Aarogya Setu Privacy Guidelines: An Explainer

Shyam Krishnakumar
The InTech Dispatch
6 min read · May 16, 2020

[Image: Getty Images]

Aarogya Setu has rightly been at the center of conversations on India’s technological response to COVID-19. These are unprecedented times, in which the normal boundaries of the role of the state have faded worldwide to reveal a Leviathan: an entity that can close markets, social life, and normalcy in every sense with a flick of its hand. As befits a democracy, there have been vigorous debates on the scope, direction, and extent of state action, particularly around the “mandated” use of Aarogya Setu.

The Seeming Tradeoff: Public Health, Privacy, and Surveillance

Given the unprecedented scale of the epidemic, governments and private players across the world have scrambled to create technological solutions for surveillance and contact tracing. For app-based contact tracing to be effective, the Oxford academics leading the UK effort estimate that 60% of the population must use it. The central issue, then, is the seeming tradeoff between ensuring public health on the one hand and ensuring privacy protection and data sovereignty on the other.

There is also the fear of normalizing mass state surveillance and the almost inevitable mission creep. In Canada, coronavirus-related test data has already been shared with the police.

Between Private Decentralised Approaches and Centralised State-Led Ones

At one end of the spectrum is the private-led effort by Apple and Google to develop a Bluetooth-based contact tracing mechanism that users can adopt voluntarily. Location data is not tracked, and all data collected is stored in a decentralised manner. At the other end is the far more stringent and centralised approach of the South Korean state. Its Epidemic Investigation Support System can pull up phone GPS data, CCTV footage, payment information, travel records, and medical records of infected people in real time. This is used to issue emergency mobile alerts that contain the gender, age category, and locations of places visited. The law permits these measures only in the context of disease outbreaks, with strong safeguards, and they are subject to public scrutiny.

The Indian Way: A Middle Path?

India’s approach has been closer to the South Korean one, with the government “encouraging” citizens to download Aarogya Setu. Travelling by train or by air in India will soon require passengers to have installed Aarogya Setu. The app has recently crossed 10 crore installs, making it one of the top 10 downloaded apps worldwide. However, for a population of 130 crore, with 45 crore smartphone users, we are still quite short of 60% usage. Therefore, it will have supplemental value.

The Data Access and Knowledge Sharing Protocol

Predictably, the Aarogya Setu push by the government has led to serious questions around privacy, surveillance, and the data rights of users. In response, the Ministry of Electronics and Information Technology (MeitY) released the Aarogya Setu Emergency Data Access and Knowledge Sharing Protocol. In this explainer, we outline the key provisions of this protocol, raise open questions, and leave it to the reader to decide their own position.

According to the Protocol, data collection is necessary to formulate health responses and protect the “health and safety of the community at large”. It seeks to ensure “secure collection of data” and “protection of personal data”. MeitY is responsible for implementing this protocol, while the National Informatics Centre (NIC) is responsible for collecting, processing, and managing response data.

What Data Gets Collected

Four types of data are collected from users:

  1. Demographic data: This includes the name, mobile number, age, gender, profession, and travel history.
  2. Contact data: Duration of the contact, distance between the individuals, and the geographical location at which the contact occurred.
  3. Self-assessment data: User responses to the self-assessment test in the app.
  4. Location data: GPS location of the user (latitude, longitude).

Collecting and Processing Data

  1. Collection Limitation: Only data that is necessary and proportionate to formulate or implement appropriate health responses may be collected. Data collected should be used only for these stated purposes.
  2. Purpose Limitation: Data shall be used strictly for the purpose of formulating, implementing, and constantly improving such health responses. There is, of course, the expected commitment to processing in a fair, transparent, and non-discriminatory manner.
  3. Local Storage of Contact and Location Data: By default, contact and location data is stored locally on the device. It can be uploaded “when necessary”. So far, data of only 13,000 users, or 0.1% of users, has been uploaded. However, there seems to be no explicit process or limitation beyond the generic “when necessary” for pulling sensitive personal data, including contact and location data, into the centralised data store. If deemed necessary, Aarogya Setu can effectively become a centralised system.
  4. Retention of Data: Contact, location, and self-assessment data collected by NIC “shall not ordinarily extend” beyond 180 days and will be permanently deleted after that. However, demographic data can be stored for as long as the protocol is in force, or, where the user requests deletion, for up to 30 days from that request.

Sharing Response Data

  1. Personal Data can be shared with “public health institutions of the government of India” including the Ministry of Health and Family Welfare, State Health Departments, and National Disaster Management Authority.
  2. Data sharing will be documented “to the extent reasonable” by the NIC. Documentation includes the time of sharing, the persons or agency the data was shared with, the categories of data shared, and the purpose of sharing. This clause should be sharper.

Obligations of Entities with Whom Response Data Is Shared

  1. Purpose Limitation: Data must be used strictly for the purpose for which it was shared. Entities must process data in a fair, transparent, and non-discriminatory manner.
  2. Retention of Data: Data must be deleted within 180 days.
  3. Security: Entities must “implement reasonable security practices” as prescribed under law. To the best of our knowledge, no such “reasonable security practices” have been specified so far.

Third-Party Sharing

This is one of the trickiest parts of the protocol. All user data, including demographic data, contact data, self-assessment data, and location data, may be shared with third parties if it is “strictly necessary to directly formulate or implement appropriate health responses”. In our understanding, this clause could potentially open a Pandora’s box.

  1. Protocol Applies to Third Parties: The entity sharing the data is responsible for ensuring that this Protocol is adhered to by the third party.
  2. Third-Party Purpose Limitation and Data Audits: Third parties cannot disclose or reuse data for other purposes. They are subject to data audits by the Central Government. To the best of our knowledge, no such audit procedure exists, and even if it does, there is in practice negligible state capacity and state intent to carry it out.

Most importantly, there seems to be no clause requiring that citizens be informed of third-party sharing. This means that you, the app user, have no way of finding out where your data has been shared.

Data Sharing for Research Purposes

  1. Anonymised Data for Indian Research Institutions: “Strictly anonymised data” is available to Indian universities and research institutions registered in India. A committee appointed by the Principal Scientific Advisor will stipulate the research purposes for which this data can be accessed and will be responsible for approving requests for research use of the data.
  2. No De-anonymisation: Research institutions must not attempt to re-identify individuals from anonymised data. Doing so can result in the institution losing its rights to the data and becoming liable for penalties.
  3. Further Sharing with Research Institutions: Research institutions can share anonymised data with other institutions registered in India for the same research purpose for which they sought permission. The third party will be subject to this protocol. Sharing data requires a contract that specifies the data shared, the purpose of sharing, the duration, and so on. This contract must be approved by the expert committee.
  4. Audits and Reviews: Any research institution with which data has been shared is subject to audit and review by the Central Government, a process that is practically non-existent at worst or infeasible at best.

Sunset Clause

In a welcome move, this protocol has a sunset clause that terminates its own validity after 6 months unless it is reissued. The lack of sunset clauses has left multiple zombie laws and rules haunting India.

Open Questions: Surveillance Systems and Legal Backing

While the protocol answers some questions, it leaves more unanswered. There is no mention of the destruction of the centralised data collection systems created. As the Internet Freedom Foundation cautions, this could evolve into a permanent infrastructure of government surveillance. There have already been mentions of plans to expand the capabilities of Aarogya Setu, or even proposals to make it a building block of India’s Health Stack. Such a move cannot be clandestine; it requires prolonged public consultation and a clear legal framework. Aarogya Setu itself rests on shaky legal foundations. Former Supreme Court Judge BN Srikrishna has said that mandating citizens to use Aarogya Setu was “utterly illegal”. He asked, “Under what law do you mandate it? So far it is not backed by any law”.

As we said earlier, these are indeed unusual times, and we face difficult tradeoffs. The conversation around Aarogya Setu could potentially shape India’s approach to questions of public good, privacy, and surveillance for years to come.

Shyam Krishnakumar
The InTech Dispatch

I work at the intersection of Emerging Tech, Public Policy, Culture and Us.