Centre must address privacy concerns, and ensure greater transparency on Aarogya Setu

Editorial | App for a reason

The government claims it has launched this contact tracing app to better equip healthcare authorities to fight the COVID-19 pandemic. However, its historically poor track record on privacy, the lack of transparency about who built and runs the app, and the absence of data protection legislation compound people’s anxieties. Especially because the app allows the government continuous access to an individual’s location and demographic data. Thus it is imperative that the government answer some burning questions:

First, since the app breaches the fundamental right to privacy, it must have legislative sanction. Instead, the app is being imposed through executive order. Companies are being told that all their employees must use the app, and local governments, building societies and shops are making it mandatory. Why has the government not complied with the orders of the Supreme Court vis-a-vis the need for legislation? Under what legal framework has this breach of privacy been shown to be reasonable?

Second, what are the safeguards against data theft and other breaches? The app’s Terms of Service (TOS) confer blanket limited liability on the government. In cases of data theft, who will be held accountable? How can the government be allowed to operate a huge surveillance system without concomitant obligations?

Third, why is the app not open source? The closed source architecture of the app violates transparency principles and this government’s own policies. Singapore’s TraceTogether app was made open source, thus allowing researchers and experts to test the architecture and suggest measures to correct vulnerabilities.

Read | Aarogya data only for health needs, to be deleted in 180 days

Fourth, why is there no protocol for deletion of data? What legal rights do users have over their data and its deletion? Does the government have a right to hold the data and process it in perpetuity? Under the TOS, the government is obligated to delete certain personal data after a 30-day time period. However, there exists no framework to check compliance of the same. If users have no control over their data, it is a complete violation of their right to informational self-determination and the right to be forgotten.

Ever-changing rules add to the problem. On April 14, the app updated its privacy policy without notifying users, despite the privacy policy explicitly mandating the same. Such actions do not inspire trust.

Fifth, has the app been tested with any groups of users, for example, like Britain is testing a contact tracing app with a limited population in the Isle of Wight? Has the government conducted scenario analyses of how the app can be misused or abused? This is crucial in India given how much stigmatisation has already occurred (communities refusing to bury bodies of COVID patients and an instance of the lynching of a person suspected to be positive). The human touch may be vital, as Kerala has demonstrated, by successfully using old-fashioned manual contact tracing.

Sixth, has the government figured out how to deal with cases of false positives, the possibility of which is acknowledged in the TOS? How well trained are officials who will be making decisions about whom to quarantine? What if the app provokes people to infer incorrectly that someone they encountered a few days earlier was a carrier of the virus? If they attack or stigmatise that person, a faulty algorithm or inference would have jeopardised someone’s life. How will the government deal with such cases?

Seventh, in a country where the total number of smartphone users is around 500 million, is the government going to penalise the remaining (almost) two-thirds of the population for not downloading the app on a smartphone they do not possess or cannot afford?

Across India, there are efforts to build databases of people’s health records to enable easier treatment, including through telemedicine. If instances of misuse of the Aarogya Setu app emerge, then people will not trust other government initiatives involving health records, even if they are undertaken with due care, inclusive consultations, and respect for privacy.

The government must address these concerns in an open manner. Contradictory statements from ministers and combative rejoinders to those, like Rahul Gandhi, who raised valid concerns, just worsen the confusion.

When the Supreme Court heard the Right to Privacy case, it marked an unprecedented occasion where the government of India actually argued against the rights of its citizens. Now, it is time to stand up and ensure that, through the Aarogya Setu app, this government does not callously snatch those rights and jeopardise citizens’ safety.

The writer is a Member of Parliament, Rajya Sabha, and chairman of the Indian National Congress’ Research Department