This joint statement was drafted by the Forum for Medical Ethics Society, Jan Swasthya Abhiyan, All India People’s Science Network, and Internet Freedom Foundation. The other four endorsing organizations are Janchetna Sansthan, Lok Manch, Rethink Aadhaar Campaign India, and the Right To Food Campaign. The statement presents a set of 16 demands to safeguard the sensitive personal data of citizens and prevent exclusion.
The Aarogya Setu mobile app, which has been mired in controversy, was introduced by the government as a contact tracing app in April. Internet and privacy activists have raised concerns about commercial or law enforcement use of sensitive personal data collected by the app. They have cautioned against the deployment of such technologies in the absence of a data protection law in India. Others have complained of the app’s alleged weak anonymization practices, which make its users susceptible to re-identification, and criticized the lack of transparency surrounding the app’s code and algorithms.
The demands center on proportionality, legality, necessity, and oversight structure. They include the full release of specifications, including cryptography, anonymization, Application Programming Interface (API), and Bluetooth specifications. The statement has also demanded the release of the source code for the current version of the App, saying the released code does not match the one in use. It added that the app must not in any way be made mandatory by government or private actors.
The statement also suggested that the government should commit to permanently destroying the data and systems being built via the Aarogya Setu (AS) App at the end of the COVID-19 pandemic.
“Among other things, the focus must be on assuring the public that these are temporary interventions which will not devolve into permanent surveillance and monitoring systems,” it said.
In terms of legality, the statement said suitable legislation is required to hold the Union and State governments and private actors accountable for leakage or any inappropriate use of App data during epidemics and communicable disease outbreaks. It added that under this legislative framework, governments may only access patient data through hospital records, and must preserve patient anonymity.
The statement suggested the agencies/institutions concerned should publish periodic reports informing the public if, and to what extent, the App is augmenting the Government’s response in treating and containing the spread of Covid-19.
“Based on such feedback loops, these institutions should be empowered to make decisions for course correction or even discontinuation of the programme itself, and the permanent destruction of the systems created,” it said.