Aarogya Setu, the Indian government’s controversial COVID-19 contact-tracing mobile app, claims the largest user base (over 114 million) of any such app worldwide.
On May 26, the government also took the unexpected but significant step of declaring the app ‘open source’. It even launched a ‘bug bounty’ rewards programme for researchers and developers to identify, and propose fixes for, security vulnerabilities and other bugs in the app. These steps are meant to bolster its case that the app is robust and ‘privacy by design’.
The decision came after sharp criticism labelling the app non-transparent, invasive of users’ privacy, a risk to users’ personal data, an enabler of undue surveillance of citizens, and inaccurate. With the app now open source, its source code, design and functionality can be publicly tested, and alterations may be proposed. Open source makes the behaviour of the client on users’ phones auditable; what happens to the data once it reaches the government’s servers can still only be judged from the published policies, not from the app’s code.
Across the globe, contact-tracing apps are being viewed as integral in the fight against COVID-19, especially with movement restrictions now being eased gradually.
However, the standards of privacy, transparency and data protection required for such apps have become a subject of intense debate not only in India but all over the world, including in the European Union (EU), which has some of the strictest data protection and privacy laws.
Basic contact-tracing methods
Contact-tracing involves identifying people who come in contact with an infected person. Most contact-tracing apps use GPS location tracking or Bluetooth proximity tracking, or both, to collect such ‘contact data’.
Bluetooth tracking is seen as more privacy-preserving: it records only identifiers broadcast by other nearby devices that stayed within range for some minimum duration, without recording where the user was or how they moved. Well-designed apps broadcast random, regularly rotating identifiers rather than a fixed device ID, so that a record of identifiers cannot be used to follow one person over time. The app may also collect other personal or demographic identifiers like name, gender or phone number, which are not strictly required for contact tracing.
All collected data can be stored and processed either in a ‘centralized’ manner (on government-controlled servers) or in a ‘decentralized’ manner (on the users’ device), or both.
Centralized systems allow governments to access such data, although pseudonymous unique IDs may be generated for such storage and processing rather than names. In a centralized system, if a user tests positive, the user’s device uploads the identifiers it recorded and the central server works out which registered users those identifiers belong to and alerts them. In a decentralized system, the server only publishes the identifiers that the infected user’s own device broadcast; every other device compares that list against the identifiers it heard and raises the alert locally, so the server never sees who was in contact with whom.
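To make the difference between the two architectures concrete, here is a small Python simulation. It is an added illustration and not code from Aarogya Setu or from any real contact-tracing app (whose protocols differ in detail): phones broadcast random identifiers that rotate on an assumed 10-minute schedule, record how long each identifier was in range, and an assumed 15-minute exposure threshold is applied. The encounters in `simulate()` are constructed for the demo. The interesting output is `server_view`: under the centralized model the server can resolve every person the infected user met, including contacts too brief to trigger an alert, while under the decentralized model it receives no other user’s identifiers at all.

```python
"""Toy model of centralized vs decentralized Bluetooth proximity tracing.

Constructed illustration; not the protocol of Aarogya Setu or any real app.
Assumed parameters: identifiers rotate every 10 minutes, and 15 minutes of
accumulated proximity counts as an exposure.
"""
import secrets
from collections import defaultdict

ROTATION_SECONDS = 10 * 60      # assumed rotation period of a broadcast ID
MIN_CONTACT_SECONDS = 15 * 60   # assumed exposure threshold


class Phone:
    def __init__(self, owner):
        self.owner = owner                # demo label only, never transmitted
        self.eph_ids = []                 # random IDs this phone has broadcast
        self.heard = defaultdict(int)     # ID heard -> seconds it was in range

    def eph_id_for(self, t):
        """Return the random ID broadcast at time t (one per rotation slot)."""
        slot = t // ROTATION_SECONDS
        while len(self.eph_ids) <= slot:
            self.eph_ids.append(secrets.token_hex(16))
        return self.eph_ids[slot]

    def hear(self, eph_id, seconds):
        self.heard[eph_id] += seconds


def encounter(a, b, start, seconds):
    """Two phones within Bluetooth range from `start` for `seconds` seconds.

    The contact is split at rotation boundaries so each side logs the ID the
    other was actually broadcasting during that part of the encounter."""
    t, end = start, start + seconds
    while t < end:
        slot_end = (t // ROTATION_SECONDS + 1) * ROTATION_SECONDS
        chunk = min(end, slot_end) - t
        a.hear(b.eph_id_for(t), chunk)
        b.hear(a.eph_id_for(t), chunk)
        t += chunk


def centralized_alerts(infected, all_phones):
    """Infected phone uploads everything it heard; the server, which holds a
    registry mapping IDs to registered users, sums exposure per user and
    decides whom to alert."""
    registry = {e: p.owner for p in all_phones for e in p.eph_ids}
    exposure = defaultdict(int)
    for eph_id, secs in infected.heard.items():
        if eph_id in registry:
            exposure[registry[eph_id]] += secs
    return {owner for owner, secs in exposure.items() if secs >= MIN_CONTACT_SECONDS}


def decentralized_alerts(infected, all_phones):
    """Infected phone publishes only its own broadcast IDs; every other phone
    sums how long it heard any of them and decides locally."""
    published = set(infected.eph_ids)
    alerted = set()
    for p in all_phones:
        if p is infected:
            continue
        exposure = sum(s for e, s in p.heard.items() if e in published)
        if exposure >= MIN_CONTACT_SECONDS:
            alerted.add(p.owner)
    return alerted


def server_view(infected, all_phones, model):
    """Which other users the server can identify from the infected phone's upload."""
    if model == "centralized":
        registry = {e: p.owner for p in all_phones for e in p.eph_ids}
        # Every heard ID resolves, even contacts too short to trigger an alert.
        return {registry[e] for e in infected.heard if e in registry}
    # Decentralized: the upload contains only the uploader's own IDs.
    return set()


def simulate():
    """Constructed scenario: alice tests positive after meeting bob (25 min,
    spanning ID rotations), carol (5 min, below threshold); dave met only carol."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    phones = [alice, bob, carol, dave]
    encounter(alice, bob, start=300, seconds=25 * 60)
    encounter(alice, carol, start=3000, seconds=5 * 60)
    encounter(carol, dave, start=0, seconds=30 * 60)
    return {
        "centralized_alerts": centralized_alerts(alice, phones),
        "decentralized_alerts": decentralized_alerts(alice, phones),
        "centralized_server_view": server_view(alice, phones, "centralized"),
        "decentralized_server_view": server_view(alice, phones, "decentralized"),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {sorted(value)}")
```

Both models alert the same person (bob), which is the point: the epidemiological result is identical, and the choice between them is about what the server learns, not about detection accuracy. The per-person summing across rotated identifiers is also why real protocols publish something from which a day's identifiers can be linked, rather than asking each identifier to cross the threshold on its own.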
Whether an app uses GPS or Bluetooth tracking, whether it collects non-essential personal data, and whether it processes data centrally or on the device have become a litmus test of a country’s commitment to the privacy and data protection of its citizens.
In the EU, due to heightened public sensitivity towards data protection issues, various official EU bodies have issued guidance to member states on transparency, privacy and data protection standards for contact-tracing apps, in line with the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
This guidance includes: (a) use of such apps not being mandatory; (b) minimal, anonymised and preferably decentralised data collection; (c) preference to Bluetooth over GPS tracking; and (d) open availability of the app source code.
However, despite the above guidelines and the continued spread of the virus, the use and scope of such apps is still being widely debated in the EU, and several major EU countries are yet to widely launch approved apps.
As per reports, France and the United Kingdom are likely to launch contact-tracing apps relying on a centralized system. Germany and Italy have opted for the decentralised system for greater acceptability among users.
Most existing or upcoming apps in major EU countries neither rely on GPS tracking nor collect personally identifiable data such as name or phone number.
Aarogya Setu uses GPS and Bluetooth tracking along with a hybrid (centralized plus decentralized) model to enable contact tracing. Users must provide certain personal and demographic identifiers like name, phone number, location, age and gender during registration, and may take self-assessment tests. These details and test results are stored on a central server against a unique pseudonymous ID, which is used for all later interactions.
All Bluetooth proximity and GPS data collected by the app is initially stored only on the user’s device. If, however, the user reports on the app as coronavirus positive or symptomatic, or tests positive in a lab, that data is uploaded to the central server. All positive lab results are shared with the Indian Council of Medical Research, which passes them on to the central server for matching against registered Aarogya Setu users.
The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 (the ‘protocol’) mandates that the collected data may be shared with central and state government departments, ministries and health institutions only in anonymised form and strictly for the purpose of formulating or implementing a health response. If required for this purpose, the data can be shared with third parties including research institutions, subject to the restrictions under the protocol.
One major concern has been that the central and local governments have wavered over whether the app should be mandatory.
Initially, the app was released for voluntary use, but it was subsequently made mandatory for all public and private employees by orders issued under the Disaster Management Act, 2005 (commonly referred to as the NDMA), which has overriding effect over other legislation.
However, legal experts questioned the authority of an executive group (even under NDMA) to issue directions which potentially impede upon the fundamental right to privacy of citizens, without a specific and explicit parliamentary legislation on the subject.
The government retracted the decision on May 17. Given the possible legal obstacles, any future attempt to make the app mandatory is likely to meet tough legal scrutiny. It would also contrast with practice in countries with well-established privacy and data protection laws, such as those in the EU.
A mandatory app that collects personal data also removes any meaningful user consent and undermines the right to seek erasure of personal data. Although current Indian law allows users to withdraw consent to the processing of their personal data (where the app is not mandatory), a well-defined framework permitting users to seek erasure of personal data is missing.
Such a framework is proposed under the Personal Data Protection Bill of 2019, which is yet to be enacted. However, erasure rights proposed under the bill are not unconditional. It draws from the GDPR, but the European law arguably allows a broader right to request erasure.
At the same time, the collection of GPS location data through Aarogya Setu has been termed a surveillance tool and inconsistent with data minimisation practices.
Critics contend that successful contact-tracing apps in other regions (such as Singapore) rely on Bluetooth proximity tracing, and that the utility of GPS tracking in India is doubtful given the high population density at any given location, especially during lockdown. GPS data alone cannot tell the few people who were actually close to an infected person apart from the many who were merely in the same area.
In response, Aarogya Setu’s FAQs suggest that higher population density increases the risk of geometric spread. Thus, the tracing of the “paths traversed” by an infected person becomes necessary to take effective measures. Such location data (including that collected through self-assessment) is also used to identify hotspots, clusters and zones, and prepare heat maps.
While India’s use of a centralized server is similar to the approach adopted by France and the UK for managing health responses, many other countries, in the EU and outside it, are looking to use decentralized systems. Google and Apple have entered the fray and launched application programming interfaces (APIs), their Exposure Notification API, to facilitate Bluetooth proximity detection on Android and iOS with decentralized, on-device collection and matching of contact data.
Managing the tension between individual privacy and public health during a pandemic requires a difficult balance. The government’s decisions to make Aarogya Setu voluntary and open source and to subject it to public scrutiny are encouraging steps.
Nevertheless, the government’s responsibility and liability in case of a data breach remains uncertain.
Further, the app’s source code is now under the Apache 2.0 open source licence, which allows creation of derivative works freely. It remains to be seen whether such derivative apps will be allowed on mobile platforms without the government’s approval especially if they relate to COVID-19.
Harsh Walia is a partner and Abhinav Chandan is a principal associate at law firm Khaitan & Co. Views are personal.