India: Employees face criminal penalty if they don’t download contact-tracing app

Case Study, COVID-19, India, Surveillance & Human Rights

On April 2, the Indian government launched a Covid-19 contact-tracing app using Bluetooth and location data called Aarogya Setu which means “bridge to health” in Sanskrit.

The government initially claimed the use of the app would be voluntary but, within two weeks, its download was made mandatory for Central Armed Police Forces personnel and employees of Prasar Bharati, India’s largest public broadcasting agency Prasar Bharati.

A couple of weeks later, on May 1, it was announced that all employees, public and private, would have to download the app and that non-compliance would result in a criminal penalty.

In a New Dehli court, people accused of crimes were ordered to download the app and register as a “Covid-19 warrior” as part of their bail conditions, a practice that has occurred in courts across India. The app currently has reportedly more than 100 million users.

Source code

On May 20, the Ministry of Railways announced that, for train services beginning on June 1, it would be mandatory for train passengers to download the app. On May 21, Airports Authority of India announced that it would mandatory for passengers to download the app with the exception of children under the age of 14.

There has been confusion over the alleged publication of the app’s source code.

The Government claimed to have released the source code, but experts have pointed out that the source code released by the Government is not the for the same version of the app as is currently being used by people.

There has also been no independent oversight of the app and it remains unclear who has access to the data collected via the app.

External server

When one downloads the app, the user has to submit data such as name, age, gender, and travel history, while the information is then exported to an external server.

India has no national data privacy or data protection law and there are no strong, transparent policy or design limitations on accessing or using the app’s data. In addition, there is no “sunset clause”, it is not known when the app will no longer be mandatory and if the app will be repurposed after the pandemic.

It’s also not clear to whom a user can turn to if they wish to make a complaint or if they even can make such a complaint.

While India does not have a national data privacy or data protection law, the field is covered to a great extent by the judgment of a nine-judge Bench of the Supreme Court in the Puttaswamy case. In Puttaswamy, the Supreme Court laid down five criteria to satisfy the proportionality standard for use of any privacy infringing technology.

These are: (i) it must have a legislative basis; (ii)it must pursue a legitimate aim; (iii) it should be a rational method to achieve the intended aim; (iv) there must not be any less restrictive alternatives which can also achieve the intended aim; and (v) the benefits must outweigh the harm caused to the right holder.

Legislative framework

The Aarogya Setu App fails the very first criteria of the proportionality standard because it does not have a legislative framework to govern its functioning and to ensure adequate procedural safeguards. With regard to the specific case of collection and processing of health data of individuals during endemics, the Supreme Court held that this would be permissible only if the data were anonymised.

Further, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 specify that health data can be collected and processed by body corporates only with the consent of the individual.

The rules also impose various obligations on body corporates relating to purpose limitation, notice, storage limitation, right to access and correction and right to opt-out.

Thus, the Aarogya Setu App is in violation of the existing legal framework drawn by the Supreme Court and the rules drafted by the Government of India.

Safeguards

On May 1, the Internet Freedom Foundation, along with the Human Rights Law Network and other experts, sent a joint letter to the Prime Minister of India outlining their concerns about the app and calling for it to cease being mandatory for workers.

The letter also highlighted the Indian government’s failure to uphold legal obligations in terms of privacy and data protection safeguards and how Aarogya Setu deviates from international best practices for contact-tracing apps.

On May 28, HRLN filed a Writ Petition before the Karnataka High Court challenging the mandatory use of Aarogya Setu and seeking a declaration that use of the app be voluntary. The Kerala High Court had already issued notice to the Government of India on a petition challenging mandatory use of the app.

On June 12, in a significant U-turn by the Government of India, it informed Karnataka High Court that the app is optional, and not mandatory, for air and train travel.

It told the court that if someone does not have the app, they can fill a self-declaration form instead and travel. A memo to this effect was submitted to the court and the matter was adjourned until July.

Drones

A second method of surveillance used by India in response to Covid-19 is the use of drones by police to monitor people violating lockdown restrictions.

In Mumbai drones announce to passers-by that they face charges if they’re found to have left their home without a valid reason, while artificial intelligence-equipped drones used in Punjab and Bangalore monitor night-time curfews and measure the distance between people who are outdoors during the day-time.

These AI-equipped drones can reportedly detect humans from a distance of one kilometre and notify police if people are standing too close to each other.

Drones have also been used to monitor Friday prayers at mosques after reports that several people who attended a religious event at Nizamuddin Markaz in Delhi in March, organised by Muslim group Tablighi Jamaat, were later found to have test positive for Covid-19.

This practice of monitoring mosques has helped feed into a disturbing and dangerous Islamaphobic misinformation campaign that Muslims were purposely spreading the virus.

In the early stages of the pandemic, serious concerns were also raised about the publication of names, addresses and phone numbers of people suspected of having Covid-19 through newspapers and social media. Posters outlining the names of people quarantining were also placed outside their homes.

The Central Government later advised that people affected by Covid-19 or under quarantine should not be identified.

Pic: Drone Federation of India

(Labelled for non-commercial re-use)