In early May, Raman*, an employee of Standard Chartered bank in Chennai, received an order from his workplace. With most companies planning to start services in Tamil Nadu at least partially, it was only natural that guidelines and instructions would be given to employees. What Raman didn't expect, however, were mandatory orders to download the Aarogya Setu app, which has been launched by the Central Government.
The document sent to him while covering other general rules regarding hygiene and safety, also said, "All employees coming to office should download the Aarogya Setu App and make sure they have signed in, as per the Government Guidelines. The App will be checked by security in the office before entry.”
"We are still working from home as of now and we will have to see how they react if we don't download the app only when we get to the office," Raman tells TNM. "But why should we be forced to download this app at all?" he asks.
Raman's question has been repeated by employees of many companies across the country, who have received mails, documents and even informal instructions asking them to download the Aarogya Setu app. This is a result of an order issued by the Ministry of Home Affairs on May 1, stating that there should be '100% coverage' of Aarogya Setu for employees in the public and private sectors, people in containment zones and those flying in from other countries or arriving by train. The government has also maintained that companies that do not ensure compliance can face penalties or legal repercussions.
However, several experts on privacy and technology have pointed out that the application is not completely secure. Ethical hacker Robert Baptiste from France, who goes by the name Elliot Anderson on Twitter, had flagged security concerns in the app. While the government thanked him for his concern, they dismissed the allegation that the personal information of persons registered on the app is at risk.
When questions persisted over whether information collected through the app will be used by the state for surveillance of individuals, Union Information Technology Minister Ravi Shankar Prasad stated that, "If someone has so much issue with it, then simply don't download it."
However, this is not what companies across the country are telling their employees, based on MHA guidelines.
This story documents at least 45 companies that have instructed staff to download the app and some have asked for proof of download and registration. While several people TNM spoke to said they downloaded the app, some willingly and others because they had no other choice, many who are yet to install the app expressed concerns over privacy.
The Aarogya Setu app, as of Friday, has over 10.27 crore Indians using it. To use the app, you need to key in your name, gender, age and profession. The app then asks you to take part in a health assessment in which you need to give details regarding symptoms you are experiencing and travel history. Based on that the app decides if your infection risk is low or if you must take action regarding your risk of infection. It also asks that your GPS or bluetooth remain switched, so that it can constantly track your location.
"I am concerned that my data will get into the wrong hands," says Raghu*, an employee of Cognizant from Bengaluru. "They ask us personal questions about our health and also have details like age and phone number. In the wrong hands, this data could lead to this information being used against us," he adds.
And while Raghu fears a potential data breach, others question why the government should be aware of their location at all times.
"Why should location be constantly recorded at all times?" asks Raman. "And okay, let's say that thanks to the location being recorded , I get to know that someone in the area I am in is affected, then what should I do? In what specific way does this app help us? And what is the guarantee that people are keying in the correct details?" he asks.
Srinivas Kodali, an independent researcher working on data and governance, explains that people's concerns about privacy and the app stems from their lack of trust in the system and those collecting the data.
"Indians have seen how Aadhaar data has been handled with several leaks of information reported and the government claiming in the highest court that citizens don't have a right to privacy," he says. "Moreover, India does not have a data protection law that citizens can rely on if there is a breach or if their data is misused. And at the end of the day, this order boils down to a question of employee rights. Can a company really force you to download the app?" he asks.
Several employees, both from the private and public sector pointed out that the 'mandatory' nature of the app was problematic. While those who are still working from home have avoided downloading the app, others have installed it, sent screenshots to their superiors and uninstalled it from their phones. Employees in the technology field meanwhile have even snipped down the code of the app to protect their data and showed false results to their managers.
Speaking to TNM, Pavan Duggal, a cyber law expert and Supreme Court advocate, states that these precautions are not unwarranted.
"The Aarogya Setu app has a large number of legal challenges and doesn't comply with both the Information technology Act and the fundamental right to privacy in its current form," he says. "A study by the Massachusetts Institute of Technology (MIT) has scored the app only 2 out of a possible 5 points," he adds.
According to reports, in its review, MIT suggests that there is no information on who has access to the database and that there is no transparency policy.
"Section 43 of the IT Act requires the app to have reasonable security. The law has mandated this but it is not being carried out in practice,' says Pavan Duggal.
Section 43 states that a person is liable for punishment if he/she 'downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium.'
"The app also works against the present privacy rights as it captures data every 15 minutes and there is no information on which agencies can access this data. Tomorrow, this could lead to surveillance and monitoring of individuals which is a huge violation of Article 21 (Right to privacy)," says the advocate. "This can be contested in court but till now nobody, not even the companies who are liable for penalty, have taken this matter up," he adds.
Srinivas points out that this could be a result of fear and panic that COVID-19 has caused. He explains that while businesses want to resume service or production, employees are afraid to question orders directly.
"In the current scenario where unemployment is high and people losing jobs, nobody wants to question these orders," he says. "But instead of stressing on the need for physical distancing and hygiene in offices when they resume, this has shifted the focus to a technological 'solution' which does not make sense. Especially when the information is crowd sourced and there is no assurance of the veracity of input fed into the app."