Four weapons have emerged in our fight against coronavirus. The World Health Organization (WHO) calls them testing, isolation, tracing and treatment. These weapons work at different stages and have limitations of their own. The only way to flatten the curve and save precious lives is to get ahead of the virus and prevent it from infecting the next person. At a stage where a person has already been diagnosed and has been an active spreader, testing can help segregate people requiring a differential degree of care and other quarantine measures. Isolation and social distancing translating into lockdowns have proved to be effective. In the absence of a vaccine, which appears to be months away on a very optimistic note, or an effective treatment, millions of innocent individuals will lose their lives. Amongst all these measures the only pro-active measure is rapid contact tracing followed by pre-emptive testing and treatment if required. In wake of limited utility of manual contact tracing, social distancing and violation of lockdowns, governments all across the world have been constrained to use technology for prospective contact tracing and establishing co-presence. Approaches range from use of aggregated telecom data to GPS location information and Bluetoothbased beacons.
The Indian government’s Aarogya Setu app works by collecting user location data locally from GPS/Bluetooth and collates it with an IT-enabled operations framework. The app asks for necessary functional permissions including access to data storage, device location and control over Bluetooth protocol. Compared with similar apps used in Singapore, Hong Kong and South Korea, Aarogya Setu follows the stringent Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules (“SPDI Rules”), 2011. If compared with other state government applications, Aarogya Setu adheres to much stricter standards of privacy, purpose and justification. A detailed report by the Internet Freedom Foundation (IFF) which compares Singapore’s TraceTogether, MIT’s Private Kit (Safe Path’s Project) and Aarogya Setu while raising concerns about each of these applications, explains that the Indian government app stores the location data locally and does not upload it until and unless a medical event occurs. The use of 256- bit AES, a strong encryption technology, ensures that sensitive personal information of the user remains intact.
Data is encrypted in transit as well as at rest. Personal information provided at the time of registration is encrypted and anonymised before being uploaded to the government cloud where it is stored in a secure encrypted server. Europe which has a very stringent GDPR (privacy and data protection) regime has permitted anonymised telecom data and other metadata to be used for prediction of possible infection spread. In fact, backchanneling/extralegal arrangements between government authorities and TSPs appears to be common in Europe. Belgian telecom operators are granting public authorities database access, while in Germany Deutsche Telekom is affording its Federal Disease Prevention Agency ‘regulated access’ to its location data. In comparison to the above surveillance technology-based approaches, Aarogya Setu appears to be minimally invasive, voluntary and designed with principles of privacy in mind. It also anonymises personal information of the user into a Unique Identity which is used for processing of medically significant events only. The legal framework of the Supreme Court’s judgement in KS Puttaswamy (Retd) and Anr v Union of India (2017), while developing jurisprudence on the fundamental right to privacy, also explicitly observed that when it comes to a public health epidemic, authorities may use health records, provided they ensure the anonymity of the patients. Restriction of right to privacy may be justifiable in the circumstances subject to the principle of proportionality and must be considered in relation to its function in society and be balanced against other fundamental rights.