Rights

Aarogya Setu Privacy Woes: Over 40 Organisations Push Back Against Mandatory Usage of COVID-19 App

The covering letter to the petition says that the recent MHA order "marks a dramatic shift from a model of encouragement and trust to one of coercion and compulsion."

New Delhi: Over 40 technology rights and civil society organisations have written to the Prime Minister’s Office (PMO), protesting against the mandatory use of the ‘Aarogya Setu’ app, a COVID-10 digital contact tracing initiative that has been criticised for was launched  to help stop the spread of COVID-19.

The petition – which was sent on May 1, with a cover letter sent on May 2 after the home ministry’s most recent order – expresses “serious concern about violation of privacy of workers through mandated use of the Aarogya Setu mobile app”.

“At present, the Aarogya Setu app is operating in a legal vacuum and its Privacy Policy and Terms of Service do not comply with data protection principles of purpose limitation, data minimisation, storage limitation, accuracy, integrity and confidentiality, and transparency and fairness in processing,” the petition says.

“In the absence of a legislative guarantee containing a sunset clause, sensitive personal data… could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.”

The signatories include organisations like Amnesty India, People’s Union for Civil Liberties, Asia Dalit Rights Forum, All India Central Council of Trade Unions, PUDR, Indian Journalists Union, MKSS and Indian Federation of AppTransport Workers. Over a hundred other prominent individuals have also endorsed the petition including retired bureaucrats, advocates and other civil society leaders.

Also read: How Reliable and Effective Are the Mobile Apps Being Used to Fight COVID-19?

A separate cover letter to the petition sent by the Internet Freedom Foundation on May 2 asks for a specific review of the recent home ministry order mandating that all office workers download the app and that there be 100% coverage of the same in containment zones.

“Through this covering letter we at IFF assert that the original text of the demands… have clearly indicated the harm and injury which will be caused due to the mandatory imposition of Aarogya Setu. We assert that the reasoning and the demands which require a greater focus on health care and labour rights during this time are the preferred constitutional obligation and goal as opposed to the mandatory installation of a smartphone application. Worse, the non-compliance invites a criminal penalty thereby being a threat not only to the livelihood but also the liberty of workers all across India,” the letter says.

“This marks a dramatic shift from a model of, ‘encouragement’ and trust to one of, coercion and compulsion which we urge your offices to kindly reconsider.”

Both letters can be read below in full.


1 May 2020

Subject: Representation to protect privacy, autonomy and dignity of workers during COVID-19 outbreak

Dear sir,

We, the undersigned organizations, collectives and individuals write this representation to your offices to express serious concern about violation of privacy of workers through mandated use of the Aarogya Setu mobile app. We acknowledge the severity of the COVID-19 crisis which has gripped the country and maintain that it is especially during such public health emergencies that we must ensure the privacy and dignity of essential frontline workers is protected.

During the ongoing COVID-19 crisis, the government has embraced the use of technology for health surveillance and it launched a mobile app called Aarogya Setu for self- assessment and contact tracing on 02 April 2020. While the government initially claimed that the use of Aarogya Setu would be purely voluntary, downloading the app was soon made mandatory for all Central Armed Police Forces personnel and employees of Prasar Bharati. However, as per news reports, army personnel have been instructed not to use the Aarogya Setu app at office premises, operational areas and sensitive locations due to data security concerns.

In addition to government employees, gig and platform workers employed by private companies like Zomato and Urban Company (formerly known as Urban Clap) are also now being forced to use the Aarogya Setu app and share sensitive personal information like health and location data with the government without adequate privacy protections. At present, the Aarogya Setu app is operating in a legal vacuum and its Privacy Policy and Terms of Service do not comply with data protection principles of purpose limitation, data minimization, storage limitation, accuracy, integrity and confidentiality, and transparency and fairness in processing.

So far, some companies, notably Zomato and Urban Company, have mandated use of Aarogya Setu for their delivery workers. As lockdown restrictions are gradually eased and other food delivery services, e-commerce platforms and ride hailing apps resume operations, they may take the decision to mandate use of Aarogya Setu for their workers. In the near future, mandatory use of Aarogya Setu may also extend beyond the gig economy and undermine the rights and interests of workers in the traditional economy such as factory workers.

While many delivery personnel and drivers share location data with their companies as part of routine business operations, the privacy risks posed by the Aarogya Setu app are much higher for two reasons. First, the Aarogya Setu app will collect sensitive health data in addition to location data. Second, while location data was previously only shared with the employer, it will now also be available to government agencies through the Aarogya Setu app. Therefore, the intrusion on the privacy of gig and platform workers is significantly greater than ordinary workplace surveillance. In any case, companies already have access to data about the location of workers and their interactions with customers, and contact tracing is possible even without the Aarogya Setu app.

It is pertinent to note that the Central Government has not mandated private companies to use Aarogya Setu and it remains a voluntary measure, however, in effect it is being made mandatory by such entities. A news report titled ‘Draft e-com SOP: COO responsible for meeting norms, staff to download Aarogya Setu app’ published by the Economic Times on 19 April 2020 suggests that the Government had privately circulated a Draft Standard Operating Procedure for E-commerce with stakeholder companies which mandates use of Aarogya Setu by all workers. The Draft Standard Operating Procedure also holds the Chief Operating Officer of the company responsible for any failure to abide by these guidelines. Therefore, mandating use of Aarogya Setu appears to be a liability reducing measure by private companies and it amounts to the government indirectly mandating use of the app after publicly assuring citizens that it would not do so.

The Aarogya Setu app has been heavily criticized for failing to adhere to internationally recognized data protection principles endorsed by the Hon’ble Supreme Court in the landmark judgement in K.S. Puttaswamy v. Union of India (2017 10 SCC 1). In Puttaswamy (Privacy), the Court recognized that privacy was a fundamental right guaranteed under the Constitution of India. The Court further noted in the age of Big Data, collection and processing of personal data of individuals can reveal a lot about their lifestyle, choices and preferences. The Court acknowledged that in certain circumstances, the use of such technologies may be justified if the government was pursuing a legitimate goal. However, even in such circumstances, these technologies must be deployed in a necessary and proportionate manner.

In order to satisfy the proportionality standard adopted in Puttaswamy (Privacy), the use of any privacy infringing technology must satisfy five criteria. First, it must have a legislative basis. Second, it must pursue a legitimate aim. Third, it should be a rational method to achieve the intended aim. Fourth, there must not be any less restrictive alternatives which can also achieve the intended aim. Finally, the benefits must outweigh the harm caused to the right holder. In the present case, Aarogya Setu fails the very first prong of the proportionality standard because it does not have a legislative framework to govern its functioning and to ensure adequate procedural safeguards. In the absence of a legislative guarantee containing a sunset clause, sensitive personal data about health and movement of gig workers collected by the Aarogya Setu app could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.

In the specific context of health data, the judgement in Puttaswamy (Privacy) emphasized on the need for a data protection legislation to ensure that personal data was not used to discriminate against individuals on the basis of their health status. The Court further went on to note that the government may collect and process health data of individuals during epidemics to design appropriate policy interventions but such data must be anonymized.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 issued under Section 43A of the Information Technology Act, 2000 similarly classify health data as “sensitive personal data” and specify that health data can be collected and processed by body corporates only with the consent of the individual [Rule 5(1)]. The Rules also impose various obligations on body corporates relating purpose limitation [Rule 5(2) and 5(5)], notice [Rule 5(3)], storage limitation [Rule 5(4)], right to access and correction [Rule 5(6)] and right to opt-out [Rule 5(7)].

The proposed Digital Information Security in Healthcare Act also lays down stringent safeguards to preserve the confidentiality of digital health data and associated personally identifiable information. The draft legislation recognizes that individuals must consent to collection and sharing of their health data and it outlines specific purposes for which health data can be utilized by different entities. Pertinently, the proposed Act permits use of digital health data for epidemic control only after it has been anonymized or de-identified and it prohibits employers from accessing the health data of workers under any circumstances. Therefore, even though India does not have a comprehensive data protection legislation at present, the importance of protecting health data of individuals has been recognized by the judiciary and the government.

In addition to lacking legislative basis, the Aarogya Setu app deviates from international best practices for contact tracing apps and fails to comply with data protection standards for the following reasons:

a. Lack of Consent: The use of Aarogya Setu cannot be considered voluntary anymore as it has been made mandatory for delivery workers. Therefore, there is no scope for delivery workers to refuse consent or opt-out.

b. Lack of Data Minimization: Registration for the Aarogya Setu app requires sharing large amount of personal data: name, phone number, age, sex, profession, countries visited in the last 30 days and smoking habits. This is inconsistent with the principle of data minimization.

c. Lack of Transparency: While it is claimed that personal data collected by Aarogya Setu is aggregated and anonymized, there is no publicly available information about what processes and techniques are followed for aggregation and anonymization. This is relevant because there is high risk of re-identification unless personal data is properly anonymized. Therefore, the app must be subjected to thorough security testing by governmental and independent agencies.

d. Lack of Algorithmic Accountability: The Terms of Service for Aarogya Setu exempt the government from any liability arising out of misidentification of an individual’s COVID-19 status. Therefore, individuals are left at the mercy of opaque algorithms which perform risk assessment and do not have any remedy in case of false positives. If gig and platform workers were falsely identified as high risk individuals by Aarogya Setu’s algorithm, they would be required to self- isolate and lose their income and freedom of movement.

e. Unauthorized Data Sharing and Risk of Function Creep: There is no prohibition on sharing of personal data collected by the Aarogya Setu app with third parties. The government is allowed to share this personal information with “other necessary and relevant persons” for “necessary medical and administrative interventions.” The Privacy Policy for Aarogya Setu fails to specify which government departments will have access to personal data collected by the app. Therefore, sensitive personal data collected for contact tracing may also be used by law enforcement agencies for punitive purposes.

f. Risk of external transfer and integration with other databases: Personal data collected by the Aarogya Setu may be transferred to an external cloud-based server and there is no guarantee that it will only be stored locally on the individual’s device. Reports suggest that the data collected by Aarogya Setu is being integrated with other databases maintained by the Indian Council for Medical Research and Integrated Disease Surveillance Programme. This is worrisome because it is difficult to delete such integrated datasets and secondary inferences at a later stage.

Classified as independent contractors, gig and platform workers do not enjoy the same level of income and job security as legally recognized employees. They are particularly vulnerable during the COVID-19 crisis when finding alternative employment is practically impossible and they lack bargaining power vis a vis companies or the government. Therefore, they should not be forced to download the Aarogya Setu app which lacks transparency and accountability in its present form.

The International Labour Organization’s guidance on applicable labour standards during the COVID-19 pandemic dated 23 March 2020 also clearly states that governments must put in place measures to protect the privacy of the workers. It also instructs governments to ensure that health surveillance is not used for discriminatory purposes or in any other manner prejudicial to their interests.

In addition to these privacy concerns, there is also a need for governmental intervention to provide income security to gig and platform workers who have been unable to work during the lockdown or have witnessed a significant drop in their earnings due to low demand. Gig and platform workers are paid per delivery and they are not guaranteed a stable income. As a consequence, despite toiling for long hours during these difficult times, many gig and platform workers are still struggling to make ends meet because there are not enough deliveries for everyone. Further, personal protective equipment and medical insurance should be provided to gig and platform workers who are at risk of contracting COVID-19 due to exposure to many customers every day.

In collaboration with gig workers’ unions, Tandem Research and Centre of Internet & Society have developed a comprehensive charter of recommendations for COVID-19 relief measures to protect the socio-economic well-being and health of gig workers, and we urge your Ministry to address these issues of financial relief and occupational health safety as well.

Considering the damaging impact of the Aarogya Setu app and COVID-19 lockdown on the privacy, autonomy and dignity of workers, we urge your office to undertake the below mentioned measures in collaboration with the private sector. a. Take cognizance of privacy concerns associated with Aarogya Setu and issue an advisory clarifying that use of the app should not be made mandatory for workers in the gig economy and also the traditional economy. b. In addition to (a), to ensure greater safety, rely on certain methods of risk mitigation such as working with companies to provide daily temperature checks and personal protective equipment to all gig and platform workers who continue working during the COVID-19 pandemic. c. Further, devise the right incentive structures both for companies and workers to ensure that gig and platform workers are able to sustain themselves during the lockdown and those displaying symptoms of COVID-19 are not forced to work to ensure their livelihood. This includes provisions for medical insurance and financial relief to all gig and platform workers who have been unable to work during the lockdown or have witnessed a significant decrease in earnings due to low demand.

Kind Regards,

Access Now, ADF India, All India Central Council of Trade Unions, All India Union of Forest Working People, Amnesty India, Asia Dalit Rights Forum, Association for Progressive Communications, Association for Protection of Democratic Rights, Bachchao Project, Chennai Metropolitan Construction and Unorganised Workers Union, Common Cause, Delhi Solidarity Group, Digital Empowerment Foundation, Feminism in India Forum Against Oppression of Women, Bombay Foundation for Media Professionals, Free Software Community of India, Human Rights Law Network, Indian Delivery Lions Organization, Indian Federation of App Transport Workers, Indian Journalists Union, Indian Social Action Forum, Indic Project, Internet Democracy Project, Jan Swasthya Abhiyan, Mumbai Jharkhand Nagrik Prayas, LABIA – A Queer Feminist LBT Collective, Medianama, Metacept Mazdoor Kisan Shakti Sangathan, National Alliance of People’s Movements, National Adivasi Alliance, National Fishworkers’ Forum, Pakistan-India Peoples’ Forum for Peace & Democracy, India Chapter Point of View, Pothe Ebar Namo Sathi, Project Constitutionalism, People’s Union of Civil Libertie, People’s Union for Democratic Rights, Red Dot Foundation, Socialist Party of India, Swathanthra Malayalam Computing, Tandem Research and United Christian Forum.


Dated: 2 May 2020

Subject: Covering letter for the Joint representation against the mandatory installation of Aarogya Setu

Dear sir,

Internet Freedom Foundation (IFF) is a digital liberties organisation registered as a public charitable trust which aims to ensure that technology respects and furthers fundamental rights of internet users in India. We work across a wide spectrum of issues, with expertise in free speech, electronic surveillance, data protection, net neutrality and innovation. In particular, we believe in the democratizing potential of technology and work towards ensuring that every Indian has access to a free and open internet.

We write this covering letter with a copy of a joint representation signed by 44 organisations and 104 individuals on the issue of the Aarogya Setu App dated May 1, 2020. This representation made on the occasion of labour day is to state the negative impact of requiring the installation of the Aarogya Setu App on ordinary workers across the country. The endorsements are from trade unions, people’s movements, digital rights organizations, public health experts, former civil servants and bureaucrats, activists, academics, technologists, journalists, lawyers etc.

Subsequent to this joint representation we note that an Order No 40-3/2020-DM-I(A) has been issued on May 1, 2020 around 6:00 PM by the Ministry of Home Affairs requiring mandatory installation of Aarogya Setu. This goes against the core demands of the joint representation which is attached to this covering letter. We at IFF in continuation of this Joint Representation dated May 1, 2020 through this covering letter request specific review of Order No 40-3/2020-DM-I(A).

Presently the Order No 40-3/2020-DM-I(A), which has been issued under Section 10(2)(I) of the Disaster Management Act, 2005 mandates for the mandatory installation and operation of Aarogya Setu in two specific ways: a. First, after classification of the districts into three zones, for the Red (Hotspots) Zones, a further sub-classification has been made for, “containment zones”. As per the Order under Section 3(iii), “The local authority shall ensure 100% coverage of Aarogya Setu app among the residents of Containment Zones”. b. Second, at Para 15(i) further reference is made for, “all the district magistrates” to, “strictly enforce the lockdown measures” for, “public and workplaces, as specified in Annexure I”. This direction extends to all three zones.

Annexure I further states at Point No. 15 that, “Use of Aarogya Setu app shall be made mandatory for all employees, both private and public. It shall be the responsibility of the Head of the respective Organisations to ensure 100% coverage of this app among employees”.

Kindly note there are no exceptions or conditionality provided in these directions which place emphasis on 100% coverage in effect meaning total and complete mandatory installation of Aarogya Setu for all workers, all across the country.

We further note that Order No 40-3/2020-DM-I(A) indicates criminal penalties for non-compliance in Paragraph No. 16 that states, “Any person violating these lockdown measures and the National Directives for Covid-19 Management will be liable to be proceeded against as per the provision of Section 51 to 60 of the Disaster Management Act, 2005, besides legal action under Section 188 of the IPC and other legal provisions as applicable”. The specific provision that may be attracted for prosecution under the Disaster Management Act, 2005 is Section 51(b) that provides for a maximum punishment of up to 1 year for disobedience, and 2 years when such actions may lead to a loss of life. The penalty for conviction under Section 188 of the IPC extends to 6 months imprisonment.

Through this covering letter we at IFF assert that the original text of the demands that are attached and endorsed by a wide collective of organisations and individuals have clearly indicated the harm and injury which will be caused due to the mandatory imposition of Aarogya Setu. We assert that the reasoning and the demands which require a greater focus on health care and labour rights during this time are the prefered constitutional obligation and goal as opposed to the mandatory installation of a smartphone application. Worse, the non-compliance invites a criminal penalty thereby being a threat not only to the livelihood but also the liberty of workers all across India. This marks a dramatic shift from a model of, “encouragement” and trust to one of, coercion and compulsion which we urge your offices to kindly reconsider.

Kindly find attached more detailed reasons on the impact of Aarogya Setu in the Joint Representation endorsed by 44 organisations and 104 individuals for your consideration. As stated before the underlying demands, reasoning and justifications remain unchanged and valid. In view of this we urge your offices to generally require that Aarogya Setu (without prejudice to the larger concerns around it) remains at the very least a purely voluntary measure.

More specifically, we urge you to make specific changes to Order No 40-3/2020-DM-I(A) considering the spirit and text of this joint representation.