Kerala High Court hears challenges against mandatory imposition of Aarogya Setu
Tl;dr
Today, the Kerala High Court heard two petitions challenging mandatory use of the Aarogya Setu app. The app was made mandatory for all public and private sector employees by the Ministry of Home Affairs through guidelines issued to States/Union Territories under the Disaster Management Act, 2005. IFF provided legal assistance for the petition filed by Jackson Mathew, Managing Partner of Leetha Industries which was accompanied by an expert affidavit by Professor Subhashis Banerjee from IIT Delhi. During the hearings, the Kerala High Court directed the Ministry of Electronics and Information Technology to file a reply and to state on record that data collected by the app will not be misused. The petitions are listed next on 18 May.
Download Aarogya Setu or Face Jail Time
On 1 May 2020, the Ministry of Home Affairs (MHA) issued guidelines making use of the Aarogya Setu app mandatory for all persons in containment zones and all public and private sector employees. In case of the latter, the head of the organization has been made responsible for ensuring 100% coverage of the app among employees. These directions were issued by MHA under the Disaster Management Act, 2005 (DMA) and any violation is liable to be punished under Section 51, DMA (up to 2 years imprisionment) and Section 188, IPC (up to 6 months imprisonment).
Since its launch, the Aarogya Setu app has been mired in controversy about its privacy and security practices, and we have analysed it in our working paper which provides privacy prescriptions for COVID-19 tech interventions. After the Aarogya Setu app was made mandatory for vast sections of society by MHA on 1 May 2020, John Daniel, the General Secretary of Congress Thissur District Committee filed a PIL before the Kerala High Court challenging the constitutionality of these directions. Yesterday, another writ petition was filed by Jackson Mathew, the Managing Partner of Leetha Industries which employs 50 people against Aarogya Setu being made compulsory through the threat of criminal sanction. The petition filed by Jackson Mathew is accompanied by an expert affidavit by Dr. Subhashis Banerjee, Professor of Computer Science and Engineering at IIT Delhi which highlights utility and privacy concerns with the Aarogya Setu app. IFF retained counsels provided assistance for this petition.
After the petition was filed by Jackson Mathew yesterday morning, the government has released a data access and knowledge sharing protocol for the app. We will shortly be posting an analysis of the protocol and its failure to address concerns about legality, purpose limitation, data minimization, transparency and accountability.
Contagion of Technosolutionism
Despite serious concerns about the accuracy of COVID-19 surveillance apps, governments across the world have tried to leverage these apps to contain the spread of the virus. As Susan Landau notes, when you have a hammer, it is tempting to see nails everywhere but India doesn't even have the level of smartphone and internet penetration required for such apps to even be theoretically effective. In a country where only 25% of the population has access to bluetooth enabled smartphones, the government has made the Aarogya Setu app mandatory for accessing essential services like railways and this will have a devastating exclusionary impact.
In addition to this, bluetooth and GPS signals are not an accurate estimate of whether someone has been in close proximity (6 feet or less) with a COVID-19 infected person. This can lead to a high number of false positives and false negatives which end up causing more harm than good. For instance, bluetooth signals cannot recognize physical barriers such as walls and floors which make virus transmission impossible, and therefore, they may misidentify individuals as COVID-19 positive and send the authorities on a wild goose chase. Similarly, since bluetooth based apps cannot account for surface to person transmission, they will also yield false negatives.
"Privacy by Design" Not
Despite the government repeatedly claiming that the Aarogya Setu app does not raise any privacy or security concerns, the Terms of Service and Privacy Policy of the app tell a very different story. The writ petition filed by Jackson Mathew analyses these issues in great detail but in brief, the Aarogya Setu app violates the following data protection principles:
- Legality
The Aarogya Setu app which collects sensitive health and location data of millions of Indians has been launched without any governing legislative framework. The Disaster Management Act does not provide legislative basis for deployment of the Aarogya Setu app because it does not include any provisions for collection and processing of personal data. Retired Justice BN Srikrishna who headed the Committee on Data Protection has also explained that making Aarogya Setu mandatory without an enabling legislation is completely illegal. He also pointed out that the protocol issued by the government cannot substitute legislation by the parliament. - Consent
Based on MIT Tech Review’s Tracker, India is the only democratic country which has made use of COVID-19 surveillance apps mandatory. Other countries which have made such apps mandatory are China and Turkey. However, in Turkey, only confirmed COVID-19 patients have to mandatorily download the app. - Purpose Limitation and Data Sharing:
Clause 2(a) of the Privacy Policy states personal data collected at the time of registration can be used for “medical and administrative interventions necessary” in relation to COVID-19. This suggets that data collected by the app can be used for lockdown/quarantine enforcement. This is inconsistent with global best practices. For instance, the European Commission has clearly stated that data collected by COVID-19 surveillance apps should not be used for law enforcement or commercial purposes. - Data Minimization
Aarogya Setu collects location data through GPS and it can be used to track real time movements of individuals. This violates the principle of data minimization because location data is not necessary to determine if a user was in proximity of a COVID-19 positive person and bluetooth signals are sufficient for this purpose. - Security
The Aarogya Setu app anonymizes data by assigning each user a static device identifier. This kind of weak anonymization has been highlighted as a significant privacy concern by Professor Subhashis Banerjee in his expert affidavit. He notes that unlike other apps which issue new tokens to be used as a fresh ID after pre-specified time intervals, Aarogya Setu uses a static device identifier. This combined with the fact that Aarogya Setu collects several other data points including meta data, makes the app vulnerable to an attack where users can identify other users who have been determined by the app -rightly or wrongly - as high risk spreaders. - Transparency
Clause 3 of the Terms of Service prohibits reverse engineering of the app which means that security researchers cannot independently study it to perform good faith vulnerability disclosure. The government has also refused to provide any technical specifications of the Aarogya Setu app. In contrast, other countries like Singapore, Israel and Australia have published the source code of their apps and other technical specifications relating to cryptography and bluetooth. - Accountability
Clause 6 of the Terms of Service exempt the government from any liability for a person’s inability to access the app, inaccurate information about COVID-19 status of persons in one’s proximity and any breach of user data. Clause 7 of the Terms of Service further states that the government makes no warranties about the app’s accuracy and that such services are never wholly free from defects, errors and bugs.
What happened at today's hearing?
The PIL filed by John Daniel was listed before a Division Bench of Justice Anu Sivaraman and Justice MR Anitha as Item No. 8 and it came up for hearing around 11:30 AM. During the hearing, the counsel for the Petitioner sought interim relief to ensure that no coercive action was taken against anyone for failing to download the app. The counsel for MeitY insisted that Aarogya Setu was the best app in the world and emphasized that a protocol had also been issued to address privacy concerns. The bench was disinclined to intervene at this stage because "extraordinary times call for extraordinary measures". However, the bench directed the government to file a statement on record that the data collected by the app will not be misused and listed the matter on 18 May.
The Writ Petition filed by Jackson Mathew was listed before a Single Judge Bench of Justice Gopinathan as Item 71 and it came up for hearing around 5:15 PM. During the hearing, Justice Gopinathan enquired about the previous proceeding before the Division Bench. Advocate Santhosh Mathew appearing for the Petitioner explained that this petition was not a PIL and highlighted the practical difficulties faced by the petitioner who would have to purchase smartphones for his employees and check whether they were using the Aarogya Setu app or risk criminal prosecution. The counsel appearing for MeitY once again insisted that the Aarogya Setu app is supposed to help the government fight COVID-19 and unless a large part of the population downloads it, the app will not be effective. In response, Advocate Santhosh Mathew emphasized on the aspect of criminal penalities and noted that even the Registrar or Chief Justice could be liable for imprisionment if any of the High Court employees failed to download Aarogya Setu. Justice Gopinathan acknowledged that this was a valid concern and he directed the counsel for MeitY to get instructions and file a statement on these aspects. This petition will be listed next on 18 May along with the petition filed by John Daniel before the Division Bench.
Advocate Santhosh Mathew and his team comprising of Advocates Anil Sebastian Pulickel, Vijay Paul and Jaisy Elza Joe led this important court intervention. Lawyers, Gautam Bhatia and Abhinav Sekhri, IFF retained counsels, Vrinda Bhandari, Devdutta Mukhopadhyay and Sidharth Deb also provided drafting and research assistance for this petition.
Important Documents:
- Writ Petition filed in Jackson Mathew v. Union of India (link)
- Expert Affidavit by Prof. Subhashis Banerjee (link)
#SaveOurPrivacy
#BanTheScan