backdoor. The MHA order and guidelines pertaining to the third phase of the lockdown said, “Use of Arogya Setu app will be made mandatory for all employees, both private and public. It shall be the responsibility of the head of the respective organisations to ensure 100% coverage of this app among employees.”
Soon after that brickbats started flying in from all quarters, most notably from Congress party leader Rahul Gandhi who tweeted, “The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight – raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.”
The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight – raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.
— Rahul Gandhi (@RahulGandhi) May 2, 2020
Now, the Internet Freedom Foundation has sent a joint representation to the Prime Minister’s Office (PMO) signed by 45 organisations and over 100 individuals highlighting several privacy related concerns with the app. Among the signatories are Teesta Setalvad, secretary Citizens for Justice and Peace, as well as CJP’s partner organisation All India Union of Forest Working People (AIUFWP).
The letter says, “We acknowledge the severity of the COVID-19 crisis which has gripped the country and maintain that it is especially during such public health emergencies that we must ensure the privacy and dignity of essential frontline workers is protected.”
It goes on to say, “The Aarogya Setu app has been heavily criticized for failing to adhere to internationally recognized data protection principles endorsed by the Hon’ble Supreme Court in the landmark judgement in K.S. Puttaswamy v. Union of India (2017 10 SCC 1).” The representation further adds, “In order to satisfy the proportionality standard adopted in Puttaswamy (Privacy), the use of any privacy infringing technology must satisfy five criteria. First, it must have a legislative basis. Second, it must pursue a legitimate aim. Third, it should be a rational method to achieve the intended aim. Fourth, there must not be any less restrictive alternatives which can also achieve the intended aim. Finally, the benefits must outweigh the harm caused to the right holder. In the present case, Aarogya Setu fails the very first prong of the proportionality standard because it does not have a legislative framework to govern its functioning and to ensure adequate procedural safeguards. In the absence of a legislative guarantee containing a sunset clause, sensitive personal data about health and movement of gig workers collected by the Aarogya Setu app could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.”
The representation also goes on to criticise the Aarogya Setu app for deviating from international best practices based on the following parameters:
a. Lack of Consent: The use of Aarogya Setu cannot be considered voluntary anymore as it has been made mandatory for delivery workers. Therefore, there is no scope for delivery workers to refuse consent or opt-out.
b. Lack of Data Minimization: Registration for the Aarogya Setu app requires sharing large amount of personal data: name, phone number, age, sex, profession, countries visited in the last 30 days and smoking habits. This is inconsistent with the principle of data minimization.
c. Lack of Transparency: While it is claimed that personal data collected by Aarogya Setu is aggregated and anonymized, there is no publicly available information about what processes and techniques are followed for aggregation and anonymization. This is relevant because there is high risk of re-identification unless personal data is properly anonymized. Therefore, the app must be subjected to thorough security testing by governmental and independent agencies.
d. Lack of Algorithmic Accountability: The Terms of Service for Aarogya Setu exempt the government from any liability arising out of misidentification of an individual’s COVID-19 status. Therefore, individuals are left at the mercy of opaque algorithms which perform risk assessment and do not have any remedy in case of false positives. If gig and platform workers were falsely identified as high-risk individuals by Aarogya Setu’s algorithm, they would be required to self- isolate and lose their income and freedom of movement.
e. Unauthorized Data Sharing and Risk of Function Creep: There is no prohibition on sharing of personal data collected by the Aarogya Setu app with third parties. The government is allowed to share this personal information with “other necessary and relevant persons” for “necessary medical and administrative interventions.” The Privacy Policy for Aarogya Setu fails to specify which government departments will have access to personal data collected by the app. Therefore, sensitive personal data collected for contact tracing may also be used by law enforcement agencies for punitive purposes.
f. Risk of external transfer and integration with other databases: Personal data collected by the Aarogya Setu may be transferred to an external cloud-based server and there is no guarantee that it will only be stored locally on the individual’s device. Reports suggest that the data collected by Aarogya Setu is being integrated with other databases maintained by the Indian Council for Medical Research and Integrated Disease Surveillance Programme. This is worrisome because it is difficult to delete such integrated datasets and secondary inferences at a later stage.
The joint representation makes the following recommendations:
a. Take cognizance of privacy concerns associated with Aarogya Setu and issue an advisory clarifying that use of the app should not be made mandatory for workers in the gig economy and also the traditional economy.
b. In addition to (a), to ensure greater safety, rely on certain methods of risk mitigation such as working with companies to provide daily temperature checks and personal protective equipment to all gig and platform workers who continue working during the COVID-19 pandemic.
c. Further, devise the right incentive structures both for companies and workers to ensure that gig and platform workers are able to sustain themselves during the lockdown and those displaying symptoms of COVID-19 are not forced to work to ensure their livelihood. This includes provisions for medical insurance and financial relief to all gig and platform workers who have been unable to work during the lockdown or have witnessed a significant decrease in earnings due to low demand.
The entire representation may be read here:
Related:
Covid-19: Does the Aarogya Setu app violate privacy?
Did MHA sneak in Aarogya Setu into our lives through a back door?