Blog

In a recent decision, the Delhi High Court set a bail condition on Umar Khalid of installing the Aarogya Setu app for monitoring of movement

The decision confirms the fears of privacy rights groups around the use of Aarogya Setu app and data for surveillance of citizens

Last month, J&K Administration has admitted that it shared the Aarogya Setu data with the local police of one district in the UT

There has been a lot of controversy around the use of Covid-19 contact tracing apps around the world including India’s Aarogya Setu. The fears of the app being used as a possible surveillance tool to keep a track of citizens in the country have seemingly been confirmed now. While the government has denied these from the very beginning, a recent order by the Delhi High Court paints a completely different picture.

Yesterday (April 15), the Delhi High Court granted bail to activist Umar Khalid seven months after his arrest under the stringent Unlawful Activities (Prevention) Act (aka UAPA) of 1967 for his alleged involvement in the Delhi riots of 2020. While the charges under UAPA are still pending, the court has decided to let Khalid out on bail against the payment of INR 20,000 bond and a surety of like amount.

While all that is part of due legal procedure, there is one condition that has most definitely raised a lot of eye brows — Khalid has to install the Aarogya Setu app on his mobile phone.

Yes, while Covid cases are on a rise once again and contact tracing is essential, the court order is unlikely to have come due to this reason. There have been no other cases in the past year where such a condition has been set for bail. The use of Aarogya Setu in this manner is akin to an ankle monitor or other devices used by law enforcement agencies to track bailed or under-trial persons.

Apar Gupta, executive director of internet rights group Internet Freedom Foundation (IFF), said, “The installation of Aarogya Setu as a pre condition has not clearly been articulated and there have also been existing concerns that Aarogya Setu data, which includes a person’s physical movements, will also be shared with authorities beyond it being there for health purposes.” He further noted that there is no legal limitation at present to Aarogya Setu deployment apart from the protocol and there is no legal basis to restrict its sharing of information of the police department.

The bail condition hints towards the much larger privacy implication not just for Khalid but for the 100 Mn+ users that have installed Aarogya Setu on their phones. Is the government constantly tracking all movements? It also brings up the issue of tracking of individuals for non-Covid-19 reasons, which was a claim that the government had denied in the past.

It has been less than one year since the Ministry of Electronics and Information Technology (MeitY) tried to reiterate the non-survelling nature of the Aargoya Setu app by launching ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’, which very clearly indicate that use of the app’s data will be “strictly” limited to formulating, implementing or improving appropriate health responses.

But at the same time, Aarogya Setu data has been used for non-health reasons. The administration of Jammu and Kashmir admitted last month that it did share user data collected by Aarogya Setu app with the local police in the union territories’ Kulgam district. The data included the list of people that tested positive of Covid as well as the data related to recoveries and casualties. While many may ignore such processes citing it as a price of maintaining law and order in the country, it still does pose a grave threat to an individual’s right to privacy.

IFF’s Gupta told Inc42 that whenever a personal data is collected in a data protection framework, it needs to be utilised for the specific purpose it has been gathered for. This is known as the principle of purpose limitation. “Essentially using someone’s data gathered for health purposes for law enforcement essentially makes it a surveillance app,” he said.

Aarogya Setu, the contact tracing app launched in April 2020, uses Bluetooth and GPS-based location tracking to identify potential encounters with suspect or coronavirus-positive cases. It detects other devices with the Aarogya Setu app installed and alerts users based on proximity to the device, so the app has a potential to create a social graph of users by tracking everyone they have been close to.

Research firm Defensive Lab Agency believes that this social graph, combined with the government’s existing databases, can expand the power of surveillance.

Besides this, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, has also found flaws in Aarogya Setu app previously, which compelled the government to make the app open-source.

The most ironic aspect of the use of Aarogya Setu as a potential surveillance tool is the fact that India itself is underway to introduce the country’s first data protection policy and scrutinising private companies like Facebook and WhatsApp on how they utilise their users data. Earlier this week, competition watchdog Competition Commission of India (CCI) told the Delhi highlight that WhatsApp’s recent policy update could lead to excessive data collection and stalking of its users.

“The government has never been completely honest when it comes to Aarogya Setu and this has been disappointing because technology needs to be used effectively to tackle Covid, at present. It has also undermined the trust in technical deployments around how the pandemic is being handled. I would like to express my disappointment on this, that Aarogya Setu has been a missed opportunity to utilise technology, which would have improved trust, adoption and also helped manage the pandemic is a much better way,” IFF’s Gupta said.