Photo credits: "The Internet" by Ben Chun is licensed under CC BY-SA 2.0

[BigDataSur-COVID] Consent Design Flaws in Aarogya Setu and The Health Stack

by Gyan Tripathi and Setu Bandh Upadhyay

“The use of a person’s body or space without his consent to obtain information about him invades an area of personal privacy essential to the maintenance of his human dignity,” observed the Canadian Supreme Court in the matter of Her Majesty, The Queen v. Brandon Roy Dyment, (1988) 2 SCR 417 (1988).

The Government of India released its digital contact tracing application “Aarogya Setu” (the app) on April 2, 2020, following a wave of similar digital contact tracing (DCT) applications worldwide. Some DCTs, like the one in Singapore, have been largely successful, while others, like Norway’s, had to be pulled after an assessment by the country’s data protection authority raised concerns that the application posed a disproportionate threat to user privacy, including by continuously uploading people’s location. Notably, Aarogya Setu not only continuously collects people’s location, but also binds it to other Personally Identifiable Information (PII).

While India has more than 17 other similar apps at various state levels, Aarogya Setu is perhaps the most ambitious digital contact tracing tool in the world. However, the app has been at the center of heavy public backlash for posing a grave threat to the constitutionally guaranteed right to privacy.

According to the much-celebrated judgment in K. S. Puttaswamy v. Union of India (the judgment), any restriction on the fundamental right to privacy must pass a three-prong test: legality, which postulates the existence of a law; need, defined in terms of a legitimate state aim; and proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them. Aarogya Setu fails on all three counts: it has no legislative backing; the objectives the state sought to achieve by deploying the application were unclear and shifting; and, given the huge amount of Personally Identifiable Information (PII) it collects, the near-opaque team of researchers that ‘volunteered’ to build it, the faulty technology used, the absence of clear guidelines on usage and data storage, and the lack of any data protection authority oversight, the means are not proportionate to the ends.

Following a slew of legal challenges and public outcry, the government released the Aarogya Setu Data Sharing and Storage Protocol (the protocol), which was intended to govern the sharing of data collected by the app between governments (Central and State), administrative bodies and medical institutions. However, the protocol continued to lack any effective mechanism for checking whether it was practicable and actually being executed. Subsequent responses to Right to Information queries revealed that the data management and sharing protocols envisaged in the document were never realized. Earlier, various activists and security experts had criticized the government for releasing an incomplete source code while claiming that it was making the application ‘open-source’. In the case of Aarogya Setu, therefore, there was a systematic breakdown of established laws and reasonable expectations of privacy.

While the judgment also speaks of granting citizens more practical ways of controlling their information, and Section 11 of the proposed Personal Data Protection Bill, 2019 contemplates the same by way of specific consent, the very architecture of the application does not allow users to exercise control over their data. In the event that a person tests positive for the novel coronavirus, the application uploads not only their data but also the data of everyone with whom they came into contact over the previous fourteen days.

The 9th Empowered Group, constituted by the Union Government for ‘Technology & Data Management’, opted for two-way communication between the application and the Ayushman Bharat dashboard, the umbrella scheme for healthcare in India, in order to do away with discrepancies and duplication in the data of individuals who had tested positive. This was revealed by the minutes of the meeting obtained under the Right to Information by the Internet Freedom Foundation. The minutes show that the data collected through Aarogya Setu was not only integrated with Ayushman Bharat but was also in communication with Aarogya Rekha, the geo-fencing surveillance system employed by governments to enforce quarantine measures and track those placed under mandatory quarantine, institutional or home.

Fears of scope creep are already manifesting in the Aarogya Setu development team’s plans to integrate telemedicine, e-pharmacies, and home diagnostics into the app in a separate section called AarogyaSetu Mitr.

On 7 August, the National Health Data Mission (NDHM) released its strategic document detailing the requirement to digitize all medical registries and thereby create a National Health Stack (the health stack), based on a June 2018 white paper by NITI Aayog, the policy think tank of the Government of India. The National Health Authority, the nodal agency for Ayushman Bharat, indicated that it would migrate all data collected by the Aarogya Setu application and integrate it with the health stack. Various media reports and occasional public statements have confirmed that the data collected by the Aarogya Setu app would be the starting point for the health stack.

Herein lies a grave point of concern: owing to the faulty data collection mechanism of the application, the lack of express consent for sharing data with the health stack, and inherent flaws within the health stack itself, millions will be put at risk of algorithmic or systematic exclusion. There is a massive deficit in the competence and effort of public and private providers of healthcare services in India. Healthcare workers are often absent for much of their working time, and even when they are present, allied conditions such as a lack of proper equipment and facilities are a major obstacle. As algorithms and artificial intelligence systems become commonplace in the healthcare sector, on the pretext of being more cost-effective and accurate, equal importance should be given to the lack of records, the already stretched health infrastructure, outdated research, and overburdened medical institutions and personnel. The subsequent use of the data collected, and the use of automated tools for decision making, might also exacerbate existing problems such as the underrepresentation of minorities, women, and non-cis males.

There is a lack of any specific legislation concerning the disclosure of medical records in India. However, under the regulations notified by the Indian Medical Council, every medical professional is obligated to maintain physician-patient confidentiality. But this obligation does not extend to other entities, third parties, and data processors responsible for processing patient data, either under the mandate of a state body or a body corporate.

Presently, the outdated Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 remain in force in India, but the rules fail to provide a comprehensive framework based on other internationally accepted practices. On matters of health information security, India currently has a draft Digital Information Security in Healthcare Act, which provides for the establishment of eHealth Authorities and Health Information Exchanges at the central as well as the state level.

Computational systems are mostly data-driven and are ultimately based on the brute force of complex statistical calculations. Since the technical architecture of the proposed National Health Stack is unknown at the moment, this further adds to the uncertainty about how the shared data would be used. This raises, as Prof. Hildebrandt points out, the question of to what extent such design should support legal requirements, thus contributing to interactions that fit the system of checks and balances typical of a society that demands that all of its human and institutional agents be “under the rule of law”. The issue of consent is inherent to the rule of law, as in the digital social contract it ensures the individual right to self-determination.

The need for informed consent overlaps with the ‘purpose limitation’ and ‘collection limitation’ principles, which form part of the core Fair Information Principles (FIPs) set out in the OECD Guidelines governing the protection of privacy and transborder flows of personal data, first issued in 1980. The principles stipulate that “There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject”, all while ensuring that “the purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose”.

Privacy, like other abstract and subjective freedoms, cannot be reduced to the fulfillment of certain conditions, nor can it be given a delineated shape. However, we must endeavor to give users at least some level of control so that they can better understand and balance privacy considerations against countervailing interests.


About the authors

Gyan Tripathi is a student of law at Symbiosis International (Deemed University), Pune, and a Research Associate with Scriboard [Advocates and Legal Consultants]. He particularly loves to research the intersection of technology and law and its impact on society. He tweets at @tripathi_gy.

Setu Bandh Upadhyay is a lawyer and policy analyst working on Technology Policy issues in the global south. Along with a law degree, he holds a graduate Public Policy degree from the Central European University. He has a diverse set of experiences working with different stakeholders in India, East Africa, and Europe. Currently, he is also serving as the Country Expert for India for the Varieties of Democracy (V-Dem project). He tweets at @setubupadhyay.