November , 2020
Aarogya Setu needs to bridge right to safety with right to privacy
11:44 am

Shivanand Pandit


Many dealings of the government indicate that the left hand of the government does not know what the right hand is doing. A notice was issued by the Central Information Commission (CIC) to the government for responding ambiguously towards an appliance lodged as per the provisions of the Right to Information Act pertaining to the procedure of creation of Aarogya Setu - a contact tracing application that has data of millions of users.


The CIC has also dispensed show-cause notices to the Central Public Information Officers of the Ministry of Electronics and Information Technology, the National Informatics Centre, and the National E-Governance Division. These organisations nosedived to provide concrete details on the process of crafting the contact tracing application, files connecting to the formation and review actions to verify for ill use of personal records of users. The Information Commissioner Vanaja Sarna noted that none of the Central Public Information Officers were capable of clarifying anything about creation of the application or giving details about files.


The Aarogya Setu app was developed in only 21 days and unveiled on April 2, 2020 by the government. As per the government’s data, the application has been downloaded by more than 16.23 crore people. The contact tracing app was made mandatory by the Ministry of Home Affairs for a number of activities including travelling during the Covid-19 pandemic.


On August 1, 2020, an RTI activist Saurav Das filed his entreaty before the CIC and appealed that the ministry has not provided a fitting response to his request for particulars of the app. A copy of the complete file having details of origin of proposition, approval process, particulars of the companies, people and government branches involved in the designing of the app was asked by the activist. He had also inquired for internal transcripts, memorandums, file recordings and communications connected to the creating and concluding of the app. Furthermore, details regarding the legislation or regulation under which the app was designed and the government’s plan for introducing a separate law for this app and its administration were also demanded by him.


On August 7, the activist complained to the CIC mentioning that Central Public Information Officer of Ministry of Electronics and Information Technology, while responding to his plea said that the application has been forwarded to the Central Public Information Officer of the National E-Governance Division of the ministry and did not provide concrete answers to his interrogations. On October 2, Das mentioned that the National E-Governance Division had responded by declaring the division does not possess any information concerning his questions.


Bearing in mind the massive amount of public interest involved in the topic, Das insisted on instant inspection of the matter to safeguard the citizens’ elemental entitlement to life and liberty. Looking at failure to apprise the utilization of people’s personal records, he also indicated that malfunction by the public authorities to execute their duties as per ‘Protocol 2020’ will have an irrevocable harmful influence on citizens’ right to confidentiality. Besides, the activist is of the opinion that the hearing of the matter will be pointless if it is postponed because the app will be unusable once the pandemic ends.


The CIC makes an entry


Considering the importance of the issue, the CIC positively acknowledged the appeal of Das and issued warnings to Central Public Information Officers of the Ministry of Electronics and Information Technology, the National Informatics Centre and the National E-Governance Division.


In the order, the information committee of the CIC questioned the National Informatics Centre which comes under the Ministry of Electronics and Information Technology, Government of India, to specify why in spite of the Aarogya Setu application assertion that the podium was fabricated, improved and hosted by it, the ministry had no knowledge on the formation of the application. The panel also voiced its astonishment that the ministry was ignorant of this notwithstanding that another body under it, MyGov, retained, rationalised and reinforced the content on the platform. The CIC instructed Central Public Information Officers to clarify the matter in writing as to how the website (https://aarogyasetu.gov.in/) was shaped with the domain gov.in, if they do not have any awareness about it.


The CIC commanded Central Public Information Officers to be present before the bench on November 24, 2020 to express the reason as to why action should not be instigated against them. They were also instructed to send a copy of all relevant documentary evidence upon which they had selected to rely upon during the trial - at least five days before the hearing. These officers should serve the copy of the order of the CIC to such persons who are accountable for the laxity and inform them to be present before the bench.


Responding to the order of the CIC, the Ministry of Electronics and Information Technology clarified that the ministry will take essential measures to obey the command. It has mentioned that the app was launched by the Indian government in a public-private-partnership mode and since April 2020, press reports were broadcasted relating to Aarogya Setu app including making the source code accessible in open domain. According to the ministry, all the details linked with the development of the app and management of the app ecosystem at various stages was shared when the code was released in open or public domain and the same was disclosed extensively in the media.


Earlier the government claimed that it did not possess any information about the design of the app but later stated that information about the app has been shared widely on different platforms. Both the actions of the government have raised many questions. Immediately after the launch of the contact tracing app, several privacy advocates and security academics raised the flag against privacy matters. The opaque privacy policy of the app has come under the radar of many industry experts as well. Robert Baptiste, popularly known as Elliot Alderson who is a French ethical hacker, also highlighted the confidentiality apprehensions over the app and said that the app had numerous security defects. However, the government did not exhibit affirmative response to it.


Additionally, the government did not answer some of the vital questions like whether users of the app don’t have the right to know how their data is being managed? When the list of beneficiaries is not kept, how do they know who has accessed their delicate personal data? Without strong security practices mechanism or data protection law, how do people of the country know there has been no violation? Could these worries have been tackled if there was a meticulous audit and review system in position? If there is no audit procedure, what is the use of the protocol? Without an anonymisation system how has data been used or handled so far?


To conclude, the CIC should not treat the hearing frantically or kindly when three main patrons that work closely with each other provided ambiguous answers to the appeal of the activist on the progression of the tracing app. The government should manage centralised health data systems like Aarogya Setu strongly. Otherwise the forthcoming Digital Health ID and National Health Stack projects will be unsuccessful and ineffectual. Therefore, if the Aarogya Setu application is executed only through comprehensive data protection law, the unpredictable hazards and disproportionate limitations of fundamental rights can be avoided. This will also expedite constitutional scrutiny. If not, the Aarogya Setu may not construct a trustworthy setu (bridge) between the government and citizens of the nation.


The writer is a tax specialist, financial adviser, guest faculty and public speaker based in Goa. He can be reached at panditgoa@gmail.com

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.