IN our last article, we talked about the concerns arising out of India's architecture of surveillance. It prompted readers to wonder whether there was any way to ensure that India remains privacy compliant and, at the same time, ensure that contact tracing is employed. We will take the case of the Aarogya Setu to demonstrate how efficiency can be maintained while protecting privacy.
India's Aarogya Setu has been full of controversy. The government has continuously changed its privacy policy and, most recently, reversed its directive to make it mandatory for office employees. This trend is representative of the lack of foresight in building and developing the app.
This lack of foresight has manifested into severe concerns been raised regarding the compatibility of the app with the privacy standards laid down by the Supreme Court in the Puttaswamy decisions. They require any measure restricting an individual's privacy to be legal, suitable, necessary, and proportional. In response to the criticism, the government introduced the Aarogya Setu Data Access and Knowledge Sharing Protocol [the Protocol].
However, as we will show, the Protocol leaves several questions unanswered. It does not go a long way in making the app constitutionally compliant. Our concerns regarding Aarogya Setu and the Protocol primarily revolve around the inadequate anonymization and lack of transparency and accountability.
To understand how these problems can be fixed, we place reliance on the European Union Tracing Tools Guidelines [EU Guidelines] and the Personal Data Protection Bill, 2019 [PDP Bill]. The PDP Bill is currently the only framework at the center stage, albeit a draft, which regulates and provides safeguards regarding data protection in India. It offers valuable lessons for our inquiry.
One may argue that the bill is currently not in force, and the government is not bound by it. While true, it is, to our mind, indeed a matter of concern that the government is not following safeguard standards they have introduced by them in the first place.
On the other hand, the EU Guidelines were introduced by the European Data Protection Board in the wake of the COVID-19. They have been made under the EU General Data Protection Regulation [GDPR] regime. They have been created to ensure that contact tracing apps are consistent with the principles of effectiveness, necessity, proportionality, which the Puttaswamy decisions also laid down. Moreover, the EU GDPR's underlying philosophical basis understands privacy as a facet of human dignity, much like the Indian Supreme Court and their framework heavily relied upon by the SC in the Puttaswamy Decisions and by the Justice BN Srikrishna Committee in drafting the PDP Bill. Therefore, the lessons taken from the EU Guidelines and the PDP Bill can be used to make Aarogya Setu App that is constitutionally compliant.
The EU guidelines and the PDP bill ensure contact tracing apps meet the elements of "proportionality" by providing that the data is only collected and processed only to the extent that it is strictly required to tackle the pandemic. Moreover, "adequate procedural safeguards" are employed by allowing for transparency and accountability mechanisms.
Aarogya Setu's first problematic aspect is its anonymization Protocol. Due to the nature of the personal information collected and stored, the app's existing anonymization Protocol grossly lacks in efficacy. It collects detailed demographic information, including name, phone number, age, sex, profession, travel history, which is stored centrally. It also collects precise locational data using both GPS and Bluetooth stored on user's devices. This dataset requires extensive protection owing to its sensitivity. To remedy this, the Protocol recommends complete anonymization of the data by using techniques developed and reviewed periodically by an in-house government expert committee.
However, experts have suggested that such complex personal information containing multiple demographic attributes cannot be effectively anonymized. In a study with a dataset containing numerous demographic attributes, the data was de-anonymized, and the user identified 99.98% of the time. These concerns can only be assuaged if the app does not collect or store demographic information of its users in the first place. This step would be in line with the notion of "data minimization" under the EU Guidelines. Other model apps like Singapore's TraceTogether and MIT's PrivateKit also adhere to this standard.
Additionally, regarding the precise locational data of such apps, the EDPB concluded that "data pattern tracing the location of an individual over a significant period cannot be fully anonymized."
The EU Guidelines suggest that to anonymize user data effectively, the geographical coordinates recorded should be significantly decreased and properly aggregated; that is, the data should also be amalgamated such that individual user data points cannot be recognized.
None of the proposed changes come at the cost of the effectiveness of the app. The privacy policy of the Aarogya Setu app clarifies that it shall create heat maps to recognize clusters of the spread of the virus. However, heat maps can be made simply by collecting less precise locational data. Model apps, like Singapore's TraceTogether and MIT's PrivateKIT, generate heat-maps by relying upon less accurate location data and have been effective.
If Aarogya Setu app only records less precise location data and only collects personal data of those users centrally who are infected or at high risk of getting infected, it will satisfy the requirement of proportionality of the Puttaswamy decisions, by ensuring that the data is only recorded or collected to the extent strictly required to combat COVID-19.
The second flaw that raises questions over the app's concern for privacy is the lack of transparency and accountability in its privacy policy and the Protocol.
The Protocol does set up an expert committee reviewing the anonymization technique employed by the app, and its use by third parties.
However, a lot is still left to be done. It does not specify whether the expert committee reports will be made available in public or not. It also does not mandate the public availability of the app's source code or a review of the entire code of the app by an independent expert body – 'independent' being the keyword here, as opposed to its current internal review mechanism.
Without any source code being open or any report regarding the working of the being made publicly available, the app is shrouded in secrecy. In conclusion, there is no way to know if the safeguards in place are working and effective.
Coupled with the working of Aarogya Setu being classified, there is also no way of holding the government responsible; as per the updated privacy policy, the government is not responsible for any data breach. Consequently, Aarogya Setu falls woefully short of satisfying the element of "adequate procedural safeguards" of the Puttaswamy decisions.
To bridge this gap as the PDP and EU Guidelines suggest that the algorithms employed by the app should be publicly available. The EU Guidelines mandate it should also be regularly evaluated by independent experts bodies, the reports of which are to be made publicly available, for "widest possible scrutiny."
To ensure accountability, the PDP bill requires the data fiduciary to make public the specified procedure for redressal of grievances. Firstly, Aarogya Setu is covered in a blanket of impunity, so there cannot be an effective redressal. Moreover, the app does not lay down any procedure to ensure resolution of user grievances – the app merely provides a single email ID as a point of contact, which is grossly inadequate.
Finally, the PDP Bill requires for conduction of a data impact assessment [DIA] when undertaking "any processing involving new technologies or large scale use of sensitive personal data" before conducting such exercise.
Unfortunately, the Protocol and the privacy policy of the app do not make any mention of such a DIA. Briefly, if the Aarogya Setu, as the lockdown is eased, is expanded, and made mandatory for any activity, then this must be done after a DIA by independent experts.
If the mentioned safeguards from the EU Guidelines and the PDP Bill are implemented, it will ensure that the Aarogya Setu comes closer to Puttaswamy standards, by satisfying the requirement of "proportionality" and "adequate procedural safeguards." However, for Aarogya Setu to be constitutionally compliant, it still must fulfill the elements of legality, suitability, and necessity present of the Puttaswamy standards.
A specific legislature must back Aarogya Setu for it to meet the standard of legality. Such legislation must authorize the collection of data and provide for limitations and procedural safeguards to ensure compliance with data protection principles.
Currently, the app and the Protocol are based on the umbrella clause of the National Disaster Management Act [NDMA]. The validity of the NDMA as a basis for placing restrictions on individuals' fundamental rights is seriously contested. Justice BN Srikrishna, the chair of the Data Protection Bill Committee, has said that these legislations are insufficient to make Aarogya Setu a lawful exercise.
Concerning the requirement of suitability, it mandates a reasonable nexus to be present between the measure employed and the purpose that it aims to achieve. The efficacy of these apps is based on two primary assumptions; i.e., there exists large-scale testing and substantial smartphone penetration. Only when these assumptions are met can the apps be efficientand hence possess the reasonable nexus to satisfy the element required. However, in India, neither of these prerequisites are met. Questions have been raised about India's capability to test on a large scale, and the smartphone penetration in India is severely lacking.
While the necessity standard requires more in-depth analysis, one outside the purview of this article, there is prima facie a good case for such apps being necessary. Contact tracing apps, along with adequate bio-surveillance infrastructure deployed worldwide, have led to success stories like South Korea, Taiwan, and Singapore. Even the EU has endorsed contact tracing apps. These instances suggest that contact tracing apps can be considered a necessary response to combat the COVID-19 crisis.
The introduction of the Protocol is a much-needed step towards compliance with the standards set by the law. It solves significant flaws with the Aarogya Setu app, yet, it nearly does not do enough to ensure that the app is entirely in compliance with the law. The App's failure to provide effective anonymization by collecting less-specific data and the lack of transparency around its functioning remains exceptionally worrisome.
At the same time, the technologies we employ during our crises cannot be seen without their social, political, and historical context. As and when we debate the constitutionality, the efficiency, and the likes of these measures, forgetting our history and our context means inviting the tyranny to our door with open hands. In the name of a crisis response, we cannot and must not allow intrusions into our life and attacks against liberty.
One may say that a crisis requires decisive actions, and thus what has been coming our way must be accepted. However, decisiveness does not warrant a decision lacking in concern for constitutional rights. Our deference to the rule of law, to our history and our constitutional ethos, will be decisive in the formation of our new normal, as we come out from the other end of this crisis.
(Rudraksh Lakra is a second-year student at Jindal Global Law School, and Ayan Gupta is a first-year student at the National Law University Delhi)
Note: This is an opinion piece, and the views expressed are the authors' own.