Is Aarogya Setu a Privacy threat? or a Security shield?

Critics are endangering the silent majority

There is a class of critics in India who do not spare any opportunity to take a dig at the Government for every decision and who also take issues to the Courts to challenge even the day-to-day operations of the Government. This has happened earlier in respect of the ITA notification on Section 69 and Section 79, when the Government wanted to make some amendments to the notification and the critics cried foul and went to the Court to stall the Government's move. This frequent invocation of Court intervention by publicity-hungry PIL lawyers, supported by a section of the media which always highlights such opposition, has posed many avoidable challenges to governance.

However, as a part of the democratic tradition of our country, it is necessary for us to accept such challenges.

At the same time, it is necessary for that section of the population which agrees with the move of the Government and is opposed to the critics not to hesitate in coming out with their own opinion countering the objections, even if it looks like swimming against the tide. It is always the silence of the majority that enables the minority to create disproportionate noise, and if we need to prevent misconceptions from spreading in the community, it is necessary to be vocal in expressing what we believe to be true and to face the backlash, if any.

Naavi.org has been following this tradition since 1998, when it started its activity first under naavi.com and naavi.org (before naavi.com it was squatted by somebody else and had to be dropped).

Currently we have an occasion to express our views on Aarogya Setu, the App which the Government of India is promoting as a measure towards mitigating the risk of Covid19 spread.

After the COVID lockdown, there have been discussions on the strategy for lifting the lockdown and allowing the movement of people and the restarting of business activities in a manner that would not ignore the possibility of a spurt in infection cases. One of the arguments has been that the economy cannot be kept under lockdown forever and we need to restart immediately.

If, however, there is an increased incidence of infections, while we keep the medical defense ready, we also need to improve our ability to track the movement of an infected person in the immediate previous 14-30 days to alert all those who came in contact with an infected person. Such persons can undertake a test and be assessed. If they are infected, they need to be treated. If not, they could continue their activities with confidence.

In view of this requirement, Governments the world over started introducing mobile-based “Contact tracing apps”. These apps could use Bluetooth and GPS tracking of the mobile and, based on other mobiles with similar apps, could generate alerts when an infected person came near a non-infected person. Such GPS-based tracking has been regularly used by the advertising industry to provide information on services available around you (including Uber and Ola) and also for identifying your social media contacts if they are around.

The “Critics”, who have so far been tolerant of the GPS-based apps which bought the location information mostly from Google through their licensed mapping solution, have suddenly turned aggressive when the Indian Government wanted to introduce an App which could track the movement of the device holder in the immediate past. Along with this, the app provides some useful Covid information.

But the most important reason why this App is needed is to enable a healthy individual to avoid interaction with another person who may have either been positively diagnosed for COVID or is suspected to be a carrier.

There have been two types of objections to this App. One is that it violates the privacy of an individual because it tracks his physical location. Second is that the information gathered may be misused for surveillance. One is a professional Privacy and Information Security argument and the other is purely political.

We shall restrict our discussion to the objections from the professionals and leave out the objections raised by Rahul Gandhi or Shashi Tharoor, which are political comments. These politicians are known to pursue their agenda irrespective of the damage they may cause to the nation and it is their privilege to do so. But many professionals are unable to keep their discussions free from political considerations, and hence some of the criticisms from Privacy and Security professionals become coloured with prejudice and confuse an ordinary person.

The App, which was launched on April 2, was first pushed by the PM on 14th April 2020 and got critical attention when, on April 29, the Government issued a circular making it compulsory for all Government employees returning to work to download the app and keep it in operating condition. This raised the bar since the Government was making it partly mandatory. In the private sector, the employers were made responsible for a similar compulsion if they wanted to re-open their business and allow the employees back to the offices.

The order of May 1st by the Government is said to have pointed to Section 188 of the IPC, which suggests imprisonment up to 1 month for disobeying a lawful order of a Government servant.

The Privacy activists now have a serious objection to the mandatory nature of the requirement to download the app and to keep the Bluetooth and GPS tracking on at all times, because they consider it their right to privacy to hide their physical location at any point of time. Some Security specialists like the French citizen “Robert Baptiste”, who uses the Twitter handle “Edward Elliot” (information from Wikipedia), also pointed out what they called bugs in the app which could be considered a security risk.

Many of these critics are advising the public on how to cheat the App, and such advice can only be termed a lack of concern for national safety.

In Noida, a group of residents have started a legal battle against the local administration. They have now filed a police complaint and intend to take it up further with who else but the Supreme Court. In Kerala, a Congress leader has already moved the High Court against the usage of the App and got notices issued to the Government.

While the Government fights Covid19 at the medical level, it has been dragged into other side battles that divert its attention. We need to wait and see whether the Courts would be able to see beyond technicalities and political prejudice and come up with decisions in the larger interest of the community, since most of the persons who oppose the petitions may not be able to represent themselves in the Court, while the supporters of the petition can engage the services of advocates who can argue that a Mango is an Orange if they are suitably paid and do it convincingly enough for the Judges to appreciate.

The Privacy Concerns

Some of the privacy concerns that have been expressed are that

  1. Aarogya Setu collects personal information of an individual without his or her consent
  2. The use of the app is made mandatory for all citizens
  3. App is tracking the location of the mobile continuously
  4. App collects personal information such as name, phone number, age, sex, profession, countries visited in the last 30 days, whether a person is a smoker or a non-smoker, and his or her medical condition.
  5. Use of the App raises the risk of “institutionalization of mass surveillance”
  6. Use of the app urges people to pre-emptively take tests and overwhelm the public health systems prematurely
  7. Use of the app inadvertently discriminates against regions which have fewer concentrations of smartphones

The Internet Freedom Foundation (IFF), which is spearheading the legal action in Noida, has raised its objections through a letter written to members of Parliament and will soon approach the Supreme Court for relief regarding its concerns, some of which are common with the case filed in the Kerala High Court.

The main argument against the app is the “mandatory nature” of the order for employees. Otherwise, the consent is provided by the people who download the app, and the privacy policy indicates the use of the information, which may pass the test of reasonableness given the present public health emergency which we are in. The security objections raised by Edward Elliot have been found to be only peripheral issues, not serious enough to be worried about. The objections of IFF on the overwhelming of the public health system etc. are gap fillers in the petition and do not need attention.

The Government has also clarified that the data collected is stored in the user’s device and would be deleted in 30/45 days. Hence most of the Privacy concerns are being addressed.

No Need to Put the Source code in the open

There is one demand that the Aarogya Setu source code should be made open source. It is not recommended, since hackers are waiting to subvert the system and, whether they call themselves “Ethical” or not, they cannot be trusted.

“Obfuscation” of the code is an information security strategy and the Government should secure its source code to prevent motivated attacks.

Circular should be Re-worded

We need to therefore come back to the “Mandate” and the pointing out of Section 188 of IPC.

The Government, as usual, has not anticipated the possibility of the opposition mounting this attack through legal challenges and perhaps thought that we are in the era of “Dharma Yuddha” where, in times of crisis, certain norms of opposition would be followed. But for the Duryodhana clan, everything is fair in politics, and pulling the rug from under the Government even at the time of this crisis is only a fair game.

As a result of this, the Government failed to put its circular in the proper perspective and has given the opposition a handle to beat it with. The only saving grace for the country is that we have a PM who is not allowing himself to be distracted from his goal and is doing his best to take steps towards mitigation of the Covid19 risk in a manner he thinks is best. All the critics are not able to provide any alternatives but are only happy to criticize. They deserve to be ignored.

I however suggest that the Government should re-issue the circular of May 1 with a cover note where it should state as follows:

“Lockdown continues until further notice and nobody should move out of their houses unless they have the necessary pass issued by a Government authority.

However, exception would be granted to those individuals who voluntarily submit themselves to a discipline which includes social distancing, wearing of masks and keeping an active Aarogya Setu enabled smart phone.”

If people realize that it is in their own interest to know whether the person next to them is a person who has recently returned from a vulnerable foreign country or who was assessed as infected less than 45 days back, they would gladly agree to use the App.

The Organizations and the Government have every right to secure their working area by mandating that employees will continue to work from home unless they start using the Aarogya Setu app, in the interest of other employees with whom they may come into closer contact if they attend the office.

It is the right of other employees who have downloaded the App in their own health interest to insist that no dilution of this order should be permitted.

Courts, whether it is the Supreme Court or the Kerala High Court, should not take any decision without considering the rights of this silent majority of people who are concerned about colleagues who may be carriers of the infection and may join employment after disabling the Aarogya Setu app or the Bluetooth/GPS functionality because they have a false sense of being Privacy warriors. If the Courts ignore the safety of this section of people, who are 9.5 crores at present, it will only display a judicial impropriety that is avoidable.

Digital Rights Survive if we survive COVID-19

I would request activists to check their own suggestion on storing of the information in the device etc., as provided on their website, and accept the Government's clarification in this regard. If they shed their anti-government attitude, they will agree that this app has a purpose and we don’t gain anything by killing it.

Activists should also spend their energy more fruitfully and look at the Net Neutrality concept being adversely affected by the Alphabet & Apple agreement on sharing of GPS data, the Bois Locker room issue, the INS attack on WhatsApp admins, the banning of TikTok, the banning of Crypto Currencies etc., which are all representations of misuse of Internet Freedom, rather than focusing only on anti-Government issues.

Activists should realize that Digital Rights will survive only if we survive COVID-19. Let us fight COVID-19 first and then focus on digital rights.

Pass Personal Data Protection Bill 2019 immediately

The petitioners who have approached the Courts will be pointing out that the lack of a Privacy Protection Law is allowing the Government to indulge in this excess.

I wish that the Government takes the cue and, based on whatever public comments are already with it, goes for immediately passing the Personal Data Protection Bill 2019 after conducting virtual meetings of the Parliamentary committee.

PDPA has the exceptions under which the Aarogya Setu could operate as a Sandboxed scheme.

Naavi

(Views expressed here and in other articles on this blog are entirely the personal views of Naavi)

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

1 Response to Is Aarogya Setu a Privacy threat? or a Security shield?

  1. Anand says:

    The article brings the right perspective and has well countered all the points of the critics of this App. Highlighting that the Government should have been more cautious is very valid.
