The recent Central government order, to make Aarogya Setu App – a pan – India mobile application launched for ‘contact tracing technology’, endorsed by Central Government, was made obligatory for public or private offices/organisations, which has been encrusting legal as well technical encounters. It is ‘tracking app’ which uses the smartphones GPS or Bluetooth features to track the COVID’19 virus infection, available for Android and iOS operating systems. In a recent government order, has made, the app mandatory for government employees, PSU’s, autonomous bodies and private organisations, which conveys whether the person is safe or not, displaying level of risks, on the basis of self-assessment of the symptoms, using colour coding of ‘Green’ and ‘Yellow’, the data of such users are uploaded in server and give the incidences of COVID’19 positives or suspects patients in the person’s neighbourhood. Government stated that it shall be the accountability of the head of the respective organisations, to ensure 100% coverage of this app among the employees. The government could only offer this large scale tool available for screening, amidst the lockdown across India. Officials said that, physical screening or contact tracing of all people may not be possible given the rising volume of infections. As per the government statement the app offers two way safeguard for service providers as well as the customers.
The controversy stirred when two ethical hackers from France, named Robert Baptiste & Elliot Alderson, upstretched questions over the veracity of the app vulnerability and privacy issues. They interrogated that data collected by the app is sent to government servers, without authorised access. As per the hackers, there are security apprehensions as to web view activity and no host validation. According to Elliot Alderson, any attacker can open app’s internal file, which have local data base, used by the app. The attacker, may also know who is infected anywhere in India, in the area of his choice, due to app’s malfunctioning ability to know the location or radius of user. Given that any number of total users will be a subset of smartphone owners in India, and there are bound to be variations in the levels of self-reporting, the efficacy is not unassailable. Both hackers, upraised trepidations as to the Source Code of the app, which means data collected by the app, passed on to whom, nobody really knows. Also, the app may afford authorities to tamper with personal information saved in device of user. The hackers, were sceptical that, app also miscarries to elucidate the issues with respect to ‘unauthorised access to user information’ as per the terms of use of such app.
Along with these contentions, the opposition leader Rahul Gandhi disparaged the government’s initiative of Aarogya Setu App, calling it as “a sophisticated surveillance system’, raised his worries over serious data security or privacy issues of user’s at stake. He remarked, that ‘technology can help us safe, but fear must not be leveraged to track citizens without their consent’.
In numerous research, conducted by technical or cyber experts or NGO’s, disputed that the data is outsourced to a private operators, with no institutional oversight. The Internet Freedom Foundation(IFF), stated that, India dearth’s a comprehensive data protection law and out-dated surveillance laws, that’s why the application would be unserviceable, and inadvertently differentiate against regions which having smaller number concentrations of smartphones or low income non smartphone users. Internet Freedom Foundation argued that if such systems erroneously urge people to pre-emptively take tests then there is threat that public health systems may be overwhelmed impulsively. The Internet Freedom Foundation raised apprehension over the compliance of the privacy standards, degree of institutional divergence, information collection, purpose limitation, data storage and institutional divergence, transparency, and recommended privacy instructions.. These concerns come amid confirmatory claims by certain sections of the government and technology volunteer groups that the app was designed with ‘privacy- by- design’ approach’. The app privacy policy does not specify which department or ministry or officials or operator will be the ones retrieving that data, in due course challenging the ‘Source code’ of the app.
Many legal experts & cyber security experts, outstretched their issue as to why there is no ministry majorly involved as player in the application, specially the Health Ministry? They argued that, health authorities are leading the efforts to respond to COVID-19, in other countries. They’ve raised questions to the involvement of multiple committees, setting up the Aroggya setu App, but no press reports having reference of involvement of Ministry of Health and Family welfare.
Also there are entanglements as to the risk of misidentification or false positive if the device is switched or is shared between people. Many hackers emphasized that how algorithm based predictive models to determine tested positive has material impact on people’s civil liberties.
The legal experts or cyber analysts also argued that, the app goes against the provisions of the Information Technology Act, as the app service provider would tumble under the ‘intermediaries’ definition and is obliged to safeguard the safety or security of the data collected, liable for the loss under the intermediary guidelines. Meaning thereby, there shall be no liability for the government, even if the personal information of users is leaked. The experts argue that, there is lack of legislative framework for contact tracing. Also, the unique digital identity in Aarogya Setu App is a static number, which increases the probability of identity breaches.
The controversial app got foremost blow, when Noida Police had issue, mandatory imposition of Aarogya setu App, along with Section 144 of the CRPC order. Failing to have app in phone would be criminally prosecuted under the Section 188 of Indian Penal code, which is a penal provision invoked in case of non-compliance of the guidelines or directives contained therein. Section 188 remains a cognizable, bailable, non-compoundable offence, deals with the offence of disobedience to an order duly passed by a public servant. Notably, ‘mens rea’ is not an essential requirement for commission of an offence under this section. The only requirement is ‘contravening the order’.
Now, as per the Section 195 of Criminal Procedure Code, 1972 which lays down a special procedure scheme relating to taking cognizance by courts in relation to certain offences, punishable under Section 171 to Section 188 IPC, except on a written complaint of public servant. It means no private complaints are entertained and it also bars a court from taking cognizance of this offence on the basis of final report. This procedural twist in the enforcement of Section 188 IPC has been flouted, or misconstrued, by police authorities, prosecuting agencies or state authorities. The court proceeds with cognizance of the offence, on final reports by public servant, which is comprehensive mockery of the judicial process. Further, upon conjoint reading of Section 144 (1) CrPC, orders cannot enforce positive obligations on persons to do ‘certain acts’, such as download or install an App, on their smartphones, but can only direct them to ‘ abstain from a certain act’.
On the other hand, Ministry Officials jagged that such clauses, added to disputed App are standard across the industries and the accountability is certainly not unconstrained on any government or private operator. The Government believes that, everyone is careful about the data and if anyone abuses the system, the prompt legal stroke has been assured, but the Government, else ways clarifies that, the entire accountability is not on them. The official says the data of positive patients of corona virus are uploaded to the server in an encrypted format; the government objective is only to ‘protect people’ and, if the technology allows it, stands fair.
As per Minister of Information & Technology, Ravi Shankar Prasad claims that the app is designed to meet the highest standards of privacy. The app will be used in response to COVID’19 crises, unlike Facebook or Google which don’t have clear purpose limitation, on how the data is used.
Zomato Founder Deepinder Goyal, also favoured the App, quoting ‘the idea is to keep individuals as well authorities informed in case they have crossed paths with someone has tested positive for virus, to prevent the further spread’.
Abishek Singh, CEO of MyGovIndia, told that the Indian Government be using data only for certain critical purposes such as medical emergencies, the app will not reveal anyone’s personal details and asserted that, it has a robust data security architecture. The app objective is to identify the potential cases. The app could be the key for opening up the economy. Such apps might enable governments to detect the outbreaks and prevent community transmission. They will also serves as e-pass and health certificates, necessary for workers to commute.
The mandatory use of Aarogya Setu app is authorized by the principle of “delegated legislation’ relationship between a Union and the States, under Article 256-257 of the Indian Constitution. Upon the ‘harmonious interpretation’ of the relations between Union – State, it can be inferred that, State Executive has duty to exercise and ensure the compliance with Parliamentary laws/rules/orders/regulations/directions for the maintenance of means of communications, for the purpose of ‘National Importance’.
At last, it can be inferred that, by constructing mandatory imposition of such apps, the fundamental rights as to ‘liberty and privacy’ construed in judicious manner to be implemented. There are countries like Israel, Australia and Singapore, which has used technology for tracing corona virus, but the, Judiciary interceded to protect the “citizen’s privacy or security issues”, goes on to struck down such powers having deleterious impact on privacy.
In India, the Supreme Court in KS Puttaswamy’s case, the fitting prerequisite, as to a law authorising the involuntary use of apps, has not been fulfilled. It can be perceived that government has no power to make the app’s use compulsory without legislative endorsement. There is no legislative guidance for the app’s purpose, functioning and the nature of the use of sensitive data it collects. The governments or corporations have demonstrated enormous ‘bad faith’ with respect to data privacy, in recent years and same cannot be disregarded in the Aarogya Setu App.
India lacks robust privacy or data protection laws, and no set of legal standards for the protection of user’s data, without any limitation of purpose. It can be concluded, that the Government’s initiative behind the app’s introduction “might be good”, as to keep a watch on the spread of the virus infected persons, but the growing fears as to “Individuals Privacy or Security relating to data”, is incommodious. This App might become a perpetual mass surveillance instrument, which shall ensure that there is sufficient anonymizing of data and its limited access. With robust legal framework, restructuring of data protection laws, the present Indian government is duty bound to resort to approaches that cause the least impairment as to citizen’s privacy rights.
Article by:-
- Mohit Parihar, Advocate & Cyber Law Expert, Rajasthan High Court, Jaipur
- Yamini Atreya, Research Scholar, Department of Law, University of Rajasthan, Jaipur
Join LAWyersClubIndia's network for daily News Updates, Judgment Summaries, Articles, Forum Threads, Online Law Courses, and MUCH MORE!!"
Tags :constitutional law