Mandatory imposition of Aarogya Setu by Delhi Govt is illegal and ineffective #SaveOurPrivacy
Tl;dr
Today we wrote to the Delhi Government urging against mandatory imposition of the Aarogya Setu app. Our alarm bells were rung by a circular issued by the Excise Department which directed licensed wholesale liquor vendors to ensure mandatory use of Aarogya Setu by every worker. In our representation, we have called upon the Delhi Government to withdraw the circular issued by the Excise Department and we have also sought issuance of an advisory to all departments clarifying that use of the Aarogya Setu app is purely voluntary and no person should be denied access to goods or services for failing to use the app.
Background
The Aarogya Setu app was launched by the Ministry of Electronics & Information Technology as a proximity exposure notification app on 02 April 2020 and it has been mired in controversy since its release. Concerns have been raised about misuse and breach of sensitive personal data collected by the app and legal experts have cautioned against deployment of such technologies in the absence of a data protection law in India. Public health experts have also explained why such apps cannot substitute on the ground contract tracing by healthcare workers and questioned the government's failure to explain why information available through existing databases is insufficient. Finally, technologists have warned that Aarogya Setu relies on weak anonymization techniques which make its users susceptible to re-identification and criticized the lack of transparency surrounding the app's code and algorithms.
Stop the Voluntary-Mandatory Game
The central government has repeatedly claimed that use of the Aarogya Setu app is voluntary but ground realities paint a very different picture. We have been closely tracking mandatory imposition of Aarogya Setu by different institutions including airports, court complexes and resident welfare associations. Most recently, our alarm bells were rung by a circular issued by the Delhi Government's Department of Excise on 27 October 2020 which directed licensed wholesale liquor vendors to ensure “mandatory use of Aarogya Setu app by every worker.” The circular further stated that Bond Inspectors are required to ensure compliance with this direction and submit a certificate within 3 days.
In our representation, we have called upon the Delhi Government to withdraw the circular issued by the Excise Department mandating use of the Aarogya Setu app by liquor store workers. We have also sought issuance of an advisory to all departments of the Government of NCT of Delhi clarifying that use of the Aarogya Setu app is purely voluntary and no person should be denied access to goods or services for failing to use the app. In support of these demands, we have highlighted the following concerns about legality and effectiveness of the Aarogya Setu app and explained how its mandatory imposition could lead to privacy violations and exclusion.
(IL)Legality
Despite collecting sensitive health and location data of millions of Indians, the Aarogya Setu app lacks any legislative basis and powers have not been provided under any statutory instrument to mandate use of the app. In an interview with the Indian Express, Retired Justice BN Srikrishna who headed the Committee on Data Protection constituted by the MeitY has endorsed this view and stated that making use of the Aarogya Setu app mandatory without enabling legislation is completely illegal. Mandatory imposition of Aarogya Setu amounts to an infringement of fundamental rights of citizens because it could lead to privacy violations and exclusion, and therefore, such a measure must be supported by legislative authorization.
Inaccuracy and Ineffectiveness
In addition to these legal concerns, mandatory imposition of the Aarogya Setu app may prove to be counterproductive at achieving its intended purpose of reducing COVID-19 transmission because of the inaccuracies inherent in app based contact tracing. Apps like Aarogya Setu rely on Bluetooth and GPS signals which cannot accurately estimate whether someone has been in close proximity (6 feet or less) of a COVID-19 infected person, and this can lead to a high number of false positives and false negatives. For instance, Bluetooth signals cannot recognize physical barriers such as walls and floors which make virus transmission impossible, and therefore, they may misidentify individuals as COVID-19 positive and send the authorities on a wild goose chase. Similarly, since Bluetooth based apps cannot account for surface to person transmission, they will also yield false negatives and provide a false sense of security to infected individuals.
Past Central Government Practice
It should be noted that authorities of the central government have also recognized that use of the Aarogya Setu app cannot be made mandatory for workers. For instance, on 01 May 2020, the Ministry of Home Affairs had issued guidelines which made use of the Aarogya Setu app mandatory for all public and private sector employees and the head of an organization was responsible for ensuring 100% coverage of the app among all employees. After this decision was challenged before the Kerala High Court, MHA issued revised guidelines on 17 May 2020 which encouraged use of the Aarogya Setu app on a "best efforts" basis but stopped short of making it mandatory.
More recently on 22 August 2020, MeitY launched an Open API Service to enable employers to receive real-time information about the risk status of their employees, customers and users. However, the Terms of Service of the Open API Service clearly state that explicit consent of the user is necessary to access data collected by the Aarogya Setu app and alternative methods to avail a service must be provided to users who do not grant such consent.
Important Documents
- Representation dated 18.01.2020 to Delhi Government (link)
- Previous post titled 'Multi-domain orgs and individuals raise concerns about Aarogya Setu' dated 18 September 2020 (link)
- Previous post titled 'Victory! Aarogya Setu changes from mandatory to “best efforts” dated 18 May 2020 (link)
#SaveourPrivacy
#BanTheScan