
All Posts | May 07, 2020

Aarogya Setu Protest

By Vickram Crishna


This is a statement of protest against the mandating of the installation of privacy-breaching software on the phones of persons who may be affected by the risk of infection under the circumstances detailed below. SFLC.in reserves the right to file, or to assist with the filing of, petitions against the inclusion of this clause in the order, either in a High Court or directly in the Supreme Court. Such a petition shall inter alia call for a statement from the Union Home Secretary explaining the circumstances under which such an order, ultra vires the law covered by the National Disaster Management Act and directly contravening the Constitution of India, and thereby exceeding the authority of the executive, has been released.

1. The order issued on May 1, 2020 (No. 40-3/2020-DM-I(A) dated 01.05.2020), detailing the scope of the graduated easing of the lockdown across the country, includes specific instructions for persons who will be allowed to attend places of employment, whether public/state or private sector (clause 3 iii.), and for persons living within designated 'containment zones' (Annexure 1, clause 15), to install and use the 'Aarogya Setu' smartphone app.

2. The app is a data collection tool that makes no verifiable claim about the husbanding of the data it collects, which is personal and personally identifiable information about phone users.

3. The app claims to be useful for protecting users from the risk of infection, but carries no guarantee or assurance that this is even possible.

4. Apart from the question of whether it is even theoretically possible for the app to help safeguard users, the order gives no instructions to anyone about using the app in a manner that would actually achieve that objective (also see para 7 below).

5. The tool uses Bluetooth (short-range) and GPS (location) radio signalling, both of which are extremely unreliable for the stated purpose and have never been used to assure the proximity of two or more users. In fact, neither communication system is capable of giving that assurance even in open-air spaces, and both are completely incapable of it in covered and walled spaces. That is established science. To expect otherwise is not just wishful thinking; it has not even been tested in such an application, for such a purpose.

6. The app in question can only be installed on Apple phones and on Android phones running Android version 6 or later. As such, the order excludes those who don't use smartphones (an estimated 70% of India) and those who own older phones from being gainfully employed in a workplace, or from legally continuing to live in containment zones. The order makes no provision for people already living in such designated containment zones to be moved safely to live elsewhere; rather, it provides for the criminalisation of existing residents who are unable to install the app.

7. The 2017 judgment on privacy (Puttaswamy) spells out in no uncertain terms that any intrusion upon personal space must be in the form of a law (or, temporarily, an order) that specifically limits such intrusion: the parameters of the intrusion, the specific time period for which it might be allowed, and the purpose for which it is needed.

8. The app itself, as mentioned above, fails to establish in any way that it can achieve any level of assurance in identifying genuine exposure to the risk of infection. Apart from that, neither the app nor the order offers any instruction, guidance or stipulation as to how such exposure is to be dealt with, other than baldly stating that the officials legally mandated to administer the areas called containment zones must undertake 'contact tracing'. There is no instruction or guideline on the management of contact tracing, which is a highly specialised feature of the branch of healthcare management known as epidemiology. In the current environment, where the mistreatment and exclusion of persons (and their families) who are not in any way known to be at risk, but who belong to particular communities or professions such as healthcare and transport work, is rampant, this is both dangerous and unacceptable.

9. Quite apart from the constitutional issues, the development and release of this app, which claims to have been created by the government (the claim is made in its Google Play Store listing), is based on secret, closed-source code. This is directly against declared government policy, which calls for the use of Free and Open Source Software. Not only is the code secret, but the terms under which the app is obtained from the authorised sources (the Apple and Google app stores) specifically prohibit any reverse engineering of the app under threat of prosecution (a prohibition that is, of course, only legally enforceable within India, whereas the app can be downloaded anywhere in the world). Such a stipulation defies, on the one hand, the letter and spirit of Free and Open Source Software, and, on the other, prevents any public audit of the app to ensure that it does only what it claims, in terms of the data collected now and in future versions. Further, it casts serious doubt on the unsubstantiated claim that development has taken place under government control, or that it was done only by agents directly contracted by the government.

10. The secretive nature of the code makes independent verification of the app's operation, and of the limits on dissemination of the data it collects, impossible. The development of such tools, to further the global response to the COVID-19 pandemic, is an iterative process that can only improve with use. However, without the release of the code (both app and server) that controls the utility of the app, technologists in India and elsewhere in the world are unable to contribute to such improvement. It prevents India from taking a leadership role in the development of such technologies. This is a deplorable attitude to adopt, and speaks poorly of our confidence in dealing with this pandemic.

Vickram Crishna

Independent Researcher

Advisor, SFLC.In


Disclaimer: The opinions expressed within this article are the personal opinions of the author. The opinions appearing in the article do not reflect the views of SFLC.in and SFLC.in does not assume any responsibility or liability for the same.

All Posts | Apr 28, 2020

Our Analysis of Aarogya Setu's Updated Privacy Policy

After drawing flak over its privacy policy and terms of use, the Government of India's contact-tracing application Aarogya Setu, which is handled by MeitY and now boasts 50 million users [i], had its privacy policy updated on April 12. On April 26, the Government disclosed that Aarogya Setu had a vulnerability whereby it shared user location with Google.

We at SFLC.in have also done a word-by-word analysis of the old and new privacy policies of the application, which is set out in the table below. Before that, we set out our assessment of the updated privacy policy.

1. The updated Privacy Policy is ultra vires the principles of data proportionality and necessity: The privacy policy fails to specify whether Aarogya Setu is a temporary application whose purpose is contact tracing only during the pandemic. Therefore, the policy does not meet the yardstick of the principle of "data proportionality and necessity" listed by the United Nations High Level Committee on Management [ii]. It also goes against the principles of privacy enshrined in the Puttaswamy case [iii].

2. Storage of Personal Information: Clause 1(a) of the updated privacy policy clarifies that the information will be stored on servers operated and managed by the Government of India.

3. Collection and identification of personal information: The old privacy policy collected the age, name, sex, phone number, profession, travel history of the last 30 days and whether the person is a smoker. The updated privacy policy has done away with the question of whether a user is a smoker or not.

Unique Digital ID (DID): Clause 1(a) of the updated privacy policy also mentions that the information stored on the server will be hashed with a unique digital ID (DID), which will be used to identify the user in subsequent app-related transactions. This was not present in the initial version of the privacy policy.

Storage and sharing of personal information: The updated privacy policy clarifies that at the time of registration, the location details of the user will also be captured and uploaded to the server.

Self-assessment test by the user: Clause 1(c) of the new privacy policy authorises the App to collect location data and upload it along with the DID to the server every time a user takes a self-assessment test. This was absent in the initial privacy policy.

Pre-conditions for uploading the location data collected every 15 minutes to government servers: According to Clause 1(d), the App is authorised to collect the user's location data every 15 minutes and store it locally on the user's mobile device. However, it lays down 3 pre-conditions under which this information will be uploaded to the server along with the DID:

i. the user has tested positive for COVID-19; or/and

ii. the user's self-declared symptoms indicate that they are likely to be infected with COVID-19; or/and

iii. the result of the user's self-assessment test is either yellow or orange.

However, if a user has tested positive for COVID-19, clause 2(d) of the privacy policy mandates that the information uploaded by the user will be used to map the places visited over the past 14 days. In case there is a requirement to accurately map the places visited by the user, the DID associated with the information collected under clause 1(d) will be correlated with the user's personal information collected under clause 1(a).

4. Purpose limitation: The updated privacy policy in Clause 2(a) clarifies that user information shall only be used by the government in anonymised, aggregated datasets.

It limits the purpose of the information collected to:

i. generating reports, heat maps and other statistical visualisations for the purpose of management of COVID-19;

ii. providing general updates pertaining to COVID-19.

Correlation of a user's DID with their personal information:

Clause 2(a) further clarifies that a user's DID will only be correlated with their personal information in order to:

i. communicate the probability of contracting COVID-19; and/or

ii. provide information to persons carrying out medical and administrative interventions in relation to COVID-19. This has been limited to the information needed by medical personnel to do their job.

5. Use of information collected from other users: Clause 2(b) provides that information collected from any other user's mobile device shall be uploaded to and stored on the server and used to calculate the user's probability of contracting COVID-19.

According to Clause 1(b), as soon as two users come within each other's Bluetooth range, their DIDs will be automatically exchanged and the time and GPS location of the contact will be recorded.

This data is stored on the respective devices of both users in encrypted form; in case one of them tests positive for COVID-19, the record of the contact between the two users is uploaded to the government server.

In the earlier privacy policy, SFLC.in had raised concerns arising from the "sharing of personal information with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions". This has been done away with in the new privacy policy, which now reads: "... and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job."

6. Data Retention: While clause 4 of the updated privacy policy allows a registered user to "add, remove or modify any registration information supplied", the application does not have an option for account deletion.

Clause 3(a) states that “all personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force”.

This leaves a lot of ambiguity, considering that India has neither Personal Data Protection legislation nor a law on privacy in place.

Information collected from risk assessment tests and location data:

Clause 3(b) lays down the following conditions for data retention:

i. All personal information collected under Clause 1(b), (c) and (d) will be retained on the mobile device for a period of 30 days from the date of collection, after which, if it has not already been uploaded to the Server, it will be purged from the App.

ii. All information collected under Clause 1(b), (c) and (d) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, be purged from the Server 45 days after being uploaded.

iii. All information collected under Clause 1(b), (c) and (d) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.

Aggregated anonymised data to be retained: The provisions of Clause 3(a) are not applicable to anonymised, aggregated datasets generated from the personal data of registered users of the App, or to any reports, heat maps or other visualisations created using such datasets.

Clause 3(a) is also not applicable to medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.

7. Rights of the user to add, remove or modify any information provided during registration: Clause 4(a) gives a user the option to "add, remove or modify any registration information that you have supplied".

Clause 4(b) reads: "You cannot manage the communications that you receive from us or how you receive them. If you no longer wish to receive communications from us, you may cancel your registration. If you cancel your registration, all the information you had provided to us will be deleted after the expiry of 30 days from the date of such cancellation."

Considering that the App does not provide an option to delete one's account, it is ambiguous what will be considered deletion of an account, and whether uninstallation will be treated as deletion.

Moreover, what will happen to the data of a user who has tested positive for COVID-19 but later uninstalled the App? Will such a person's personal information be deleted after 30 days, and would such deletion not conflict with Clause 3(b), which mandates storage of the personal data of a COVID-19 positive person until 60 days after such person has been cured?
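To make the data flow the updated policy describes (clauses 1(a) to 1(d), 2(d), 3(b) and 4(b), discussed under points 3, 5, 6 and 7 above) concrete, the following Python model of those rules is added here as an illustration for this analysis. It is not code from the Aarogya Setu app, whose source has not been published; the clause numbers are the policy's, while the record layout, the class and function names, the field set (including symptoms_likely and the assessment colour) and the two fictitious users in demo() are assumptions made for the example. It shows three things the policy text states but does not make obvious: that the DID is a pseudonym the server can join straight back to a name and phone number (clause 2(d)), how the 30-, 45- and 60-day purge windows behave on sample records (clause 3(b)), and that clauses 4(b) and 3(b)(iii) give a positive user who cancels two different deletion dates.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAY = timedelta(days=1)
UPLOAD_COLOURS = {"yellow", "orange"}   # clause 1(d)(iii); the scoring itself is not in the policy


@dataclass
class Record:                           # one 1(d) location sample or one 1(b) Bluetooth contact
    did: str                            # DID of the phone that recorded it
    when: datetime
    gps: tuple
    other_did: str = ""                 # set only for a 1(b) contact


@dataclass
class Device:
    did: str
    records: list = field(default_factory=list)
    positive: bool = False
    symptoms_likely: bool = False
    assessment: str = "green"

    def must_upload(self) -> bool:
        """Clause 1(d): upload only if one of the three pre-conditions holds."""
        return self.positive or self.symptoms_likely or self.assessment in UPLOAD_COLOURS

    def purge_local(self, now: datetime) -> int:
        """Clause 3(b)(i): drop records older than 30 days that were never uploaded."""
        kept = [r for r in self.records if now - r.when < 30 * DAY]
        dropped, self.records = len(self.records) - len(kept), kept
        return dropped


class Server:
    def __init__(self):
        self.registrations = {}         # did -> (name, phone): clause 1(a) data keyed by DID
        self.uploads = []               # (Record, uploaded_at)
        self.positive = set()           # DIDs that reported a positive test
        self.cured = {}                 # did -> datetime declared cured

    def upload(self, dev: Device, now: datetime) -> int:
        if not dev.must_upload():
            return 0
        if dev.positive:
            self.positive.add(dev.did)
        self.uploads += [(r, now) for r in dev.records]
        n, dev.records = len(dev.records), []
        return n

    def purge(self, now: datetime) -> int:
        """Clause 3(b)(ii)/(iii): 45 days after upload if never positive; if positive,
        60 days after being declared cured (kept indefinitely until a cure is recorded)."""
        def expired(rec, uploaded_at):
            if rec.did not in self.positive:
                return now - uploaded_at >= 45 * DAY
            cured = self.cured.get(rec.did)
            return cured is not None and now - cured >= 60 * DAY
        kept = [(r, at) for r, at in self.uploads if not expired(r, at)]
        dropped, self.uploads = len(self.uploads) - len(kept), kept
        return dropped

    def places_visited(self, did: str, now: datetime):
        """Clause 2(d): last 14 days of a positive user's movement, joined back to the 1(a)
        data through the DID. The DID is a pseudonym, so this join re-identifies the person."""
        name, phone = self.registrations[did]
        pts = [r.gps for r, _ in self.uploads if r.did == did and now - r.when <= 14 * DAY]
        return name, phone, pts

    def deletion_deadlines(self, did: str, cancelled_at: datetime) -> dict:
        """Clause 4(b) (30 days after cancellation) beside 3(b)(iii) (60 days after cure);
        the policy does not say which prevails for a positive user who cancels."""
        cured = self.cured.get(did)
        return {"clause_4b": cancelled_at + 30 * DAY,
                "clause_3b_iii": cured + 60 * DAY if cured else None}


def demo() -> dict:                     # constructed scenario, two fictitious users, sample data only
    t0 = datetime(2020, 5, 1, 9, 0)
    srv = Server()
    srv.registrations = {"did-A": ("A", "9100000001"), "did-B": ("B", "9100000002")}
    a, b = Device("did-A"), Device("did-B")
    for k in range(4):                  # 1(d): a location sample every 15 minutes
        a.records.append(Record("did-A", t0 - k * timedelta(minutes=15), (19.07, 72.88 + k * 1e-3)))
    a.records.append(Record("did-A", t0 - 31 * DAY, (19.00, 72.80)))    # stale, never uploaded
    met = t0 - 2 * DAY                  # 1(b): one Bluetooth contact, logged on both phones
    a.records.append(Record("did-A", met, (19.07, 72.88), other_did="did-B"))
    b.records.append(Record("did-B", met, (19.07, 72.88), other_did="did-A"))
    out = {"local_purged": a.purge_local(t0)}            # 1: the 31-day-old sample
    out["b_uploaded_green"] = srv.upload(b, t0)           # 0: B meets no pre-condition
    a.positive = True
    out["a_uploaded"] = srv.upload(a, t0)                 # 5: four samples plus the contact
    name, phone, pts = srv.places_visited("did-A", t0)
    out["reidentified"] = (name, phone, len(pts))         # ("A", "9100000001", 5)
    b.assessment = "orange"
    out["b_uploaded_orange"] = srv.upload(b, t0)          # 1
    out["purged_day46"] = srv.purge(t0 + 46 * DAY)        # 1: B's record; A's wait for a cure date
    srv.cured["did-A"] = t0 + 20 * DAY
    out["purged_day80"] = srv.purge(t0 + 80 * DAY)        # 5: 60 days after A's cure
    out["deadlines"] = srv.deletion_deadlines("did-A", cancelled_at=t0 + 10 * DAY)
    return out
```

Running demo() walks one pair of users through the policy: B's contact record sits on the server under the 45-day rule, A's records are held with no expiry at all until someone records a cure date, and for A cancelling on day 10 the two clauses yield deletion dates 40 days apart. The places_visited join is the point to notice: hashing registration data "with a DID" does not anonymise it, because the server keeps the DID-to-person mapping that clause 2(d) relies on.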

Word-by-word comparison of the old and updated privacy policy of the Aarogya Setu App

Clause 1(a)
Old Privacy Policy:
1. The old privacy policy did not specify whether the information of users was to be stored on government servers or private servers.
2. There were 7 questions a user had to answer at the time of registration: age, sex, travel history, profession, phone number, name, and whether the user is a smoker.
Updated Privacy Policy:
1. The updated privacy policy clarifies that the information will be stored on servers operated and managed by the Government of India.
2. It states that the information stored on the server will be hashed with a unique digital ID (DID), which shall be used to identify the user in subsequent app-related transactions.
3. The updated policy also clarifies that at the time of registration, location details of the user are captured and uploaded to the server.
4. While the 6 questions on age, sex, travel history, profession, phone number and name remain in the updated policy, the 7th question (smoker) has been omitted.

Clause 1(b)
Old Privacy Policy: The old policy did not provide for the creation of a unique digital ID (DID).
Updated Privacy Policy: As soon as two users come within each other's Bluetooth range, the DIDs are automatically exchanged and the time and GPS location of the contact are recorded.

Clause 1(c)
Old Privacy Policy: (no corresponding text)
Updated Privacy Policy: Each time a user completes a self-assessment test, the App is authorised to collect the location data and upload it along with the DID to the server.

Clause 1(d)
Old Privacy Policy: (no corresponding text)
Updated Privacy Policy: The app continuously collects location data and stores a record of all places the user has been, at 15-minute intervals, on the user's mobile device. There are 3 pre-conditions under which this information shall be uploaded to the server along with the DID:
i. the user has tested positive for COVID-19; or/and
ii. the user's self-declared symptoms indicate that they are likely to be infected with COVID-19; or/and
iii. the result of the user's self-assessment test is either yellow or orange. The yellow colour code means that the user is at high risk; orange means moderate risk.

Clause 2(a)
Old Privacy Policy:
1. The personal information collected was to be stored locally in the App on the user's mobile device and was to be uploaded and used by the Government of India only in anonymised, aggregated datasets.
2. The purpose of this information collection was to:
i. generate heat maps, reports and other statistical visualisations for the purpose of management of COVID-19; and
ii. carry out contact tracing in case the user has tested positive or has come in contact with anyone who has tested positive.
3. The user's personal information could also be shared with such other necessary and relevant persons as may be required to carry out necessary medical and administrative interventions.
Updated Privacy Policy:
1. The personal information collected at the time of registration shall be stored on the government server and will only be used by the Government of India in anonymised, aggregated datasets.
2. The purpose of this information collection is to:
i. generate reports, heat maps and other statistical visualisations for the purpose of management of COVID-19;
ii. provide general updates pertaining to COVID-19.
3. A user's DID will only be correlated with their personal information in order to:
i. communicate the probability of contracting COVID-19; and/or
ii. provide information to persons carrying out medical and administrative interventions in relation to COVID-19, limited to the information needed by medical personnel to do their job.

Clause 2(b)
Old Privacy Policy: The mobile number provided by the user at the time of registration was to be used to communicate through SMS, IVR, push notifications or other such means to inform the user that they had come in close contact with someone who has tested positive for COVID-19.
Updated Privacy Policy: Information collected from any other user's mobile device shall be uploaded to and stored on the server and used to calculate the user's probability of contracting COVID-19.

Clause 2(c)
Old Privacy Policy: (no corresponding text)
Updated Privacy Policy: The information collected under clause 1(c) shall be used by the Government of India to evaluate, based on self-assessment tests and GPS locations, whether a disease cluster is developing at any geographic location.

Clause 2(d)
Old Privacy Policy: (no corresponding text)
Updated Privacy Policy:
1. In case the user has tested positive for COVID-19, the information uploaded by the user will be used to map the places visited over the past 14 days.
2. In case there is a requirement to accurately map the places visited by the user, the DID associated with the information collected under clause 1(d) will be correlated with the user's personal information collected under clause 1(a).

Clause 3(b)
Old Privacy Policy: Location information of registered users with whom such user had come in contact was to be retained for a period of 30 days from the date of such contact, after which, if neither such user nor the other registered user had tested positive for COVID-19 during such 30-day period, it was to be purged from the App.
Updated Privacy Policy:
1. All personal information collected under Clause 1 will be retained on the mobile device for a period of 30 days from the date of collection, after which, if it has not already been uploaded to the Server, it will be purged from the App.
2. All information collected under Clause 1 and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, be purged from the Server 45 days after being uploaded.
3. All information collected under Clause 1 of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.

Clause 3(c)
Old Privacy Policy:
1. Nothing set out herein shall apply to the anonymised, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualisations created using such datasets.
Updated Privacy Policy:
1. Nothing set out herein shall apply to the anonymised, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualisations created using such datasets.
2. Nothing set out herein shall apply to medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.

We had also written about concerns with the previous privacy policy of Aarogya Setu, and on March 31, several organisations led by SFLC.in wrote a joint letter to the Central and State Governments on the unwarranted and excessive collection and processing of personal data of individuals during the COVID-19 pandemic.

[i] Aarogya Setu: Govt's coronavirus tracker app gets 5 crore users in 13 days, LiveMint, 16 April 2020. <https://www.livemint.com/news/india/aarogya-setu-govt-s-coronavirus-tracker-app-gets-5-crore-users-in-13-days-11587021032271.html>

[ii] Personal Data Protection and Privacy Principles, adopted by the UN High-Level Committee on Management (HLCM) at its 36th Meeting on 11 October 2018. United Nations. <https://www.unsceb.org/CEBPublicFiles/UN-Principles-on-Personal-Data-Protection-Privacy-2018.pdf>

[iii] Justice K.S. Puttaswamy (Retd.) v. Union of India, WP (Civil) No. 494 of 2012.