Answering the critics of Aarogya Setu

I would like to draw the attention of the critics of Aarogya Setu as expressed in the article that appeared today in TOI under the title, “Transparency and respect for Privacy are essential…to build trust which is totally absent from Aarogya Setu process”.

The author expresses the opinion that “Contact Tracing” apps are invasive and if insecurity in the app is not fixed, we may be helping snooping and hacking. The author advocates that the source code of the app should be made public and its use should not be made mandatory. The author praises the Apple-Alphabet partnership to restrict sharing of location data and calls it a “Privacy respecting” and “Secure” measure.

The collection of location data and limited scope of liability and accountability is what the author considers as endangering the “Safety of millions at risk”.

The first correction we need to make to this statement is that the app collects only minimal information about the person who downloads it and gives him an option to declare his health status. He can very well declare himself as healthy. If and when he is diagnosed as infected, then his status would be suggested to be changed. If the person does not change it, he would be liable for giving false information which could endanger others.

The potential to endanger the community with false information therefore lies with the individual and not the Government. As regards the “Location information”, I suppose the author, who represents the Software Freedom Law Center, is aware that Google does track your location through your Google map usage openly and perhaps covertly through the built-in location detection mechanism. The activists however trust Google but not the Indian Government because these commercial organizations do fund many NGOs to lobby for them, while the Indian Government ignores them.

Now we come to the question of “Leakage of Information”. The app certainly collects the mobile number, which is the most significant personal identity collected. Name, gender, age, profession and countries visited in the last 30 days are details which the data principal himself submits. At this point of time these are not verified, though the Government can track the mobile number and find out in whose name the SIM is registered. If it is a prepaid SIM, even this data is not very reliable.

Hence the “Location Data”, if tracked, is “Pseudonymous personal data”. It is only when the person encounters an employment situation or undergoes a test in a hospital that the question of whether the name as declared in the App matches the real identity that can be picked from, say, the Aadhaar card comes into the open.

We do not know if the Government wants to take any action for such “Voluntary impersonation”. If necessary, the activists may ask the Government about the intended punishment for such impersonation. Such impersonation does not affect the person coming into contact with others in a mall etc., since the app can still track the mobile, to whomsoever it may belong. If an employer has made installation of the app mandatory to come back to work, then the person has to register the app in the name in which he has the employment and cannot impersonate himself.

So it is unlikely that we can prove that the impersonation itself caused any harm and hence the legal liability may not be enforceable except as an “Attempt” to mislead others.

As regards the making of the App “Open Source”, I do not trust the activists to make any responsible use of the open sourced code to come up with any suggestions on improving what they call security weaknesses in the App. I rather would suspect that they would be hiring unethical hackers to hack into the app and create problems for the Government.

As regards the mandatory status of the App, we must appreciate that there is a right even for the people who interact with a suspected infectious person whom these privacy activists are trying to protect from revealing his status. This right of safety supersedes the right of privacy of the app owner.

The Supreme Court is also well aware that the “Freedom to stretch one's arms stops at the tip of the nose of the person standing next to him”. Hence the claim of the legal flaws related to the Aarogya Setu app, if brought before the Supreme Court, would get a fair dealing unless the activists can fix the decision by any nefarious arguments.

It can however be agreed that if the Government had been more careful, it could have avoided the confrontation with the activists. Just as they let the opposition mislead the public with the CAA, they are now allowing the privacy activists to mislead the community into believing that a great calamity would occur if they register themselves for the Aarogya Setu app.

Naavi

Also see: Exposing the IMAGINARY Aarogya Setu security issues raised by Elliot Alderson @fs0c131y


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.