Our Concerns With The Aarogya Setu App
Recently, the Ministry of Electronics and Information Technology (“MEITy”) rolled out its “Aarogya Setu” application (“the App”) for Android and iOS platforms. The app aims at providing users information as to whether they are prone to a COVID-19 infection by analysing their proximity to COVID-19 positive persons. The app requires the user to submit the user’s geodata. It also uses Bluetooth to connect to other registered users and, from the network thus formed, analyses whether the user has come in contact with anyone who has tested positive. The app, as per its terms of service, is intended to “notify, trace, and suitably support” a registered user regarding COVID-19 infection.
We, at SFLC.IN, went through the software’s features and also took a look at its terms of service and its privacy policy. The application collects personal information, some of which is sensitive personal data, such as a person’s gender and travel information. So, it was necessary to scrutinise the App in these testing times. And we do have some concerns with the App. They are as follows:
1. Violation of the law laid down by the Supreme Court – It is important to note that the Aarogya Setu app has been launched in the time of an ongoing pandemic, when Governments are trying to maximise data collection, often at the cost of the privacy rights of citizens. India does not have a law dealing with personal data protection, which should be limiting data collection and processing. SFLC.IN, along with a coalition of lawyers, social activists, entrepreneurs, and concerned citizens, had recently sent a joint letter to various ministries of the Central Government and also the heads of states and union territories, expressing concerns over the unwarranted and excessive collection of personal data during the ongoing COVID-19 pandemic and urging the various governments to follow the law enunciated in various Supreme Court judgments. If you haven’t signed on the campaign letter, you can do so by clicking here.
2. “Aarogya Setu” is not open source – Though the Central Government has a prevailing policy on adoption of open source software, the Aarogya Setu app’s code has not been made open source. Making the source code available enhances transparency, and this also improves security as the code is open to community audit. The app primarily collects personal data from user cellphones, and cellphones are an immense repository of personal data of users and sometimes of a user’s contacts and acquaintances. In this scenario, keeping the source code of such an app proprietary is not advisable.
3. Personal Data Collected and its Use – The app, as per its privacy policy, collects the following personal information during registration and stores it in the cloud: (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; (vi) countries visited in the last 30 days; and (vii) whether or not you are a smoker, along with a person’s current medical condition, collected through a series of questions when the app is run for the first time to assess the condition of the user. Moreover, the App continuously collects the location data of the registered user and maintains a record of the places where the user had come in contact with other registered users.
Clause 2 (a) of the Privacy Policy states, concerning the use of collected data, that:
“The personal information collected from or about you under Clause 1(a) above, will be stored locally in the App on your device and will only be uploaded to and used by the Government of India (i) in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country and/or (ii) in the event you have tested positive for COVID-19 or have come in close contact with any person who has tested COVID-19 positive. Any personal information uploaded to the cloud will only be used for the purpose of informing you, or those you have come in contact with, of possible infection. Such personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.”
This clause enables the Government to share personal information uploaded to the cloud with “such other necessary and relevant persons” in order to “carry out necessary medical and administrative interventions”. This is problematic as the clause is broadly worded, allowing the data to be shared with practically anyone that the Government wants.
Moreover, the promises made in the privacy policy can also be undermined by the vagueness of Clause 2 (c), which states:
“The personal information collected will not be used for any purpose other than those mentioned in this Clause 2 save as required in order to comply with a legal requirement.” [emphasis supplied]
Nowhere in the policy documents is the phrase “legal requirement” defined. It is not unreasonable to think that this could be defined as whatever the Government wishes. This can lead to excessive collection and use of sensitive personal data. Moreover, true anonymisation of personal data has been debated by technologists and the Government has to prove that it has anonymised the data properly.
4. Very “Limited Liability” – The liability limitation clause of the Terms of Service limits the Government’s liability even if inaccurate information is given by the App or in case of failure to generate true positives. It is pertinent to note that this absolves the Government of liability in case of any harm caused due to incorrect information. Therefore, the App’s policies render the App nothing but another data-grabbing exercise.
Moreover, the liability clause also exempts the Government from liability in the event of “any unauthorised access to the [user’s] information or modification thereof” (emphasis supplied). This means that there is no liability for the Government even if the personal information of users is leaked.
5. Restriction on Reverse Engineering
Section 52, clauses (ab) and (ac), of the Copyright Act, 1957 state:
“(ab) the doing of any act necessary to obtain information essential for operating inter-operability of an independently created computer programme with other programmes by a lawful possessor of a computer programme provided that such information is not otherwise readily available;
(ac) the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied;”
Through the aforementioned provisions a Central Act enables a lawful possessor of a computer programme to do any act to obtain information essential for inter-operability of an independently created computer programme and to determine the ideas and principles which underline any elements of the programme. Essentially, these provisions enable reverse engineering of a lawfully obtained computer programme.
However, the Aarogya Setu app, through Clause 3 of its Terms of Service, restricts the user from reverse engineering the App.
“...You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”
(emphasis supplied)
Reverse engineering is a process through which one is able to study a computer programme and understand how the programme functions, and whether the programme is doing only what it is supposed to do or what the developers promised that it would do.
It is indeed essential for security researchers to study and examine the working of an app like Aarogya Setu, which is potentially a surveillance tool that collects the movements and geolocation data of its users.
A provision in a Terms of Service cannot take away a statutory right provided by a Central Act. The former is a violation of the latter. Therefore, this provision within the Terms of Service must be removed.
Note: We are also doing a technical analysis of the Aarogya Setu app. We will upload more information if we find any more issues.