By Manish Soni and Aditi Mozika
“Dictatorships and authoritarian societies often start in the face of a threat. That is why it is important to be vigilant today and not give away all our freedoms.”[1]
Introduction
As the world battles the menace of COVID-19, there have arisen several socio-economic and privacy related implications that go beyond the public health issue. The crisis has strained the economy and has rendered daily wage-earners vulnerable. Governments, fraught with the duty of protecting public health as well as the declining economy, have been forced to put into operation radical measures to contain the spread of the disease. Countries across the world are hastily developing technologies that examine citizens’ conduct, predominantly their movements, with a view to warn other citizens and thereby contain the crisis. However, in doing so, they have crossed the ‘laxman rekha’ by harnessing large amounts of personal information without proper checks and balances, thereby threatening citizens’ privacy and civil liberties.
As the world embraced contact-tracing technology to combat the virus, India also launched several applications[2] which help in tracking and thereby containing its spread. However, these applications have raised a host of concerns relating to the privacy and freedom of movement of citizens.
This article highlights the technological measures taken by various countries to track suspected COVID-19 infected persons and analyze the privacy concerns arising out of India’s official corona-virus tracking application, Aarogya Setu. It was launched across the nation without any trials (unlike the UK) or having in place a proper data protection mechanism.
Risk of Intrusion
The crisis has emerged as a test bed for governments’ surveillance system. Several countries such as China, Germany, Italy, Austria, and South Korea have adopted means of analyzing data from smart-phones to ascertain whether citizens are indeed obeying the lock-down requirements by staying at home.[3] India has not been slow in replicating these measures, having developed its own contact-tracing application.
It is well-accepted that in comparison to the alternatives, opting for the aggressive use of technology is indeed a reasonable method of containing the spread of the virus and flattening the curve.[4] However, concerns have been raised with respect to the government’s breach of the principles of privacy and data protection. The threat citizens face is that the surveillance measures being imposed on them eternally risk altering the amount of privacy and freedom they have as individuals. The question on every citizen’s mind therefore is whether it is possible to develop an application that can limit the spread of the disease and concurrently ensure privacy in an effective manner.
International sphere
The Chinese government has taken an initiative whereby citizens are given colour-coded QR codes based on their risk level.[5] Following China, Israel began collecting large amounts of data from its mobile networks.[6] Singapore has launched a contact-tracing application which informs users if they have been exposed to the virus.[7] Taiwan has built an “electronic fence” using phone-tracking data to enforce quarantine measures.[8] The United Kingdom too is making attempts to use mobile data to track movements.[9]
The trend emerging, therefore, is that of curating detailed maps of citizens’ movements by tracing their transactions and movements. The use of these applications has thrown up a host of questions around violation of the principles of data protection and mass surveillance.
Aarogya Setu
The Government of India unveiled the Aarogya Setu application on 2nd April as it entered the second week of the nation-wide lock-down. The application enables a user to make a self-assessment of his getting infected by the Coronavirus based on his interaction with others. This is done using Bluetooth and GPS-based location tracking, algorithms and artificial intelligence. The application notifies, traces, and suitably supports the users who have come in close proximity with COVID-19 positive patients. The application also captures this data and informs the administration about suspects’ movements.[10] Though the government claims that data will be anonymized before storage, there is a debate among technologists with regard to the technique used for the process. Data anonymization is necessary in order to protect the identity of the users. However, the policy remains silent in this regard.
There is no comprehensive legal data protection framework in India. The Personal Data Protection Bill is still under review and hence, any access to personal data even for public health will create far-reaching issues in connection with data minimization, anonymization, purpose limitation, accountability and transparency.[11] As the data collected by the application includes ‘sensitive personal data’ of users it becomes necessary to scrutinize the Terms and Conditions of the application.
First of all, users of the application cannot give informed consent while registering for the application as the ‘Terms of Use’ document is accessible only after the registration process is completed.
Second, the application collects personal data and discloses it to government and “may be shared with such other necessary and relevant persons as may be required.”[12] Such a vague articulation of the terms defeats the objective of purpose limitation and grants unrestrained discretion to the government to share personal information with such other persons to carry out interventions. The government may also revise the terms (and has done so) without bringing it to the notice of the users.[13] The limited liability clause of the Terms of Service absolves the government from any liability in case of inaccurate information generation by the application, harm caused due to wrong results given by the application, or in case of leakage of information.[14]
Third, though the Central Government has a policy on adopting open source software, the code of this application has not been made open source, making it opaque and unavailable for scrutiny.[15] Further, even though Section 52 of the Copyright Act, 1957[16] enables the lawful possessor of the program to reverse engineer the lawfully obtained computer program, clauses of Aarogya Setu application restrict it.[17]
Fourth, the seemingly harmless application developed for public health regulation has the potential to be used as a tool for violating the fundamental rights of citizens. The Central Government has made it mandatory for several classes of citizens to download the application.[18] The government can subsequently also make the application a prerequisite to citizens’ accessibility to basic services. This is reminiscent of the Aadhar scheme, which was voluntary initially but was later made mandatory in order for citizens to avail the benefits of government schemes. This continued until the intervention of the Supreme Court.[19] The scheme of the application appears to be trading the rights of citizens (such as right to autonomy, privacy and freedom of movement) in exchange of basic services, and can be rightly termed as an unconstitutional barter in view of the fact that users would not have foreseen such consequences while downloading the application and further because their consent was obtained without providing them with this information.[20]
The system put in place does not bode well for the privacy of citizens. The application also enables the government to restrict and regulate the freedom of movement of citizens due to its vague terms. This will largely impact the ease of access of citizens to essential and basic services. For instance, availing the services of Banks or Public Distribution Systems might be subject to colour-coding of users. This will chiefly affect the vulnerable sections of the society, impacting their right to life and livelihood.[21] The government’s claim of protection of identity fell apart recently when a France-based hacker identified locations of suspects from the Prime Minister’s Office and the Ministry of Home Affairs.[22]
Finally, as the application collects sensitive personal data which might be used to restrict the rights of people, it is imperative that the application be governed by law. It is a settled principle of law that fundamental rights (Articles 19 and 21[23]) can only be restricted through a law pursuant to a legitimate state interest. However, India lacks a proper data protection regime. The Personal Data Protection Bill is pending in the Parliament and the existing laws such as the Information Technology Act, 2000[24] and Information Technology Rules, 2011[25] are not sufficiently equipped to cater to the need of the hour. These rules are further applicable only on corporate entities and not on the State. Therefore, the enactment of a law or an ordinance becomes important to protect the rights of individuals and to impart legal protection to the actions of the government.[26]
On 11th May, 2020, the Empowered Group on Technology and Data Management with the assistance of Vidhi Centre for Legal Policy issued the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020,[27] under the Disaster Management Act, 2005. The Protocol aims to provide legal safeguards for the operation of Aarogya Setu. In particular, it provides guidelines in relation to the collection and storage of data and also limits the extent to which such data can be shared. However, Vidhi Centre for Legal Policy points out[28] that Parliament must enact a legislation in order to ensure that making the use of the application mandatory does not infringe privacy rights.
Alternatively, in the absence of a law, the application should at least be compliant with proposed privacy protection principles of “sharing of data” as enshrined under the Personal Data Protection Bill. These principles include a specific, clear and lawful purpose,[29] purpose and use limitation,[30] collection limitation,[31] storage limitation,[32] accountability,[33] and consent.[34]
Conclusion
Though the use of technology in combating the pandemic is appreciated, the government should at the same time address the fears of data experts with regard to collection, storage and dissemination of personal data of citizens. The terms of use of Aarogya Setu should be amended to comply with the principles of the Personal Data Protection Bill. Further, since restrictions on fundamental rights can only be imposed as per the procedure established by law, the government should give statutory backing to the application.
The authors, Manish Soni and Aditi Mozika, are law students at the Gujarat National Law University (GNLU), Gandhinagar.
[1] Andy Gregory, ‘‘Dictatorships often start in the face of a threat’: UN privacy chief warns against long-lasting theft of freedoms amid coronavirus surveillance’The Independent(31 March 2020) <https://www.independent.co.uk/news/world/coronavirus-lockdown-surveillance-tracking-dictatorship-authoritarian-united-nations-privacy-a9438561.html> accessed 29 April 2020Top of Form
[2] ‘Our Analysis of the Indian COVID-19 Apps’ (Software Freedom Law Center, 20 April 2020) <https://sflc.in/our-analysis-indian-covid19-apps> accessed 29 April 2020
[3] Elvira Pollina and Douglas Busvine, ‘European mobile operators share data for coronavirus fight’ Reuters (18 March 2020) <https://www.reuters.com/article/us-health-coronavirus-europe-telecoms/european-mobile-operators-share-data-for-coronavirus-fight-idUSKBN2152C2> accessed 28 April 2020
[4] Robin Mansell, ‘Coronavirus Contact tracing apps- a proportionate response? ’ LSE (23 April 2020) <https://blogs.lse.ac.uk/medialse/2020/04/23/coronavirus-contact-tracing-apps-a-proportionate-response/> accessed 20 May 2020
[5] Paul Mozur, Raymond Zhong and Aaron Krolik, ‘In Coronavirus Fight, China Gives Citizens a Color Code, With Red Flags’ The New York Times (1 March 2020) <https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html> accessed 20 May 2020
[6] Natasha Lomas, ‘Israel passes emergency laws to use mobile data for covid-19 contact tracing’ Tech Crunch (18 March 2020) < https://techcrunch.com/2020/03/18/israel-passes-emergency-law-to-use-mobile-data-for-covid-19-contact-tracing/ > accessed 20 May2020
[7] Yeo Sam Jo, ‘A Guide to Singapore’s Contact Tracing System’ The Straits Times (28 March 2020) <https://www.straitstimes.com/multimedia/a-guide-to-singapores-covid-19-contact-tracing-system> accessed 20 May 2020
[8] Yimou Lee, ‘Coronavirus: Taiwan tracking citizens’ phones to make sure they stay indoors’ The Independent (20 March 2020) <https://www.independent.co.uk/news/world/asia/coronavirus-taiwan-update-phone-tracking-lockdown-quarantine-a9413091.html> accessed 28 April 2020
[9] Simon Chandler, ‘Coronavirus Could Infect Privacy And Civil Liberties Forever’ (Forbes, 23 March 2020) <https://www.forbes.com/sites/simonchandler/2020/03/23/coronavirus-could-infect-privacy-and-civil-liberties-forever/#3811eba8365d> accessed 28 April 2020
[10] Press Information Bureau, ‘Government of India launches Aarogya Setu App to track Covid 19 infection’ (Press Information Bureau, 2 April 2020) <https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1610326> accessed 29 April 2020
[11] ‘Our Concerns With The Aarogya Setu App’ (Software Freedom Law Center, 8 April 2020) <https://sflc.in/our-concerns-aarogya-setu-app> accessed 29 April 2020
[12] The Aarogya Setu Privacy Policy, cl 2(a)
[13] Rohit Chaterjee, ‘Arogya Setu App Gets Revised Privacy Policy’ (Analytics India Magazine, 17 April 2020) <https://analyticsindiamag.com/arogya-setu-app-gets-revised-privacy-policy/> accessed 29 April 2020
[14] Rahul Matthan, ‘The privacy features that are built into Aarogya Setu’ Live Mint (7 April 2020) <https://www.livemint.com/opinion/columns/the-privacy-features-that-are-built-into-aarogya-setu-11586279239882.html> accessed 28 April 2020
[15] Andrew Clarance, ‘Aarogya Setu: Why India’s Covid-19 contact tracing app is controversial’ BBC (15 May 2020) <https://www.bbc.com/news/world-asia-india-52659520> accessed 20 May 2020
[16] The Copyright Act, No. 14 of 1957, s 52(a)
[17] Aarogya Setu, Terms of Use, cl 3.
[18] Devesh Pandey, ‘All Central Govt. Officials To Use Aarogya Setu App’ The Hindu (New Delhi, 29 April 2020) <https://www.thehindu.com/news/national/all-central-govt-officials-to-use-aarogya-setu-app/article31461138.ece> accessed 1 May 2020
[19]Justice K.S. Puttaswamy (Retd.) v Union of India, 2017 10 SCC 1
[20] Venkat Ananth, ‘Aarogya Setu’s Not All That Healthy for a Person’s Privacy’ The Economic Times (15 April 2020) <https://economictimes.indiatimes.com/tech/software/aarogya-setus-not-all-that-healthy-for-a-persons-privacy/articleshow/75112687.cms> accessed 27 April 2020
[21]The Constitution of India, art 21
[22]The Quint,‘Aarogya Setu Security Issue exposed PMO, MHA employee data: Hacker’ The Quint(6 May 2020)<https://www.thequint.com/tech-and-auto/tech-news/aarogya-setu-app-data-security-issue-raised-by-french-hacker-elliot-alderson> accessed 9 May 2020
[23]ibid, art 21
[24]The Information and Technology Act, No. 21 of 2000
[25] Information Technology (Reasonable Security Practices and Procedures and sensitive personal data or information) Rules 2011, F. No. 11(3)/2011-CLFE
[26] Kashish Aneja and Nikhil Pratap, ‘Implement Aarogya Setu, but only through law’ The Hindu (21 April 2020) <https://www.thehindu.com/opinion/op-ed/implement-aarogya-setu-but-only-through-law/article31391708.ece> accessed 29 April 2020
[27] Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020.
[28] ‘Aarogya Setu’s Data Access and Knowledge Sharing Protocol’ Vidhi Centre for Legal Policy (11 May 2020) <https://vidhilegalpolicy.in/2020/05/11/aarogya-setus-data-access-and-knowledge-sharing-protocol-2020/> accessed 21 May 2020
[29] The Personal Data Protection Bill (2019) No. 373 of 2019, cl 4 (PDP Bill)
[30] PDP Bill, cl 5
[31] PDP Bill, cl 6
[32] PDP Bill, cl 9
[33] PDP Bill, cl 10
[34] PDP Bill, cl 11
The Journal of Indian Law and Society Blog 