On 14 April’s speech announcing the extension of India’s national lockdown till 3 May 2020, the country’s Prime Minister requested citizens to download the Aarogya Setu application.
The application remains a privacy minefield and it does not adhere to principles of minimization, strict purpose limitation, transparency, and accountability, say experts at Internet Freedom Foundation (IFF).
In a working paper titled “Privacy Prescriptions for technology interventions on COVID-19 in India,” Sidharth Deb, policy and parliamentary counsel at IFF analyze the application, highlight how it is inconsistent with the right to privacy, is conceivably a risk toward a permanent system of mass surveillance and suggest clear recommendations to arrest these risks.
Aarogya Setu asks its users to provide both Bluetooth and location services access. This is meant to help the application identify contact traces of a Coronavirus positive patient.
The users have to enter their mobile phone number, verified with a one-time password, their name, age, gender, profession, travel history, and known contact with a coronavirus patient.
“As such, the Aarogya Setu application appears to clearly be inconsistent with privacy-first efforts which are being considered by technologists and governments,” wrote Sidharth Deb.
“Critically, India lacks a comprehensive data protection law, outdated surveillance and interception laws, or any meaningful proposals for meaningful reform. In domains like disaster relief, most apps that are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement,” he added.
“To protect people’s right to privacy, countries say that contact tracing will be used strictly for disease control and cannot be used to enforce lockdowns or quarantines. Aarogya Setu retains the flexibility to do just that or to ensure comply legal orders and so on,” observes IFF, an Indian digital liberties organization that seeks to ensure that technology respects fundamental rights.
They also blamed the central government for having a blanket liability limitation clause inserted into the app’s service agreements and privacy policies.
“This means citizens cannot hold the Government accountable or seek judicial remedy should they wish to ensure the Government’s processes are compliant with the right to privacy,” it adds.
Sidharth Deb also observed that the current Government has failed to provide any defined period by when it intends to review, delete and ultimately destroy its systems and data which is collected under the Aarogya Setu project.
Many reports confirm that this server is being linked with other government datasets.
“Such linking increases risks of permanent systems of mass surveillance,” Deb said.