Multi-domain orgs and individuals raise concerns about Aarogya Setu #SaveOurPrivacy

Tl;dr

8 organizations and 145 individuals have written to MoHFW, MeitY and the IT Standing Committee raising serious technical, legal, ethical and implementation concerns regarding Aarogya Setu and other apps introduced during the COVID-19 pandemic. This joint statement was drafted by the Forum for Medical Ethics Society, Jan Swasthya Abhiyan, All India People’s Science Network and Internet Freedom Foundation based on multi-domain experience and it situates COVID-19 apps like Aarogya Setu within the  public health system in India. The joint statement also presents a clear set of 16 demands to safeguard sensitive personal data of citizens and prevent exclusion.

Background

The Aarogya Setu mobile app was introduced by the government as a proximity exposure notification app on 02 April 2020 and it has been mired in controversy since its release. Concerns have been raised about commercial or law enforcement use of sensitive personal data collected by the app by legal commentators who have cautioned against deployment of such technologies in the absence of a data protection law in India. Public health experts have also explained why such technologies cannot replace on the ground contract tracing by healthcare workers and questioned the government's failure to explain why information available in existing government databases is insufficient. Finally, technologists have warned that Aarogya Setu adopts weak anonymization practices which make its users susceptible to re-identification and criticized the lack of transparency surrounding the app's code and algorithms.

Joint statement by multi-domain civil society groups

This joint statement was drafted by the Forum for Medical Ethics Society, Jan Swasthya Abhiyan, All India People’s Science Network and Internet Freedom Foundation and it has been endorsed by 8 organizations and 145 individuals. The other four endorsee organizations are Janchetna Sansthan, Lok Manch, Rethink Aadhaar Campaign India and the Right To Food Campaign. A full list of endorsees can be found in the joint statement linked at the bottom of this post.

Yesterday i.e. 17 September 2020, we sent the joint statement to the Ministry of Health & Family Welfare, Ministry of Electronics & Information Technology and the Parliamentary Standing Committee on Information Technology. The statement presents a clear set of 16 demands to safeguard sensitive personal data of citizens and prevent exclusion in access to healthcare and other essential facilities which are listed below.

I. For proportionality

1. There is a constitutional obligation to adopt the least restrictive/intrusive measure to achieve the stated purpose. These thresholds can be benchmarked against known technological best practices and models, and the kinds of interventions adopted by other constitutional democracies. The design of
   interventions must also ensure that they do not disproportionately impact people from certain backgrounds, identities, and regions.
2. A full release of specifications including cryptography, anonymization specifications, Application Programming Interface (API) specifications, and Bluetooth specifications.
3. Release of the source code for the current version of the AS App, given the fact that the released code does not match with the one in use, and release of the server-side code.
4. Development of a comprehensive privacy impact assessment, articulating accompanying risks associated with large scale roll-out of the App.
5. Commitment (i.e. sunset clauses that are clearly present in primary legislation) to permanently destroy the data and systems being built via AS App at the end of the COVID-19 pandemic.
6. The AS App must not in any way be made mandatory by government or private actors;
7. Among other things, the focus must be on assuring the public that these are temporary interventions which will not devolve into permanent surveillance and monitoring systems.

II. For legality

1. Suitable legislation is required aim to hold the Union and State governments and private actors accountable for leakage or any inappropriate use of App data during epidemics and communicable disease outbreaks.
2. Under this legislative framework, governments may only access patient data through hospital records, and must preserve patient anonymity.
3. These frameworks should be solely under the control of public health institutions.

III. For necessity

1. The government must establish contextual necessity of the new technological interventions like the AS App which monitors people’s movements since this is already being done by other actors (like telecom service providers).;
2. Grounds for treating the existing government databases, such as those maintained by ICMR and other existing surveillance mechanisms and hospital records as inadequate for the current purposes of responding to the pandemic
3. The expected advantage of interventions for collection of health and related information is collected, the actual technical effectiveness of the interventions itself, and a detailed cost-benefit/privacy impact analysis to evaluate risks before rolling out such Apps
4. Necessity as a dynamic construct, and that it is embedded through the life cycle of the AS programme. Within it there is a need for continual review of the programme as regards principles of transparency and accountability.

IV. Oversight Structures and Processes

1. The required legislation must create independent institutions for oversight separated from the political executive.
2. Towards this end, the agencies/institutions concerned should publish periodic reports informing the public if, and to what extent, the App is augmenting the Government’s response in treating and containing the spread of Covid-19. Based on such feedback loops, these institutions should be empowered to make decisions for course correction or even discontinuation of the programme itself,
   and the permanent destruction of the systems created.

Important Documents

1. Joint Letter dated 17.09.2020 to MoHFW, MeitY and IT Standing Committee (link)