Tl;dr

Today, we wrote to the Standing Committee for Information Technology, which is actively considering the issue of “citizens data security and privacy”, on the lack of any clear legal basis or legislative framework for contact tracing apps such as Aarogya Setu. As per prior analysis, since such applications are without a legal basis or any enforceable limitation, they are a “privacy minefield”. Now, because they are being made mandatory, this is leading to second-order harms such as exclusion. Non-compliance with installation of Aarogya Setu can also potentially lead to criminal prosecution. Due to this and more, it is incredibly important that the Standing Committee commence urgent hearings.

Background

Yesterday we studied two significant developments that have spurred the present intervention.

  • UK report: On May 6, a report on the contact tracing application in the United Kingdom was released by the House of Commons. This report clearly stated that “the government must not roll out the contact tracing app” and “Government assurances about intended privacy protections for any data collected do not carry any weight unless the Government is prepared to enshrine these protections in legislation.” (link). We have made a similar recommendation in our working paper (link).
  • Standing committee may soon resume functioning: The appropriate body to commence a similar study and author a report is the Standing Committee for Information Technology. The Standing Committee on IT is a parliamentary committee that is actively looking at the issue of “citizens data security and privacy” (link). While this body is not actively meeting at present due to the Covid pandemic, yesterday, as per a press release, the Rajya Sabha Chairman and Lok Sabha Speaker commenced a process to examine the feasibility of remote meetings (link; hat-tip Arun PS).

Spurred by this, and given our consistent engagement with parliamentary committees and legislators, we swung into action.

Lack of privacy, legality, transparency due to Aarogya Setu

Today, we wrote to the Standing Committee for Information Technology on the specific issue of the lack of any clear legal basis or legislative framework for the several contact tracing apps, notably Aarogya Setu.

We pointed out that:

  1. Impact on privacy: Many of these smartphone applications have a direct impact on individual privacy and have been documented at length in a working paper published by us earlier (link). This comprehensive working paper, made in the style of a “Brandeis Brief”, surveys expert literature and contains India-specific analysis. While it is still in a process of development to account for subsequent events, it may hopefully provide a credible basis for analysis to our legislators.
  2. Lack of legislative framework: Specifically with respect to contact tracing, many smartphone applications have been launched by State and Central Governments without any underlying legal or legislative framework. They suffer from issues of transparency (e.g. source code is not open sourced and there is a lack of clarity on contract conditions and service rules for the “volunteers” developing it) and further lack any feasibility reports. This is in direct violation of the fundamental right to privacy, as analysed with respect to the flagship application, Aarogya Setu (link), which is being developed by the National Informatics Center (NIC) (that is also avoiding transparency by being evasive to RTI queries).
  3. Mass surveillance and exclusion: Further, the installation of such contact tracing applications, which cause mass surveillance, is now being made mandatory under threat of criminal penalties. Due to this, more than 45 organisations, including trade unions, and more than 100 prominent individuals have endorsed a joint representation to the Ministry for Home Affairs (link).

Our request for action

In our letter, we have requested that urgent hearings be conducted. These should especially involve medical health professionals, academics from IITs, and digital rights and public policy experts. Such hearings may focus not only on the privacy impacts but also on the feasibility of, and exclusion caused by, such contact tracing apps, which are by their very nature mass surveillance measures.

We also stated that there is an urgent need for the Committee to engage with the Government in order to obtain clarity and public disclosure on this deep violation of human rights. We have asked that significant Government officials - especially from the National Informatics Center (NIC) and other relevant government agencies and law enforcement - be invited to depose before the Committee in order to obtain transparency through official disclosure of the source code, product architecture and all official files, including the service contracts and rules executed with the developers who are being classified as “volunteers” in press reports.

Our final request is that the Committee on IT consider the suitability of a legislative framework, given that the feasibility of Contact Tracing itself is under growing doubt even while the mass surveillance and exclusion (from livelihood or use of public facilities) caused is certain. We hope an objective, evidence-based parliamentary report authored on the basis of expert inputs can help advance institutional engagement on the wide, pervasive and harmful impacts on our fundamental rights through smartphone applications such as Aarogya Setu that are increasingly being made mandatory under threat of criminal penalties.

Important Documents:

  1. Letter on issues of data privacy and security on contact tracing applications dated May 8, 2020 [link]
  2. Joint representation by 45 organisations against the mandatory use of Aarogya Setu [link]
  3. Our comparative analysis of the Aarogya Setu App [link]
  4. Working paper on Privacy Impacts by Technology Interventions around Covid-19 in India [link]