New report raises fresh concerns over govt's Aarogya Setu application

The critically acclaimed movie - The Dark Knight - revolves around a machine, created by Batman, which he uses to track the real-time movement of people in the city of Gotham in order to keep tabs on his nemesis.

This raises several privacy concerns for citizens that are voiced by other characters in the movie, and in the end, the machine is destroyed altogether.
 

This analogy was given by the think-tank, Dialogue (founded by researcher Kazim Rizvi), in a report published on Wednesday and co-authored by the body's research scholars, in collaboration with lawyers.

With the Aarogya Setu application (app) becoming a bone of contention between the Centre and Opposition leader Rahul Gandhi raising concerns on it, this report, published on Wednesday, could potentially add fuel to this debate as it questions the application’s legality and raises various privacy concerns.
 

The Centre has made the downloading of the app mandatory vide an order dated May 1, 2020 in all public and private offices, as well as in containment zones. However, the report suggests that the app does not have any legal standing. 

“Neither an Ordinance, or an Act has been passed by the president or Parliament to give a legal foothold to this application,” it says.  It notes that the existence of the app may go against the tenets of the judgment in the Puttaswamy case, which establishes the Right to Privacy as a Fundamental Right.
 

Privacy concerns
 

The report has raised several privacy concerns. It notes that to increase transparency, the app must be an open source app, and that data auditing must be allowed to settle concerns regarding lack of checks and balances. Secondly, the app must clearly define its purpose to ensure that the data collected cannot be misused.
 

It further states that even though the app’s privacy policy says the information will remain anonymous, it does not elaborate upon the method used for anonymisation. The co-authors suggest that the time frame for storing data must be capped at 21 days, from the current time frame of 30/45 days for mobile and server, and 60 days for a positive patient.

“Timelines should be based on medical relevance as well as the realistic duration for necessary administrative steps to be taken,” it notes. The report adds that the privacy policy must have a sunset clause to prescribe the anonymised data to be purged from its servers. Moreover, even though the application says that data will not be shared with anyone, except health professionals, it must also disclose the sharing protocol to decrease the risk of misuse.
 

Finally, it also emphasises on the need to have scrutiny at every step. “The government is pushed against making two choices in real time — whether to maximise  technology input in the shortest span of time thereby limiting the spread of the virus; or deploying strong checks and balances to prevent future surveillance. We believe that there needn't be a choice between the two options,” the report concludes.
 

 "Without a data protection law in our country, it is necessary that utmost caution be taken to adhere to privacy principles," says Rizvi.