INTRODUCTION #

If 2020 goes down in history as the year of Covid-19, it was also, undoubtedly, the year of digital technologies. One by one, as countries all over the world closed their borders and shuttered their businesses in the span of a few short weeks, people turned to technology as their primary communicative arena, and nation states turned to it to conduct epidemiological surveillance and monitor lockdown enforcement. Homes turned into offices, as jobs and services that could be shifted online did so, including government services, education, financial transactions, medical care and more. The volume of information, both personal and otherwise, that was being collected, stored and shared through the digital scaffolding of the internet skyrocketed.

This was true of India as well, where 688 million internet users put the country second on the global leaderboard of internet users. And yet, more than half the population of the country still lacks access to the internet. Notably, the Indian government’s 2018 Survey on Household Social Consumption: Education had found that even amongst those who could access the internet, only about 20% knew how to use it.¹² The digital divide in the country is vast, in terms of access as well as knowledge.

Data protection rights in India currently exist in a peculiar legal limbo: in August 2017, the Supreme Court of India deemed privacy to be a fundamental right, stemming from the right to life and personal liberty under Article 21 of the Constitution. The Court had also noted that privacy of personal data is a critical aspect of the right to privacy. Subsequently, the 2019 Personal Data Protection Bill was introduced by the Minister of Electronics and Information Technology in Parliament. The bill was referred to a Joint Parliamentary Committee for review, where it currently remains.

An enormous ecosystem of apps and technological tools have taken root and flourished in the country, particularly for managing the Covid-19 pandemic. Without question, accurate data are indispensable for managing a public health emergency such as Covid-19, and harnessing technological and data-driven innovations can enable governments and healthcare workers to make more informed decisions. But in the absence of any formal legal regulation, many of these tools are subject to self-regulation, as this report details.

Covid-19 in India

On January 30, 2020, the first case of Covid-19 in India was confirmed in the State of Kerala.³ The seriousness of the emergent situation was clear, as three days later the death toll in China due to Covid-19 exceeded that of the 2002-03 SARS outbreak.

The Ministry of Health and Family Welfare (MoHFW) designated the Indian Institute of Medical Research (ICMR) and the National Institute of Virology (NIV) to research and develop methodologies to tackle Covid-19. This is a notable departure from the government’s established strategy, since the Integrated Disease Surveillance Programme (IDSP), a government initiative under the Health Ministry’s National Centre for Disease Control launched in November 2004, was absent from the strategizing and monitoring of the pandemic.⁴ IDSP was created a year after the SARS outbreak with the explicit mandate of tracking diseases and pandemics. It has well-established surveillance units at the central, state and district levels that track the outbreak of diseases. These data are then compiled into detailed weekly reports, which are published on their website.

Prime Minister Narendra Modi addressed the nation regarding the pandemic for the first time on March 3, 2020, through a tweet.⁵ He stressed that there was ​“no need to panic”, and that ​“Different ministries & states are working together, from screening people arriving in India to providing prompt medical attention.”

On March 12, 2020, one day after the WHO officially declared Covid-19 a pandemic, India reported its first death from the virus, in Kalburgi, Karnataka.⁶ The government banned the entry of foreigners and suspended all visas for travel to India for a month. The next day, Health Ministry Joint Secretary Lav Agarwal spoke to reporters at a press conference and said that Covid-19 is not a health emergency, and that there was no need to panic. He also stated that 42,000 people in the country were under community surveillance.⁷

On March 22, Prime Minister Narendra Modi declared a ​“Janata [Public] Curfew”, a 14-hour lockdown from 7 am to 9 pm on a Sunday. He added: ​“Our experience of Janata Curfew will help us chart the way ahead for tackling coronavirus in India.” Anyone who was not associated with essential services, such as health, government services, sanitation and the media, was directed to stay indoors. The Prime Minister also said that in order to show the nation’s appreciation for the frontline workers who were battling Covid-19, all citizens should come out onto their balconies or yards at 5 pm, and clap or ring bells for five minutes.⁸ India had reported a total of 360 cases and tested a total of 16,021 individuals up to the Janata Curfew.

At 8 pm on March 24, 2020, Prime Minister Narendra Modi ordered a nationwide lockdown for 21 days, starting at midnight.⁹ At this point, the total number of positive cases in the country was 606. The world’s largest lockdown, for 1.3 billion people, was mandated with four hours’ notice. All international and domestic flights, all forms of public transportation, and all inter-state and intrastate travel were halted overnight. On April 14, India extended its nationwide lockdown till May 3, which was followed by two-week extensions starting May 3 and 17, with progressive relaxations in restrictions.

On March 29, 2020, the Union Home Ministry had issued an order under the Disaster Management Act to set up 11 Empowered Groups of Officers to deal with the various challenges the pandemic had created. The order, signed by the Union Home Secretary Ajay Bhalla, as Chairman of the National Executive Committee, stressed the need to synchronize efforts across ministries and departments. The Empowered Groups were for (i) planning for medical emergency; (ii) establishing the availability of hospitals, isolation and quarantine facilities, disease surveillance and testing; (iii) ensuring availability of essential medical equipment; (iv) augmenting human resource and capacity building; (v) managing supply chain and logistics; (vi) coordinating with private sector; (vii) instituting economic and welfare measures; (viii) providing information, communications and public awareness; (ix) managing technology and data; (x) channeling public grievances; and (xi) solving strategic issues related to lockdown.¹⁰ Each group consisted of senior officials from the Prime Minister’s Office and the Cabinet Secretariat.

As of November 4, 2020, at least 72 apps had been deployed by public entities in India across Android and iOS platforms, three of which can be used pan-India. Their functions, as per the features listed in their descriptions on the Android Play Store, in government notifications, media coverage, and existing research reports, include: contact tracing (4); quarantine monitoring (21); accessing essential services (12); disseminating information (34); self-assessment (25); e‑pass integration [display and/​or application for e‑passes] (9); telemedicine (6); fund-raising (10); reporting gatherings/​individuals (7); information gathering/​surveys (12); displaying heat maps (2); displaying other information on maps within the app¹¹ (6); providing the option to register as a volunteer (5).

Reflecting the mobility restriction measures that have formed the crux of Covid-management strategies in most countries, at least 30 of these apps affect the movement of users or of those in their vicinities, in the form of geo-tagging, requiring individuals to upload their selfies at fixed intervals throughout the day to verify their current location, asking users to upload photographs of their house, allowing the public to view the location of home-quarantined persons, offering an option to report violators of quarantine rules, allowing users to track the movement of Covid-19 patients in their vicinity, and so on. Twenty-seven of the apps have a dedicated privacy policy. For the remaining apps, the privacy policy is either not present, or it re-directs the users to the state’s or the developer’s website, or the link is not functional.

Other tech-enabled tools also joined the fray in the nation’s battle against Covid-19: drones, CCTV cameras, thermal scanners, online portals for travel registration, and more. The MoHFW updates their website with the number of active cases, including the number of recovered/​discharged patients and deaths. By February 8, 2020, India had about 10.8 million confirmed cases of Covid-19, the second highest in the world, and about 155 thousand deaths.¹²

In this report, we will analyze some of these apps and tech-enabled tools across three main research considerations: (i) from a public health perspective; (ii) potential for function creep and social control, by both state governments and by non-state actors; and (iii) the perspective of equal access and participation of vulnerable groups in society.

METHODOLOGY #

This report uses a mixed method research design, drawing from both semi-structured interviews and desk research. We conducted in-depth interviews with a range of key stakeholders, such as those involved in the development and deployment of the app/tech-enabled measure, senior government officials, industry leaders, epidemiologists, and public health experts. The interviews were conducted in October and November 2020. Owing to severe limitations on travel and safety imposed by the pandemic, the interviews were conducted online and via phone. We were mindful that we were reaching out to these key stakeholders, particularly government officials, in the middle of a public health emergency. Many of them understandably had extraordinarily busy schedules, which limited the number of persons we could interview within the constraints of the project’s timelines. All interviewees were informed that the guiding principle for the report is that participants are in control of the disclosure of their identity.

Many of the primary sources cited in our report were not easy to locate, as they were scattered across official websites, personal social media handles of officials, and official social media handles, in a way that blurred lines between the personal and the public. Press releases and government orders regarding several key developments were also unavailable in the public domain.

Additionally, owing to the evolving nature of the pandemic, official decisions also changed in response to the needs of the hour. This was reflected in the apps and alternative measures that we analyzed − the governing documents of these tools were updated or changed, features and functionalities were modified, official websites were taken down, and in some cases the measures were removed altogether.

Our preliminary desk research and overview of media reports suggested that there were several apps and alternative means deployed for Covid-19 management. First, we conducted an extensive mapping process of both categories: we charted all the Covid-related apps that had been deployed by public entities, using information available on the Android Play store, and through government notifications, news reports, and existing research reports.¹³¹⁴¹⁵[^16 ] We then followed a similar process for all technological and non-technological alternative measures.¹⁶

Covid-related apps

We found 72 apps in the country launched by central government, state governments, municipal corporations, and public research institutes.¹⁷ Of these 72, we listed each of the Covid-related apps that had hundred thousand or more downloads on the Android Play Store. This resulted in a list of 26 apps which we then shortlisted to those that stood out in terms of their functionalities, and those that were particularly relevant to this project’s goals. Finally, we subjected this new shortlist to a top-level analysis that asked: how likely is it that each theme that our preliminary research has deemed relevant will also be of relevance to this particular app? An overview of this analysis can be found here.¹⁸

Based on this process, it was decided that for this report:

● Aarogya Setu, which had been downloaded 100 million times on the Android Play Store, would be the primary focus.

● Three state-level apps would be briefly analyzed in light of one of their functionalities. They are: i) Quarantine Watch (asks for selfies from users); ii) CoronaWatch (public display of personal information); and iii) Corona Virus Alert App (COVA) Punjab (has a feature to report others).

In our preliminary mapping, we had to factor in certain practical considerations. First, some of the apps were in regional languages that we are not familiar with, which limited our ability to analyze their features and functions. Second, we did not download the apps for analysis, as some of their data privacy specifications were ambiguous.

As we have relied on the descriptions of the apps on the Play Store, along with secondary sources of information, we anticipate limitations as the information available could be incomplete: for instance, the descriptions on the Play Store were not always updated and the existing descriptions were not always reflective of the actual functioning of the app. To overcome these limitations to the best of our ability, we used additional sources of information, such as news sources, government press releases, and additional literature. For example, the description of Punjab’s COVA App on the Android Play Store does not list contact tracing as a feature; however, other official sources have listed it as one of the app’s functionalities.¹⁹

Alternative means

We also mapped all known technological and non-technological alternative measures used to combat the pandemic in the country. For the alternative measures, we factored in the following considerations: i) considerably less focus has been given in public discourse to technological tools that have been used to combat the pandemic, as opposed to means such as the nationwide lockdown, and ii) these tools contribute to a much larger tech-enabled ecosystem of surveillance, which could also outlive the pandemic.

Based on this process, the following tech-based alternative measures were selected:

• Drones: There was an increase in the use of drones − also known as Unmanned Aerial Vehicles (UAVs) − during the pandemic, particularly by law enforcement authorities. Some of the drones were outfitted with cameras, as well as AI (Artificial Intelligence), such as thermal scanners.

• Online portals for travel, and the National Migrant Information System (NMIS): For this measure, we will focus on the NMIS, and engage with the use of e‑passes to the extent relevant for the NMIS. This report will look at these measures in the context of the migrant crisis that unfolded in India during the lockdown.

OVERVIEW OF APPS AND ALTERNATIVE MEASURES #

Aarogya Setu #

On April 2, 2020, the Ministry of Electronics and Information Technology (MeitY) announced the launch of Aarogya Setu, an app that uses a self-assessment by the user as well as GPS and Bluetooth technology to do contact tracing, hotspot prediction, and to conduct and display a risk assessment of the user. The app also has a range of other features, which include: i) integration with the e‑pass portals used by states for the regulation of travel during the lockdown; ii) live statistics related to Covid-19; iii) information on ICMR-approved labs with Covid-19 testing facilities and emergency helpline numbers; iv) information on government advisories, orders, and best practices related to Covid-19; v) APIs (Application Programming Interfaces) to allow users to disclose their health status by displaying a QR code or by accepting a request to share their health status; and vi) an option to donate to the Prime Minister’s Citizen Assistance and Relief in Emergency Situations Fund (PM CARES), a privately audited fund established by Prime Minister Narendra Modi.

MeitY’s official press release announcing the launch said that Aarogya Setu had been ​“developed in public-private partnership.”²⁰ It described the app as being ​“a multi-dimensional bridge” that would ​“enable people to assess themselves the risk of their catching the Corona Virus infection.” Aarogya Setu is a Sanskrit phrase that translates as ​“the bridge to liberation from disease.” The app was initially released via the app stores on iOS and Android, and made available for KaiOS on May 14, 2020.

On May 26, in another press release, MeitY described it as a ​“contact tracing and self-assessment” tool, which was ​“pioneering new data driven epidemiological flattening of the curve through syndromic mapping.”²¹

Aarogya Setu was the fastest-growing mobile application in the world in April, clocking over 50 million downloads in the first 13 days and beating Pokémon GO’s world record.²² By July 2020, the app had been downloaded more than 127.6 million times.

The country’s government machinery was mobilized right from the beginning to promote the app. In a video conference with the Chief Ministers of all states to discuss the strategy for tackling Covid-19, Prime Minister Modi spoke about the need to popularize the app, and to ensure a high number of users nation-wide. He referred to South Korea and Singapore’s successes in contact tracing, and said that Aarogya Setu was ​“an essential tool in India’s fight against the pandemic.”²³

When a user registers on the app, the Aarogya Setu server assigns them an anonymous, randomized unique Device identification Number (DiD) and associates it with their mobile number. This pair – the mobile number and the DiD – as well as other personal details provided at the time of registration, are encrypted and stored in the Aarogya Setu server. When a mobile device that has Aarogya Setu installed and the GPS and Bluetooth services turned on comes within range of another such device, the app collects the DiDs and details of the interaction such as time, duration, distance and location. This information is encrypted and stored on the device.

At the backend, the nodal agency for testing, the ICMR, gets the test results from the Covid-19 labs across the country. This database has a list of the registered mobile numbers of the patients who have tested positive for Covid-19, which is shared with the Aarogya Setu server. In the event of an Aarogya Setu user testing positive, the app pulls up the list of other users who have come in contact with them in the previous 14 days, calculates their risk of infection, and communicates that to them.

Users can also take a self-assessment test which evaluates the risk of infection based on the data points collected. The following information is requested in the test: i) whether the user has any Covid-related symptoms (the options for which are listed); ii) whether the user has any pre-existing health conditions;²⁴ iii) whether international travel was undertaken in the last 14 days; and iv) whether the user has come in contact with someone who was infected with Covid-19 or whether the user was a healthcare worker who examined a Covid-infected patient without wearing protective gear.

The FAQ on the app’s website also states that Aarogya Setu collects the user’s location each time a self-assessment test is taken and that this information, along with the DiD and the results of the test, is stored on the server in an encrypted form.

The results of the risk assessment are shown on the home screen of the app in one of the following categories: i) green: low or no risk; ii) yellow: moderate risk of infection; iii) orange: high risk of infection; and iv) red: positive.²⁵²⁶

On May 6, the self-assessment option was extended to those who have access only to feature phones or landlines, through the Aarogya Setu Interactive Voice Response System (IVRS). Residents can give a missed call to the number 1921, following which they receive a call asking for their health details, along the lines of the questions on the app. Based on their responses, they receive an SMS indicating their health status.

Over time, new features have been continuously added to the app and existing features have been modified. On July 5, 2020, an update to the app introduced a feature for people to see the number of users who have been in Bluetooth-proximity to them, along with their risk levels. If a user’s screen turns yellow or orange, that is moderate or high risk, the app also provides details of the date, time, approximate location, and duration of contact with users that have tested positive for Covid-19.²⁷

An e‑pass integration feature was also added a few weeks after the launch of the app,²⁸ as were the ​“Aarogya Setu Mitr” portal and ​“Open API services portal.” The Mitr portal was launched in May 2020²⁹ as a public-private collaboration that offered free teleconsultation services, home delivery of medicines, and a feature to book Covid-19 tests. The service was suspended by the central government after the South Chemists and Distributors Association filed a petition at the Delhi High Court, which included complaints from close to 850 thousand brick-and-mortar retail chemists across the country alleging that the portal served as ​“a marketing tool for e‑pharmacies only and excluded marketing, distribution and sales by the offline chemists.”³⁰³¹

According to a MeitY press release, the Open API services portal, introduced in August 2020, allows organizations and business entities to ​“query the Aarogya Setu Application in real-time and get the health status of their employees or any other Aarogya Setu User, who have provided their consent for sharing their health status with the organization. Subject to the user’s consent, the API provides the name and the status of the user.”³² This will be discussed in detail in Pillar 2.

Aarogya Setu has a dedicated website which contains major notifications and press releases about it, an explainer on how the app works, myths about Covid-19, the total tally of confirmed and recovered Covid-19 cases, the official death toll, and more.³³ It also has an official Twitter handle which is routinely updated. Aarogya Setu is currently available in 12 languages, and the IVRS in 11.

State-Level Apps #

Aside from Aarogya Setu, the central government as well as different state governments have launched more than 70 apps with some states deploying multiple apps. As each of these apps is unique, and situated within the respective local ecosystem of the state, an in-depth analysis of each is outside the scope of this report. Instead, we will briefly analyze three functionalities, each with a focus on a different app.

QUARANTINE WATCH

By January 2021, the Government of Karnataka had launched nine apps to manage the pandemic: Corona Watch, Quarantine Watch, SRF ID, Containment zone, Yatri, Apthamitra, Health Watch, Daily Analytics and Reports Software, and Contact Tracing. The last three are for frontline workers.³⁴

The Quarantine Watch app can only be used by home-quarantined people in Karnataka who have been registered in the state’s official database.³⁵ The app requires users to answer a questionnaire to assess their symptoms, and to upload mandatory hourly selfies between 7 am and 9 pm to capture their GPS location, which is used to verify that they are quarantining.³⁶ The mandatory selfies are the reason why we have included this app in our analysis.

The app was made mandatory at various points. For instance, one of the guidelines in the ​“Revised Guidelines for Home Isolation-Home Care of Covid Positive Persons” issued by the state government on August 10, 2020, required those in home isolation to use Quarantine Watch and Apthamitra as well as Aarogya Setu.³⁷ Foreign returnees to the country were also required to download Quarantine Watch.³⁸ According to the ​“Revised Protocol for Inter-State Travelers” issued by the Government of Karnataka on August 24, 2020, monitoring through Quarantine Watch has now been discontinued.³⁹ However, at the time of writing, the app is still available on the Android Play Store.

CORONA WATCH

Corona Watch shows users the movement history of people who have tested positive for Covid-19 in the 14 days before their test.⁴⁰ According to publicly available information, one section of the app has a map display, with the current location of the user visualized as a blue dot, alongside indicators of the travel history of Covid-positive patients, and the exact dates and times of their visit. Reports also indicate that the locations shown include the homes of the patients. This feature is the reason why this app has been included in our analysis.

The app also provides users with information such as the nearest designated hospitals for treatment and centers for Covid-19 sample collection and testing.

CORONA VIRUS ALERT APP (COVA) PUNJAB

The Government of Punjab has launched a range of measures, both technological and non-technological, to deal with the pandemic.⁴¹ The COVA Punjab app was one such measure, and was the first Covid-related app launched in India.⁴²⁴³ A Covid Response Report by the state says that as of August 20, 2020, 11 other states have asked ​“for access to the App and its features.”⁴⁴ According to a tweet⁴⁵ by the Chief Medical Officer (CMO) of Punjab on March 28, 2020, the app was in the process of implementation in two provinces in Canada as well.

Based on publicly available information, the functionalities of the app are: a) geo-fencing of quarantined individuals; b) contact tracing of positive cases; c) identification of hotspots; d) allowing users to report mass gatherings and inter-state travelers in their locality; e) self-screening of symptoms; and f) display of government advisories, travel instructions, and statistics. The latest update of the app on Google Play Store allows users to obtain their Covid-19 test results as well. A recent government document also lists plasma donor registration as one of the functionalities.⁴⁶ The feature that allows users to report others is the reason we have included this app in our report.⁴⁷

While the contact tracing functionality of the app has not been described in the information available on the Android Play Store, official sources have listed it as one of the app’s features.⁴⁸ An official in charge of the app has stated that contact tracing and GPS-based tracing is done ​“using the data available with us through the application.”⁴⁹ The state is also using call record details of patients who have tested positive to trace anyone they might have had contact with in the 14 days prior to their test. There is very limited information available on the actual process of contact tracing used by the app. It has also been reported that the app uses a color coding for patients: ​“green for healthy, orange for suspect (cases) and red for confirmed cases.”⁵⁰ An official press release also mentions that the app is integrated with the ICMR platform, Aarogya Setu, and the ITIHAS platform.⁵¹ The functionality that allows users to report others is the reason we have included this app in our analysis.

Drones #

Drones, including ones equipped with AI technology, have been used by government authorities for various purposes during the pandemic, such as enforcing lockdown,⁵²⁵³ identifying curfew violators,⁵⁴ disinfecting public spaces,⁵⁵ thermal scanning,⁵⁶ and making announcements.

In April 2020, there were reports in the media that a task force called the National Drone Rapid Response Force (NDRRF)⁵⁷ had been formed to connect state officials with drone pilots. The task force was described as a ​“public-private partnership”, in which approximately 400 drones across 30 companies, as well as freelance drone photographers, worked with local administrations and law enforcement authorities in multiple cities across the country to enforce the lockdown, make announcements, and disinfect spaces.

Online Portals and the National Migrant Information System #

ONLINE PORTALS

One of the primary methods that nations used to combat the transmission of Covid-19 was the enforcement of physical distancing and mobility restrictions. This was true of India as well. In order to regulate travel, particularly during the lockdown, central and state governments introduced online portals and apps for people to apply for e‑passes, emergency passes, vehicle passes, or other confirmations (such as SMS messages) to be used as proof of permission to travel. Many of these measures continued to be in place even as the country slowly opened up. The e‑pass/​permit served as an indicator that the user had permission to travel for the specific reason mentioned in their application.

By the end of May 2020, at least 29 states and union territories had opened their own online portals where people could apply for these e‑passes for inter- and/​or intrastate travel.⁵⁸ Each state and union territory had different requirements, forms and self-declarations, mobility restrictions were imposed and enforced differently in all of them, and it appears there was no standardization of the kind of information asked. In some states, a separate link for registration was available for particular groups of stranded people, such as laborers, students, etc.⁵⁹

The National Informatics Centre (NIC) also designed and developed a centralized portal for the ​“e‑pass for movement during lockdown.”⁶⁰ As of November 20, 2020, there were 20 states and union territories listed on the national e‑pass portal, which suggests that at least 20 had linked their own portals to the NIC at some point. The portal directs the user to the respective state government’s website, and states that ownership of data would ​“lie with the respective state governments.” Powered by ServicePlus, the portal, as of November 20, says that it has received 4,424,934 applications, of which 1,798,346 were given permission to travel, 1,200,133 were being processed, and 1,426,455 were rejected. There is no information about when these counts were last updated, or why passes were rejected.

As the country moved towards reopening after the lockdown, the Ministry of Home Affairs issued a statement on August 29, 2020, that there would no longer be any restriction on inter-state and intrastate movement of people and goods, and no requirement for separate permissions/​e‑permits. They added that states and union territories were not to impose any local lockdowns outside containment zones without prior consultation with the central government.⁶¹ Though the NIC e‑pass portal is still up, many of the links to the existing state portals are non-functional.

THE NATIONAL MIGRANT INFORMATION SYSTEM

In addition to these online state websites for travel registration and portals, in the month of May a central repository named the National Migrant Information System (NMIS) was launched by the National Disaster Management Authority. This was in response to a humanitarian crisis that unfolded in the country once the lockdown was declared, as millions of migrant workers found themselves without a source of livelihood, hundreds of miles from their hometowns. Many of them were forced to journey home over the next few weeks, travelling across different states in order to do so. The NMIS was started to enable coordination between various states and transportation systems. The migrant crisis will be discussed in detail in Pillar 1 of the report.

Besides a letter addressed to the Chief Secretaries of all states from Home Secretary Ajay Bhalla, there has not been any other official documentation about the NMIS. Moreover, this system can only be accessed by state officials, and not by the general public. Thus, this report will rely on the information provided by the letter, the response to a subsequent Right to Information (RTI) request filed by MediaNama, and interviews with a senior government official and two members of a volunteer group that provided relief to migrant workers stranded due to the Covid-19 lockdown.

The letter from the Home Secretary described the NMIS as a central repository to ​“capture the information regarding movement of migrants and facilitate the smooth movement of stranded persons across States.”⁶² The letter also described the features and benefits of this portal as:⁶³ ​“Standardised system, seamless communication and coordination between different states, easy access to databases by Railways and other transportation management systems, generation of e‑pass through centralised system, easy monitoring of stranded persons etc.” It also notes that this system would help states visualize the number of migrants travelling in or out, and help states plan the logistics between themselves and the Ministry of Railways.

As for data collection, the letter said that state governments could appoint nodal officers at the state and district levels to upload data onto the portal. Alternatively, states could also share data through an API if the state already had a portal.

According to the annexes accompanying the letter,⁶⁴ states are required to provide the following information: ​“i) Name ii) Unique ID (to be generated from the NDMA System) iii) Mobile number iv) Aadhaar number⁶⁵ v) Age vi) Sex vii) Whether Migrant labour, student, tourist, pilgrim, etc. viii) Current address ix) Origin state x) Origin district xi) Residential/​permanent residence xii) Destination state xiii) Destination district xiv) States on the route (in case of bus journey) xv) Mode of transportation xvi) Bus/​train number xvii) Date of journey xviii) Coach number, in case of train xix) Expected date and time to reach destination.” However, according to the response received in the RTI filed by MediaNama, the states can upload the following information: ​“i) Name ii) Gender iii) Age iv) Mobile Number v) ID type vi) ID number vii) Migrant Origin District viii) Migrant Destination District.” The RTI also notes that it is not mandatory for states to upload the information.⁶⁶

PILLAR 1. APP RESPONSES AND ALTERNATIVE MEANS — PUBLIC HEALTH PERSPECTIVE #

The Indian Constitution mandates healthcare to be a state rather than a Central Government responsibility.⁶⁷ This makes the healthcare system in the country uneven, with a few states having more highly developed structures in place, while the majority lag behind.

India’s healthcare infrastructure is organized into primary, secondary, and tertiary levels: Sub-Centers and Primary Health Centers (PHCs) at the primary level, Community Health Centers (CHCs) at the secondary level, and Medical Colleges and District/​General Hospitals at the tertiary level. There is also a large network of sub-primary level community healthcare workers on the ground, instituted through programs that date back to 1977.⁶⁸ Currently, the largest group of community health workers are the over one million women who have been trained as Accredited Social Health Activists (ASHAs, which translates as ​“hope” in several Indian languages), through a National Rural Health Mission (NRHM) program that began in 2005. They are frontline workers tasked with the job of promoting access to improved healthcare at the household level,⁶⁹ in accordance with the NHRM’s mission, particularly in rural and ​“rurban” areas.

The Indian healthcare system is not new to pandemics or widespread public health challenges. Malaria, dengue, drug-resistant tuberculosis, chikungunya, leprosy, HIV, mumps, measles, and high maternal and child mortality rates, for instance, are only some of the concerns that it has been handling – with varying degrees of success – in the last seven decades. But Covid-19, with its high rates of transmission, has thrown the cracks in the healthcare system into stark relief. According to the MoHFW, the country’s doctor-population ratio was 1:1456 in August 2019, as against the WHO’s recommendation of 1:1000. They also state that the urban to rural doctor density ratio is 3.8:1, and that consequently, ​“most of our rural and poor population is denied good quality care, leaving them in the clutches of quacks.”⁷⁰ World Bank statistics from 2011 estimate that India has, on average, 0.7 hospital beds per 1,000 people.⁷¹

Even though public healthcare in India is funded by taxation and free for residents, the National Family Health Survey (NFHS‑3) of 2005-06, released by the MoHFW, states that private healthcare systems remain the primary source of healthcare for 70% of households in urban areas and 63% of households in rural areas.⁷² A study conducted on the same NFHS‑3 data revealed that the elderly, women, people who had lower levels of literacy, low-income communities, and other marginalized groups were more likely to use public healthcare than private.⁷³ Yet, according to a report by the Center For Disease Dynamics, Economics & Policy, most ICU beds and ventilators are found in private hospitals, with a high proportion of them concentrated in just seven states.⁷⁴

Early on in the pandemic, the central government as well as various state governments launched technological measures as part of their healthcare management efforts. In March, the Department of Science and Technology (DST) set up a Covid-19 task force for:

“Mapping of technologies from R&D labs, academic institutions, startups, and MSMEs to fund nearly market-ready solutions in the area of diagnostics, testing, health care delivery solutions, equipment supplies. Some of these solutions include masks and other protective gear, sanitizers, affordable kits for screening, ventilators and oxygenators, data analytics for tracking, monitoring, and controlling the spread of outbreak through AI and IT based solutions, to name a few.”⁷⁵

Public health experts contend that overall, the push for digital measures was happening without a parallel investment in the country’s basic health infrastructure. Dr. Thelma Narayan, an epidemiologist and health policy analyst, said:

“Why have we not invested in our public health system? People have been crying themselves hoarse on the need to strengthen the public health system. Why do Indians have one of the lowest… proportional GDP for health in the public health system? Ours is immorally and scientifically low, i.e., much below norms recommended by the WHO. It’s 1.1% of the GDP that goes to the public health system, and then you expect to counter pandemics. One can’t do that.”⁷⁶

Per capita government spending on healthcare has doubled from INR1,008 (approximately USD13.85) in 2015 to INR1,944 (approximately USD26.72) in 2020. However, the numbers are still low.⁷⁷ Rukmini S., an independent data journalist, stated that the lack of adequate administrative and health infrastructure had impeded the state’s ability to respond to the epidemic:

“The basic point that has been inescapable, but that of course the government has never owned up to, is that it simply lacks the state capacity to pull off most of the things that were essential, and that it seems to be indicating that it wanted to do – which is to increase both administrative and health infrastructure capacity, [which] are abilities that the Indian state currently just simply does not have. And you see it in the richest of cities, in Delhi and Bombay, for example, just the ability to create a dashboard of availability of beds took halfway into the pandemic to be able to get there. And it’s still not a reliable system, because of the huge range of vested interests and competing, conflicting interests that may govern healthcare in India.”⁷⁸

The nationwide lockdown announced on March 24, 2020 was ostensibly to help India’s underfunded, understaffed healthcare system prepare for Covid-19, as well as to prevent the system from getting overwhelmed. However, it led to several unintended public health consequences, as well as a larger humanitarian crisis of hunger,⁷⁹ and the escalation of gendered violence inside households, which reached a ten-year high.⁸⁰ Gunjan Singh, a labor rights lawyer based in New Delhi, said:

“Initially, you had hospitals closed, OPDs [Outpatient Departments] were closed, so all those people who wanted to have a routine check-up – people who had blood pressure issues, thalassemia patients, and a lot of HIV positive cases where people have regular medication – [couldn’t]. We had to file petitions for those services to be started – because they had just closed down everything to contain the virus. You need to have a better plan.”⁸¹

Others highlighted that data collection was critical to understand the impact of the virus and to respond adequately, and that the need of the hour was for simple, factual data from the ground. An epidemiologist with the ICMR noted:

“Terminologies like modeling, artificial intelligence, machine learning have zero role in terms of Covid-19, because it is not about technology, it is not about capacity, it is not about expertise, it is about data…The simplest expertise which is required, [at] the ground level, is to capture the actuarial factual data from the field. People are not concentrating there, people are concentrating on building models, building AI and all…For Covid-19 monitoring, we don’t require a…higher level of portal, we request [a] simplistic portal. What is simplistic? We collect actual data and factual data. Let us analyze very descriptive data − that is enough. Simple proportions, simple maps, not like kind of high funda maps, simple proportions, simple graphs, simple bar charts. And these are the things that [are] required. But many governments have heavily invested [in] multiple high funda portals, high funda maps, or GIS maps and everything.”⁸²

However, a senior government official stated that the lockdown, as well as the use of data and technology, had helped delay the peak of the pandemic, and given them time to prepare:

“I think the main advantages of the early action which the Government of India took, including the imposition of restrictions on movement and contact tracing and quarantining [people] suspected of [having Covid], and people at risk, all those. One of the main advantages was that it delayed the peak and gave hospital infrastructure time to be ready for responding to the crisis. Because if the number of cases which we saw later [had] come in March or April, then our infrastructure may have been at a very high stress. So we were able to delay the peak, that’s number one.

Number two, we were able to make the state government and district authorities aware about the hotspot or sensitive districts, so that they can make their strategy accordingly and they can use their resources in [an] appropriate manner. And the use of technology, it was perhaps for the first time in India that such use of technology was done. But then it gave us an idea about areas which can be at higher risk. In fact, we were even able to see [the] movement of specific suspected people and if they have gone into a particular gathering today or something like that. Since initially the number of cases was not very high, we could identify people who are at higher risk and warn them and advise them to get tested, right. Again, it gave us a very positive result, at least in the beginning.”⁸³

EFFICACY OF APP RESPONSES FROM A PUBLIC HEALTH PERSPECTIVE #

Aarogya Setu #

Aarogya Setu has been widely promoted by the government as India’s ​“bodyguard” against Covid-19.⁸⁴ In this section, we assess the design, features and functions of the app that are relevant from a public health perspective.

Contact tracing

For decades, contact tracing has been one of the cornerstones of communicable disease control in public health. Aarogya Setu was one of hundreds of apps that were released all over the world in the wake of Covid-19 for digital contact tracing.

The central government has maintained that Aarogya Setu has been an indispensable tool in its fight against Covid-19, and that by leveraging modern technology, the app has aided the efforts of medical and health professionals. An official press release dated May 26 described the app as ​“possibly one that has the most reach and impact compared to all other Covid-19 contact tracing and self-assessment tools combined globally.”⁸⁵

At the same time, the developers of the app have also acknowledged that there are limitations to what an app can do, particularly in the Indian context. In a webinar in April 2020, Arnab Kumar, Program Director at NITI Aayog, a government think tank, and member of the Aarogya Setu team, clarified that: ​“Smartphone-based contact tracing cannot replace manual contact tracing for a country as diverse as India.”⁸⁶ Some of the major challenges that have been pointed out by public health experts and epidemiologists, as well as the government’s responses to them, are discussed below.

a) Adoption of the app: Challenges and government responses

An international scientific consensus has emerged that the relative success of a contact tracing app depends on its uptake within the population. Though studies have shown that a critical mass of users is vital,⁸⁷ there is little evidence on the minimum percentage of users needed to ensure accuracy.⁸⁸

In India, members of Aarogya Setu’s development team have stated that the ​“effectiveness of the app would be limited unless a large number of people download the app,”⁸⁹ with one member arguing that ​“at least 50% of the population needs to download the app for it to be effective.”⁹⁰ This has been echoed by civil society members as well, who have questioned the feasibility of reaching such high numbers in a country where only about 40% of the population have a smartphone,⁹¹ and less than 36% have access to the internet.⁹²

One of the clauses in Aarogya Setu’s Terms of Service states: ​“You agree to keep the mobile or handheld device on which the App is installed in your possession at all times and to not share it with or allow anyone else to use it. You acknowledge that if you do so it could result in you being falsely assessed as likely to be infected with Covid-19 or not being assessed as such when you are.”⁹³ But in India, it is not uncommon for households to share a phone amongst family members.⁹⁴ These socio-economic realities, particularly for those who are marginalized, affect access to and the effectiveness of technologies such as a contact tracing app.⁹⁵

The developers of the app have acknowledged this issue. In an online webinar, one of them said:

“This being a function of social distancing, I think predominantly we have a lot of rural districts, and the spread has been in metros first as you see in Delhi, Madras, Chennai, Hyderabad, Bengaluru, large cities, and then tier B cities. So, we are going to get this app done in many of the congested areas and densely populated areas even within cities, then I think that would be an excellent contribution. Rather than saying that the entire country of 120 crores [1.2 billion] should have the app, if we say that, within one particular area of this population density, highly congested areas, if those areas get it, I think that will certainly reduce the incidence…We agree that we need a lot more members to use it to make it effective, but effectiveness cannot be just a percentage of the population, but [rather] a percentage of the distribution of the population. And the density of the population…We still believe that once the congested areas get this, at least Wave 2 can be stopped in a very constructive way.”⁹⁶

The issue of uptake is also gendered, given that women in India are 20% less likely than men to own a mobile phone and 50% less likely to use the internet.⁹⁷ While this will be discussed in detail in Pillar 3, it is important to note the public health ramifications of what is one of the largest mobile gender gaps in the world.

Disability rights activists have pointed out that the app is inaccessible for people with disabilities.⁹⁸ The Vice-President of the National Association for the Blind, Dipendra Manocha, said: ​“If you exclude the disabled population from something as critical as this, you are putting not only them but the entire population at risk. It can have a huge impact on the government’s Covid response.”⁹⁹ The Rights of Persons with Disabilities Act 2016 makes it mandatory for the government to provide all information in accessible formats for the benefit of people with disabilities, but there have been no reports of any modifications having been made to the app.

The app also requires users to be able to navigate the technical features of the phone, since for efficient contact tracing, the app recommends that Bluetooth and GPS location be turned on. Certain sections of the population, such as the elderly, may find it challenging to navigate these requirements.

One of the government’s bids to make the app more accessible has been the Aarogya Setu IVRS feature for feature phone and landline users.¹⁰⁰ There is no publicly available information on the number of users who have accessed this self-assessment system. But as per the FAQ section on the app’s website, those who report that they are unwell through their self-assessment get calls from doctors, as well as from Ayushman Bharat Yojana, which is a health insurance program implemented by the National Health Authority (NHA). This will be addressed in Pillar 2.

Early on in the pandemic, the government had made Aarogya Setu mandatory for all residents of containment zones, as well as all public and private sector employees.¹⁰¹ However, civil society members pointed out that making it mandatory violated the spirit of the consent-based agreement that users sign when they register on the app. The government order was amended, making it voluntary, though there have been several instances since of the app having been made mandatory or strongly recommended by different central and state government bodies, as well as by and private institutions.¹⁰²

The pushback against the mandatory nature of Aarogya Setu also indicates that in an emergency context – and possibly especially then – governments need to engender trust and transparency to ensure the support and cooperation of their people. In other words, the adoption of the app would also depend on the level of faith people have in the system.¹⁰³ Aarogya Setu has been under international scrutiny over privacy concerns over the last few months, with various claims that the app lacks transparency and is intrusive.

This will be addressed in detail in Pillar 2. An Aarogya Setu Volunteer¹⁰⁴ stated that building trust amongst the public was a vital and difficult part of their work:

“[Trust] is a very tricky affair because [in order] for me to show that this is effective, I need the people to install it, and for the people to install it they need to know that it is good for them… Sometimes [people] should believe that ​‘Okay, so many people are involved. There is a problem in hand. Let us try and see.’ See, the government did not mandate it. They have certainly valued the privacy and freedom of citizens even during the critical pandemic.”¹⁰⁵

They stated that concerns about data privacy and security of the app had affected its usage and downloads:

“Today, we are having 16.73 crore [167,300,000] users. It is the largest downloaded software, but it could have been 30 crore [300,000,000]. This type of sudden noise actually made the whole process [difficult]. It was unfortunate that people were given this fear saying that if you install Aarogya Setu, [there will be] surveillance etc., that type of fear. [But] you can delete that app any moment you want, you can delete and reinstall it anytime you want. What more can we do? So, all this is a big lesson. We don’t want this. This stupid pandemic should end in these next few months. But, beyond this, the next century, again, [if] something ever comes, next century people should understand what is happening and not make the same mistakes.”¹⁰⁶

We asked epidemiologist and health policy analyst Thelma Narayan if a contact tracing app with a sturdy privacy and data sharing protocol would be a useful public health measure from an epidemiological point of view in India. She replied:

“No, it would not. One has to keep in mind that the smartphone users don’t cover the whole population. It automatically leaves out, not just the homeless, but a huge number of people who don’t have smartphones. From an epidemiological point of view, you’d want to have more or less wide coverage… I don’t think digitization, which is promoted by a particular lobby, is actually going to help.

Additionally, besides the issue of access, digitalization is accompanied by a range of other issues. These include significant anxiety and loss of self-confidence which affect the mental health of senior citizens, persons with disabilities, and large section of the society. It can also be widely misused. Thus, it contributes to a widening of the equity gap.”¹⁰⁷

Sunita Bandewar, a bioethics expert, also echoed this, saying:

“If you look at the utility and the effectiveness or the efficiency of these apps in terms of meeting the goal, it is also linked to the adequate number [of users]. If everyone is not using the app, for whatever reason, [then] that is also a very solid ground to discontinue the app. That is a question that is being raised in the bioethicist community: what is the use of this app if we are not able to achieve that critical mass of users?”¹⁰⁸

Government officials have continued to express deep confidence in Aarogya Setu, and the role it has and will continue to play in pandemic management in India. Aarogya Setu Volunteer #1 said:

“Today, I can basically handle disease spread if people [download it]. Even now, it’s not [too] late. The whole world is seeing Wave 2.0. India can come out of Wave 2.0 if everyone installs Aarogya Setu.”¹⁰⁹

b) Bluetooth-based contact tracing

The app relies on Bluetooth technology as well as GPS location data for contact tracing, syndromic mapping and, as per the app’s website, for extending medical services and for disinfection of places travelled to by Covid-19 positive patients. An Aarogya Setu Volunteer explained why Bluetooth was chosen for contact tracing:

“The best proximity evaluation that could happen today is Bluetooth. And that is already available. We [didn’t] want to do something new. Something that people already have, some device [which people already have], can we also use it for this purpose? And if you look at it, Bluetooth was the best candidate.

We can measure two things: how close two phones in which Bluetooth is enabled are, and how long were they at this distance. So Bluetooth actually gave a good solution for our sensing problem.”¹¹⁰

About a month after the app was launched, Arnab Kumar stated that insights drawn from Bluetooth-based contact tracing had been useful for framing subsequent public health responses:

“The insights generated by Aarogya Setu in the last six weeks have been incredible. More than 100,000 people have been alerted of their possible risk of infection – low, moderate or high, based on Bluetooth-based contact tracing – and suitable medical facilities have been extended to them. The efficacy of testing based on initial recommendations from Aarogya Setu is many times higher than any other protocol followed globally. In addition, we have identified several potential emerging and hidden hotspots across the country.”¹¹¹

Most digital contact tracing apps released all over the world in 2020 use Bluetooth technology. The European Commission has also recommended the use of short-range technologies such as Bluetooth for contact tracing.¹¹² (However, it also cautions against the use of GPS, as in the case of Aarogya Setu, for reasons of privacy protection. This will be addressed in Pillar 2.) Nevertheless, from a public health perspective, the very inventors of Bluetooth technology have raised concerns about it being used for contact tracing, citing its inaccuracy in determining distance and how its signals are absorbed by everything from human bodies and clothes to walls.¹¹³ This concern has been raised by other experts as well, who have pointed out that apps that exchange digital handshakes through Bluetooth could notify people on different floors of an apartment building that they are at risk, even if they have not been in contact with each other, because it registers as a proximity event due to Bluetooth signals.¹¹⁴ Even the orientation of your phone makes a significant difference: if your phone is standing up in your pocket, portrait rather than landscape, it can make it look as if somebody across the room is just a couple of feet from you.¹¹⁵

Shubashis Banerjee, Bhaskaran Raman, and Subodh V. Sharma, Professors of Computer Science and Engineering at the Indian Institute of Technology Delhi and Bombay, have echoed several concerns about the reliability of these technologies in their assessment of Aarogya Setu, specifically about the possibility of false positives and false negatives.¹¹⁶ They point out that ​“it is unclear what interval rate of radio transmission is adequate for effective risk assessment of direct person-to-person infections,” and that too frequent transmissions will drain batteries, while too wide gaps in time will lead to false negatives.¹¹⁷ They also note that the risk of false positives/​negatives also exists when there is an inaccurate representation of the distance. For instance, signals picked up over a large distance may not be reflective of the true risk, leading to a case of false positive. Third, the Bluetooth-based proximity sensing that Aarogya Setu relies on is not sufficient to account for the indirect transmission of the virus, such as through contaminated surfaces.

Receiving multiple alerts that turn out to be false could lead to warning fatigue, and lead people to dismiss the app’s notifications. On the other hand, a false negative could also create a false sense of security, and lead individuals who have already been exposed or infected to continue interacting with others and accessing public spaces, thus increasing the risk of the virus being spread. Banerjee, Raman and Sharma concluded that this over-reliance on Bluetooth and GPS may do more harm than good, especially with the low numbers of smartphone users in India:

“Such high noise may actually create confusion and detract from the main effort by sending administrators and policy-makers on a wild goose chase. It seems entirely unlikely that such apps can do anything for estimating risk of infection at the micro-level that local community-based manual contact tracing cannot do much more effectively.”¹¹⁸

The app’s Terms of Service recommend that users keep their Bluetooth on at all times for the app to efficiently record Bluetooth contacts. Experts have flagged that this could lead to draining of the phone battery, and potentially discourage people from using the app. The ​“Frequently Asked Questions” section of the app’s official website addresses this concern and clarifies that the app uses a Bluetooth Low Energy (BLE) variant, which does not drain the phone’s battery, and that continuous efforts are being made to increase the app’s energy efficiency. Though there are possible exceptions, the BLE variant that many contact tracing apps – including Aaroya Setu – use has been standard in most phones, across operating systems, since 2012.

The developers of the app are also cognizant of the technical limitations of Bluetooth,¹¹⁹ and have stated that extensive testing was carried out prior to launch, across thirty smartphone models, keeping in mind India’s diverse phone base, to account for these performance issues. In an online webinar,¹²⁰ in response to a question about the efficacy of Bluetooth, one of the app’s developers mentioned that they use a slightly more pessimistic model when it comes to assessing risk based on Bluetooth tracing, so that no one is left out, and more testing is carried out.

An official press release dated May 26, 2020, states that the app has helped in the identification of 500 thousand Bluetooth proximity contacts. Additionally, it says:

“Those who were identified as Bluetooth contacts of Covid-19 patients or are needing assistance based on their self assessment, are contacted by the National Health Authority. So far, the platform has reached out to more than 900,000 users and helped advise them for Quarantine, caution or testing. Amongst those who were recommended for testing for Covid-19, it has been found that almost 24% of them have been found Covid-19 positive. Compare this to the overall Covid-19 positive rate of around 4.65% – 145,380 Covid-19 positive from a total of 3,126,119 tests done as of 26^th May 2020. This clearly illustrates that contact tracing is helping focus efforts on those who need testing and this will greatly augment the efforts of the Government in containing the pandemic.”¹²¹

Subsequent press releases from the government have continued to document similar success stories. According to a press release on the app’s Twitter page on October 28, almost 25% of those who had been traced using the app and had been advised to go for testing had indeed tested positive.¹²² A similar statement was made on August 22, in which the percentage of accuracy was identified as 27%.¹²³

ITIHAS and hotspot-mapping

One of the primary stated objectives of Aarogya Setu is syndromic mapping and hotspot prediction. On May 11, 2020, in a press briefing by the Chairperson of the Empowered Group on Technology, a reference was made to the name ​“ITIHAS” in the context of identifying ​“probable areas of infection.”¹²⁴ While there was no additional information regarding what ITIHAS was, he also added that an app had been developed for field officers to view hotspots and containment zones on a map.¹²⁵ While the app was not mentioned by name, desk research indicates that it may be the Sahyog App.¹²⁶

Figure 1. Image Courtesy of a Presentation by the Chairperson of the Empowered Group on Technology, May 11, 2020

On May 13, in an op-ed piece, Rahul Matthan, who heads the legal team behind Aarogya Setu, said that by ​“analysing the location history of the infected and aggregate self-declared symptoms of users collected via the self-assessment feature on the app, the team has been able to forecast over 650 hotspots across the country at a sub-post office level.” He also said that 130 of those hotspots had been officially declared as such by the Union Health Ministry 3 to 17 days after they were first identified by the Aarogya Setu team.¹²⁷

On July 24, the Directorate General of Health Services issued an order to Chief District Medical Officers and Surveillance Officers of all districts, stating that Aarogya Setu would be combined with an ​“IT-driven tool” named ITIHAS, for cluster projection. The order also mentioned the full name of ITIHAS – IT-enabled Integrated Hotspot Analysis System – and said it was meant to boost the surveillance of Covid-positive people, and improve contact tracing. It added that the ITIHAS system was anchored by MeitY, and that it was ​“capable of tracking the movement of the cases and their contacts. The system is capable of projecting a cluster development in 300 metre geography.”¹²⁸ Newspaper reports from the end of June indicate that the tool was first used in Gujarat as early as May 2020, and subsequently in multiple states all over the country.¹²⁹

We asked Aarogya Setu Volunteer #1 about ITIHAS, as information about it is still thin on the ground. They responded:

“ITIHAS is nothing but the backend of Aarogya Setu. ITIHAS collected Aarogya Setu information, and performed syndromic mapping and hotspot prediction. This data that we are collecting, we put it to good use in terms of mapping hotspots. [ITIHAS] basically collects all the self-assessment, [and] from the location information, it does the mapping on to this sub-post office level. And then there are designated health workers across the country, designated by the health department of every state. They are given login to this portal, and they get this information.

… So say, in this particular location…we noticed there are so many self-assessments coming today. So, this place has some issues…So let’s go and do some testing there. This is called syndromic mapping. We were able to find out these hotspots, go to these hotspots. Catch early, contain early was the thing.”¹³⁰

Another volunteer from the Aarogya Setu team added that they had always known that the generation of heat maps was critical:

“As much as contact tracing was useful, it had its challenges. We knew it up front, because no more than 50% of the population of the country has smartphones, and you need smartphones in order to be able to do this. And then even at that we are a billion people and at its height, there were 160 million people who used Aarogya Setu, and the numbers just don’t add up. You need maybe not 50% of the population to have a contact tracing app for it to be effective, that’s what some people say; maybe it’s still effective at, you know, 20 – 30%, but we are still short of that number. And there were challenges with that. So, as much as contact tracing was interesting, to me, it was the heat maps that were always going to be the more effective way of doing this.”¹³¹

Various press releases from the government have continued to echo claims of the app’s success with regard to helping in early testing and identification of hotspots, which has helped to channel medical interventions more efficiently:

“This approach of syndromic mapping, a novel approach of combining principles of path tracing and movement patterns of Covid-19 positive people, population level epidemiology modelling and the prevalence of Covid-19 in different regions of the country, the Aarogya Setu team has identified more than 3,500 hotspots across the country at sub-post office level. The Aarogya Setu data fused with historic data has shown enormous potential in predicting emerging hotspots at sub post office level and today around 1,264 emerging hotspots have been identified across India that might otherwise have been missed. Several of these predicted hotspots have been subsequently verified as actual hotspots in the next 17 to 25 days.”¹³²

While the government has released data on the number of hotspots and the associated benefits of identification, it has not released any specific information on where these hotspots are, or what action was taken in these locations. One of our interviewees, an independent journalist and researcher who works on privacy and cybersecurity, pointed out:

“Mr. Abhishek Singh, who’s the CEO of [the] National eGovernance Division (NeGD), [had] said that we [have] tracked so many hotspots, but we have never been told the names, despite asking: Which were these hotspots that you predicted, and therefore prevented from happening? So there’s a lot of opacity around that. And that’s quite concerning.”¹³³

An epidemiologist with the ICMR said that using Aarogya Setu’s data for hotspot prediction was important to attempt, even if no one could be sure of the reliability of the results:

“I would say it is a good exercise. [If we have data from] even 10 percent of [Aarogya Setu] users, [then that is] 1.2 million [people]. It is a very good number. It’s very good data, which is worth analyzing. The reliability of this, no one knows the answer. No one knows the answer, whether that is really valid data, no one knows the answer. But it’s worth the training and exercise, there is a lot of learning, in a pandemic, it is a process of learning, there is no one [who] knows a concrete answer. Things have fallen, and the systems have collapsed. So in a pandemic situation, it is worth trying everything, if the data is factual. With the factual data, it is really worth trying.”¹³⁴

During a speech in October 2020, Tedros Adhanom Ghebreyesus, the Director General of the WHO, spoke about various digital technologies that were being used the world over to combat Covid-19, and mentioned Aarogya Setu as well, saying that the app had ​“helped city public health departments to identify areas where clusters could be anticipated and expand testing in a targeted way.”¹³⁵

Self-assessment test of health status

In addition to contact tracing, Aarogya Setu allows users to self-report their symptoms through a questionnaire based on guidelines issued by the ICMR. The app was updated to include a feature that allows users to view the number of people who had taken a self-assessment test in their vicinity, as well as the number of those who are unwell based on the self-assessment.¹³⁶

Public health experts and other civil society members have pointed out that the effectiveness of public health measures that rely on self-reporting depends on users answering the questions truthfully. An independent journalist and researcher noted:

“A lot of it, of course, is dependent on people being truthful in these self-assessment tests. But if I’m a Zomato delivery driver, and I know that my job during a pandemic is dependent on me having the green status or having a clean status in this particular app, chances are that I would start gaming the system. Maybe I coughed 10 times today, but I won’t let the system know. I wouldn’t blame the person because he or she also has to earn and we know the economy is down in the dumps. It’s affected people belonging to working classes disproportionately more than it has affected people in the service class. So how do you make this work?”¹³⁷

An epidemiologist with the ICMR also stated that all self-reporting is inherently subjective:

“All self-reporting is subjective. So the answer [to your question on how factual self-reporting is] is that because it is not factual, that by design, we accept that uncertainty.”¹³⁸

Calculating and displaying the risk status of a user

While the self-assessment test is one of the app’s main features, it is important to note that users cannot choose their health status on the app (Green/​Yellow/​Orange). They can, however, choose to report themselves as Covid-positive (Red). The app uses an algorithm to calculate the probability of infection risk, and then categorizes users based on a range of factors, including the result of the self-assessment as well as contact tracing data. While there is no information in the public domain about the exact nature of the algorithm, the developers of the app have said it was created ​“by a set of experts who understand mathematics, population level statistics, epidemiology, medical doctors,” with insights from ICMR.¹³⁹

Arnab Kumar highlighted that while there have been success stories, the team acknowledged certain constraints to the algorithm’s success, noting that the model is continuously updated. In response to a question on the reliance on an algorithm, he stressed that:

“This assessment was a ​‘probability of risk’ and not a ​‘possibility of risk.’ People need to understand that. The true indicator of whether you have Covid or not is a (medical) test. What we are trying to do is help you with intelligence. And people should understand, including people in civil society, we are not trying to solve everything through one app. That is not possible at all. It is a technology solution for intelligence.”¹⁴⁰

Users do not need to mark themselves as Covid-positive (Red) as the app can do that automatically, using ICMR data. Aarogya Setu Volunteer #1 explained that while this feature has been met with criticism, citing MIT Technology Review​’s study of contact tracing apps from around the world,¹⁴¹¹⁴² this had been adopted on purpose, based on a number of practical considerations:

“[They said] ​‘A’ should come and self-declare that he is positive. Now, we started evaluating [our] options. Day in and day out, we are getting fake news, fake information, so many things. The flip side of this is that, suppose [if] I want to create chaos in society, I can install Aarogya Setu and go into a large crowded area. And by standing there, I am getting exposed to 500 people. Now, I [could] go and self-declare myself as positive and all those fellows will get warnings. By [doing] this, you can create chaos in society. So we weighed these two options. We found that the first option is better. Let a centralized system take the [information] from an authentic source and certify that somebody is positive.”¹⁴³

However, an option for users to upload information about their samples having been collected for testing, or to mark themselves as Covid-positive, was introduced in late April 2020. Officials have also stated that follow-up calls from medical professionals are made to those who do so, to ensure a greater degree of certainty. The following image from a presentation by the Chairperson of the Empowered Group on Technology demonstrates how this is done:

Figure 2. Image courtesy of a presentation by the Chairperson of the Empowered Group on Technology

Since users have very little control over their health status on the app, it is important to note that both false positive and false negative cases have been reported. While it is difficult to ascertain the exact reason behind each case, this raises concerns about the efficacy of the app.

In one case of a false positive, a woman was moved to a quarantine facility based on an alert generated by the app.¹⁴⁴ She eventually tested negative and was released. She maintained that she ​“did not upload anything about her medical history, and neither had she received any notifications from the app regarding her condition.”¹⁴⁵ In another case, a couple was incorrectly declared Covid-positive by the testing center, leading the app to update their status. It was reported that the app continued to show them as positive even after their health status was clarified, and they eventually lost out on a job opportunity owing to this.¹⁴⁶ There have also been reports of the app not showing positive cases in the vicinity, even though someone was known to have tested positive there.¹⁴⁷

Additionally, the mobile phone number that users provide at the time of registration on the app is the one that is checked against the ICMR database of Covid-positive patients. An incorrect number at any stage could result in misidentification, since the app determines the health status of the user. In an interview, on being asked whether they had received any grievances or complaints regarding the functioning of the app, Aarogya Setu Volunteer #1 had this to say:

“Sometimes what happens is [that] if the aged father is admitted, the mobile number of the son is given. When the son carries the [phone with] Aarogya Setu, it shows that he’s infected. This type of issue comes [up] and it’s immediately addressed. This is [similar to] when I give my mobile number for my father because he doesn’t have a mobile, and [his] test results are coming to me, and not to him. I think this is one major thing that you know, some people, even my friends, called me and said, ​‘Sir, this is the problem’, and within 15 – 20 minutes it is fixed.”¹⁴⁸

They added that this was the nature of the most frequent complaints they had received.

Reviews written by users of the app on the Android Play Store also reflect similar challenges. In a few reviews, users mentioned that the app continued to show them as positive days after they had tested negative. Since the app reviews cannot be verified, they cannot be seen as conclusive evidence. But it is noteworthy that several users seem to report similar issues, as well as feeling anxious as a result of the inaccurate information provided to them by the app. A sample of the most upvoted comments on the version of the app in use in November 2020 is shown below:

Figure 3. Screenshot of most upvoted positive comment (November 2020)

Figure 4. Screenshot of most upvoted negative comment (November 2020)

Despite these various concerns and acknowledgement of the issue by the Volunteers, a clause in the app’s Terms of Service absolves the government from liability.¹⁴⁹ Clause (6) states: ​“The Government of India will make best efforts to ensure that the App and the Services perform as described but will not be liable for (a) the failure of the App or the Services to accurately identify persons in your proximity who have tested positive to Covid-19; (b) the accuracy of the information provided by the App or the Services as to whether the persons you have come in contact with in fact been [sic] infected by Covid-19.”

Civil society members have pointed out the opacity around the algorithm the app uses to calculate the ​“risk” factor of an individual,¹⁵⁰ which will be further discussed under Pillar 2 of this report. An interviewee argued that one of the issues with relying on an algorithm, especially when it comes to healthcare, is that it is likely to provide an incomplete picture:

“In the US, there has been a lot of research, that even when you are taking symptoms in person and are not using computers etc., or data points etc., there tend to be inherent human biases against, say, black women, which is why once black women go to hospitals, they tend to have a higher death rate, followed by black men, because their symptoms aren’t treated seriously. Now, if those inherent biases – in the case of India, these would be religion, casteist biases – [get] into the system, then it’s going to get even worse, people are going to come to certain conclusions. For instance, let’s say I have an area from where I’m getting all this information. Oh, there are a lot of people who have heart disease in this area, or have hypertension. You map it against the location. And it turns out, it’s a Muslim dominated [area]. It’s entirely possible that the reason for those heart diseases could be something completely different. Maybe environmental conditions, maybe a hundred different things, maybe social conditions because you are living under so much stress of being persecuted as a minority in the country. You develop those diseases. But what is the conclusion that people might arrive at? ​‘Oh, that’s because they eat so much red meat.’ Is that the correct conclusion to come [to]? Possibly not, because it also depends on who’s doing the concluding. So whenever we talk about data and algorithms and fancy high tech, things like that, we tend to forget the human element of it. We tend to forget that these are not just technical systems, but socio technical systems. Therefore, the social aspect cannot be forgotten, ever.”¹⁵¹

Display of statistics based on live location

According to the app’s FAQ, it displays the following statistics calculated based on the phone’s live location: ​“i) Number of users within X distance from your location who have taken the self-assessment test ii) Number of Aarogya Setu Users within X distance from your location iii) Number of users within X distance from your location who have indicated one or more of the three symptoms for Covid-19 iv) Number of users within X distance from your location who have been tested Covid-19 positive v) Number of users within X distance from your location who have come in direct contact with someone [who] has been tested Covid-positive.” The user can select the value of ​‘X’ from the following options: 500 m, 1 km, 2 km, 5 km, 10 km.

Subhashis Banerjee, Bhaskaran Raman, and Subodh V. Sharma have raised concerns about possible stigmatization that could arise from displaying the infection risk within a certain radius:¹⁵² ​“Aarogya Setu reveals an estimation of ​‘infection risk’ within a radius of 10 – 500 m to its users. This seems unwise when the stigma and fear have grown larger than the disease, and there are several reports of doctors, service staff, as well as members of vulnerable communities being targeted and stigmatised for fear of spreading the virus.”

An interviewee, too, mentioned that this feature could lead to unintended consequences, especially in remote areas where the density of population is low:

“If you go into more remote parts of the country, just to give you an example, maybe Jharkhand, or maybe a place in the North East, in 500 meters, it’s entirely possible that maybe just 10 people live [there]. So then it’s quite easy to figure out who has the disease, who has the app, who’s taken a self-assessment test, etc. And then, depending on what the ruling structure is, in that particular area, you may or may not be a) persecuted for having the disease, b) for having the app, c) shamed for not having the app or not taking the self-assessment test.”¹⁵³

While there is no publicly available information on any case of stigmatization resulting from the display of this information, there have been reports of panic being spread in a particular vicinity due to a status on the app.¹⁵⁴¹⁵⁵

Collection of personal data

At the time of registration, Aarogya Setu collects certain personal information, aside from the user’s GPS location. According to the current privacy policy,¹⁵⁶ the app collects: i) name, ii) gender, iii) age, iv) profession, v) countries visited in the last 30 days, and vi) willingness to volunteer in times of need. This information is encrypted and stored on the Aarogya Setu server.

According to the privacy policy, the information collected at the time of registration will ​“only be used by the Government of India in anonymised, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of Covid-19 in the country or to provide you general notifications pertaining to Covid-19 as may be required.” Furthermore, it states that the ​“DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with Covid-19 and/​or to provide persons carrying out medical and administrative interventions necessary in relation to Covid-19, the information they might need about you in order to carry out such interventions.” It is not clear specifically what functions are included in these categories.

However, data security experts have expressed concerns about the volume of personal information collected by Aarogya Setu. In our conversation with Aarogya Setu Volunteers, they offered their explanations for the collection of personal information. For instance, Volunteer #1 had this to say about why the app collects the name of the user:

“Why are we asking your name? Because when I call you and say ​‘Hello [name of person] madam,’ that [adds] a small personal touch. What is wrong if somebody knows that it is [name of person’s] mobile number?”¹⁵⁷

One of our interviewees narrated their experiences from the field, and said that referring to patients by their names can indeed help build connection:

“When I had gone along with the field people, they would call the name, [name] Didi please come out. Now, when you see this from a different [perspective], [then] oh my god privacy is lost. In terms of other aspects…in terms of care, it matters when I come and say okay [name], please come on out. Then, all these things will be different…I’m coming here to really take care of you is what actually matters to you. This is a trade-off, always. To see both sides of the coin.”¹⁵⁸

However, they also mentioned that identity information such as name does not serve an epidemiological purpose, and that other kinds of granular data were more important:

“We need to keep it very simple, which means you should not tell people to collect some 20-odd information which you are not going to analyze, which you are not going to use. Whatever [is] the information I am going to analyze, [that] only we have to capture. For example, from [an] ethics point of view, and…from epidemiological point of view, we don’t [collect] names of any [persons/​patients]. We’re not going to analyze it.

… We need to maintain a patients’ listed database at the ground level. Whereas when at the top level, when we are analyzing it, identity information is not required. But, however, [we do need] some amount of granularity related to the residents, not exactly which house, but we require [information] on which area it is.”¹⁵⁹

There had also been questions raised regarding the app collecting information on profession and age. Aarogya Setu Volunteer #1 offered the following explanation for this:

“…On profession, [if] somebody is working in the bank, somebody is working in the health department, somebody is working in a place he has to go every day, at some point we also thought that, you know, these people can be given…suppose you want to give them protection at some point. Tomorrow suppose the vaccination comes, we would like the bank workers to get it first. If they [get] Covid, you will not withdraw money. And so that is the reason why we ask for the profession. If you are a public health worker on the frontlines, then they will be getting some protection. It is a public health matter and we are in a crisis.

…. Why age? Above 65, it’s affecting badly…There are 1,000 calls at peak. [Out of] this 1,000, whom should I call first? A 70-year-old, not a 30-year-old young person who has no comorbidity.”¹⁶⁰

Aarogya Setu’s use of Bluetooth as well as GPS location data has also been a point of contention amongst both international and domestic civil society members as another instance of its excessive collection of data.^161162163 This will be addressed in detail in Pillar 2. However, Volunteer #1 said that GPS location data were helping them send timely medical interventions, especially for those who need it the most:

“…Even today we are getting around 40,000 self-assessments per day which need to be handled, and which have more than two symptoms. There are a lakh [100,000] self-assessments…[of them, the ones] with more than two symptoms is where they are very clear that we need to get them immediate medical attention. We are getting 40,000 per day…40,000 a single agency cannot call, and we need to reach also. Suppose, [if] somebody’s in real [trouble], with breathing difficulty, we want the ambulance to reach them…Unless we collect this location information we can’t do any follow up activities. That is precisely the reason why we are collecting location information.”¹⁶⁴

The FAQ on the app’s website states that GPS location data are used to predict hotspots. It goes on to list a few additional rationales for the use of GPS:

“GPS helps to not only identify users who have come in contact with each other but also to trace the paths that infected persons have traversed, so that the authorities can take necessary action to sanitise the areas traversed by the infected person and also identify persons in those areas who might have been infected even though they have not been identified as contacts on the Aarogya Setu app.”

There is no publicly available information about whether such sanitization drives have been undertaken based on the app’s data, or whether other users have been alerted based on the routes travelled by Covid-positive patients.

The ICMR epidemiologist had the following to say in relation to the use of location data in the app, indicating that it was an important factor as it provided factual information:

“There is an objectivity in Aarogya Setu, which is location [data]. That is objective information, we cannot defy it. And how many people come into close contact with another person having an Aarogya Setu app. Those are all objective. That is the biggest success of technology. Technology reduces the subjectivity, [and] it increases objectivity.”¹⁶⁵

These issues provide context for why discussions about the app’s collection of personal information tend to refer to the ​“excessive” data collection by the app, even as the developers of Aarogya Setu provide public health rationales for some of them. The debates regarding the proportionality of data collected could be indicative of the level of public trust in the app.

State-Level Apps #

QUARANTINE WATCH

On March 30, 2020, news outlets reported that Karnataka’s Health and Medical Education Minister, Dr. K. Sudhakar, had announced in a press release that all home-quarantined persons would be required to send hourly selfies using the Quarantine Watch app. The press release states: ​“If home quarantine person fails to send selfie every one hour (except sleeping time from 10 PM to 7 AM) then the government will reach such defaulters and they are liable to be shifted to government created mass quarantine [sic].” It also said that the selfie would contain the GPS coordinates of the sender.¹⁶⁶

At the backend, these GPS coordinates are used to verify the exact location of the users, enabling the administration to check if users are indeed complying with home quarantine rules. Munish Moudgill, Head of the Karnataka State War Room, which co-ordinates the state’s Covid-19 management efforts, has explained that the selfies go to a district verification team, which analyzes the selfie ​“visually” as well as using the geo-tag.¹⁶⁷ In a scenario where the location does not match the designated location, an alert is issued¹⁶⁸ by the system and further action is taken against the defaulter.¹⁶⁹

There have been multiple news reports of individuals breaching home quarantine or by-passing the rules in Karnataka, which raises public health concerns.¹⁷⁰¹⁷¹ Officials have indicated that this has been a challenge for them. In this light, an app that requires hourly selfies from the user along with the verification of GPS coordinates may discourage individuals from breaking quarantine.

On the other hand, researcher Rohini Lakshane has pointed out two possible issues with the app’s reliance on selfies.¹⁷² First, it may be possible to falsify the metadata of the photo, such as the timestamp and GPS coordinates, rendering the collection of selfies meaningless.¹⁷³ The second issue is the inaccuracy of GPS, which can be off by up to a kilometer, subject to variables such as the quality of the internet connection.¹⁷⁴ There have also been a few reports of technical glitches in the app. For instance, it was reported that in at least one case, the individual concerned was unable to upload their selfie as the app did not display the option to do so.¹⁷⁵ In all these instances, individuals could be penalized and sent to mass quarantine centers through no fault of their own.

Additionally, civil society members have questioned how the government had decided the bedtime for every single person in quarantine, and asked how possibly unwell citizens were supposed to send selfies every hour, since it would mean that they could not sleep for longer without risking being sent to the mass quarantine center.

Several people have also taken to Twitter in the wake of the government order to raise questions about the feasibility of such an app, including concerns about the lack of smartphones amongst a majority of the population, the ability of individuals to still bypass the system, the ability of government officials to verify such an enormous number of images, and so on. Regarding the latter concern, Moudgill has been quoted as saying that while this may seem ​“tedious in practice, a single person can evaluate 750−1,000” photos per day.¹⁷⁶

While the app was intended to ensure compliance, statistics from the Karnataka State War Room website show that the percentage of users who sent selfies is very low.¹⁷⁷ Though it is unclear when the data were last updated, the extent of compliance is only 0.05%.¹⁷⁸

Mandatory selfies have been criticized as an invasive measure, which could be one of the reasons for this low compliance. These concerns will be evaluated under Pillar 2 of this report.

CORONA WATCH

Some state-level apps display private information for all users to view. This section will evaluate this functionality from a public health perspective, in the context of Corona Watch.

Corona Watch shows users the places where Covid-19 patients have been in the 14 days before they have tested positive, along with the exact date and time.¹⁷⁹ News sources state that on the app, upon selecting the option to view ​“Spots Visited by Corona Patients,” a blue dot shows the user’s location, and red markers show the spots that patients have visited. Clicking these red markers gives users the date and time of the visit.¹⁸⁰ As noted earlier, according to publicly available information about the app, users can also view the home addresses of the patient on the map.¹⁸¹ A news source from March 2020 reported that in certain instances, the app goes on to reveal even more information: when a user clicked on the markers, the message ​“Met 17 year old daughter and 38 year old wife at home” was displayed.¹⁸² In some cases, patients’ office addresses and the names of the relatives they visited were also displayed on the map.¹⁸³

However, an analysis of the app conducted in April 2020 by digital rights group SFLC found that ​“The app opens up a Google Maps frame and marks the location of the infected patients and the spots they have visited. No personal details are explicitly provided by the application. However, the address, specific to the street, is given by the marker. And there is also a feature to open the coordinates within the app in Google Maps.”¹⁸⁴

SFLC’s research also indicates that the app draws its information from the K‑GIS: Covid-19 Geospatial Portal, which displays home addresses, international travel history and quarantine dates of at-risk and infected individuals in the state.¹⁸⁵ As of November 11, 2020, the K‑GIS portal allowed anyone who visits the page to see several layers of geospatial information, including highly detailed, granular information such as Patient Location, Containment Zone, Patient Buffer Zone, and so on.

Figure 5. Screenshot of K‑GIS Portal (November 2020)

Moudgil’s comments about the public health rationale for this functionality also indicate the use of telecom data in this tracking:

“We are getting the data from the health department and telecom operators. The information is being provided so that others can avoid such places. The decision was taken by the government as we are seeing more people breaking the home-quarantine rules and coming out. This is only endangering the lives of healthy people.”¹⁸⁶

Thus, as indicated by the statement above, the rationale offered for providing this information to the public is for other people to avoid these places and reduce the possible risk of infection. However, there may be certain risks to this. If the spot visited is a closed space, with a limited number of people in the vicinity at the time, this knowledge may lead to a possible identification of the patient. Moreover, while the movement history is shown for the past 14 days, it is not necessary that the patient was positive for the entirety of this duration. Given the degree of fear associated with the virus, the knowledge that a Covid-positive patient was in the same vicinity as the user may also lead to panic.

Moreover, it is not clear when the information on the map was last updated, or what the sources for the data points are. For instance, the exact locations of patients are easily visible, as one can see the names of streets, major landmarks in their vicinity, and the 100-meter containment zone around them; but since we do not know when this information was captured, it can be misleading, and potentially dangerous – both as a public health measure and as a surveillance tool.

Gunjan Singh said the general practice of publicly disclosing the personal information of patients, especially in the case of Covid-19, as the stigma attached to it is high, could lead to negative repercussions including harm to the patient:

“You don’t have to monitor people, and make their names public, make their addresses public. I mean, this poses a serious risk to their life…[There is] a lot of stigma…attached…to Covid…Because if you just paste a notice on my door, it creates a sense of panic among people…and [changes] the way people treat you. And elderly people especially.”¹⁸⁷

The Jan Swasthiya Abhiyan, a national network of over 20 organizations working on issues of health across the country, had written to the Health Minister condemning the general trend of publicly displaying the personal information of those suspected to be infected, or infected with Covid-19.¹⁸⁸ They stated that such sharing is a breach of confidentiality, does not result in containment of the disease, and instead gives a false sense of security to others. The letter also highlights how such actions could lead to fear and stigmatization, resulting in a reluctance to access testing. These public health consequences that they highlighted could also be applicable to Corona Watch’s display of the home addresses of patients.

CORONA VIRUS ALERT APP (COVA) PUNJAB

Several apps have a functionality that allows users to report other individuals, for a variety of reasons, including breaking quarantine, gathering in groups, etc. This section will examine this in the context of the COVA Punjab App.

COVA Punjab allows users to report ​“mass gatherings” and ​“inter-state travelers”. While the option to report the latter was mentioned in a press release, it has not been mentioned in the app’s description on the Play Store. Moreover, there is no publicly available information on who classifies as an ​“inter-state traveler,” how they are identified, or why they should be reported. The option to report mass gatherings is visible on the screenshot of the app on the Play Store, as well as in a tweet from the handle of the Government of Punjab.¹⁸⁹

Figure 6. This tweet shows that users can report mass gatherings by clicking a picture, and submit their remarks alongside it as well

There is no publicly available information or statements by officials on how effective such a functionality has been. In a pandemic, mass gatherings are actively discouraged by health experts, as they can increase the probability of infection. Countries around the world, including India, have taken drastic measures to ensure that physical distancing is followed, with the intention of flattening the curve and reducing the burden on health infrastructures. In this light, such a functionality could foster a sense of community-level solidarity, in looking out for each other, especially at a time when health workers or government officials cannot be expected to constantly monitor all locations.

At the same time, such a functionality could also lead to vigilantism, by individuals or communities, which is likely to have a disproportionate impact on marginalized groups.

The potential for – and impacts of – misusing this function will be further discussed under Pillars 2 and 3 of this report.

EFFICACY OF ALTERNATIVE MEASURES FROM A PUBLIC HEALTH PERSPECTIVE #

Drones #

Unmanned Aerial Vehicles (UAVs), commonly called drones, have been used by various countries around the world, including India, to combat the pandemic. Drones have primarily been used for the following three purposes:

Enforcing lockdown, identifying curfew violators, and patrolling

Different states across the country have used drones to enforce lockdown measures, ensure physical distancing in containment zones, and identify those who violate rules. In some cases, First Information Reports (FIRs)¹⁹⁰ were registered by the police against such individuals.¹⁹¹

In some cases, drones were equipped with cameras, sensors, thermal scanners or other AI. For instance, in Amritsar, a city in Punjab, drones enabled with AI, GPS, and a machine learning model were used to identify potential violators by sensing the distance between two humans and sending an alert in real time to authorities in case of a violation (which was counted as any distance less than six feet). The drones were capable of functioning during the night as well.¹⁹² In certain cases, drones were used by the police for making announcements to instruct people to follow the lockdown measures.¹⁹³

In Delhi, India’s capital, the police worked with a private company to deploy drones that could be used day and night to collect footage. According to a news source, this data would be uploaded and analyzed on an ​“Aerodyne Covid Platform.”¹⁹⁴ This platform was reported to have helped the police identify hotspots where violations were taking place, and deploy resources as needed.

Covid-19 has unquestionably put immense pressure on India’s already strained healthcare system, particularly on its frontline workers. In this regard, officials have said that drone technology, by minimizing human-to-human contact, has helped them carry out their responsibilities.¹⁹⁵ For instance, police officers have used drones to enforce the lockdown and ensure that physical distancing norms are followed, without risking infection themselves or spreading the virus.¹⁹⁶ As cited in a media report, a Senior Superintendent of Police said:

“It has become a regular part of policing. In the current lockdown, we are flying drones over places where we suspect violations of the lockdown can occur. We identify those places and ensure that police is deployed and those who violate the lockdown are booked. It is a great tool in situations where physical contact is to be avoided or minimised.”¹⁹⁷

Officials have stated that drones have proven particularly useful in getting a bird’s eye view and deploying resources even in narrow lanes where a police van may not be able to reach.¹⁹⁸

Smit Shah, Director of the Drone Federation of India (DFI), a non-governmental, not-for-profit, industry-led body, which had teamed up with the Mumbai Police to deploy surveillance drones in the city, echoed this. He described how drones helped the police enforce lockdowns in Dharavi, Maharashtra, a sprawling low-income colony, and one of the most densely-populated regions in the world:

“The first time that drones were thought [of] being used was by the Mumbai Police, particularly in Dharavi, where cases were exploding. People were not staying indoors. And it was really becoming dangerous for police personnel to scout the entire area, go into the narrow by-lanes, and tell everyone to go home. That is when they reached out to us, to try and use drones, from the primary perspective that we don’t really want to risk the police personnel, going inside each and every day. If you look at Dharavi, it’s a very, very dense slum, there are just too many people living there. Police wanted to take a chance of using drones, from a distance.

…. So there are about six or seven playgrounds, about four or five junctions inside Dharavi, where people were generally crowding. The police didn’t want to get stationed there because then you are really inside the red zone. It’s better to patrol, but permanently sitting there would be a risk. So they said they want to monitor from a distance. If they see that people are not going inside, then they’d probably send a patrol inside, they will try to tell everyone to go home and then come back…So it was increasing efficiency, and making sure they don’t cause an additional risk by going inside.”¹⁹⁹

He also talked about the challenges police personnel faced on the ground:

“It started with [the] police getting tired. They had to wear those PPE kits by protocol when they had to go past the barricade of the red zone. It was not really feasible for someone to sit there for 24 hours, and educate people, and tell them to be at home. It was mentally frustrating, as well as very difficult for people.

… We started working with the Mumbai Police. The police was really happy…[it was] less stressful to travel inside the hotspot areas.”²⁰⁰

Dharavi’s ability to contain the virus and flatten the curve within a short period of time has emerged as a success story that has been acknowledged by the World Health Organization.²⁰¹ It must be noted that Dharavi’s approach was holistic, and relied on multiple strategies besides a strict lockdown to contain the virus.²⁰² The local administration conducted proactive screening, increased welfare measures, conducted scheduled disinfection drives, and collaborated with NGOs for trust building at the community level.²⁰³

The use of drones, especially those with AI technology and cameras, raises concerns related to privacy, surveillance and ethics. While these issues will be further discussed under Pillar 2 and Pillar 3, it is important to note that such use may also have ramifications for public health. The very presence of drones can create a sense of fear amongst those surveilled, and in some areas, these fears could be heightened depending on one’s socio-economic identity.²⁰⁴ In her work, Radhika Radhakrishnan has drawn attention to how the use of drones as a surveillance tool is rooted in the criminal justice system rather than the public healthcare system, and how arrests have been made on the basis of drone footage. Thus, the use of drones by state officials, including law enforcement agencies, may indirectly contribute to creating a public perception of ​“warfare”, ​“law and order”, and ​“criminalization”, rather than one of trust and care.²⁰⁵²⁰⁶

Thermal scanning

Drones equipped with thermal scanners have been experimented with in various cities across the country.^207208209 An engineer described the process followed in Delhi:

“The people don’t need to check their temperature every day. Now people can be on their balconies and the drone will try to figure out the temperature of every individual. Then, the person having high or less than normal temperature will be asked to come down. Then the health officials will follow further procedure and the whole area will be sanitized.”²¹⁰

Using drones to detect body temperature has also been claimed to be advantageous because it allows frontline workers to carry out their responsibilities without potentially being infected.²¹¹ Additionally, as opposed to manual thermal scanning with a medical device, drones can cover larger groups of people in one go.

However, the efficacy of thermal scanning drones has been questioned.²¹²²¹³ First, experts point out that the reliability of the temperatures obtained in this manner are impacted by the distance between the drones and the individuals. As pointed out by Faine Greenwood in her analysis of fever-detection drones, drones would need to fly close to the subject to get the desired accuracy, which may not be feasible, and can raise safety issues.²¹⁴ Additionally, she notes that since drones operate at a distance, environmental factors might also impact their accuracy.²¹⁵

Secondly, besides the issues of reliability, thermal scanning drones only assess one symptom of Covid-19, which by default does not cover individuals who may have other symptoms or are asymptomatic.²¹⁶ Even if drones are used as a preliminary scanning tool and follow-up medical procedures are carried out, individuals who are singled out in this manner could experience discomfort and anxiety.

Thirdly, there are concerns raised by experts about the intrusive nature of this kind of drone usage, which ​“blurs the lines between ​‘over-the-skin’ and ​‘under-the-skin’ surveillance.”²¹⁷

Disinfection

Drones have also been used for sanitizing public spaces, especially areas that are difficult to access. In Varanasi, a city in the northern state of Uttar Pradesh, drones were used to sanitize hotspots and containment zones after these areas were identified by the area’s District Administration/​Chief Medical Officer.²¹⁸ Additionally, drones were deployed in areas such as quarantine centers and shelter homes, where manual spraying may be risky.²¹⁹ Official sources indicate that there were plans to extend these services to other cities in India.²²⁰

However, there is no conclusive evidence available on the effectiveness of drones for spraying disinfectants.²²¹ In fact, the MoHFW had issued an advisory in April 2020 contraindicating the use of disinfectants on people, which stated: ​“Even if a person is potentially exposed to the Covid-19, spraying disinfectants on external parts doesn’t kill the virus that has entered your body.”

Smit Shah explained that the places where sanitizing is most critical would be difficult for drones to access:

“Spraying was not really effective…because you really require drones to go into tight spaces, which is where you actually want to spray the sanitizer. So, imagine people sitting inside of a bus stop, you’ll really need to sanitize the bus stop, rather than the street around it. Because that’s probably where people are going to touch things more. People going through a metro station or train station, you’ll need to sanitize the station and not the area around it, because people are mostly going to touch things there.

… Some people did try it. Candidly, I don’t think it was that effective. Probably if things were my way, I would repurpose the fire engines, put a very simple nozzle on them and spray the entire damn thing.”²²²

In Mumbai, government officials decided not to use drones for disinfection, given that they would be ineffective in cleaning the places where there is likely to be maximum human contact in containment zones. An official in the municipal corporation described the rationale behind the decision: ​“Drones are not in a position to treat these touch points. It will release the disinfectant on rooftops or surfaces where the virus is not present, rendering the activity completely useless.”²²³

In September 2020, the MoHFW informed the Supreme Court through an affidavit that as per the conclusions of a meeting of experts organized by the Directorate General of Health Services (DGHS), the spraying of disinfectants on humans, including through disinfectant tunnels and fogging, is not recommended under any circumstances, as it is physically and psychologically harmful.²²⁴

Online Portals and the National Migrant Information System #

During the lockdown, various measures were introduced to regulate the movement of individuals and vehicles. These included e‑passes, vehicle permits, emergency passes, and the National Migrant Information System.

This section will evaluate these measures from a public health perspective. However, it should be noted that these technological measures were largely instituted due to the pressing demands of the situation, and thus should be understood in that specific context. The next few paragraphs provide an overview of the migrant crisis, and the interactions of migrant communities with the online state travel registration portals which together provide the context for the development of the National Migrant Information System.

Migrant workers are one of India’s most marginalized communities. Though there are no official figures, it is estimated that there are about 140 million migrant workers in India, the majority of whom do not have access to social security services or employment security. They are part of the 450 million employed in the informal sector, which accounts for about 90 – 92% of the country’s total workforce.²²⁵

When the national lockdown was declared, the vast majority of migrant workers lost their livelihoods. As a result, many of them, faced with food shortages and loss of housing, were forced to return to their hometowns, which were often hundreds of kilometers away. However, with all public transportation on hold owing to the lockdown, many workers initially had no option but to make the journey on foot. News channels began relaying live footage of thousands of migrant workers walking down India’s highways, carrying their children and their possessions on their backs.²²⁶²²⁷ Reports of migrants dying of exhaustion, hunger and accidents²²⁸ increased. In many instances, law enforcement authorities tried to stop the mass exodus, resulting in protests by workers who demanded to be allowed to go home.²²⁹ Many migrants faced police brutality, and their conditions were worsened by criminalization²³⁰ and stigmatization. Labor rights lawyer Gunjan Singh told us: ​“Migrant workers were actually going home in a desperate situation, and FIRs were registered and [migrants were] beaten up.”²³¹

The central government passed a series of travel-related orders during this time.²³² Initially, the orders prohibited migrants from travelling at all, while subsequent ones allowed it, subject to certain conditions. In the month of May, the central government designated special trains, called ​‘Shramik [Laborer] Trains’, as well as buses, to ferry the workers home. In order to gain permission to undertake inter- or intrastate travel, people had to register via online portals that had been set up by different states for this purpose.

From May 1 to July 9, 2020, the government ran 4,496 Shramik special trains for stranded migrant workers, and carried more than 6.3 million workers to their home states, earning the Railways about INR 4,300 million in fares.²³³ The railways issued a set of guidelines for running the trains, which included one that stated: ​“The train originating state will encourage all passengers to download and use Aarogya Setu App.”²³⁴

In the beginning, both the origin and destination states for the trains had to provide a No Objection Certificate (NOC), with the former having to state that the medical screenings of all travelers had been carried out, and the latter having to confirm that adequate facilities were in place to receive the passengers.²³⁵ News reports indicate that this process encountered hurdles in several states. For example, there were instances of destination states not obtaining the NOC, often right before the train was to depart, causing confusion and hardship for the migrants.²³⁶ In the state of Karnataka, NOCs were withdrawn and trains cancelled at the last minute while political leaders asked migrants to stay there, stating that industrial activities had been restarted in the state.²³⁷

Eventually, the government order was changed, and consent was not required from the destination states.²³⁸ However, there were several other administrative challenges that states had to resolve. One of the precipitating and perpetuating factors for these difficulties was the lack of data on the migrant workers in the country, which made it challenging for states to coordinate travel arrangements and logistics. The National Migrant Information System (NMIS) was introduced in response to some of these challenges.

ONLINE PORTALS

As noted earlier, various state governments started online portals for people who wished to return to their home states to register themselves. In some states, a separate portal was started for stranded people such as migrants, students, and pilgrims.²³⁹

Migrant workers, facing severe food shortages and uncertainty about their very survival, were now forced to engage with online forms and portals if they wanted to go home. This magnified their hardships, which NGOs that work with migrant workers have also documented.²⁴⁰

On May 11, 2020, a letter documenting some of these challenges was sent to the Ministry of Home Affairs by the Stranded Workers Alliance Network (SWAN), an organization that coordinates relief work with migrant workers.²⁴¹ This letter drew upon SWAN’s experience of working with 46 thousand migrant workers between March and May 2020, and highlighted the following issues:

i) There is no standardization amongst the various state portals, including data collected: ​“For example: Haryana asks for an employer name, some states ask for the industry sector and Karnataka asks for the duration of stay in the place of work, Gujarat asks for an NOC from the state the migrant is travelling from and so on.”

ii) In certain cases, registrations are required at both the place of origin as well as destination state portals, but it is not clear what the procedure is for each state, which led to some migrants being fined upon arrival in their home states.

iii) The process of registration requires a range of documents to be uploaded.

iv) A lack of transparency and certainty about the post-registration process, including no acknowledgements once registration had been completed and no information disseminated on travel schedules.

v) The emergence of a black market due to lack of timely information on train schedules, seat allotment, etc.

vi) Non-functioning of certain key state portals.²⁴²

There were also a number of administrative steps that needed to be taken by states between the time an individual registered and when they boarded the train/​bus. These steps were not standardized across states. State governments were required to conduct medical screenings for the workers prior to travelling, to make sure they had no symptoms of Covid-19. They had to make follow-up calls to everyone who had registered to travel with details of their screening. However, as documented in a report by the SWAN collective, these follow-up calls from the administration were delayed, and in some cases never came at all. One such case of a migrant worker and his pregnant wife was documented:

“Suraj and his wife Madhu, who is 4 months pregnant, were stranded in Delhi waiting for information on the train to Madhya Pradesh. They said that they had registered on the state portal around 15 days back. We registered them again on the portal again on May 28^th. They have not received any calls for screenings yet. Since Madhu is pregnant, her doctor has strictly advised her against travelling in a bus/​car/​vehicle.”²⁴³

In another case, the migrant worker received a call from the administration 15 days after registration. By then, he had already reached home, having undertaken the journey partially on foot.²⁴⁴

Describing the hurdles migrants faced, labor rights lawyer Gunjan Singh, noted:

“…regarding these portals for train/​bus ticket booking, I would like to add that these portals were badly designed and prevented migrant workers from registering. We raised this issue in the Supreme Court case on migrant workers during the pandemic and asked for a lot of modifications (such as use of regional language and less number of questions) because these portals were not useful for migrant workers. They would only collect data and would not result in timely relief for the migrant workers who wanted to return home immediately. Often, state authorities would only (make promises to) workers (about making arrangements for them to) travel back home, but (they) just could not do it, because it was badly designed.”²⁴⁵

The challenges that migrant workers faced in accessing these portals, as well as the administrative process that followed, contributed to the humanitarian crisis that unfolded during the lockdown. These challenges are particularly concerning during a public health crisis where norms of physical distancing and ​“stay at home” advisories were given. In many cases, migrant workers had to report to a designated place for medical screenings, and it is not clear whether proper precautionary measures were always taken.

THE NATIONAL MIGRANT INFORMATION SYSTEM (NMIS)

As discussed above, the central government had directed states to coordinate amongst themselves in order to make necessary arrangements for everyone stranded in the lockdown, including migrant workers. As Sakina Dhorajiwala, a volunteer at the SWAN collective, noted:

“One of the challenges for them also was coordinating among each other. Where [were] the migrants from, and where were they stranded? So that coordination was also very difficult for the administration. Each state had to figure out how to do it for themselves.”²⁴⁶

Even within each state, different departments were using different methods to collect and compile the data. Anindita Adhikari, a volunteer at the SWAN collective, said:

“… You know, when there were states that were coordinating with each other, or say, for example, police stations that were compiling databases of migrants for travel on Shramik trains, they were doing it in all kinds of formats. Some people were doing it on Excel sheets, some people were doing it on sheets, taking pictures and sending WhatsApp. I mean, that is so terribly inefficient, and silly to do when you want to combine data of hundreds and hundreds of [people] who are supposed to board a train or [to] coordinate with authorities. It was as badly done as that.”²⁴⁷

Moreover, the issues were exacerbated by the fact that no official figures related to migrant workers existed. Gunjan Singh said:

“What led to this whole crisis? The main reason was the lack of data regarding the number of migrant workers in different states. You had no idea how many migrant workers were where. This was primarily because, for years, registration of migrant workers under the Inter-State Migrant Workers Act, 1979 and other labor statutes was not done.”²⁴⁸

In light of these challenges, the National Migrant Information System was envisioned to help states improve their coordination with each other. In an interview, a senior central government official explained the role played by the portal:

“There was large scale movement of people from states like Maharashtra, Gujarat to North-Eastern states. And we were asked to develop a system, where the movement of migrants could be sort of made more easy. So what we did was we developed an online portal. Suppose one train of migrants has to go from Gujarat to Bihar, then the Gujarat government or Gujarat district authorities could upload the data of these… people on[to] the portal. As soon as they did it, it was visible to the State Government of Bihar, Orissa or Uttar Pradesh. They could give a NOC, because you should remember that initially, the movement was with the consent of the destination states. So it was taking a lot of time, and coordination issues were there, to get consent from different states to different states. So they [states] could give online consent, and the Railways also had access to this portal. So [the Railways] could say that ​‘Okay, this train has to go from this State to this State,’ and they could plot the movement of the train accordingly. Similarly, for buses, because there were movement restrictions…. The states could upload bus information or vehicle information, and could get the objections from other states and… all of this data then was stored in the system, which can be used later on if required. So, this portal was put in place, it was used to some extent by many states, and to a large extent by some states.”

In addition to helping with coordination, the letter from the Home Secretary that described he portal also made it clear that one of the main advantages of the system was the feature of ​“contact tracing and movement monitoring during Covid” through the mobile numbers collected. However, it fails to explain how contact tracing would be conducted. The letter also refers to various dashboards on the portal – ​“public dashboard, logistic management, risk index, quarantine alert etc. which are being used by states”, but does not provide any more details about these dashboards.

As indicated in the interview with the senior government official, only officials had access to the portal. The limited information available in the public domain restricted our ability to ascertain the impact of the portal. However, allowing different states to talk directly to each other may have helped in expediting the coordination process, which saves valuable time during a crisis.

However, there continued to be immense practical challenges on the ground. The SWAN collective highlighted this in a report published one month after the NMIS was instituted:

“While there are some merits of scheduling travel through a single portal, a solely technological solution to what is a massive logistical, institutional and a humanitarian crisis proved to be highly insufficient. As the large crowds that gathered in Ghaziabad on May 18^th to register for travel made clear, the repatriation of migrant workers will need much more than a technological fix.”²⁴⁹

PILLAR 2. POTENTIAL FUNCTION CREEP OF APP RESPONSES AND ALTERNATIVE MEANS — SOCIAL CONTROL BY STATE AND NON-STATE ACTORS #

In this section, we will analyze the apps and tech-enabled measures for possible function creep, which can result in potentially greater instances of social control, by both state and non-state actors. We will look at the features and functions of the app/​measure in this light, the transparency in their development and deployment, and examine the legal infrastructures in which they are embedded.

POTENTIAL FUNCTION CREEP OF APPS: SOCIAL CONTROL BY STATE AND NON-STATE ACTORS #

Aarogya Setu #

As discussed under Pillar 1, the government has maintained that Aarogya Setu has been playing a vital role in pandemic management. However, the positive comments about the app have been accompanied by concerns about privacy and a potential infringement of fundamental rights, as various digital rights advocates and legal, technical and public health experts have expressed concerns about the app morphing from a public health tool into one that has a much larger scope for surveillance.²⁵⁰ Some of these concerns are grounded in the fact that India currently does not have any legislative framework around personal data. Civil society members and digital rights groups have pointed out that besides its contact tracing functionality, the app has other functionalities, including e‑pass integration, access to telemedicine and diagnostic services, fund raising, and more, prompting questions about what they term a non-adherence to principles of necessity and proportionality.²⁵¹

The government and the app’s developers have routinely denied such claims, reiterating that ensuring the privacy of users was one of their major goals, and that several measures have been built into the app, as well as its governing documents, to achieve this.^252253254255 They have maintained that the app follows a ​“privacy by design” principle. 

Aarogya Setu Volunteer #1 also made a distinction between what they saw as the proportionality of privacy vs the need for data in a public health emergency such as the Covid-19 pandemic, when lives are at stake every day:

“I go to a mall with my [spouse], that is a private affair. But by going to the mall, [if] I’m an asymptomatic carrier of this Covid and go and spread to 100 fellows, then it is no more private. Because my action is creating issues – even life issues for somebody else.

If my action is going to hit me alone, then it is private. But my action is going to hit 100 fellows…And the more important thing is that I may be innocent. I may be an asymptomatic carrier. I don’t know whether the disease exists in me, but I’m spreading it. Completely unknown scenario. This doesn’t work, this notion of privacy, I don’t know how to interpret it in this context. You give me a solution to all the problems that we are facing. You [can] criticize it, but give me a solution. This is not a research problem in [a university]. Every day 500−1,000 people are dying.”²⁵⁶

They went on to add that they felt that the privacy debate about the app was not proportional to the steps the government has taken to ensure transparency:

“The amount of information that social media has about everyone is phenomenal. And [here] we are fighting a crisis, and then people are starting to say ​‘Oh privacy!’ We had a sunset clause, we had clear data retention policies. We have all the things there. Then they said, ​‘We don’t know what you’re doing, you do that, you will do this.’ We went and opened up the complete source code. Twenty-one days we worked, then we got the [app] running functionally, it was working correctly, which was tested, then we actually made a presentable source code, documented and everything. When you are developing a software in twenty-one days, you can’t be writing documents then. We took one month. When you present something, people should understand. Then we took a very cautious call. Then we said, okay, we took a brave call and we said, ​‘If you see a genuine problem, and hack into the system, find any bug, we will give you 1 lakh [INR100,000] per security vulnerability.’ Nothing came out.”²⁵⁷

According to the Frequently Asked Questions on the app’s website, the app follows data privacy principles such as purpose limitation, use limitation, anonymization, and more, and states that the following measures have been built into the features and functioning of the app to ensure the privacy of users:

Firstly, all the personally identifiable information (PII) collected at the time of registration is anonymised, and subsequent transactions only take place through a unique Device Identification Number (DiD) assigned to a user by the central server, to ensure re-identification is not possible. Secondly, the information collected, including GPS location data, is stored on the device locally, and is only uploaded to the server in certain cases, as laid down by the privacy policy. Thirdly, data related to contact tracing and GPS location are deleted within a stipulated time frame. Finally, following the principle of use limitation, data will only be used for purposes laid out in the privacy policy, i.e., ​“for assisting you and generating insights to help the Government of India in its Covid-19 mitigation efforts”.²⁵⁸

App design: Features and functionality

Certain features of the app, sometimes the very choices that the government has claimed help preserve privacy, have become a point of contention among technical experts. They include the following.

a) The unique Device Identification Number (DiD)

As the FAQ of the app states, the DiDs are used to ensure non re-identification. However, technical experts have pointed out that Aarogya Setu uses a static ID, as opposed to a dynamic (temporary) ID that changes frequently. This means that anyone who gets hold of the DiD could access the user’s PII, raising concerns about re-identification.²⁵⁹ As Professor Bhaskaran Raman from the Indian Institute of Technology (IIT) Bombay has pointed out: ​“Research shows that in over 95% of cases, using other outside information, one can guess real identity from pseudonymised data. If you can match pseudo-ID to real ID, the purpose of pseudo-ID is lost. You might as well be announcing your real ID.”²⁶⁰

The app’s developers have acknowledged that the app is indeed an evolving model, and the possibility of making the device ID dynamic could be taken into consideration.²⁶¹ Aarogya Setu Volunteer #2 also stated:

“The end design of the product is that we collect information and that information is de-identified because there is no personal information that’s shared. It’s just a DiD. Could it be better? Yes, of course, there are better techniques to do your DiDs…[have them] change every day and things [like] that. But, you know, those are evolutions of the same concept. The concept is [to] only share anonymized data, and that’s implemented.”²⁶²

In fact, in response to a question on the use of static ID, one of the FAQs released in May 2020 on the app’s website stated that ​“Given the current volumes of persons who have tested positive for Covid-19, the use of a static Device ID is not an immediate concern.” It also added that the team would be working towards building the dynamic model. However, at the time of writing, there is no publicly available information as to whether any changes have been made.

Some of the primary stated functions of Aarogya Setu depend directly on identifying the user accurately. For instance, as discussed in Pillar 1, follow-up calls are made to those who are assessed as needing medical help, based on their self-assessments or risk level. In such cases, the user’s name and phone number are used to contact the individual, thereby making it possible to identify them. In addition, users access the IVRS from their landlines or feature phones, and it is not clear how their data are anonymized or whether unique IDs are assigned to them.²⁶³

The additional features of the app, such as contributing to PM CARES or the integration of e‑passes, also raise concerns about the re-identification of a user.²⁶⁴ As Professor Shubasish Banerjee from IIT Bombay pointed out:

“These functionalities [such as UPI payments, e‑pass, etc.] should be compartmentalised [within the app]. If they are not, the moment you do KYC [Know Your Customer], you have strong personally identifiable information (PII) that goes out. From contact tracing, there are two privacy concerns. There is a static [device] ID that doesn’t change. The second is location. With more auxiliary information, it should be fairly straightforward to de-anonymise. If you add KYC [which an e‑pass functionality, or UPI payments does], you don’t even need a de-anonymisation attempt.”²⁶⁵

There is no public information on whether the data collected by the additional features on the app exist in separate silos, or whether they can be traced back to the personal details, contact tracing data, and the DiDs of individual users on the app. The privacy policy, Terms of Service, and access protocol of the app do not include any specifications on this.

b) Local storage of data

The second privacy-preserving design choice adopted by the developers was to ensure that most of the data collected by the app stays on the user’s phone, with a few exceptions. Aarogya Setu Volunteer #2 said:

“…So for a government, or any person who is dealing with data, who has potentially this vast trove of data, if you think about it, if you’ve around 165 million people connected to the app, constantly collecting data, it is possible to pull all that data up. But that’s just got a lot of really valuable sensitive information. So the design choice has been not to pull it up, the design choice has been to leave the data on the phone, and to have it wiped regularly. This may not be significant, but you know, I’ve worked with the government a lot. This actually represents a significant shift in their thinking about this and that’s what’s sort of reassuring.”²⁶⁶

The privacy policy of the app lays down the different scenarios in which locally-stored data are pulled up to the government-owned server, in an encrypted and anonymized form:

i) at the time of registration, all personal details as well as the user’s GPS location are sent to the server;

ii) when a user tests positive, the DiDs of other users who had been in proximity with them, the GPS location data, and time of the interaction is sent to the server;

iii) each time a user takes a self-assessment test, their test results along with their GPS location data is sent to the server;

iv) the app uploads to the server the user’s GPS location data, and a ​“record of all the places” that they have been at 15-minute intervals.

A technical analysis by independent experts states that when a new user registers on the app, the following information is sent to the server: OS version (SDK), manufacturer, model, device type, and version of the app. It also notes that the contact tracing information sent to the server also includes the Bluetooth unique address (MAC) of users, and that this information can be used to identify unique users.²⁶⁷

This last category of information, along with the DiD, is uploaded only if the user tests positive and/​or is likely to be infected based on the self-declared symptoms, and/​or if the risk assessment shows yellow or orange. The privacy policy explicitly states that the fourth category of data would not be uploaded to the server if the user has a green status. However, the policy employs broad wording in certain places, leaving it open to interpretation. For instance, it is not clear what the phrase ​“likely to be infected based on self-declared symptoms” means, and why this is a separate category in addition to the user’s status shown as yellow or orange.

In the absence of any documentation in the public realm about the algorithm that Aarogya Setu uses to calculate the risk of infection, it is unclear how many users have fallen into the category of being ​“likely to be infected.” Aarogya Setu Volunteer #2 said that the number of people whose data are pulled up is a very small fraction of the total data collected, and that for the overwhelming majority, their data have remained on their own phones:²⁶⁸

“There’s a very, very small percentage of people, of the users whose data has actually been taken up into the government servers. When I was still involved, it was…in the region of maybe 100,000−200,000 people out of the already, you know, 100 million plus [that] we’ve got, that’s a really small fraction of people whose data has been pulled up into the cloud.”²⁶⁹

However, the Internet Freedom Foundation (IFF), a digital rights research and advocacy organization, has noted that this capturing of citizens’ personal data on a centralized government-owned server − which includes the user’s location and all the details given at the time of registration, in addition to the other three instances discussed above − is occurring in the absence of a legislative framework.²⁷⁰ Moreover, as per a presentation by the Chairman of Empowered Group 9, which was uploaded by the Press Information Bureau’s Twitter handle, data are exchanged between Aarogya Setu, the NDMA and the Indian Institute of Technology, Madras, through an API:²⁷¹

Figure 7. Image courtesy of a presentation by the Chairperson of the Empowered Group on Technology

According to the IFF, this image indicates that there is a possibility that various other databases/​servers are linked with the Aarogya Setu server. They also argue that this could make the creation of permanent servers more likely.²⁷²

c) GPS-based location tracking

As noted in previous sections, Aarogya Setu uses both Bluetooth-based proximity sensing as well as GPS location. This has attracted critical attention from digital security experts, who have argued that the use of both is indicative of the collection of too much data about users.²⁷³

In a media interview, Ajay Swahney, MeitY Secretary and Head of the Empowered Group of Technology and Data Management, said that Aarogya Setu’s use of GPS should not be seen as atypical:

“If you are talking about a country like Singapore, it is the size of a city. Here [in India], you are dealing with a nation which is as vast as a continent. It is more like the size of Europe, but unlike the countries in that continent, you don’t have as many smartphones and hence, you can’t rely completely on smartphones. You have to rely on GPS. Moreover, there’s nothing great about the GPS, because this is being used in almost everything one does today. This can be used in the Indian context, and in the present situation when a person who is actually infected does not know about it and is likely to have visited many places. Now, when a person is capable of infecting 50 others, will you think about the privacy of the person or about protecting the lives of the people? So, we have to balance everything.”²⁷⁴

The technical analysis by independent experts states that the app collects two types of GPS location data: coarse (approximate location) and fine (more accurate location).²⁷⁵ It also states that Aarogya Setu uses background location, which allows it to collect location data even while users are not interacting with the app. As the report states: ​“Geo-location data is considered as highly sensitive as it could reveal users’ habits, home address, workplace data, and even religious beliefs (i.e., place of worship).”

The state’s ability to pinpoint user location through an app does raise concerns about the potential for surveillance that extends beyond medical needs, as well as an infringement of an individual’s right to privacy. As pointed out earlier, the app collects this information at several points, including at 15-minute intervals. While the argument is that this last category of information is stored locally on the device, and only pulled up to the central server in those instances laid down by the privacy policy, the ambiguity regarding how the app determines that a user is ​“likely to be infected” allows for the possibility of expansive data collection.

The collection of GPS location data is further complicated by Section 69(1) of the Information Technology Act and the accompanying Information Technology Rules. This section empowers the central and state governments to authorize government agencies to intercept, monitor or decrypt ​“any information generated, transmitted, received or stored in any computer resource” for matters that relate to: i) The preservation of India’s sovereignty or integrity; ii) The security of the state; iii) Public order; iv) Maintaining friendly relations with other countries; v) Preventing offences relating to (i) to (iv) from being incited or committed; and v) Criminal investigations. Intelligence agencies in India have tremendous leeway in accessing data, which cannot be curbed by Aarogya Setu’s Privacy Policy or Terms and Conditions.

d) The app’s algorithm

At the time of writing, there is no publicly available information regarding the algorithm that Aarogya Setu uses to determine a user’s health status. Civil society members and digital rights organizations have expressed concerns regarding this.²⁷⁶ An independent journalist and researcher said:

“Do we really want the computers making those decisions for us, especially when these algorithms, as developers of Aarogya Setu have said repeatedly, were put in place and in an iterative manner over the course of two weeks?… this was a knee jerk reaction, [a] major techno-solutionist reaction during the pandemic. Do we really want this to stay forever?”²⁷⁷

In the light of the app being made mandatory by certain public and private bodies for purposes such as travel, education, entry into workplaces, etc., cases of false positives/​negatives based on the algorithm could potentially be life-altering. In one case, it was mandatory for government employees to show a ​‘green’ status on the app.

e) Functionalities added after the app’s launch

In the months following the app’s launch, several new features that go beyond the aim of contact tracing have been added to it. We will address three of them in this section.

i) Open API Services Portal

This functionality, introduced in August 2020, allows organizations, businesses and entities to check the Aarogya Setu status of their employees or ​“any other Aarogya Setu user”, subject to their consent.²⁷⁸ The official press release states that this service was introduced to address ​“the fear/​risk of Covid-19 infections and help the people, businesses and the economy to return to normalcy.”²⁷⁹

There are separate Terms of Service for this feature, which lay down the eligibility, registration process, and other aspects of the portal. As per the official press release, this system can be accessed by organizations, businesses, and entities registered in India that have more than 50 employees.²⁸⁰ However, the Terms of Service of the system make a departure regarding the eligibility to use the service; instead of restricting the category of minimum users to merely ​“employees”, the document states the ​“Total Employees/​Customers/​Users, of the Organization/​Entity, whose health status needs to be checked through OPEN API, should be more than 50.”²⁸¹ This broadens the criteria significantly, as any entity with more than 50 users or customers could use the service.²⁸² The other clauses of the Terms of Service also reflect this language.

At present, there is no publicly available information regarding the number of organizations that have accessed this service. Digital rights group SFLC had filed an RTI seeking the list, but were denied the information by the Deemed Public Information Officer (PIO), NIC Messaging Division, stating that the ​“information sought does not serve a larger public interest.”²⁸³

However, this feature appears to be fundamentally in violation of a user’s right to privacy, as well as in contradiction to the voluntary nature of the app. Though the Terms of Service have certain clauses that safeguard the end user’s rights, such as mandating the ​“explicit consent of the user” before use, it is unclear how employees can meaningfully consent to revealing their health status to their employers, particularly if their ability to earn their livelihoods is inextricably linked to it. Concerns about the anonymity of data, false positives/​negatives, and the opaqueness of the algorithm are also pertinent here. This feature also seems to compound the risk of users providing inaccurate details in their self-assessments.

The Terms of Service place a number of obligations on the entities who use the system, and state that an inability to abide by them could result in legal action. They place limitations by disallowing any redistribution of the data that are accessed through the API. Another clause states that all accessed information should ​“only be used for the purpose of ascertaining the risk that your employees or customers or users, might have been exposed to Covid-19 and/​or for management of Covid-19 in your extended workplace and shall confirm that you have put in place appropriate organisational and technological measures to ensure compliance with this obligation.” The Terms of Service also lay down data retention and deletion policies, and direct organizations ​“to only collect as much data as is strictly necessary to achieve the stated purpose and to delete such data as soon as possible after such purpose has been served.” They further state that this time frame cannot exceed the data retention provisions set out in the Aarogya Setu Privacy Policy and the Data Access and Knowledge Sharing Protocol. The Protocol will be discussed in detail later in the report. However, it is not clear how these obligations would be monitored or enforced, which seems to potentially put a great amount of personal data in the hands of organizations or entities in perpetuity.

Another clause in the Terms of Service absolves the Government of India from any liability, and also states:

“The APIs are being made available on an ​“as-is” basis. All services such as those provided by these APIs are never wholly free from defects, errors and bugs, and the Government of India provides no warranty or representation to that effect or that the APIs will be compatible with any application, or software not specifically identified as compatible. The Government of India specifically disclaims any implied warranties of fitness for a particular purpose or non-infringement.”

This becomes particularly troubling in the light of the absence of any legal infrastructure governing the app or its APIs, which will be discussed in greater detail later in the report.

ii) E‑pass integration

The e‑pass integration functionality displays government-issued e‑passes on the user’s app, which were often required to be displayed to law enforcement authorities at checkpoints, inter-state borders, or other locations, until the end of August 2020. The app does not allow users to register for new passes; rather it shows existing e‑passes that have been issued via the government’s e‑pass portal.²⁸⁴

As was noted in the section on DiDs, this functionality is likely to render some features of data anonymization moot, as the purpose of an e‑pass is to identify a particular individual, and to display proof of them having been granted the state’s permission to travel.

iii) Interactive Voice Response System

The IVRS functionality was introduced as a public health feature meant to reach residents who do not have access to a smartphone. However, certain design choices around the IVRS system and its data collection mechanisms have invited scrutiny for possible function creep.

Figure 8. Image courtesy of a presentation by the Chairperson of the Empowered Group on Technology

For instance, as an independent researcher and journalist pointed out, the data from IVRS are sent to the health insurance program Ayushman Bharat Yojana:

“So the data is sent for validation to Ayushman Bharat. And I spent ages trying to figure out, talking to NITI officials, talking to people at NITI Aayog, ​‘OK, why are you sending this data to Ayushman Bharat?’ Which is an insurance scheme essentially. I never got an answer. So what’s going on over there?”²⁸⁵

There is no publicly available information about the rationale behind this routing, how much private information is transferred to Ayushman Bharat, for how long it will be retained, or how it will be used. Neither is it known if these data will be shared further by Ayushman Bharat with other entities, public or private.

Transparency and legal infrastructure

The issues discussed above regarding the app’s design choices and functionalities are embedded in larger concerns about the absence of laws governing personal data, as well as a lack of transparency in the development and functioning of the app. We discuss some of these, as well as the government’s responses, in this section.

a) Development of the app: Public-private partnership

The official press release announcing the launch of Aarogya Setu stated that the app had been developed in a public-private partnership. It did not, however, provide any other details regarding the individuals or entities involved. Nearly two months later, on May 26, the government released the source code of the app on Github, and listed the names of more than 70 ​“volunteers” who had contributed to the app.²⁸⁶ The names were listed across four major categories: i) Government Leadership; ii) Industry and Academia Leadership; iii) Contributors (Industry); and iv) Contributors (Government). The list did not mention the affiliations of any of the volunteers, which received criticism from data researchers and activists as a decision that added to the opacity of the app. Independent researcher Srinivas Kodali said that it ​“enables the app-makers to evade accountability.”²⁸⁷

Aarogya Setu Volunteer #1 explained their rationale behind the decision as follows:

“These are all volunteers. We said we will not put any of our designations, we’ll say these are the people. You can call and talk to us anytime. India is in a crisis. And in this crisis situation, we want to solve the problem. The 60 best brains…I can tell you that I was the dumbest [person] in that group, everybody was brilliant. You won’t believe it was something like 26 hours a day so to say [that we worked]. Absolutely no sleep. There were people who were pretty senior, with a lot of software experience, and stuff like that.”²⁸⁸

However, given the issues with proper documentation regarding the app’s creation, the lack of clarity about the private players involved in the creation, use and management of the app has raised concerns. A senior health research professional stated:

“Our data is being used to fatten the profit margins of [private companies] − whether they are small startups or big industries. Google’s consultant [is] in Aarogya Setu? I think it is quite shocking how we have gone all over the place to get all these consultants.”²⁸⁹

The Government Leadership section includes top officials from MeitY, Niti Aayog, NIC, and MyGov. The names under Contributors (Government) are all from the NIC. The membership of Industry and Academia Leadership is diverse, and includes individuals from a range of private companies, public universities, and civil society groups.²⁹⁰ There have been conflicting statements by some of these individuals regarding their involvement,^291292293 as well as by various government departments, which will be discussed below.

b) RTIs: Response from government and civil society

There have been multiple rounds of RTI requests filed by civil society members regarding various aspects of Aarogya Setu. Often, the files have been repeatedly transferred between ministries, and when answered, have been ambiguous or incomplete.

For instance, in April 2020, IFF filed multiple RTIs seeking information from the MoHFW and the NIC on the legislative framework, committees involved, and data security safeguards used by Aarogya Setu.²⁹⁴ In response, as stated in a blog post and in a series of tweets by IFF,²⁹⁵ the MoHFW said that they did not have the information, and the request was transferred to the NIC, which falls under MeitY.²⁹⁶ However, another RTI filed to MeitY received the same response, and it too was transferred to the NIC. The eventual response from NIC provided a now-defunct link to the app’s privacy policy, and to all questions about data sharing and access, repeated this phrase: ​“The information from the Aarogya Setu app is used by the officials who are involved in Covid-19 related efforts.”²⁹⁷

In a recent case, RTI activist and journalist Saurav Das filed multiple RTIs to MeitY, seeking information about the origin of the proposal, the process of approval, the government departments involved, and the communications with private persons involved in developing the app.²⁹⁸ The RTI was forwarded to the National E‑Governance Division (NeGD), which subsequently responded that they did not have this information.²⁹⁹ Using the appeal process that the RTI Act provides citizens with, Das filed for an urgent hearing with the Central Information Commission (CIC). At the hearing, according to a news report, MeitY officials were unable to answer the questions on the app’s creation.³⁰⁰ The CIC described the responses of the officials as ​“preposterous” and ​“evasive”, and issued show cause notices to the officers.³⁰¹ The Commission also noted that while files may move between departments, ​“a citizen cannot go round in circles to find out the custodian.”³⁰²

In response, a clarification was issued via a press release on Aarogya Setu’s Twitter handle, which said that the app had been developed in ​“the most transparent manner.”³⁰³ It said that the government’s response has always been clear right from the first press release,³⁰⁴ and that the app had always been described as being a public-private partnership. Additionally, it also listed a number of measures that were taken to uphold transparency, including the app’s website, and ​“several TV shows and media briefings” about how the app was assisting in the fight against Covid-19.

Officials and developers involved in the app had indeed made several appearances on talk shows and public webinars, particularly in the early months of the pandemic, to explain the workings of Aarogya Setu. At the same time, as discussed in earlier sections, there is still a lot of information that is not publicly available. For instance, while the first press release had stated that the app was developed in a public-private partnership, the names of those involved have never been mentioned in any official press release or document, and neither have the terms and conditions of the partnerships with industry players been made known.

In December 2020, the show cause notices were dropped, as no ​“malafide intentions” had been found and the commissioner found it ​“unfortunate that despite so much information available in the public domain about the app, the same was not provided to the RTI applicant.”³⁰⁵

However, in January 2021, the Delhi High Court issued notices to MeitY and NeGD regarding the denial of information about the creation of Aarogya Setu. It was reported that the Government Counsel attributed the delay in responding to Das’s RTI, and the back-and-forth that occurred between various ministries, to the fact that the app had been developed in record time, and at no expense, at a critical moment in the pandemic where the priority had been to save lives. The Counsel also reiterated that all the information was already in the public domain.³⁰⁶

An independent journalist and researcher expressed concerns regarding the minimal role the MoHFW played in the development of Aarogya Setu, which was launched as a public health intervention by the state:

“What was the Ministry of Health’s role in developing this app? That’s what I don’t get. Why are technologists building it, instead of epidemiologists, public health officials, and doctors? How does someone who runs MakeMyTrip [an Indian online travel company] and 1mg [an Indian online pharmacy]… How do they have the expertise to build a public health app?”³⁰⁷

However, in an interview, one of the app’s volunteers stated that epidemiologists had been part of their team right from the beginning, and that inputs from the medical fraternity had been factored in at all possible stages.³⁰⁸

c) The app’s source code

Aarogya Setu’s source code was not released when the app was launched. On May 6, 2020, a member of IFF filed an RTI request seeking the source code for Aarogya Setu.³⁰⁹ The source code was denied, citing Section 8 1 (d) of the RTI Act, which states: ​“Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information.”³¹⁰ By this time, the app had been downloaded more than 100 million times.

In fact, the first privacy policy initially also prohibited reverse engineering the app, which severely limited technical analysis. This clause was eventually dropped.

The government released the source code for the Android version of the app on GitHub at the end of May 2020,³¹¹ and announced it through a Press Release titled ​“Aarogya Setu is now open source”.³¹² The source code for the iOS version was released on August 13, nearly four months after it was launched. The government also announced a bug bounty program with the aim of enhancing transparency, with a reward of INR100,000 per security vulnerability or suggestion for code improvements.³¹³

Data security experts point out that the code on Github was inconsistent with the version of the app that was available for download, and being used.³¹⁴ Data security experts have added that without the complete server-side code, cloud deployment features, resolving the issues on GitHub in real-time, and regularly updating the code repository, the app could not be considered truly open source.³¹⁵

On November 22, 2020, MeitY released the backend code for Aarogya Setu on the government-owned open source repository OpenForge.³¹⁶ Technical experts who have analyzed it have concluded that it contains only snippets of code, and is not the complete backend.³¹⁷

Technical, legal, and public health experts, as well as the media, have pointed out that the lack of transparency creates cause for concern:

“Data can easily be weaponized. There’s no doubt about that. And it can be weaponized against people, which is why legal structures, ethical use of data, being transparent about the process, [and] actually having the production code out in the public domain is important.”³¹⁸

d) Data security vulnerabilities and government responses

On April 26, 2020, an official statement released via the app’s Twitter handle said that the New York Times had tipped the Aarogya Setu team off to a bug that broadcasts its users’ precise location data to Google if they clicked on a Youtube link in their self-assessment questionnaire.³¹⁹ While the statement did not include details about how many users’ information had been revealed this way, it thanked the NYT for bringing the vulnerability to their attention. The Aarogya Setu team also said they encouraged people to come forward with any other data security issues they might find, and provided an email address to do so.

In May 2020, a security researcher and hacker who goes by the pseudonym Elliot Alderson tweeted at the Aarogya Setu handle that he had found privacy and security issues in the app and that the privacy of 90 million Indians was at stake. He followed it up with a tweet that said that 49 minutes after his first tweet, the Indian Computer Emergency Response Team and NIC had contacted him, and that he had disclosed the issues to them. He said that if they did not resolve the issues from their side, he would make the issue public. Shortly thereafter, the Aarogya Setu team acknowledged his efforts but denied any such vulnerabilities, saying that ​“no personal information of any user has been proven to be at risk.”³²⁰

Elliot Alderson then made a controversial claim that he could know who was infected at any location of his choice, and went on to list the ​“Health Status” of Aarogya Setu users in high-security locations such as the Prime Minister’s office, the Indian army headquarters, and the Indian Parliament. He also claimed that he could check the health status of any individual in a specific house.³²¹ There is no publicly available information about whether these claims were proven to be true. Alderson wrote about the app’s vulnerabilities, and said that he was happy that they had responded quickly to his report and fixed some of the issues. He added that the government should ​“stop lying, stop denying.”³²²

In August 2020, Shadow Map, a cybersecurity firm, published a blog post describing various vulnerabilities that it had found. According to a news source, the company had stated that it had found ​“certain log-in credentials used by developers of Aarogya Setu sitting, possibly by accident, on a government website, allowing them to gain access to large parts of the code and other software infrastructure that, if accessed by hackers, could expose location, contact, and health data of the users.”³²³ In response, the government called these claims ​“malicious, nefarious and unsubstantiated,” and stated that it would pursue legal action against the company. The blog post was taken down by the company, and the government is reported to have retracted its public statement.

e) Legal infrastructure

The legal framework for the Indian government’s overall pandemic response strategy has been the National Disaster Management Act 2005, which offers an umbrella clause to issue directions in order to handle a disaster. This can be read together with the Epidemic Diseases Act, 1897, and Section 69 of the Information Technology Act, 2000, as the broad legal backdrop against which Aarogya Setu has been deployed in the country. However, India currently does not have a data protection law, and therefore has no legislation that delineates oversight, accountability, transparency, proportionality or security of data collection.

In a media interview, Ajay Swahney, MeitY Secretary and Head of the Empowered Group on Technology, said that the privacy policy of the app had been drafted by data privacy experts:

“We have already brought out an exceptionally good privacy policy which is there in the app itself as well as in the MyGov and Surakshya portals. In fact, some of the best known legal experts who work in the area of data privacy have helped us draft the guidelines. We are also planning to bring out some guidelines through MeitY to further define what exactly can be done with the data. We believe that bringing out a law [to manage Aarogya Setu] at this point is not necessary. Our priority at present is to deal with the epidemic itself.”³²⁴

Aarogya Setu Volunteer #2 stated that the app’s team had been sensitive to privacy issues, and pointed out that civil society has also been playing an important role in keeping the government accountable:

“I would say that, despite the fact that we don’t have a regulator − and if we had a regulator, the regulator would hopefully do all of this itself − but despite that, civil society has actually done remarkably well to stand up and call into question a lot of these technologies…That’s one side of it. I think the other side of it is − at least from my personal experience with Aarogya Setu − the awareness and the sensitivity to issues related to privacy is very high.”³²⁵

Aarogya Setu’s Privacy Policy and Terms of Service lay down clarifications and clauses related to the app’s data collection, storage, and sharing, as well as the rights available to the users.

The app’s privacy policy has been updated twice. The second version, which was released on April 12, 2020, added clauses for things such as purpose limitation, and stopped asking users whether they were a smoker or not at the time of registration, which the first policy did. It was reported that users were informed about the changes to the policy five days after it was released, via a notification. As pointed out by MediaNama, which covered this development, this was in violation of a clause in the privacy policy itself, which stated that users would be informed of any such changes, and that renewed consent would be sought from users.

The second update, which occurred on May 24, 2020, no longer penalized reverse-engineering the app, which meant that data security experts could analyze publicly available APKs.³²⁶ It further indicated that a user’s location data from the last 30 days, rather than 14 days, would be sent to the server. It added the e‑pass integration feature, and the display of a user’s risk status. It also stated that ​“The App will also provide links to convenience services offered by various service providers.” This points to the possibility of data from the app being repurposed.

On May 11, 2020, MeitY released the Aarogya Setu Data Access and Knowledge Sharing Protocol, to govern the app’s data collection and the sharing of personal/non-personal data collected through the app.³²⁷ It was developed by the Empowered Group 9 on Technology and Data Management and lays down principles for data collection, processing, and sharing, including obligations and legal penalties for violations. The Protocol, issued a month after the launch of the app, designates MeitY as the implementing agency, and states that NIC will be responsible for collecting, processing and managing response data. It also states that ​“MeitY shall act under the overall direction of the Empowered Group 9 on Technology and Data Management.”

In an analysis of the Protocol by IFF, they pointed out that it is unclear how the Empowered Group has the legal authority to issue the Protocol, raising concerns about the possibility of function creep:

“Since Empowered Group 9 was set up by the National Executive Committee; and the chairperson of the National Executive Committee is the Union Home Secretary, we believe that the chain of command evokes concerns of possible mission creep. What is especially concerning is that India’s public health institutions have minimal leadership even as these technologies are being built to respond to a public health crisis. This is again contrary to other countries where technology systems are being controlled and operated by public health authorities. In fact they are providing reassurances to the public that data will not be shared with law enforcement authorities.”³²⁸

Secondly, the legality of the Protocol itself is unclear. For instance, IFF has argued that it is only an Executive Order, which, by its very nature, could not be used to hold the government accountable.³²⁹ Justice Srikrishna, a former Judge of the Supreme Court of India and Head of the Committee of Experts that drafted the country’s Data Protection Bill, said that the Protocol was similar to an ​“inter-departmental circular” and was a ​“patchwork” which ​“will cause more concern to citizens than it will benefit them.”³³⁰ Srinivas Kodali, an independent researcher, pointed out that ​“A protocol document is not the same as having a set of rules… Once the data leaves NIC’s server, the NIC has no way of knowing whether a state government has also shared it with its police, intelligence agencies or anyone else.”³³¹

Thirdly, digital security experts also argue that while the Protocol was an improvement on the privacy policy that existed at the time, its language allowed for very wide and worrying interpretations of some of its clauses.³³²³³³

• Under the section ​“Rationale for the Protocol”, it states the formulation of ​“appropriate health responses to not only contain the epidemic but also protect the health and safety of the community at large.” This can ​“include prevention and management of the Covid-19 pandemic, syndromic mapping, contact tracing, communication to an affected or at-risk individual’s family and acquaintances, performance of statistical analysis, medical research, formulation of treatment plans or other medical and public health responses related to the redressal and management of the Covid-19 pandemic.” This language, which is used throughout the Protocol, is ambiguous, as it is not clear what else could be included under it.

The government’s ability to collect, use, process and share the data collected is also mandated by what is deemed an ​“appropriate health response.” It also states that response data, which contains personal data, can be shared with the ​“Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/​Union Territory Governments/​local governments, NDMA, SDMAs, such other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, State Governments and local governments”, subject to the same mandate. The ability to access the personal details of millions of users by a range of governments and their agencies raises concerns regarding the potential for function creep.

The Protocol also allows for the sharing of data in a de-identified form, subject to the mandate mentioned above, and lists a non-exhaustive range of state institutions, departments and ministries that the data may be shared with. As discussed earlier in the report, scientists and digital rights organizations have pointed out that re-identification of data is possible. This also raises concerns about the potential for function creep.

• The Protocol states that the NIC would maintain a list of the agencies that Aarogya Setu data have been shared with only ​“to the extent reasonable.” For data sharing with third parties, the Protocol again specifies it should be done only to mandate ​“appropriate health responses,” but does not clarify what would constitute an appropriate (or inappropriate) response.

• The Protocol states that principles of ​“proportionality, necessity, and transparency” are to be followed, and that data collection should be done in a ​“non-discriminatory manner.” However, it does not detail how these principles would be interpreted or enforced.

• The Protocol lays down obligations on entities with whom data are shared, and says that they need to use the data ​“strictly for the purpose for which it is shared” and in a fair, transparent and non-discriminatory manner. It does not indicate how these obligations would be monitored or enforced.

The Protocol allows for data sharing with Indian universities and research institutions/​research entities registered in India, after the data have undergone hard anonymization. It further goes on to say that these entities ​“may share such anonymised response data with other Indian universities or research institutions/​research entities registered in India only if such sharing is in furtherance of the same purpose for which it has sought approval to access such data from the expert committee.” While the Protocol also adds that there will be penalties for de-anonymization, it is not clear how this will be enforced.

• The Protocol also made a noteworthy departure from the privacy policy that existed at the time. It said that contact, location and self-assessment data would not ​“ordinarily” be retained beyond 180 days from the date of collection, while the privacy policy had said that data would only be retained for a maximum of 60 days after the patient tested negative. This continues to be the case with the latest privacy policy − which is to say that the two governing documents of the app state two different things regarding data retention. There is also no additional information on what situations would count as ​“out of the ordinary”, or whether users would be alerted that their information had not been deleted. This raises concerns about the data collected by the app being retained or used for purposes above and beyond those currently claimed by the government.

f) Will the app or its data outlast the pandemic?

Statements from senior government officials indicate that the app is likely to be around for the foreseeable future. In May 2020, Union Minister Prakash Javadekar stated in a press briefing that: ​“This app will be a permanent help during…till we win the war against pandemic [sic].” He had been responding to a question about the privacy concerns that a Member of Parliament had raised about Aarogya Setu.

The Privacy Policy and Terms of Service of the app do not mention a sunset clause. The Aarogya Setu Data Access and Knowledge Sharing Protocol states that the ​“Empowered Group shall review this Protocol after a period of 6 months from the date of this notification or may do so, at such earlier time as it deems fit.” Legal experts from civil society organizations have questioned why the app does not have a sunset clause, and have pointed out that the clause in the Protocol is applicable only to the Protocol, and not the app.³³³ On November 10, 2020, the Protocol was extended for another six months, signaling that the app would likely remain in existence at least for another six months.³³⁴

The privacy policy does lay down a data retention policy with regard to the app’s data. It states that the personal information collected at the time of registration will be retained as long as the account remains in existence, or as long as it is needed for any ​“medical or administrative interventions.” All information relating to location, exchange of DiDs, self-assessment and its results are stored on the device for 30 days from the date of collection; if, by then, it has not been uploaded onto the server, it is purged from the app. In a scenario where the person tests positive, the data collected will be purged from the server 60 days after they have been declared Covid-free. In the case of people who have not tested positive, their information will be purged from the server 45 days after being uploaded.

An explicit option for users to delete their accounts was added on July 6, 2020. This would delete all the user data stored on the device that had not been pulled to the server. The personal information uploaded to the government server at the time of registration will be retained for 30 days after account deletion. But as per the data retention clause discussed above, it is not clear whether this option to delete accounts applies to the data of users who have tested positive for Covid-19.

The data retention policy is not applicable, however, to ​“the anonymised, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualisation created using such datasets,” as well as the ​“medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.” The policy offers no clarity regarding any of the key terms here, which raises serious concerns about function creep.

As pointed out in Pillar 1, the heat maps are part of the syndromic mapping process carried out by ITIHAS, which the government has stated to be useful from a public health perspective. Aarogya Setu Volunteer #2 stated that heat maps would help the government in its pandemic responses:

“Your data is wiped 60 days after you are declared to be cured of Covid. So that’s sort of built into the technology… It’s stated in the privacy policy, it’s the way this is designed to work… And so what will remain, of course, are these heat maps, but these heat maps don’t give you personal information, so all the aggregated anonymous information… and it’s good to keep it because that’s useful for research for the next pandemic, or just to figure out what… happened, a post mortem of this pandemic, so that we can improve our preparedness.”³³⁵

Aarogya Setu Volunteer #1 also indicated that insights generated from ITIHAS could be used at the stage of vaccine deployment, and that the overall tech-enabled framework could be repurposed for other datasets:

“ITIHAS can be used for other pandemics also. Today, ITIHAS gets its data from Aarogya Setu. Tomorrow it can also get [data] from some other things. We have understood the framework. We will have to rework and customize for other things. For example, vaccination. So you have to prioritize. Data from ITIHAS can go for the vaccination. I have, say, only 100,000 (vaccines) per state, so essentially we say that these are all the hotspots, this is where the disease is currently. The last seven months we have been predicting, and the prediction has been 100% validated now. These are all the places, now go and start injecting from this place.”³³⁶

They also indicated that the lessons learned from building Aarogya Setu could be helpful in developing ​“location-based” health services:

“This app is for contact tracing. But the lesson that we are getting is that health measures, whatever be this measure for getting it scaling, we need to start having a [system] where health will become a sort of a position-based service… So what Aarogya Setu has taught us is how to build a location-based service system… I think these types of position-based services are extremely important. This will actually make life and any medical intervention much more targeted and much more effective. And this will also give us a much more clear indication of any pandemic or any such disease, like dengue, etc…. For example, [if] there are dengue cases coming out of this locality, from this 100 x 100 meters, [then] the health authorities can go there and remove the garbage or anything where it is producing mosquitoes, rather than, say, in the entire state, [or] city. Why should we take that amount of time?… I know where the mosquitoes are, I know from where this disease is coming… I can go to the exact [spot] and find out whether there are any dustbins or stagnant water or whether drains are broken, etc. I can clean it and see if the dengue is getting eradicated from that place… The position-based app service is going to be extremely useful, especially in this context. So apps will become very useful.”

They added that they saw the creation of indigenous GIS maps as the next step in building position-based services nationwide:

“We need our own maps. [Now] we are relying on some external maps. We need our own maps…where we can store many Geographic Information Systems, GIS. We need a much more robust GIS which can switch onto these multiple domains. Not just [for] travel, but we need much more accurate GIS which can switch on to…health information, [and] which can carry many things about places. So GIS is going to become extremely crucial. And that is an integral part of any app. So, you develop any app, that app will be location-based. It will be a location-based service…We need one India map, and that India map should be robust enough to cater to many such things. This is medical, but you have many other things. That has been a very big goal.”

This indicates that the controversial GPS location feature was always, and is likely to remain, an integral and indispensable part of Aarogya Setu. They also explained that the information for indigenous GIS maps could be crowdsourced, and stated that these data were valuable:

“And that can happen very quickly with a sort of a crowdsourced effort. Like every sub-post office today, if you get, say, 100 volunteers who can give us this information, we can put [it] together and come up with a very, very interesting GIS in no time. That is something that we can do as an extension to this massive effort we have taken… It can be a volunteer-based effort… everyone has to give information about that place. Like today, that’s what we see in many of these maps, right? You get some information about… which street is there, what is there… Today [when] you go to some place, you’re asked to give a review of that place. And that’s how information is collected. So you’ll be using such services in your smartphone. And you visit some places, [and you] evaluate that place… This information has value, and it’s also revenue actually, [because] that entire place’s history is getting known. And that is how a Geographical Information System is formed. We need to do something indigenous for India.”

Aarogya Setu Volunteer #2 echoed this, and said that these maps could help in pandemic-preparedness:

“Google Maps was invented in India, and India couldn’t capitalize on the fact that the world’s most popular mapmaking technology was invented here in the country. It’s just bizarre… But the next generation of map technologies, which is very much that sort of technology, will very much be carried out in India on the ground. It can’t be done by satellites. These are really high resolution maps…and also in the third dimension… Drone maps, LIDAR maps, etc., will be able to map things in the third dimension… All of these sorts of things are going to make a huge difference. It will help ecommerce, logistics, delivery, but also it will help our emergency preparedness. So even for the next pandemic, or whatever the next disaster is that hits us, having accurate maps that are capable of giving us rich, geospatial information is critical.”³³⁷

Aarogya Setu Volunteer #1 also stated that they saw apps and location-based services as the future, particularly in light of the National Digital Health Mission (NDHM).³³⁸ The NDHM³³⁹ is an IT-based Open API-based initiative launched by the Prime Minister on August 15, 2020,³⁴⁰ which aims to digitize healthcare nationwide, using unique Health IDs for citizens, a network of healthcare providers, an insurance coverage and claims platform, telemedicine facilities, and e‑pharmacies.³⁴¹ The Health IDs are linked to the user’s phone number and/​or their Aadhaar, as well as to all their medical information, such as physicians consulted, prescriptions, diagnostic reports, summaries of previous discharges from hospital, payments, etc., all of which, according to media reports, can be shared with states, hospitals, diagnostic laboratories, and pharmacies. A pilot project was announced on the same day in six Union Territories of India. In addition, on August 26, 2020, the MoHFW released a draft of the Health Data Management Policy,³⁴² which was to act as a ​“guidance document” to ensure ​“security and privacy by design” for the protection of health data under the NDHM, and the larger National Digital Health Ecosystem (NDHE) under which it is subsumed. Civil society organizations have pointed out that a standalone policy which lacks the backing of a law, in the absence of a comprehensive Personal Data Protection Act, would be inadequate to secure sensitive information such as health data, and recommended pausing the pilot program until the bill was passed.³⁴³³⁴⁴ Prime Minister Narendra Modi, in his keynote address at the Grand Challenges Annual Meeting held on October 19, 2020, said that the Health ID would also be used for Covid-19 vaccinations in the country.³⁴⁵ On December 14, 2020, the central government approved the Policy.³⁴⁶

The NDHM has its origins in the 2017 National Health Policy, which had suggested the exploration of the use of Aadhaar in health data, the creation of registries for enhanced public health/​big data analytics, the formation of a health information exchange, and the use of smartphones/​tablets for capturing real time data.³⁴⁷ In July 2018, NITI Aayog proposed the creation of the National Health Stack (NHS) to ​“deploy a powerful technology arsenal, from Big Data Analytics and Machine Learning all the way to Artificial Intelligence and a state of the art Policy MarkUp Language” to create a ​“nationally shared digital infrastructure usable by both Centre and State across public and private sectors.”³⁴⁸ A MoHFW committee under the former Chairman of the Unique Identification Authority of India (UIDAI, the statutory authority for Aadhaar) took this up, and released the National Digital Health Blueprint in July 2019, which recommended the creation of the NDHM.³⁴⁹ In April 2020, a few days after the launch of Aarogya Setu, Arnab Kumar called the app a ​“temporary solution to a temporary problem,” and went on to state that:

“What we may have stumbled upon is the initial building block for India Health Stack so everything else apart from Covid-19 which could be linked to telemedicine, tele-consultation, etc., if people are interested, can survive beyond Covid-19, but whatever data is used for contact tracing has no life beyond this pandemic.”³⁵⁰

An independent journalist and researcher pointed out that there have been contradictory statements made by the senior members of Aarogya Setu regarding its role in the Health Stack:

“Why isn’t the communication absolutely crystal clear and unambiguous? So for instance, Arnab Kumar had said that this could be, not this is, but this could be the first building block of the National Health Stack?… And in an interview with CNN, Lalitesh Katragadda, who is one of the senior advisors for this app, he said it is the building block for the National Health Stack.”³⁵¹

In the CNN interview, Lalitesh Katragadda is quoted as saying: ​“Any residual data from the Aarogya Setu app will automatically move into the National Health Stack within the consent architecture, as soon as the health stack comes into effect.”³⁵² The CNN article goes on to say: ​“Residual data means any data that’s still on the govt server at the time the NHS becomes active. That includes location, health and personal data that has been downloaded to the server but hasn’t yet been deleted in the timeframes laid out by the government, Katragadda said.”

The independent journalist and researcher also went on to state that since some of these projects existed pre-pandemic, it raised the question of whether they should be implemented during a public health emergency:

“So, should the government be using a pandemic to push a digital agenda techno-solutionism onto people? It also raises questions of what the government should and shouldn’t do during a pandemic. Should they aim to deal with the pandemic, or to use it as an opportunity to push it to accelerate its own pre-existing agendas?”³⁵³

One of the key players building the NHS is the Swasth Alliance, a consortium ​“representing Hospitals, Health Tech players, Pharmacies, Partners and Investment Funds,” according to their website.³⁵⁴ Swasth was one of the teleconsultants on the Aarogya Setu Mitr Portal, before it was suspended. At the time of writing, there is no publicly available information regarding whether any data from Aarogya Setu will be used in the building of the NHS.

State-level Apps #

QUARANTINE WATCH

As discussed under Pillar 1 of this report, this app requires users to send selfies with their GPS coordinates in order to show that they are following quarantine. However, this has been criticized as an invasive measure which blurs the lines between public and private spheres,³⁵⁵³⁵⁶ and thus has consequences for the relationship between the state and citizens.³⁵⁷ As argued by Ayona Datta, ​“The introduction of the selfie in the quarantine app is an aspiration to extend the reach of state surveillance into intimate governance.”³⁵⁸ Coining the term ​“self(ie)-governance”, the scholar argues that ​“the Quarantine Watch app claims to replace the physical infrastructures of containment, asserting its power and authority instead through mimetic infrastructures of clicking and uploading with a smartphone.”

When asked about privacy, the Head of the State’s Covid War Room said: ​“Privacy is protected and all data stays with the government. The app is to ensure the protection of the health of all citizens.”³⁵⁹ He also said that the ​“selfies stay with the government, and are deleted after the 14-day quarantine period.”³⁶⁰

While the officials have talked about the backend process of verification, as well as the app’s data deletion policies, in media statements, there are no written documents outlining the same. The app is not governed by any specific legislation, and it does not have Terms of Service. As of November 22, 2020, there is also no specific privacy policy for the Quarantine Watch app. The link to the privacy policy redirects users to the privacy policy of the Land Records Department, Government of Karnataka.³⁶¹ As pointed out by SFLC in an analysis of the app, it is unclear whether this policy is applicable to the app.³⁶² Even in a scenario where it is applicable, there is no mention of the protocol for data deletion.

In at least a few areas in Karnataka, the app is supplemented by a few other, arguably equally invasive, measures on the ground. As detailed by an SOP (Standard Operating Procedure) ​“for enforcement of home quarantine of travellers/in-bound persons in the BBMP”³⁶³ issued by the Commissioner, in addition to the use of the app, measures taken to ensure compliance include affixing a sticker to the door of the residence of the home-quarantined person, and informing immediate neighbors and the Resident Welfare/​Apartment Owners’ Association and ​“requesting their vigil on the home-quarantined person”.³⁶⁴ The SOP also states that the Resident Welfare Association (RWA) ​“would be at liberty to engage private security personnel/​installation of CCTV cameras outside the home for supervision and monitoring of the home quarantined subject to the condition of not invading the privacy of the subject.” It is unclear who would determine if a privacy violation had taken place, or what the parameters of such an incident would be. Besides these measures, government-appointed teams under local Booth Level Officers (BLOs) are also directed to take a photograph of the home-quarantined person’s house, to ensure that the person concerned downloads the app and actively sends selfies, and to visit the house routinely to ensure compliance – all of which would be recorded on the app itself.

CORONA WATCH

Corona Watch displays the spots visited by Covid-positive patients in the 14 days before their diagnosis, as well as their home addresses. As per public information about the app, the names of patients are not displayed along with these addresses. However, we anticipate that it would not be very hard to ascertain the identity of a patient, as screenshots of the map interface indicate detailed and precise locations.³⁶⁵ Similar to Quarantine Watch, the Corona Watch app also does not have a dedicated privacy policy, and the link to the privacy policy on Play Store directs the users to a privacy policy of the Karnataka Geographic Information System.³⁶⁶

There have been documented cases of people facing stigmatization and even eviction because they have Covid-19, or were suspected of having it, which indicates high levels of stigma associated with this virus.^367368369 Therefore, the app’s display of information raises concerns about the possibility of community-level ostracism. These concerns are grounded in instances of harassment, both online and offline, that people have had to undergo when personal information about them was released into the public domain. In March 2020, officials in Karnataka released a district-wide list of the names and addresses of over 19,240 home-quarantined individuals.³⁷⁰ The list went viral, and many individuals on it reported being ostracized and harassed owing to it.³⁷¹³⁷² One individual whose home address was listed, tweeted that this was ​“Totally unnecessary considering these ppl have been hand stamped, served notice & are at home. To be treated like common criminals is terrible esp with RWA vigilantes around.”³⁷³

Since the map interface contains personal and identifying information, as well as specific details about travel history, screenshots of people’s personal information from the app, such as their residential addresses, can also persist and be misused post-pandemic, which further increases the risk of function creep.

CORONA VIRUS ALERT APP (COVA) PUNJAB

While the novel reporting feature on COVA may help authorities to stop the spread of the virus, as discussed in Pillar 1, it also raises critical concerns, as this tool can be misused. In particular, the potential for community-level enforcement to turn into community-level vigilantism is, once again, of concern. The tool allows users to take pictures of any group if they so desire. There is no information on the qualifiers needed to be a ​“mass gathering” and whether this is only applicable in public spaces. There is no publicly available information on the backend process of verification of these claims, and whether action is taken against those in the picture. Moreover, there is no immediate redress mechanism available for those whose pictures are captured. The technical analysis by independent experts also states that the app collects personal data, and sends it both to government-owned as well as to third-party stakeholders, which raises concerns about function creep.³⁷⁴

Reports of discrimination against groups based on factors such as caste, class, and gender cement the fear of misuse and negative impacts of community-level reporting. This will be discussed further under Pillar 3 of this report.

POTENTIAL FUNCTION CREEP OF ALTERNATIVE MEANS: SOCIAL CONTROL BY STATE AND NON-STATE ACTORS #

Drones #

As discussed under Pillar 1, officials have stated that drones help authorities carry out their responsibilities without putting their health at risk. At the same time, the use of drones, particularly those integrated with cameras and/​or AI, raises a range of privacy concerns, especially because they can be flown by or over areas that are traditionally private spheres, such as terraces and balconies, and outside windows.³⁷⁵ Drones can also be used to capture a large amount of footage or identify individuals from afar, without their consent. In a study of marginalized groups in the country on the lived experiences of surveillance during Covid-19, it was found that the very presence of drones can be unsettling and instill fear in people, and lead to self-censorship.³⁷⁶ These concerns will further be discussed under Pillar 3.

Overview of legislative framework for civil drones in India

At present, drones are regulated under Rule 15A of the Aircraft Rules, 1937 and the Civil Aviation Requirements (CAR) on ​“Requirements for Operation of Civil Remotely Piloted Aircraft System” issued in 2018 by the Directorate General of Civil Aviation (DGCA) under the Aircraft Rules, 1937. The Civil Aviation Requirements lay down the framework regarding the registration process for drones, permits needed to operate drones, and other operational requirements. Drones (with certain exceptions) for civilian use need to be granted a Unique Identification Number by the DGCA, and a permit is required. There are a number of clearances required for permit approval, and the rules state that an application should be submitted through the Digital Sky platform, seven days prior to the commencement of operations.

In May 2020, the Indian government granted a conditional exemption to entities under central, state, and district administrations or ​“authorized entities” from the provisions of the CAR, to use drones for aerial surveillance, aerial photography and Covid-related announcements subject to certain conditions.³⁷⁷ The Ministry of Civil Aviation (MoCA) and the DGCA launched an online portal called the Government Authorisation for Relief Using Drones portal (GARUD) to fast-track these exemptions.³⁷⁸ The conditional exemption and the GARUD portal eased the otherwise time-consuming and cumbersome process of applying for permissions as required by the Civil Aviation Requirements 2018:

“With the GARUD portal, they just said that it was a mic drop moment where you just give a form, and there’ll be someone who will click a button, and within 48 hours give you permission. That was a really bold move, at least from…the government’s perspective, where the government actually did show that forward-thinking step, that they’ll get out of the way and enable digital permissions. There was some public announcement that within 48 hours to 72 hours they would process all the applications.”³⁷⁹

In the midst of the pandemic, in June 2020, a draft of a dedicated legislative framework for the drone industry − The Unmanned Aircraft System Rules − was released by the Ministry of Civil Aviation for public comments.³⁸⁰ At the time of writing, these rules have not been notified. Once notified, these rules will replace the current Civil Aviation Requirements 2018.³⁸¹

Privacy, surveillance, and issues of transparency during Covid related operations

As noted above, through the conditional exemptions, the central, state and other authorized entities are exempt from the provisions of the existing Civil Aviation Requirements. This move can help agencies take action more quickly, without being bogged down by red tape. However, there are certain costs associated with this. Such exemptions provide the state with broad discretion and power, with limited oversight. The digital rights group IFF has called for the withdrawal of these exemptions, stating that the aerial surveillance permitted by them violates the right to privacy judgement of the Supreme Court, as the invasive nature of drones and their impact on privacy would not be proportional to the aims of the exercise.³⁸² They also point out that ​“Aerial surveillance is thus an unnecessary and intrusive measure which will only create and further the threat and anxiety of mass surveillance in the country”.³⁸³ These concerns are embedded in the past experience of use of drones by law enforcement agencies, often without much transparency.³⁸⁴ For instance, multiple RTI requests filed by MediaNama on the use of drones by the Delhi Police to monitor protestors were returned with inconsistent answers.³⁸⁵³⁸⁶

The public notice allowing for the conditional exemptions places the responsibility for drone operations on the government entity. It states that ​“The responsibility of safe operation of the RPA [Remotely Piloted Aircraft] shall rest entirely with the Government entity. Each RPA operation shall be carried out under the overall supervision and control of the Government Entity. The RPA shall, at no time, pose a risk to life, property or any other manned/​unmanned aircraft.” The exemptions also state that the government entity can use a third party operator as long as the responsibility lies with the government.

The drone operations in the country were largely carried out by various law enforcement agencies in partnership with private drone operators. However, there is a lack of documentation available in the public domain on key partnerships, and the procedures followed. For instance, we could not find any official documentation regarding the NDRRF, its formation, its roles and responsibilities, its membership, its terms and conditions, or the nature of its collaboration with law enforcement agencies, even though it has played a critical role in carrying out Covid-management operations nationwide.

a) Privacy

In our conversation with the DFI Director Smit Shah, he reiterated that the aim of the operation was to monitor the crowd at large, and not to identify any particular individual. He also added that the manner in which drones were used precluded the possibility of privacy violations:

“… It is more about monitoring and more about increasing police efficiency, rather than… nabbing people.

In case there is any particular area where people are standing, then you [would] take a picture of it and upload it to a dashboard that we had. The dashboard would have a GPS coordinate, the police control room would look at the picture, because [it’s from] probably about 100 feet to 120 feet above, in the air, so it would be a top view to see if people are there or not, and the police would then decide to act accordingly. They would dispatch a local team to look [into it].

… Our objective is not to identify people. And even if the police tried to look at footage and tried to find a police patrol on the ground, and if people are still standing around and the police arrest them, then it’s still a law and order situation. It is not really invading someone’s privacy because you’re not really peeping into someone’s window… From a pandemic perspective, from a lockdown monitoring perspective, I would still educate people saying it was not a privacy concern because no one had the time to single out people and try and catch them.”³⁸⁷

Reports of the use of drone footage to arrest violators of the lockdown suggest, however, that at least in some cases, identification is possible, and that this method has been used. In the southern state of Kerala, in Kasargod district, police personnel have claimed that they used drone footage to separate gatherings of people, and to arrest 160 – 170 violators in three days.³⁸⁸ In a media comment, a senior official explained that in addition to reviewing the recorded footage collected, the police also found the live feed from the drone useful.³⁸⁹ The Kerala Police had also posted a compilation video on their Twitter handle of lockdown violators fleeing from drones, which subsequently went viral.³⁹⁰

In another case, in the city of Mumbai, it was reported that over 45 drones were used to enforce lockdown measures.³⁹¹ This operation was carried out by a collaboration between the Drone Federation of India, Sagar Defence Engineering, DroneStark and the Mumbai Police. According to news sources, both surveillance drones and drones mounted with speakers for making announcements were used. Reportedly, live footage from the drones is sent to the control center and any recorded footage is transferred to the Mumbai Police. However, those involved with the operations have stated that recording does not add a lot of value, and if any recording takes place, it becomes the ​“property of the Mumbai Police.” There is no publicly available notice regarding this collaboration and the data sharing and data protocol followed.

Notably, an authorization letter³⁹² was also issued by the Mumbai Police stipulating conditions for drone operations: drones could be flown only in predefined areas, and at a maximum height of 100 meters, and the presence of a uniformed police officer was mandatory while the drone was flying. Media reports about the letter indicate that it said that the surveillance should not ​“interfere with the individual freedom of the citizens.”

In Mumbai, members of an upscale residential colony received an email from the residential society informing them in advance about drone surveillance that would be taking place in their area. It was reported that some wondered if the drones would hover in front of their living rooms. ​“People are appreciating the effort, but we hope that they’ll only fly the drone in common areas,” one of them is quoted as saying.³⁹³ Smit Shah, who was involved with this drone operation, said that their work had been misconstrued as a monitoring of residential spaces:

“…We were not acting as the police. It was probably just another CCTV camera, far away in the sky, just generally monitoring whether people are there or not. Some people just blew it out of proportion and said that you’re going to monitor residential areas and this and that.”³⁹⁴

There is no publicly available information about whether police personnel in other cities where drones had been used, either through the NDRRF or other drone operators, had issued directives regarding privacy.

b) Transparency

There is not much information available in the public domain regarding the nature of collaborations as well as protocols followed during the operations. But, in an interview with Smit Shah, he explained how these operations had been carried out with complete transparency:

“Mumbai was a little different, because we were trying it out for the first time, and for the first one and a half [to] two weeks we were trying to analyze how people respond. Every other city where we operated, the first day when such activities were started, at… the main chowk or marketplace, or in a significant area of the town, the entire drone team was brought, the local police came over, the local police invited local media from that particular city, and gave good interviews and talks about how they are going to use drones for the next two weeks or so. And it was in the papers, and the next day [it would be] in all of the local channels. That was our way of probably explaining, how we could probably educate people altogether… That’s how we tried to do our part.

It was never secretive… it was out there in the media as well. In a very planned way, they knew there were drones being used.”³⁹⁵

Besides the issue of prior knowledge of the operation of drones, it is unclear what the data retention and data storage policies of the law enforcement authorities are, as different states have been reported to use different procedures. It is also unclear what the protocol is regarding data transfer procedures between private drone operators and law enforcement agencies in different states, or how compliance is ensured.

As noted, reports suggest that the general protocol is that drone operators transfer all footage and photographs to police officials, and retain none of it.³⁹⁶ In some cases, the footage is sent in real time to the police control room, and in other cases, a physical copy of the data is transferred after the operation.

In the case of Kasargod, Kerala, it was reported that the footage was stored on the mobile phones of police officials and the private operators were asked to delete the footage once they had transferred it to the police.³⁹⁷ In Amritsar, drones were equipped with Artificial Intelligence (AI) that can detect the distance between two people and relay that information to the police with GPS coordinates.³⁹⁸ In a news report, the CEO of the drone company said that ​“Police forces around the country used drones to assist in enforcing the lockdown and monitor areas, but all of that was essentially manual monitoring of live feeds. That way you can maybe fly many drones, but people will have to monitor all the feed manually.” He added that recording is done in cases where the police personnel directs them to do so and that no data is retained by them: ​“The order to record footage is usually given by the senior authority watching the live feed, but in some cases, the police accompanying the operator can also ask them to record the footage,” Singh said. ​“They have their own protocol.”³⁹⁹ Thus, with varied procedures across states, it is hard to ascertain compliance.

But in our conversation with Smit Shah, he said, with regards to the functioning of the NDRRF, that drone operators had to sign an agreement letter before they started, which laid down the rules:

“Everyone had a written guideline. There was a very detailed but one-page SOP that was prepared, which clearly… [said] there was no need to record any video, first. Second, there was no need to record any high resolution video. In case there was a need, then it was to be… a low resolution image from a very high altitude, not identifying any object or any particular person. Because all these images that you capture, they are geo-tagged. So they have latitude and longitude. So you don’t really need the details of the image to identify what location this is. We just need to be objectively seeing that okay, are there too many people or not. If there are too many people, then they can follow the geo-tag, and then the local police can do their law enforcement job.

…. Does this mean that people cannot record? They can. But that would be illegal. They can be prosecuted for it… It was a written document, and when the payments were being made or when the acknowledgements were being made, it was on record. It was not only education [about the guidelines], but also some sort of a consent and agreement to those guidelines.”⁴⁰⁰

When asked how it would be possible to ensure compliance nationwide to ensure that no recordings were made or retained, he said that they did so by following the existing legal framework, and by working closely with law enforcement in the respective cities:

“So every time when an operation was being conducted, it was not the drone pilot’s operation, it was the police whom we were working with. And the entire pandemic, we worked only under the assistance of the police. So no vigilantes [were] allowed.

There were a lot of cities where we reached out, and they said, ​‘It’s a good idea, but we don’t need to use drones.’ So we said, okay, the police say they don’t want to use them, we will not become heroes or vigilantes in this. That was one clear way of working under the law and order system. And from a drone regulation perspective, things are still a little fluid.

There is a robust regulation in place, which again, talks about a platform called the Digital Sky Platform − some part of it is functional right now, some part of it is not. So absolute compliance with the very nitty-gritties of the law and the system would be seen for everyone in probably the next three to four months of time; but before that, we make sure that you are compliant to all the operational regulations. So the law talks about where you can fly, where you cannot fly, how you can fly…about the general privacy aspect. And so we did comply to all of those things. And we made sure that we operate only under the guidance and advisory of the law enforcement bodies. So that was [the] two ways through which compliance was ensured.”⁴⁰¹

In this instance, a collective of volunteers seems to have been formed at short notice to respond to the unique nature of the situation, and laws were fast-tracked to facilitate it. At the same time, it is not known whether the exemption and the GARUD portal functioned as per their stated objective, i.e., to ensure that entities can register without losing time. An RTI filed by MediaNama found that, as of June 25, 2020, no entities had been granted exemptions using the GARUD portal.⁴⁰² The media organization followed up via email to Amber Dubey, Joint Secretary, Ministry of Civil Aviation, asking for the reasons for this. The article reports that he said, ​“New changes take time to get universal acceptance.”⁴⁰³ The article further states: ​“He said that many government entities ​‘feel more comfortable sending us letters and emails than applying online on the GARUD portal.’”⁴⁰⁴ This seems to indicate that exemptions have been granted, just not through the portal itself.

In addition to this, the broad exemptions granted to government entities for Covid-related operations took place without a parallel conversation about privacy and digital rights safeguards. There was no mention of privacy in the conditional exemption notice. It must also be noted that even if the government entities were not granted an exemption to the provisions of the CAR, there are insufficient safeguards available.

Experts have routinely pointed out that the drone regulations insufficiently address the issue of privacy.⁴⁰⁵⁴⁰⁶ While there is a reference to the issue of privacy in the current drone regulations and other accompanying public documents, they fall short of addressing how these principles will be put in practice.⁴⁰⁷ The Civil Aviation Requirements only have the following clause that addresses the issue of privacy: ​“RPA operator/​remote pilot shall be liable to ensure that privacy norms of any entity are not compromised in any manner.”

The draft of the Unmanned Aircraft System Rules 2020, which would replace the current CAR once it is notified by Parliament, also falls short in this aspect.⁴⁰⁸ In the draft, as pointed out by Tripti Jain, only one clause touches upon the issue of privacy, and does so insufficiently. Clause 35 (1) states that ​“an imagery may be captured by an unmanned aircraft except in the non-permissible area after ensuring the privacy of an individual and his property.” But the rules do not specify how this will be achieved.⁴⁰⁹

These issues are compounded by the absence of a data protection law in India.

As noted above, the lack of a uniform procedure to be followed when it comes to critical issues such as data recording and data deletion raises concerns about the potential misuse that drone surveillance can have beyond the pandemic.

Online Portals and the National Migrant Information System #

ONLINE PORTALS

As discussed under Pillar 1, various online portals were launched by state governments during the lockdown to regulate movement. These portals ask for a wide range of personal information such as name, address, reason for travel, ID cards/​documents, etc. While this information may be necessary from an administrative point of view for planning and logistics, there has been no accompanying conversation about data protection measures put in place with regards to this.

It must be noted that for migrants who were stranded across the country and facing severe food shortages, such concerns are less likely to occupy their attention, as their very survival was at stake. Migrant workers had no way to meaningfully consent to the collection of data, which makes it even more critical that the state machinery takes full responsibility for ensuring that the personal information collected is secure and not reused for unrelated purposes.

None of the state portals had an accompanying privacy policy. Neither did they state their policies regarding data retention, deletion and sharing. This limits the possible data protection safeguards that would have otherwise been available. Additionally, in the absence of any clear data retention or deletion policies, it is possible that the data can be used for other purposes, including beyond the pandemic.

THE NATIONAL MIGRANT INFORMATION SYSTEM

As discussed in earlier sections of this report, the National Migrant Information System was introduced to enable faster and smoother coordination of travel arrangements for migrants between different states. This central repository hosts a vast range of information, which makes it crucial that adequate measures are taken to ensure that data privacy and security is maintained. These issues are discussed in detail below.

Privacy and data protection

While the publicly available letter from the Home Secretary does not include discussions on privacy or policies such as data retention or deletion, the response to the RTI indicates that some data protection measures were undertaken. It describes the system as an ​“indigenous GIS based application developed by the National Disaster Management Authority,” and states that the data collected are not shared with third parties.⁴¹⁰ However, the language of the public letter uses ambiguous terminology when it comes to who has access to the portal. The letter states that ​“States/​Union Territories, Ministry of Railways, and other stakeholders would be able to access the portal.” However, the letter does not define who these ​“other stakeholders” are.⁴¹¹ The letter also mentions the following as an ​“expected outcome” of the NMIS: ​“Easy accessibility of the database to the railways and other transportation management systems to plan the movement of stranded people.”⁴¹² It does not specify which other transportation management systems would have access to the data.

The second measure undertaken, as indicated in the response to the RTI, is that the data are encrypted and stored securely on a server hosted by the NIC.⁴¹³

In response to a question on whether there is a specific time frame for this portal, the RTI stated that there is not.⁴¹⁴ The publicly available letter is not very clear on this front. On one hand, it states that ​“NDMA has developed a geo-spatial portal as a decision support for current pandemic situation,” indicating that the portal’s existence would be limited in time.⁴¹⁵ However, at other points in the letter, the language used raises concerns about possible function creep. For instance, under the section that describes the various benefits of the system, there are two noteworthy points: ​“a) NDMA central repository can be used to plan and also keep in touch with the migrants for giving them benefits by states (if any), or plan their return journeys; b) Migrants can be sent alerts on their mobile numbers for various services such as date of journey, coach number, and in future for benefit transfer or contact with employers.”⁴¹⁶ This indicates a possibility of linking the repository to welfare measures that might be undertaken by states in the future. It is unclear why the repository would be used in order to contact employers.

Additionally, the RTI response states that there is no data retention and deletion policy.⁴¹⁷ There is, however, some evidence that the data collected may be used in the future. A senior central government official responded to the question about whether the portal was still functioning with the following:

“No, of course not. Because the movement of migrants was there only for a short time. So, now, it is no longer there. It was basically to monitor the movement of migrants. Now, all this information is with us. So, if it is required for some other purpose, for planning purposes for their reverse travel, etc., [then] it can be used.”⁴¹⁸

Legislative framework

At the time of writing, there is no specific legislative or executive framework governing the repository. In response to an RTI question on the same, it was stated that: ​“This is a technical platform for the use of stakeholders developed, there is no legislative or executive framework develop[ed] for this purpose.”⁴¹⁹

It should also be mentioned that there has been an overall lack of debate around privacy concerns related to the NMIS, in spite of the fact that it collects a vast trove of data from a large contingent of marginalized people. This will be further discussed under Pillar 3 of this report.

PILLAR 3. APP RESPONSES AND ALTERNATIVE MEANS: EQUAL ACCESS AND PARTICIPATION OF VULNERABLE GROUPS IN SOCIETY #

APP RESPONSES: EQUAL ACCESS AND PARTICIPATION OF VULNERABLE GROUPS IN SOCIETY #

Aarogya Setu #

Access to the app

There have been several concerns raised in the discussion regarding the introduction of contact tracing apps worldwide about the exclusion of those who do not have meaningful access to these technologies, and thus to any benefits that such technologies could bring. For instance in India, disability rights activists have pointed out that the app is still inaccessible to users who are blind or have low vision. As per WHO statistics, it was estimated that there were 62 million visually impaired people in India in 2010, 8 million of whom were blind.⁴²⁰ According to another 2010 study, India is home to more than 20.5% of the world’s blind, 22.2% of the world’s low-vision population, and 21.9% of those with vision impairment.⁴²¹ This excludes a significant proportion of the population from being able to access the public health benefits of Aarogya Setu.

Another primary concern has been regarding the lack of access to technologies and the internet. A recent report by UNICEF shows that only 24% of households in India have access to the internet.⁴²² The National Family Health Survey (NFHS) 5 (Phase 1) conducted in 2019 – 20 by the MoHFW documents both the urban-rural divide and the gender gap in accessing the internet.⁴²³ On average, only 42.6% of women have ever used the internet, and 62.16% of men. In urban India, it is 56.81% among women and 73.76% among men; while the numbers are 33.94% for women and 55.6% for men in rural India.⁴²⁴

With the proliferation of cheaper smartphones and internet packages, the country has seen a larger penetration of mobile phone use and access to mobile data over the last couple of years.⁴²⁵ Despite this, statistics show that large sections of the population still do not have access to a mobile phone. Moreover, mere access does not always guarantee meaningful use of the device. Sunita Bandewar explained:

“It is really an issue of justice. And if we cannot be inclusive on account of the digital divide, for example, [then] it is actually very problematic. I may have access to a smartphone, but if the ecology or the environment in which I live is not conducive to the use of the phone, the way I want [to] use my agency, [then] there also is a kind of denial to the access to these digital technologies.”⁴²⁶

In a study of the surveillance experiences of marginalized groups in society during the Covid-19 pandemic, Radhika Radhakrishnan has documented the way in which power imbalances and socio-cultural hierarchies impact access to technology.⁴²⁷ Drawing on interviews with civil society groups who work with marginalized communities, she notes that power imbalances in the household, which are influenced by factors such as gender, can affect this access.⁴²⁸ For example, she found that victims of domestic violence were often not able to access helpline services on phones during lockdowns due to fear that they may leave behind a digital trail.

Bhavna Jha has pointed out that even if everyone who could install the Aarogya Setu app actually did, its reach would be limited. The gendered implications of this are particularly noteworthy. Jha pointed out:

“Only 16% of women have access to or use mobile phone internet. That also has an implication on how useful contact tracing through the app would be. Women, for instance, are the ones who go out to do vegetable shopping or congregate at watering holes. Then there is the problem of rural adoption. There are also geographical disparities. Densely populated states like Orissa and Bihar have lesser smartphone internet penetration.”⁴²⁹

The government has taken many steps towards making the app inclusive. The Aarogya Setu IVRS system was introduced for feature phone and landline users with the intent of reaching out to users who do not have access to smartphones. A version of the app was also introduced for the 5 million Jio Phone users in the country, which are low-cost feature phones that run on the KaiOS platform.⁴³⁰ In addition to English, the app has been rolled out in 11 regional languages. Yet, given the socio-economic realities in the country, a large number of people are nevertheless excluded from the use of contact tracing apps such as Aaroga Setu.

The mandatory/non-mandatory nature of the app

Aside from public health considerations, one of the factors that necessitates a meaningful inclusion of users is that the app has been made mandatory in various instances. As discussed in Pillar 1, the Internet Democracy Project has documented several instances of the app being made mandatory for central, state and district administrations, as well as for entry into gated communities, to get access to health services, for inter- and intrastate travel, for entry into public and private educational institutions, and for taking examinations.⁴³¹ In certain cases, downloading the app has been made a prerequisite condition to be granted bail.

In April 2020, the central government made the app mandatory for all its officers and staff. Another order issued by the MoHFW outlining the guidelines for home isolation for mild/pre-symptomatic patients stated that the app must be downloaded and kept active at all times.⁴³² In the month of May, it also made the app mandatory for all residents of containment zones, as well as all employees, both private and public, with compatible mobile phones.⁴³³ Several private entities also made the app mandatory during this time.

An order issued on May 17, 2020 by the Ministry of Home Affairs signaled a shift in policy.⁴³⁴ The app was no longer mandatory; rather, district authorities were to ​“advise” the app’s use for those who have compatible phones, and employers had to ensure the downloading of the app on a ​“best effort basis.” Notably, as per data from the Aarogya Setu tracker, many orders issued by the central government after this have advised or suggested the app rather than making it mandatory.⁴³⁵

However, this journey of the app being mandatory and then non-mandatory is not linear, as there have been continued cases of the app being made mandatory, including by the central government, across various policy documents. For instance, according to the SOP highlighting preventive measures for Covid-19 in offices, released by the MoHFW on June 4, 2020, the installation and use of the app is mentioned as part of the measures that must be observed at all times by employees, including visitors.⁴³⁶ In another case, in the Revised Guidelines for Home Isolation of very mild/pre-symptomatic/asymptomatic Covid-19 cases issued by the MoHFW on July 2, 2020, one of the guidelines for patient isolation states that the app should be downloaded and kept active at all times.⁴³⁷ In yet another case, the Covid-19 Safe Workplace Guidelines for Industry and Establishment released by the Employees’ State Insurance Corporation (ESIC), Ministry of Labour and Employment, on September 30, 2020, recommended that the app be made mandatory for employees.⁴³⁸

Owing to these instances, particularly in a country where the digital divide is wide, those without access to smartphones could unwittingly be penalized for it. It also complicates the ability to access means of livelihood, healthcare, and other essential services for large sections of the population.⁴³⁹ The marginalized, who require greater state support during a public health crisis, could be denied this on the basis of non-possession of an app.

For example, in a news article, a home tutor spoke of how she was stopped by the security personnel at several of the residential buildings where her students lived, and asked to show the Aarogya Setu app on her phone. The temporary solution for this has been the family members coming down to the gate, and showing the security guards the app on their phones instead, which effectively nullifies the public health aspect. She is quoted as asking, ​“This whole app seems utterly arbitrary…If it’s so easy to circumvent it, what is the point of it? And what about people without smartphones? Will buildings not allow them to enter?”⁴⁴⁰ The article also mentions an incident that indicates that the app could contribute to further stigmatization of certain communities: a man in Delhi says that he ​“was grateful to the app when it first alerted him about the presence of a Covid-19 case in his vicinity. Since the app could not tell him the exact location of the Covid-positive person, Suresh first assumed it was the technician who had entered his home to repair a cable.” Later, he found out that it was the neighbor who lived in the apartment above his.⁴⁴¹

Food delivery and transportation start-ups such as Zomato, Swiggy and Uber have also made it mandatory for their delivery workers to download the app.⁴⁴² Below are two quotes from the National General Secretary of the Indian Federation of App-Based Transport Workers (IFAT), expressing their concerns, as documented in a study conducted by Radhika Radhakrishnan:

“If I don’t have trust on this app, then the choice to download or not download should be mine, not my company’s, no?…Where did you get the right to do this from? This is not your constitutional right to mandate people to download it…How do you have the right to stop someone’s livelihood and daily bread-and-butter because they did not download it?” (translated from Hindi)

“…Why are the rich not using it? Do they not know the app? Do they not trust it? Are they worried their data is getting stolen? Are they scared the app will record when they sit, stand, move?…The person who has to book an Uber does not have the app. Why is that so? If it is compulsory for the drivers, then it should be compulsory for people booking the service…If I am the CEO of Uber, why can’t I incorporate the Aarogya Setu app into the Uber app? Because my data will get stolen. Your data should not get stolen, but if the driver’s data gets stolen, that is okay?” (translated from Hindi)⁴⁴³

On June 4, IFAT released a press note expressing the ways in which the Aarogya Setu app could be used in a ​“retaliatory and exploitative” manner in the future:⁴⁴⁴

a) The data collected by the app could be shared with employers, leading to workplace surveillance and the possibility of punitive measures or other forms of action against employees.

b) The integration of their health status on the app alongside the data collected by the companies’ own apps could be used for ​“tailoring the quantum of work” that employees receive.

c) The sharing of health details could be used against employees, and such knowledge may also allow companies to evade their responsibility in the form of relief or insurance.

d) The possibility of the companies using ​“coercion for securing information from the app”, such as making the employees’ pay contingent on them possessing the app.

They also state that in the absence of a sunset clause and a data protection law in the country, the ​“snooping of an individual, accessing their contacts, camera and messages are valid concerns to consider,” and that the data collected by the companies may be used to ​“intimidate or exploit” the workers in the future.

Notably, some of these concerns expressed by IFAT are based on an assumption that the data collected by the app are being shared with private companies. At present, this is disallowed by the privacy policy and other governing documents of the app.

State-Level Apps #

QUARANTINE WATCH

The requirement for selfies by a state-prescribed app raises concerns about privacy and surveillance. As discussed in the earlier Pillars of this report, this requirement blurs the line between public and private spheres.⁴⁴⁵

While this blurring affects everyone, it can be of particular concern for women, whose respectability traditionally has depended on their primary location in the private sphere of the home. In these contexts, privacy functions not so much as a right, but as a duty for women, which they need to fulfil to be able to expect, among other things, protection from violence in the public sphere.⁴⁴⁶ The requirement to send selfies to government officials to prove one is in quarantine makes it impossible for them to continue to adhere to these norms as it makes even the private sphere public, potentially causing great discomfort on their part.

For others – some women, some men, and all gender and sexual minorities – the private sphere plays a different role in their lives. Because they do not fit the norm of what is seen as ​“respectable”, they are seen as not belonging in the public sphere and therefore are always at risk of violence there. The private sphere becomes a refuge from such constant threats. This dynamic, too, however, is disrupted by the requirement to send selfies.

CORONA WATCH

The public display of personal information is likely to have a disproportionate impact on marginalized and vulnerable groups in the state. For instance, access to the movement history of users can compromise the safety and security of women, even within the domestic sphere. It can be used as a tool for surveillance not just by the state, but by family members and other individuals as well.

We have not found evidence of this particular feature of Corona Watch being used to the detriment of marginalized communities in practice. However, there have been comparable instances of the public display of private information leading to violence and the ostracizing of particular groups.

One of the first-known instances of tracking using telecom data during the pandemic was in early March in New Delhi, before the lockdown. It was done to trace individuals who had visited or been in the vicinity of a large religious congregation organized by the Tablighi Jamaat, a Sunni Muslim missionary movement. Several states circulated lists of people who were thought to have attended the religious event, which included their names and phone numbers. This event was made a national talking point by several media outlets, who used terms such as ​“Corona Jihad”, ​“Tablighi Virus”⁴⁴⁷ and ​“Markaz mayhem”, with one channel claiming that the Tablighi Jamaat organizers had plotted to ​“defeat the efforts made by Narendra Modi’s government” to contain the spread of the disease.⁴⁴⁸ As the media coverage rose, there were reports of violence against Muslim individuals who had returned from the convention.⁴⁴⁹ There were also attacks against other Muslims, their businesses or means of livelihood, as well as mosques in different parts of the country in the following weeks.^450451452

T. Sundaraman, Convenor of the People’s Health Movement India, was quoted in a news article as saying: ​“The Tablighi incident seems to have set the pattern to treat patients like criminals, and do contact tracing through any means.”⁴⁵³

CORONA VIRUS ALERT APP (COVA) PUNJAB

As noted in earlier sections of this report, app users can take a picture of an area and send it to authorities along with comments using the ​“report a mass gathering” functionality. We have not found any reported instances of this tool being misused. However, as previously noted, there have been various reported cases of ostracizing and targeting along the lines of caste, class, religion, and gender. Allowing users to access the ​“reporting others” function further plays into such trends as this places a certain degree of power in the hands of the user. The study by Radhika Radhakrishnan, which looked into the impact of some of the state-level apps with similar features, points out that such apps legitimize community-level surveillance, and facilitate the ​“public to become spies.” In this sense, communities can carry out surveillance in a manner that was traditionally given to state institutions − but without the commitments to equality that the latter are constitutionally beholden to. In a deeply unequal society such as India, community surveillance is a common mechanism to keep existing divisions and power relations intact. Features such as ​“report a mass gathering” now give such efforts a new veneer of respectability: ​“State apps, such as the ones discussed here, provide a less risky way to carry out the same kind of community surveillance in a more socially acceptable manner.”⁴⁵⁴

The study also draws attention to the fact that because of the ability of the dominant communities to have access to the data for surveillance (in this scenario, the app), there is a greater likelihood of surveillance of marginalized communities. As noted, Muslims are among those who have been unduly targeted and discriminated against. In another case, posters were put up in a city, which read:

“Warning: Do not allow Kojja,⁴⁵⁵ Hijras⁴⁵⁶ near the shops. If you talk to them or have sex with them, you will be infected with #CoronaVirus. Beat & drive them away or call 100 immediately. Save people from Corona Virus Hijras”⁴⁵⁷

This kind of surveillance could pose a legitimate security threat, particularly to marginalized groups in the state. It can be used to target religious minorities, sex workers, LGBTQ+ people, and more. Marginalized communities are also likely to have the least degree of access to systems of redressal.

ALTERNATIVE MEANS: EQUAL ACCESS AND PARTICIPATON OF VULNERABLE GROUPS IN SOCIETY #

Drones #

In addition to the issue of privacy, as noted by Tripti Jain, drones can be used to monitor individuals and communities in a way that creates an environment of fear and self-censorship. The presence of drones can alter behavior and have a detrimental impact on the fundamental right to freedom of expression.⁴⁵⁸

The negative impact of drones on an individual’s fundamental right to privacy, as well as other rights such as the right to freedom of expression, is not uniform. Communities that are marginalized on the basis of socio-economic factors, such as class, caste, religion, gender, and sexuality, as well as protestors and other groups that are monitored by the state, are likely to be more at risk.

Radhika Radhakrishnan’s study has documented how drones have been used during the pandemic, and the impact of this on marginalized groups in the country.⁴⁵⁹ One of the individuals quoted, who is identified as a ​“daily wage laborer from a predominantly Muslim locality in Jharkhand”, described the fear people in his locality experienced when they saw drones in the sky:

“He recalls that, during Ramzan, ​‘people were coming out of their homes for the daily rozana [prayers], but social distancing was being maintained.’ At the same time, ​‘drones were deployed because maybe police were scared that people were coming out too much.’ He added that ​‘people were scared of drones capturing their images. Men used to move to the sides of the roads when drones were coming.’”⁴⁶⁰

In another instance in the study, a nurse who resides in a predominantly Muslim locality said:

“’People were not getting medicine because if they left the house, drones were coming and monitoring, and people were being scared so they’d go back inside.’

She also expressed fear about having to leave her home to attend to patients, saying, ​‘It’s not written anywhere that I am going for work… that’s why I was scared.’”⁴⁶¹

These anecdotes indicate that people, and in particular those belonging to marginalized communities, might hesitate to access, or sometimes offer, even essential services out of fear and uncertainty about the potential repercussions of being surveilled. This could defeat the very purpose for which these tech-enabled tools have been deployed during the Covid-19 pandemic.

It also points to the fact that there needs to be more information made available to the public before drone surveillance measures are enacted. While industry leaders have mentioned using media channels and emails to inform people before commencing drone surveillance, these notifications or alerts are less likely to reach or be accessible to socio-economically disadvantaged communities.

Surveillance is also gendered as women and other marginalized genders have a more troubled history with being surveilled, as well as with being able to take ownership of their bodily autonomy, in both public and domestic spheres. Here, drones complicate these spaces even further, since there is no information available about who is on the other end of the device.

It is also noteworthy that the ground zero for testing how people ​“respond” to the use of drones,⁴⁶² as well as the location where no advance notice regarding the surveillance was given, was Dharavi, a colony that is home to some of the poorest and most marginalized communities in the country, if not the world. The lack of transparency involved, and the decision by law enforcement authorities to conduct the trial run amongst a community of people who are very unlikely to have the resources to access information, or systems of redressal, is concerning.

Lastly, drones of varying technical capabilities, including those with thermal scanning and artificial intelligence, on occasion make inaccurate assessments which could have severely detrimental consequences. There is extensive scholarship and documented evidence on the biases that AI systems can have.⁴⁶³ Oftentimes, the impact of these biases have been disproportionate towards marginalized groups. As discussed previously, arrests have been made against violators of lockdown as identified from drone footage.

Online Portals and the National Migrant Information System #

NGOs and volunteers who worked on the ground during the lockdown have documented the difficulties migrant workers have faced in accessing technological tools like the different state-level online portals, as well as the coercive measures used against the workers.⁴⁶⁴ As discussed in Pillar 1, there were many hurdles that migrants had to face in order to travel.

An interviewee explained that the frequently changing regulations around travel were one cause for concern:

“The rules and regulations were also changing so rapidly. For example, in Bombay, initially, they said that you have to go to the nearest police station to register for a seat on the train. Then they said, okay, you need to get a Covid test done. So, where do you get a Covid test? And then they said, okay, only government hospital[s], you can go and get a Covid test done. And they said, okay, no more Covid testing [needed]. All this happened in a period of 10 days that decisions were changed. After that happened, we started telling people, it’s okay if you don’t get a Covid test done. But when they [would] go to the police station, they would ask for the Covid test and [the police would] say, ​‘No, get your Covid test done’. And there [were] all kinds of chaos as far as that was concerned, because things were changing so quickly as far as the rules and regulations were also concerned.”⁴⁶⁵

They also described how this impacted the migrants:

“When people were traveling by road, the Maharashtra Government had decided that they would only drop off people till [the] Maharashtra border, then they would have to actually get an e‑pass for some people who had to go to Bihar, Chattisgarh, Jharkhand, U.P. [which are] further up North. They had to get a pass for Chattisgarh, then they had to get a pass for Jharkhand…Imagine a worker having to coordinate that and figure it all out? Some people were able to go without any of it, some people had to go through with the entire procedure. There was no one uniform way of getting it done. And in desperation, people did whatever, and acted on whatever information they got. Because when you’re on the road, and you want to get to someplace, you’re going to do whatever it takes. Obviously, people paid lots of money.”⁴⁶⁶

Not only was the overall situation very unfavorable for migrant workers, evidence suggests that measures such as online portals, despite good intentions, may have worsened some of these problems. NGOs and civil society groups working with the migrants have described navigation of the online portals as a ​“nightmare.”⁴⁶⁷

In an opinion piece, Anindita Adhikari and Seema Mundoli, volunteers with the SWAN collective, note:

“One of the first things a few states did was to set up portals where the stranded workers could register to travel to their home states. Not surprisingly, the process for registration is as varied as the number of states! There is no clarity on whether the workers have to fill forms of their home states, or states to which they have migrated or both. Some forms were entirely in English, or in English and the local language of the state in which the migrants were stranded. But the majority of workers hail from Hindi-speaking states such as Jharkhand, Bihar and Uttar Pradesh. Some portals allow only individuals to register − not as families or in groups − while others had limitations on how many could register using a single mobile number. Adding to the complexity were requirements for ID with specifications of size (MB) and format (PNG, JPG). There were long lists of terms and conditions with instructions on medical screening prior to being allowed to travel and the need to get approvals from local officials. OTPs to register, SMS to track for confirmations, and e‑pass expiry timelines were the other complications. Portals of a few states had captchas to enter − one absurd example is where the person registering had to identify the squares in a grid that had palm trees! Uttarakhand also mandated the downloading of the Aarogya Setu app, mired in controversy over security issues, in order to register. If by some chance, the worker was finally successful in registering, there was no information on train schedules or fares.”⁴⁶⁸

One of the instructions on the National Informatics Centre portal, which hosts the different state travel websites/​portals, asks applicants to ​“Please use an active mobile number to receive verification OTP”⁴⁶⁹ and to ​“Keep the scanned copy of the requisite documents before applying”.⁴⁷⁰ Both these instructions indicate that the respective portals require users to own a phone with an active SIM and internet connection to be able to process their applications. As discussed in previous sections of this report, the digital divide in the country, as well as its gendered dynamics, made it very challenging for workers, particularly women, to access these services.

There are also reports of migrants being asked for money when they sought help with these forms. In one case in Mumbai, as documented by SWAN, workers were charged INR200 per form by shops that had helped them out.⁴⁷¹ In cases from Uttar Pradesh and Punjab, workers reported paying to get the forms filled out owing to reasons such as their lack of access to smartphones and their uncertainty about being able to fill out the form correctly.⁴⁷²

Some states did offer the option to register offline by reaching out to district administrations or local offices.⁴⁷³ However, according to SWAN’s reports, the constraints imposed by the pandemic often meant the offices were inaccessible. A social worker in Delhi who worked with migrant workers described the issue as: ​“These people don’t even know how to go online and register themselves. Even if we are trying to help, the portal isn’t working. The DM [District Magistrate] isn’t reachable. The only way to transport them is if we can arrange a vehicle. It’s easier to get an e‑pass to travel if you have a vehicle.”⁴⁷⁴

The National Migrant Information System, for its part, is a repository of a wide range of personal information about one of the most vulnerable groups in the country. However, there is a lack of information and clarity regarding the data protection safeguards and measures built into the NMIS system, as well as their data-sharing policies. Owing to economic and social constraints, migrant workers are likely to find it difficult to access information about the ways in which their data will be used, or systems of redressal for concerns regarding the same.

It is also important to note that while other technological measures taken by the government to combat the pandemic have received a lot of media coverage and public attention, and generated discussions in the digital rights circles within the country as well as abroad, this is not true of the NMIS. The data security of millions of migrant workers has not become a talking point in the country, and there is still very little information available in the public sphere about the development or functioning of the portal.

CONCLUSION #

In the 72 days between December 31, 2019, when the Wuhan Municipal Health Commission, China, first reported a cluster of cases of what was then described as ​“pneumonia” in Hubei Province to the WHO China Country Office,⁴⁷⁵ and March 11, 2020, when the WHO classed Covid-19 as a pandemic, the world as we knew it had changed a lot. This was atypical, since Covid-19 is by no means the first modern virus the world has faced. In the last two decades alone, we have seen the outbreak of deadly viral diseases such as Ebola and SARS, and a cornucopia of flus with high fatality rates.

And yet, none of these diseases caused the dramatic upheaval of global social and economic systems in the way Covid-19 did. Even though the words ​“unprecedented crisis” have now become a cliché that peppers everything from news reports to private communications, it is important to remember that the phrase is, by all accounts, accurate. This has been attributed to a range of factors, including the fact that illnesses such as Ebola, SARS⁴⁷⁶ and MERS are not transmitted as easily as Covid-19, and that there are currently no data to show that pre-symptomatic transmission occurs for these infections.⁴⁷⁷ This is not the case with Covid-19, where people who do not know that they have been infected, and therefore have not yet accessed healthcare services, could ostensibly still be interacting with other people as usual, thereby spreading the virus rapidly. This is one of the reasons why measures such as lockdowns and contact tracing formed the crux of public health measures in many countries early on.⁴⁷⁸

The world ground to a near-complete halt for a significant part of 2020. This in turn dealt a crushing blow, particularly to the poor and marginalized all over the world.⁴⁷⁹ The United Nations predicts that 490 million people will lose access to at least one of the following within the next year: clean water, adequate food, electricity, schools.⁴⁸⁰ The World Bank estimates that the number of people living in extreme poverty (the calculation they use being that they subsist on less than USD1.90/day) will rise by about 70 to 100 million in 2020, and that the impacts of this steep recession are likely to be long-lasting, particularly in countries such as Nigeria and India.⁴⁸¹

This context is important to remember when we assess the strategies used by the Indian government since January 2020 to control the spread of the virus. Though India is no stranger to epidemics − cholera, smallpox, bubonic plagues, and swine flu, to name a few in the last century – this was a novel virus, about which there was little to no clarity regarding the ways in which it was transmitted, incubation periods, how long the virus could survive on different surfaces, mortality rate, co-morbidity risk factors, or effective methods of treatment.

The context is also significant when we consider the mammoth task facing the Indian government not only in 2020, but in the years ahead. At a time when even the most industrialized and wealthiest nations are struggling to emerge from the economic blow dealt by the pandemic, India’s fledgling system of primary healthcare and average population density of 464.15 per km2 make it particularly vulnerable to a highly transmissible virus.

It is common, and often necessary during global public health emergencies like Covid-19, for governments to shift gears to function in crisis mode: in a democratic system, this might involve the temporary suspension of certain rights, the easing of regulations around the approval and implementation of strategic public health measures, accelerated partnerships with private entities, and a fast-tracking of the functions of administrative agencies. But the re-examination of these changes must be an on-going process: we must keep in mind that these were exceptional cases and circumstances, and not meant to become the new normal. The challenge for all democratic governments is then to subject all these changes to a rigorous and on-going analysis of whether they extend or curb the fundamental autonomy and dignity of the individual, and the welfare and security of marginalized communities.

One of the themes that came up in several of our interviews, across a diverse range of stakeholders, was the concept of trust. Trust is the linchpin of public health in a democracy − not only the citizens’ trust in the government and its decisions, but also people’s trust in one another. The Covid-19 pandemic has illustrated how, as a society, we are only as healthy as our most vulnerable citizens, and how public health is directly linked to each individual’s health. Even the wealthiest in the world could not ​“buy” their way out of this pandemic, and even the most industrialized nations in the world continue to struggle to control it.

But as is clear from the report, building trust regarding the use of tech-enabled tools in the middle of a global pandemic has been no easy feat. Even state actors have mentioned that it has been a challenge to the effective implementation of their Covid-management plans. And when one of the vanguards of the national response to Covid-19 is a contact tracing app that relies on self-reporting, the absence of trust becomes necessary to address with urgency.

Moreover, a technological ecosystem mushroomed in India during the pandemic. Some parts of it are accelerations of technological trends that existed before 2020, while others are relatively newer. At least some of the IT-enabled tools, and the data they collect, could feed into the National Digital Health Mission and the National Health Stack, to become the building blocks of nationally-shared digital infrastructures used by both public and private sectors. As technological frameworks deployed by the government and used by both state and non-state actors grow in size and scale, there needs to be a parallel and deliberate investment in creating systems for meaningful oversight and a democratic inclusion of citizens’ voices in the process.

There have been indications, as we’ve seen in this report, that this is indeed possible. For instance, government officials and the developers of Aarogya Setu have responded to several questions and concerns raised by civil society members regarding the deployment of these IT-enabled tools, and sometimes even modified their strategy, such as the changes made to the mandatory nature of Aarogya Setu. These steps towards transparency and engagement offer valuable blueprints for the building of legal and institutional structures for technological policies and data rights that champion democracy, as well as for opening deeper channels of communication between the state and each of its citizens; which, we hope, will also be the bedrock upon which the future of Covid management in India rests.

RECOMMENDATIONS #

It is clear that India’s management of Covid-19, and the road to recovery, will require extraordinary collective effort, with the government and the citizens working in tandem. We appreciate the need to mobilize technology-enabled tools in order to aid in this effort, which in turn can ease the pressure on frontline workers. We believe that this can be done while simultaneously protecting individual freedom and the right to privacy, and creating a legal and social atmosphere where citizens are able to meaningfully consent to participate in these exercises. We also believe that our collective efforts must be centered and grounded in ensuring that those among us who live in high-risk conditions are not marginalized further at any point owing to these tech-enabled public health interventions.

To that end, we put forward the following recommendations, which have been developed based on our interviews, our desk research, and the work of civil society organizations, such as NGOs, community organizations, security experts, and digital rights defenders in the country. We have also looked to international best practices of data protection as guiding principles, as well as the World Health Organization’s International Health Regulations 2005,⁴⁸² to which India is legally bound, and the Siracusa Principles on Civil and Human Rights.⁴⁸³

Technical Recommendations for Apps

• Make all existing Covid-related apps open source on all platforms, and ensure that any new ones are open source from the outset. By regularly updating GitHub and making the server-side codes publicly accessible and auditable, people can collaborate, check the codes for vulnerabilities, and start a system of peer-review.
• Make all Covid-related apps purely voluntary across all sectors, and ensure that no individual is penalized, or denied access to any service, public or private, citing their non-use.
• Switch from the use of static IDs to dynamic pseudo IDs, which are generated in the phone itself, and not the central server.
• Offer a clear and easy-to-access option to delete your account and information from the app, as well as from the server.
• Establish a practice of communicating to users the addition of any new functionalities, as well as updates to the app and/​or any of its governing documents in a simple and accessible manner, before the changes are applied.
• Minimize the amount of data collected to that which is strictly necessary, particularly personal or identifiable data; this includes doing away with the need for GPS location.
• Separate contact tracing from the additional features on the app. If necessary, design and launch an app exclusively for the former, which does not collect personal details.
• Switch the contact tracing app’s protocol to decentralized privacy-preserving proximity tracing (DP-3T), an open-source Bluetooth-based tracking protocol, so that users’ contact tracing logs are only stored locally, the details of which no central authority would be able to access.

Policy and Legal Recommendations for Apps

• Ensure that all apps have critical legal documents such as the Terms of Service and Privacy Policy, and that they are in the public domain.
• Draft these documents in language that gives individuals greater clarity, autonomy and control over their data, and the use thereof − such as, and not limited to, explicit consent requirements, the right to withdraw consent, and the right to object.
• Release into the public domain the terms of the partnership for all apps that have been developed in public-private partnership.
• Expedite the process of bringing into effect a Personal Data Protection Law with the necessary provisions to cover all Covid-related apps and IT-enabled tools.
• Hold the government liable in the event of inaccurate information about a person’s health or risk status being given by the app, or if there is any unauthorized access to users’ information.
• Resolve the contradictions and ambiguities in the apps’ existing legal documents.
• Institute a clear sunset clause for all primary and secondary data collected by the apps, and delete the data within a reasonable period of time, or as soon as they are no longer necessary, whichever comes first. Do not repurpose the data for uses that were not made explicitly clear to the user in the beginning.
• Invite independent security auditors and testers to review the security and privacy measures of the app, and provide reports on their findings.
• Release into the public domain the details of the algorithm used by the apps to do risk assessment and contact tracing.
• Provide clear information regarding the type of data collected and for what purpose, where and for how long data will be stored, with whom the data will be shared and for what purposes, and the security protocols for all of these functions.
• Hold regular transparent, democratic, and scientific processes of consultation with civil society members. 

ACKNOWLEDGEMENTS #

The authors would like to express our immense gratitude to Dr. Anja Kovacs for her invaluable insight, support and guidance in making this report a reality.

We would also like to thank Arielle Sara Varghese for her timely assistance with the citations and the transcriptions; and Sanya Aggarwal for her help with the transcriptions. We are also thankful to Radhika Radhakrishnan, Tripti Jain, and Shraddha Mahilkar for sharing their insights with us.

But most importantly, we are indebted to our interviewees, who shared their expertise and their time with us. Without them, this report would not have been possible, and we would like to place on record our deepest and most heartfelt appreciation to every single one of them.

REFERENCES #