Responses by Government’s worldwide to COVID-19 pandemic has seen the infusion of

technology and public health at massive scale, heavy reliance have been placed upon Contact
tracing apps. India is not far behind, the Aarogya Setu app, which has been rigorously marketed
by the Prime Minster himself and the government, has seen rapid-fast downloads in a short
period. This fast adoption of technology has also raised privacy concerns. India is again not
behind here either. The Aarogya Setu app saw an influx of concerns over privacy, eventually
forcing the Government to update the app’s privacy policy.
There have been concerns raised regarding the compatibility of the app, with the standard laid
down by the SC in the Puttaswamy Decisions, namely that the measure restricting an
individual’s privacy has meet, the requirement of legality, suitability, necessity, proportionality
including having adequate procedural safeguards.
The European Data Protection Board [EDPB]¸ had issued guidelines last month, for Contact
Tracing apps [EU Tracing Tools Guidelines]. The purpose of the guidelines was to ensure that
the data collection carried out by an EU Member States for combating Covid-19 is in line with
the principles of effectiveness, necessity, proportionality. The principles guiding the drafting of
the EU Tracing Tools Guidelines, and the SC in the Puttaswamy Decisions, are similar therefore,
they should be relied upon by the Government, to ensure that the Setu app moves closer to being
in line with the Puttaswamy Decisions.
The concerns regarding Aarogya Setu presently primarily revolve around the issues of partial
centralization, weak encryption, lack of adequate security protocols, of transparency and
accountability. In contrast, the EU Tracing Tools Guidelines are based on the pillars of effective
data anonymization, data minimization, decentralization, transparency, and accountability to
ensuring that working of app meets the element of “proportionality” by ensuring the extent of
the data collection is strictly proportional, to the need of the interference.
The Aarogya Setu app’s first problematic aspect is its anonymization protocol. While the app
does employ an anonymization protocol, it is ineffective due to the nature of the personal
information collected and stored by it. The Setu app, collects detailed demographic information
about individuals, including their name, phone number, age, sex, profession, travel history, and
smoking history. Additionally, it collects precise locational data using both GPS and Bluetooth.
Experts have suggested that complex personal information dataset which contains multiple
demographic attributes, such as the Aarogya Setu app cannot be effectively anonymized. In a
study, with a dataset containing merely fifteen demographic attributes, the data was
deanonymized and the user identified 99.98% of the time. This concerns can only be assuaged, if
the Setu app does not collect or store demographic information of its users, this would be line
with the notion of “data minimization” under the EU Tracing Tools Guidelines and the model
apps Singapore’s TraceTogether and MIT’s PrivateKit.
Moreover, with respect of the precise locational data the Setu App collects, the EDPB had
concluded that “data pattern tracing the location of an individual over a significant period of time
cannot be fully anonymized.” EU Tracing Tools Guidelines suggests to effectively anonymize
user data, the geographical coordinates recorded, should be sufficiently, lowered and collected
data be properly aggregated.
Additionally it must be noted, that neither of the proposed amendment above would take away
the effectivity of the Setu app. The purpose of such apps is "map proximity between individuals,
as a proxy for infection risk", which can even be effective with merely less precise location data,
such as for merely Bluetooth tracking the success of Singapore's Trace Together is a case in
point.
The first flaw brings us to second important problem (and the potential) with the App, i.e. data
centralization. The data collected by App is only partial de-centralization, the data once
transferred to the Government is stored on centralized Government database. This puts the data
at huge risk as even a single successful cyber breach would ensure that large swathe of data
remains at risk. This concern is amplified, by the fact the Setu app is backed by weak security
protocols. The unique User-ID generated by the Setu App is static and is not changed regularly,
which the experts say make it vulnerable to cyber-security intrusions which may lead to sniffer
attacks which refer to cyber security intrusions to intercept unencrypted data traffic or data with
weak encryption on an network data. The centralized data coupled with static IDs and specific
information makes the risk even larger. Therefore, the Setu privacy policy should be modeled,
based on the principle of data decentralization which is central to the EU Tracing Tools
Guidelines is key to securing the collected data and privacy of its users.
The third fatal flaw that raises questions over the App’s concern for privacy, is the lack of
transparency, and accountability around it. The code of the app has not been made open source,
the Privacy policy is ambiguous and there exists very little information about how the data is
collected, stored, processed, encrypted, anonymized, to who handles the data, for what purpose
and to whom can this data be transferred. In the absence of transparency regarding the working
of the app, it becomes impossible to if the App is or is not a reasonable restrictions of citizens
privacy and the effectivities of the app.
In additional, the policy makes clear Government does not bear any responsibility if a data
breach takes place. The lack of transparency around current iteration of the app, ensures there is
no surety that the app will work in line with the principle of proportionality, but also lack of
accountability, effectively knocks from the bottom any possibility of check and balances, which
is central to the requirement of “effective procedural safeguards.”
For these concerns’ EU Tracing Tool Guidelines prescribes, that the algorithms employed by the
Setu app should not only be publicly available but should be regularly scrutinized by
independent experts. Furthermore, the that is role and responsibility of different actor which can
have access to user data collected, processed and stored by the apps like Setu have to be clearly
defined, to ensure accountability.
The fourth fatal flaw with the app is that it lacks any sunset period and allow for its data to be
shared on the vague and broad grounds for sharing data for “administrative purposes.” Both of
these flaws, coupled with the blanket of impunity the Government has shielded itself with means
the Setu app's scope can every well expanded as time passes by, be used as the EDPB has
warned the personal data collected will be further processing for “purposes unrelated to the
management of the COVID- 19 health crisis,” for instance for law enforcement purposes. This
can be ensured as the EU Tracing Tools Guidelines, suggested having a defined sunset clause
and more precisely defined policy limiting the use of collected personal data only for assisting
states in combating the Covid-19 health crisis, and this means strictly doing away with vague and
broad grounds for sharing data such “administrative reasons.”
If the above mentioned change to are implement it will ensuring that the Setu app takes
concentrate and much needed steps towards the Puttaswamy standards, for a reasonable
restriction on an individual’s privacy, by helping the app be meet the elements of proportionality
and effect procedural safeguards. However, even with government taking up each of the
suggestions above the Setu’s App there will still be legal concerns around, which this is not the
focus of the article and have been discussed in detailed by others. Addressing them in brief, the
App shall still have fulfill the requirement of reasonable nexus to the object of the measures
(suitability), legality and necessity, as laid down by the Puttaswamy decisions.
Element of legality require a specific law authorizing such intrusion, the only law that has been
invoked is National Disaster Management Act, however concerns have been raised about using
the app as a basis for restriction individual’s fundamental rights as the act does not have any
specific and explicit provision allowing restrictions of fundamental rights such as the right to
piracy and it does lay down any limitations and procedural safeguard regarding this power.
With respect to the elements of a rational nexus between the objective and the measure and
necessity and. There seems to be no particular reason why these tests would not be satisfied as
Contract Tracing does have a rational nexus with ensuring that the Covid-19 doesn’t spread.
Similarly, the element of necessity can be prima facie satisfied, the element requires the
examination if measures undertaken is the least restrictive alternative, to achieve the said
objective. The objective, of Contact Tracing apps is to create digital mapping-model indicating
the density of the infection and the movement of the virus, which can be used to tactically deploy
the limited medical resources of the state and to control and seal of the movement of the virus.
The fact that there is adopting of these apps worldwide and the fact that effective tracing apps
with coupled with effective medical infrastructure have led to success stories like South Korea
and Singapore, should prima facie make the case such apps can meet the standard of “necessity.”
Moreover given the EDPB, which is comprised of independent experts on European data law,
have themselves endorsed contact tracing apps and that they can comply with the element of a
reasonable restrictions on privacy included “necessity” do go a long way in justifying the
Constitutional validity of the Setu App.