There are disturbing implications of privacy violation, security concerns, and the implicit exclusion of lower-income groups arising from the government’s attempt to force the mandatory adoption of the Aarogya Setu app. According to the latest notification, every employer must ensure that its workforce has downloaded and is using the app, and it may be made mandatory for travellers on public transport systems. New smartphones will come with the app pre-installed. The app can be used only on a smartphone. By switching on GPS location and Bluetooth it monitors the location of the user, and the proximity to other Bluetooth-on devices. It uses colour coding to mark the user as healthy, or infected, or recovered. By using big data, the app will supposedly be able to check for contact tracing if a given handset has been in a “red zone”, or near the handset of a user marked infected.
Roughly half of India’s one billion mobile subscribers don’t use smartphones or data connections, since both handsets and tariffs are more expensive. This segment is overwhelmingly lower-income. These subscribers would not be able to download the app and would, therefore, be excluded from availing of public transport, or working. Or else, they would face the burden of being compelled to buy a smartphone and subscribe to a data connection when they have already suffered catastrophic income loss. The security concerns arise from the fact that the app was put together in haste and the code is not open-source, unlike similar contact-tracing apps released in Singapore and South Korea. This means that its security, or problems in programming, cannot be independently verified. It gathers huge amounts of critical private data. The lack of open-source programming makes it difficult to judge what data it may be collecting. In addition to location, it may, for instance, be monitoring phone calls, or SMS-es. It may be reading social message posts and WhatsApp messages. The data is transferred to servers, which may or may not be secure. Technical details about anonymisation are unknown. There is lack of clarity about which agency would be responsible in the case of data theft. However serious as these issues are, the breach of privacy involved in forcing such an intrusive app upon every smartphone is the overriding concern. Aarogya is designed as a surveillance app, and one that could gather vast amounts of data far beyond what is required for the stated narrow purpose of contact tracing.
One of the guiding principles in collect private data is to gather the minimum required for a specific purpose, and to ask granular permission for every separate data gathering. Another important principle is giving citizens the “right to forget”. As and when the data is no longer required, the citizen should have the right to explicitly ask for it to be deleted. Unfortunately, India still doesn’t have a personal data protection law incorporating such provisions even though privacy has been acknowledged as a fundamental right since 2017. The proposed Personal Data Protection Bill has serious lacunae. It gives the state blanket permission to gather all data it pleases and citizens don’t have a right to forget. In the absence of specific legislation, the app may be misused and citizens should not be forced to download. Its utility will anyway remain limited.