
All Posts | Apr 08,2020

Our Concerns With The Aarogya Setu App

Recently, the Ministry of Electronics and Information Technology (“MEITy”) rolled out its “Aarogya Setu” application (“the App”) for Android and iOS platforms. The App aims to tell users whether they are prone to a COVID-19 infection by analysing their proximity to COVID-19 positive persons. The App requires the user to submit the user’s geodata. It also uses Bluetooth to connect to other registered users and, from the network thus formed, analyses whether the user has come in contact with anyone who has tested positive. The App, as per its terms of service, is intended to “notify, trace, and suitably support” a registered user regarding COVID-19 infection.

We, at SFLC.IN, went through the software’s features and also took a look at its terms of service and its privacy policy. The application collects personal information, some of which is sensitive personal data, such as a person’s gender and travel information. So, it was necessary to scrutinise the App in these testing times, and we do have some concerns with it. They are as follows:

1. Violation of the law laid down by the Supreme Court – It is important to note that the Aarogya Setu app has been launched in the time of an ongoing pandemic, when Governments are trying to maximise data collection, often at the cost of the privacy rights of citizens. India does not have a personal data protection law, which would limit data collection and processing. SFLC.IN, along with a coalition of lawyers, social activists, entrepreneurs, and concerned citizens, had recently sent a joint letter to various ministries of the Central Government and also the heads of states and union territories expressing concerns over the unwarranted and excessive collection of personal data during the ongoing COVID-19 pandemic, urging the various governments to follow the law enunciated in various Supreme Court judgments. If you haven’t signed on the campaign letter, you can do so by clicking here.

2. “Aarogya Setu” is not open source – Though the Central Government has a prevailing policy on adoption of open source software, the Aarogya Setu app’s code has not been made open source. Making the source code available enhances transparency and also improves security, as the code is open to community audit. The app primarily collects personal data from user cellphones, and cellphones are an immense repository of personal data of users and, sometimes, of a user’s contacts and acquaintances. In this scenario, keeping the source code of such an app proprietary is not advisable.

3. Personal Data Collected and its Use – The app, as per its privacy policy, collects the following personal information during registration and stores it in the cloud: (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; (vi) countries visited in the last 30 days; and (vii) whether or not you are a smoker. It also collects a person’s current medical condition through a series of questions asked when the app is run for the first time to assess the condition of the user. Moreover, the App continuously collects the location data of the registered user and maintains a record of the places where the user had come in contact with other registered users.

Clause 2 (a) of the Privacy Policy states, concerning the use of collected data, that:

 “The personal information collected from or about you under Clause 1(a) above, will be stored locally in the App on your device and will only be uploaded to and used by the Government of India (i) in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country and/or (ii) in the event you have tested positive for COVID-19 or have come in close contact with any person who has tested COVID-19 positive. Any personal information uploaded to the cloud will only be used for the purpose of informing you, or those you have come in contact with, of possible infection. Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.”

This clause enables the Government to share personal information uploaded to the cloud with “such other necessary and relevant persons” in order to “carry out necessary medical and administrative interventions”. This is problematic as the clause is broadly worded, allowing the data to be shared with practically anyone that the Government wants.

Moreover, the promises made in the privacy policy can also be undermined through the vagueness of Clause 2 (c) which states:

“The personal information collected will not be used for any purpose other than those mentioned in this Clause 2 save as required in order to comply with a legal requirement.” [emphasis supplied]

Nowhere in the policy documents is the phrase “legal requirement” defined. It is not unreasonable to think that this could be defined as whatever the Government wishes. This can lead to excessive collection and use of sensitive personal data. Moreover, true anonymisation of personal data has been debated by technologists and the Government has to prove that it has anonymised the data properly.

4. Very “Limited Liability” - The liability limitation clause of the Terms of Service limits the Government's liability even if inaccurate information is given by the App or in case of failure to generate true positives. It is pertinent to note that this absolves the Government of liability in case of any harm caused due to incorrect information. Therefore the App’s policies render the App nothing but another data grabbing exercise.

Moreover, the liability clause also exempts the Government from liability in the event of “any unauthorised access to the [user’s] information or modification thereof” (emphasis supplied). This means that there is no liability for the Government even if the personal information of users is leaked.

5. Restriction on Reverse Engineering

Section 52 clauses (ab) and (ac) of the Copyright Act, 1957 state:

“(ab) the doing of any act necessary to obtain information essential for operating inter-operability of an independently created computer programme with other programmes by a lawful possessor of a computer programme provided that such information is not otherwise readily available;

(ac) the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied;”

Through the aforementioned provisions a Central Act enables a lawful possessor of a computer programme to do any act to obtain information essential for inter-operability of an independently created computer programme and to determine the ideas and principles which underline any elements of the programme. Essentially, these provisions enable reverse engineering of a lawfully obtained computer programme.

However, the Aarogya Setu app, through Clause 3 of its Terms of Service, restricts the user from reverse engineering the App.

“...You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”

(emphasis supplied)

Reverse engineering is a process through which one is able to study a computer programme and understand how the programme functions, and whether it is doing only what it is supposed to do or what the developers promised that it would do.

It is indeed essential for security researchers to study and examine the working of an app like Aarogya Setu which is potentially a surveillance tool that collects the movements and geolocation data of its users.

A provision in a Terms of Service cannot take away a statutory right provided by a Central Act. The former is a violation of the latter. Therefore, this provision within the Terms of Service must be removed.

Note: We are also doing a technical analysis of the Aarogya Setu app. We will upload more information if we find any more issues.

All Posts | Nov 07,2019

FAQ on surveillance in India.

What exactly is surveillance?

The Merriam-Webster dictionary defines surveillance as “keeping a close watch kept on someone or something”. In the context of this FAQ we use the word ‘surveillance’ to refer only to the act of real-time surveillance conducted by Governments through telecommunication systems (namely, telephones and the Internet), though private actors may also conduct surveillance through various methods, and offline methods are also used by governments to conduct surveillance.

Is there a way that surveillance can happen offline as well?

Yes, Section 26 of the Indian Post Office Act, 1898 gives the government the power to intercept articles for public good. The section provides that on the occurrence of a public emergency, or in the interest of public safety/tranquility, an authorized officer of either the state or the central government can, by making an order in writing, intercept, detain or dispose of any kind of postal article. Subsection (2) of the section provides that when there is doubt as to whether the interception, detention or disposal was done in the public interest, a certificate issued by the government will be conclusive proof. However, for the purpose of this article, we will not be diving into details of offline surveillance.

Is surveillance in India legal?

Yes, as there exists a legal framework which enables the Government to conduct surveillance on the occurrence of certain circumstances. However, the surveillance has to be undertaken within the boundaries of this legal framework.

 

Which are the laws that regulate surveillance conducted by the government?

Telephones

1. The Indian Telegraph Act, 1885

  1. Section 3(1AA): Defines what a 'telegraph' is and means, “...any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means...”
  2. Section 5(2): This section is invoked to conduct surveillance over telegraph lines (as defined above), but only on the occurrence of the pre-requisites of a public emergency or the interest of public safety.

2. Indian Telegraph Rules, 1951

  1. Rule 419A: This provision lays down the procedural law regarding telephone tapping. It was introduced by way of an amendment in 2007, which was necessitated by the Supreme Court's condemnation in the case People's Union for Civil Liberties v. Union of India (AIR 1997 SC 568) of the lack of procedure governing telephone tapping. The provision mandates that telephone tapping can be done only through a lawful order.
[Diagram: how a lawful order to tap telephones is procured]

Internet

Provisions dealing with Internet surveillance may be found interspersed throughout the Information Technology Act 2000 and several rules made thereunder.

1. Information Technology Act, 2000

[Diagram: the differences between the grounds for interception under Section 5(2) of the Telegraph Act and Section 69B of the Information Technology Act]

  1. Section 69: Modeled extensively after Section 5(2) of the Telegraph Act, this provision allows the Government to engage in surveillance of Internet data. However, unlike Section 5(2) of the Indian Telegraph Act, 1885, Section 69 has no pre-requisites for its invocation and has enlarged grounds.
  2. Section 69B: This provision in turn deals with the surveillance of Internet metadata as compared to Internet data. Metadata is any data that gives information about other data. For example, if person A sends a message to person B, then the content of the message will be data and the data such as the time and date of sending and receiving the message, information about the devices from which the message was sent and received, profile information, etc. would be the metadata.

2. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69 of the Information Technology Act.

3. Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009

These rules lay down the provision for the procedural law related to the Internet-data surveillance conducted under Section 69B of the Information Technology Act.

Under both the above Rules, the procedure laid down is substantially similar to the procedure laid down in Rule 419A of the Indian Telegraph Rules, 1951.

In addition to these laws, license agreements such as the Unified Access Service License (UASL), the Internet Service License (ISL), and the Unified License (UL), which incorporates the former two licenses, between the Department of Telecommunications and telecommunications service providers also enable the government to receive assistance from telecommunication service providers in conducting surveillance. Licensees must also provide, in the interests of security, 'suitable monitoring equipment as per the requirement of the DOT or law enforcement agencies'.

 

Are there any monitoring systems in place in India?

As per available information, the Central Monitoring System (CMS) and the National Intelligence Grid (NATGRID) are the two intelligence systems in place in India. Also, another system named Network Traffic Analysis (NETRA) was rumoured to be launched in 2014. NETRA was developed by the Centre for Artificial Intelligence and Robotics (CAIR), a lab under the Defence Research and Development Organisation (DRDO). However, not much information is available regarding the project.

In addition to such dedicated systems, state police forces also conduct monitoring of social media platforms and the web. For example, the Mumbai police force monitored social media platforms to tackle fake news surrounding the Maharashtra elections and, similarly, the Uttar Pradesh police force has been put on ‘high alert’ in anticipation of the Ayodhya verdict and, as part of vigilance, is conducting social media monitoring. However, this is not ‘backdoor’ surveillance but a scan and analysis of publicly available social media posts.

 

Which government agencies are involved in or carry out surveillance in India?

In a starred question which was raised in the Lok Sabha and answered on 11.02.2014, the names of the agencies authorised to intercept and collect details of telephonic conversations under Section 5(2) of the Indian Telegraph Act, 1885 read with Rule 419A of Indian Telegraph (Amendment) Rules, 2007 were listed as follows:


# Central Agencies

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Directorate of Enforcement

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Research & Analysis Wing (R&AW)

  9. Directorate of Signal Intelligence, Ministry of Defence - for Jammu & Kashmir, North East & Assam Service Areas only

# State Agencies

  1. Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area only


As per the order of the Ministry of Home Affairs S.O. 6227(E) dated 20.12.2018, the following Security and Intelligence Agencies were authorised “for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource under the Sub-section 69 (1) of the Information Technology Act, 2000 (21 of 2000) read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009”:

  1. Intelligence Bureau

  2. Narcotics Control Bureau

  3. Enforcement Directorate

  4. Central Board of Direct Taxes

  5. Directorate of Revenue Intelligence

  6. Central Bureau of Investigation

  7. National Investigation Agency

  8. Cabinet Secretariat (RAW)

  9. Directorate of Signal Intelligence (For service areas of Jammu & Kashmir, North-East and Assam only)

  10. Commissioner of Police, Delhi

 

 

What is the remedy available in case you suspect that you have been placed under surveillance illegally, for example the WhatsApp-NSO scandal?

Judicial recourse is obviously the effective remedy available for negating unlawful monitoring/surveillance efforts by the Government. Illegal monitoring methods, such as the one employed in the WhatsApp-NSO Spyware row, employ malicious hacking (also known as black-hat hacking) methods which amount to a violation of Sections 43 and 66 of the Information Technology Act, 2000, which ascribe liability to the perpetrator of the crime.

Section 43

Section 43 of the Information Technology Act, 2000 deals with penalties and compensation for damage to computer, computer system etc. Section 43 ascribes civil liability to anyone who causes any damage to a computer or a computer system and demands the actor to pay damages (compensation) to the affected person.

Section 66

Section 66 deals with computer related offences. If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both. Section 66 ascribes criminal liability to the perpetrator of a cyber crime.

 

 

How can I approach forums for securing a remedy?

1. Approaching Cyber Cells

All state police forces have a cybercrime division or a cyber cell or a dedicated cybercrime police station established where victims of cybercrimes can file complaints in case of a malicious cyber incident. First Information Reports can be filed under S. 154 of the Criminal Procedure Code, 1973 in case you are a victim of a cyber crime such as malicious hacking.

It is advised to provide as much information as you can while filing such complaints, including information regarding application and system logs, IP addresses, relevant screenshots. It would be wise to approach a cyber security expert or a digital forensics examiner if you are unaware of how to retrieve necessary information.

2. Approaching Magistrate Courts

If, under any circumstances, the police officer/cell refuses to receive or investigate your complaint, recourse may be taken by approaching the Magistrate court through Section 156 (3) read with Section 190 of the Criminal Procedure Code, 1973 by filing a private complaint and seeking a direction to the police station concerned to investigate the matter (called a ‘forwarding petition’).

3. Approaching the High Courts

If you suspect that you are being placed under surveillance through an illegal order in contravention of Section 5(2) of the Indian Telegraph Act, 1955 and Rule 419A of the Indian Telegraph Rules, 1951, or under Section 69 of the Information Technology Act, 2000, you can approach the appropriate state High Court under Article 226 of the Constitution of India, invoking the ‘writ’ jurisdiction of the High Court to quash the illegal surveillance order and also for exemplary compensation. It is advisable to obtain relevant information regarding the surveillance order by filing RTI applications.

If you suspect that you are a victim of the WhatsApp-NSO Spyware row, then you can approach the High Court if your name has been revealed in any list released by Citizen Lab or any other publicly reported list.

What if the Information Officer under the State/Central authority refuses to furnish information, or your RTI Application is rejected citing exemptions under Section 8 of the Right to Information Act, 2005, or is delayed?

Under the RTI Act, an application for information may be refused citing exemption from disclosure under the different grounds enumerated in Section 8 of the Act (and also Section 9 if it infringes the copyright of a person other than the State).

Normally, information sought by an application under the RTI Act, has to be furnished within 30 days from the receipt of the application by the public authority and if the information sought for by the applicant is concerned with the life and liberty of a person, it is to be provided within 48 (forty-eight) hours.

If any of the above is the case with your application, or if you are not satisfied with the information supplied to you, you can still raise an appeal (within 30 days) to the first appellate authority (who is an officer senior in rank to the Information Officer) in the office of the public authority wherein you sought the application. If the first appellate authority also furnishes unsatisfactory information, you can approach the State/Central Information Commission (depending on whether the public authority is under the State or Central Government) by filing an appeal.

All Posts | Aug 14,2010

The BlackBerry Emergency

According to the Government of India, private service providers like AirTel and Vodafone are failing in their legal obligations under the Information Technology Act, hastily amended in the days immediately following the Mumbai 7/11 attacks, by not providing access to the content of emails and texts sent to or from BlackBerry users. As a lawyer, I have some doubt about this legal position, no doubt under discussion between GoI and the service providers. But there is no doubt that the Government has failed to make clear the context of this dispute, or the real consequences of the demands it is making.

BlackBerry devices use the wireless networks of the local service providers to deliver email and texts through servers operated by Research in Motion located outside India. If you or I as individuals buy a BlackBerry through one of the offering service providers, our email and text traffic will not be encrypted, and GoI will have whatever access to our communications the law requires. If, however, your BlackBerry was given to you as an employee of an MNC or a large local enterprise, for work use, those emails and texts will be encrypted so that only the sender and receiver, but not Research in Motion (RIM) and not the local Indian wireless service provider, will be able to read them. Since these parties do not have access to the content of encrypted messages, and therefore cannot provide what Government says the Act requires, the Government now threatens to force a halt to their services as of August 31.

Unless a ring of terrorists is embedded entirely within some MNC, and is using its email and messaging system to plan terrorist attacks or other crimes using corporate BlackBerries, such a service cut would not be likely to prevent the planning or execution of any attacks. What it would do, however, is effectively cut off India from the global financial system. The ability of banks, insurance companies, law firms, consultancies and other professional service enterprises to operate around the globe depends entirely on the flow of confidential intra-firm communications. People cannot do business anywhere unless they can be sure that their firm's business communications are not being overheard by competitors or other parties using breaches in communications networks. So every such enterprise relies upon mechanisms that ensure complete confidentiality, on which the movement of trillions of crores every day in the world economy depends. BlackBerry provides one portion of that network to a large subset of that market. Any country which shuts off encrypted BlackBerry communications has shut down its place in the global economy.

Government knows what the extent of its threat implies if our connection with the global economy is temporarily lost. But if the Government were clear with the public now about the small security benefit to be gained and the magnitude of the harm it will cause if its threat is carried out, its disproportionality would raise questions in the mind of the public. Apparently GoI believes that such a threat can, from its very desperate dramatic quality, induce a useful result. Unfortunately, this too is wrong. Because nobody but the enterprises themselves has access to the decrypted information, Government must get inside the BlackBerry itself if it is to read the messages.

Thus, it is likely that GoI is pressurizing the local service providers like Airtel and Vodafone to put spyware within the BlackBerries attached to their networks. Thus, an arriving investment banker or CEO from New York or Frankfurt would have his BlackBerry subject to the introduction of spyware by the network, along with all the BlackBerries used by Indian financial services firms. There is precedent for this effort. One UAE wireless company, Etisalat, was caught installing spyware on more than 100,000 enterprise BlackBerries in the Emirates last year. Research in Motion was required by its customers to bear the cost of software upgrades to the system to remove the spyware and secure their business communications. Etisalat has been fundamentally injured in its credibility in international business, and is in some danger of becoming a global pariah.

GoI is making threats that could only be fulfilled at cataclysmic cost to the economy. Carrying them out would in effect cause immense harm to India's telecommunications sector and our reputation in the global financial services economy, where so many of our jobs are being created. In the end, it would inflict immense damage, much greater than any terrorist could ever cause, while scarcely achieving any additional security.