Ankit Kapoor*
In India, the unfolding COVID-19 pandemic has gone through two-waves, registering over 3.1 crore cases and killing over 4.2 lakh people.[i] It has collapsed the economy and overburdened the healthcare system. In an effort to contain the volume and pace of transmission, the Government of India launched its contact-tracing application, Aarogya Setu, on 2nd April, 2020. However, unlike its global contemporaries, this App additionally serves as an informational tool, self-assessment tool, and situational awareness tool.[ii] These manifold purposes alter the type and manner of data collection, thereby raising privacy concerns. These concerns are particularly important during a pandemic, where urgency may confer wide administrative discretion, leading to mass surveillance or usage of collected data beyond this pandemic. This discussion is particularly important since, in a year of its release, it has become the world’s most downloaded contact-tracing app, and generated significant controversy.[iii]
Currently, there is no statute that deals with state liability for privacy infringement. But in KS Puttaswamy v. Union of India [“Puttaswamy”],[iv] the Supreme Court [“SC”] recognized the right to privacy as a fundamental right, enforceable against the state. It established a four-fold test for its infringement: legality, legitimate goal, proportionality, and procedural safeguards. Using this test, I will argue that while the requirements of legality and a legitimate goal have been satisfied, the privacy infringing act is disproportionate and without adequate procedural safeguards.
Testing Features of Aarogya Setu against the Constitutional Standard
The right to privacy entitles the individual with the autonomy to make personal life decisions (positive aspect), and restrains the state from unwarranted interference (negative aspect). In Puttaswamy, the SC explicitly recognized the need to protect both these aspects, even during epidemics.[v] Thus, notwithstanding the circumstances, the features and operation of the app must be consistent with the right to privacy. Notably, the first three prongs of the above-mentioned test are necessary conditions.
- Legality
The infringement of personal privacy by the state must be through a valid and existent law. The government has not passed any legislation or promulgated any ordinance specifically for the app. Therefore, the question is whether it has the power to do so under any existing legislations. So far, the government has invoked the Epidemic Diseases Act, 1897, and the Disaster Management Act, 2005 to justify its actions in containing COVID-19.[vi]
The 1897 Act empowers the central government to frame regulations during epidemics if the existing law is insufficient. However, this conferral is authorized in the limited context of inspecting vessels at ports, and detaining people for the same. Thus, there is no power to curtail the right to privacy under this Act.
The 2005 Act empowers the central government to take all such measures as it deems necessary or expedient for the purpose of disaster management. The term disaster, under Section 2(d), does not ordinarily extend to epidemics. However, on 14 March, the Home Affairs Ministry declared the coronavirus outbreak as a “notified disaster”, thus bringing it within the fold of Section 2(d).[vii] Therefore, releasing an app to contain COVID-19 would be within the powers of the government within the Act.
However, the sweeping powers under this Act make direct and collateral privacy breaches more susceptible. Considering this, the government must consider framing a specific law. Even the BN Srikrishna Commission had recommended the existence of a specific law. However, the government has evaded this by carving out an exception for health emergencies in Personal Data Protection Bill, 2019 [“the Bill”].
The need for a specific law is especially important since the rights and obligations of the parties have been defined only in the service terms and privacy policy, whose enforceability remains clouded.[viii] Subsequently, the Government issued the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 to establish data obligations. While the Protocol certainly addressed some gaps unaddressed by the Privacy Policy,[ix] the relationship between the two is unclarified, and there are inconsistencies between them.[x] More importantly, the Protocol is in the nature of an executive order, thereby evading any necessary parliamentary scrutiny.
Unfortunately, the government has treaded in the opposite direction. They had originally declared the installation of the app to be mandatory.[xi] However, on backlash, they have obligated employers to ensure compliance on a “best efforts” basis instead.[xii] In practice, the government, and many private players due to the threat of non-compliance, have still insisted on mandatory usage of the app, without passing any specific legislation.[xiii]
- Legitimate Goal
Any invasion of an individual’s privacy by the state must have a legitimate goal. Indeed, the collection of information to contain an epidemic would be a legitimate goal. However, there is a presumption that this goal must be precise and clearly defined.[xiv] While the privacy policy alludes to only containment as the goal, the intentions of the government are much broader. It plans to integrate telemedicine,[xv] and welfare services within the app.[xvi] Alarmingly, it has added an e-pass feature on the app, to permit limited movement during the lockdown, without mentioning this purpose or feature in its policy.[xvii] Recently, it even officially broadened the App to link the CoWIN portal to facilitate vaccine registration.[xviii]
While the government certainly has a legitimate goal, it must clarify all its intended goals for which this app will be used. These concerns are deeply-grounded given that the intended goals in the app’s privacy policy have already been amended once without the knowledge or consent of the users.[xix]
- Proportionality
In Justice K. S. Puttaswamy v. Union of India (II),[xx] the SC held that there are three necessary conditions for a privacy restricting measure to be proportionate: firstly, it must be a suitable means of furthering the legitimate goal (rational connection stage); secondly, there must not be any less restrictive, but equally effective alternative (necessity stage); thirdly, the measure must not have a disproportionate impact on the right-holder (balancing stage).
- Rational Connection Stage
The app collects information to trace and inform people who have crossed paths with an infected user.[xxi] Furthermore, it prepares anonymized and aggregate datasets,[xxii] such as reports or heat maps, which helps in situational awareness and performance assessment. Thus, the app is a suitable means to the goal of containing COVID-19.
While the App does have a rational connection, its efficiency is questionable. Reportedly, the App has been unable to pick up details about people on“two sides of a shopping mall or even on two sides of a wall”.[xxiii] This can be tied to the weakness of Bluetooth technology as regards contact tracing.[xxiv] Despite this lower efficiency, it is still valuable given the persistently escalating case burden in the country. This is because even limited efficiency allows substantial health-related and economic cost savings.[xxv]
- Necessity Stage
There are three features that warrant analysis: usage of GPS, manner of Bluetooth usage, and extent of collected data.
- Usage of GPS
To trace contact between users, the app uses both Bluetooth and GPS.[xxvi] Critics have contended that the application’s use of GPS is redundant, thus violative of proportionality.[xxvii] They argue that Bluetooth is adequate to register contact between user’s devices, as shown by Singapore’s TraceTogether.[xxviii]
While the sole usage of Bluetooth is certainly “less restrictive”, it is not an “equally effective alternative” as GPS serves the unique purpose of preparing anonymized and aggregated datasets.[xxix] These are in-turn used to guide policymaking in, inter alia, understanding hotspots and planning relaxations.[xxx] It must be remembered that while Aarogya Setu may serve as a contact-tracing application, it is not necessary for its goal to be limited to that. As argued earlier, the government’s intended goal is much broader- to contain the pandemic. Therefore, using GPS does not violate proportionality.
- Extent of Information Collected
Apart from location, Bluetooth ID, and result of the self-assessment test, the app collects a user’s name, age, phone number, sex, profession, and countries visited in the last 30 days.[xxxi] These six pieces of information are then hashed with a unique digital ID, and uploaded on the server.[xxxii] The predominant concern has been regarding the collection of data on sex and profession. However, these concerns are unfounded since this collection serves a role in dataset analysis and policymaking. Given our limited and dynamic understanding of COVID-19, the data on sex helps understand the gendered implications of this virus, if any. The data on profession could aid in a phased-out relaxation of the lockdown.
- Manner of Storing Unique Digital ID Bluetooth Usage
In Aarogya Setu, the Unique Digital ID (“DID”), which contains the user’s personal information, is uploaded onto servers without any obfuscation.[xxxiii] This is a downgrade from earlier requirement of hashing such ID in static form, which itself was quite susceptible to third-party privacy breaches.[xxxiv] This is unlike TraceTogether, where the DIDs of the users are random, and changed every 15 minutes.[xxxv] This obfuscation protocol is much more effective and less restrictive in data collection and security. Therefore, the app’s manner of storing DIDs violates proportionality.
In essence, while the usage of GPS and extent of information collected are not disproportionate, the manner of storing DIDs certainly is.
- Balancing Stage
Most alarmingly, the app has a disproportionate impact on the user. This is because of the unfair data retention, no notice of security breaches, and effectively no liability on the government. I will elaborate on each in turn.
- Unfair Data Retention
Once the app has been uninstalled, the data is retained for another 30 days.[xxxvi] Notably, this period adds to the ordinary 45 days retention policy,[xxxvii] without any justification. Moreover, it must be noted that the app’s service terms or privacy policy do not have a sunset provision, or any clause that categorically nullify the app post the pandemic. Judging by the government’s statements,[xxxviii] it is more likely that the app will be repurposed. This concern is compounded by the fact that there are methods to de-anonymize the datasets.[xxxix] Thus, the data collected during this pandemic may be unjustifiably used for other purposes.
- No Notice of Security Breach
While the government has utilized the highest security standards in storage and uploading of data,[xl] the user has no right or means to know if a breach of his/her data has occurred. Obtaining knowledge of a breach is the first step for a user to mitigate the ensuing disproportionate impact. Therefore, not providing or denying access to this knowledge compounds the disproportionate impact.
- Limited Government Liability
In the service terms, the government has waived its liability in relation to the usage of the App.[xli] Thus, even if the government unfairly/illegally discloses information or permits unauthorized access to a user’s information, the user would have no remedy. This is despite the fact that this negligence can cause grave adversities, such as discrimination or ostracization. The public declaration of name and contact details of COVID-19 patients in Ahmedabad, Karnataka, and Punjab indicate the frequency of violation of the app’s own service terms and privacy policy.[xlii]
Moreover, the IT Rules only obligate data processors to provide a privacy policy, and do not prescribe remedies for its breach.[xliii] Furthermore, even the remedy of compensation under the S. 43A of the Information Technology Act, 2000 exempts the state. However, through subsequent amendments to the Privacy Policy, the Government amended paragraph 6 of Terms of Services (3.0) to only limit government liability over accuracy of identification and notification. Thus, it may be argued that unauthorized usage is remediable as a contractual violation in court. The only other remedy the user has is to rescind the contract by uninstalling the app. These are discernibly disproportionate to the loss he/she can potentially suffer.
- Concerns with the anonymization of and access to collected data
In de-identified form, the collected can be shared with ministries/departments at any level or disaster management authorities or public health institutions so long as it for formulation/implementation of critical health response.[xliv] NIC is required to document the agencies/persons, time, and categories of data shared.[xlv] However, this is only ‘to the extent reasonable’,[xlvi] thus providing a scope for evasion of this obligation. These concerns are well-founded given instances like the Jammu & Kashmir administration sharing such data with law enforcement agencies.[xlvii]
While the Protocol establishes an obligation to anonymize the data, it has so far merely formed a committee to establish these anonymization protocols,[xlviii] without anything actually being done. The continued usage of appropriate anonymization protocols is important since the App has the potential to create a social graph of users by tracking their contact.[xlix] When combined with the government’s existing database, this significantly expands their surveillance powers.
- Procedural Safeguards
Notably, this prong is not binding in law. Nevertheless, it is persuasive as it provides a normative lens to view state interference in personal privacy. Furthermore, Justice Kaul had proposed this prong to only echo the central requirement under Article 21 of checking abuse of state interference through a “procedure established by law”.[l] However, in a technological paradigm, mere assurances in law against state abuse are inadequate.
To its credit, the government had addressed a bulk of the first stream of privacy concerns by updating its privacy policy. However, contrary to the app’s own privacy policy, a notice of this change was not issued, and revised consent was not sought.[li] While, in theory, this amendment addresses and clarifies concerns such as weak security and extremely broad purposes, it does not provide users with the practical means to verify the same. Currently, there are no means of transparently auditing the app because it is not open source in any meaningful sense for two reasons.[lii] Firstly, the code repository remains stagnated since its release, with a huge backlog of queries and flagged issues. Secondly, the server-side code has not been released. Given that most of AS’ important functions are stored and performed on the server, not the device, little can be gathered without the server-side code.
The government’s failure to provide information about the process of creation of the App only adds to the existing skepticism over inadequate safeguards.[liii] This has been compounded by their evasion of RTI questions regarding the App,[liv] and their refusal to the let the concerned RTI activist attend the show cause hearing.[lv] The Delhi High Court had to intervene to issue a notice to the Public Information Officers of several ministries, who later apologized.[lvi] Thus, the user has to blindly rely on the good conscience of government officials to adhere to its own policy. However, recent events where the government has violated its own privacy policy justifies skepticism towards the absence of external accountability.[lvii] To ensure greater transparency and accountability, the government must open the source-code or even hire independent third-party auditors.
Conclusion and Way Forward
The app and its features infringe the fundamental right to privacy, as they fail to satisfy the necessary and balancing condition of proportionality. Although there is legality to the app, the government must consider enacting a specific law to address the large scale impact and legal ramifications. The government’s legitimate goal, though presently valid, is unclear due to undefined features on the app and several future plans. Most importantly, the infringing action violates proportionality as it is not the least restrictive means, and has a disproportionate impact on the user. Thus, the app’s features must be amended to meet global standards. Lastly, the government must make appropriate amendments to the source code for greater transparency.
*Ankit Kapoor is a third-year BA-LLB (Hons.) student at the National Law School of India University, Bangalore.
[i] ‘Coronavirus Cases’ (WorldOMeter, 24 July 2021) <https://www.worldometers.info/coronavirus/country/india/> accessed 24 July 2021.
[ii] Aditi Agarwal, ‘India government releases COVID-19 contact tracing app’ (Medianama, 2 April 2020) <https://www.medianama.com/2020/04/223-aarogya-setu-coronavirus-contact-tracing-app-launched/> accessed 24 July 2021.
[iii] Praphul Singh, ‘India’s Aarogya Setu becomes world’s most downloaded contact-tracing app’ (WION, 16 July 2020) <https://www.wionews.com/india-news/indias-aarogya-setu-becomes-worlds-most-downloaded-contact-tracing-app-313748> accessed 24 July 2021.
[iv] (2017) 10 SCC 1.
[v] KS Puttaswamy (n 4) [182] (DY Chandrachud J).
[vi] Gautam Bhatia, ‘An Executive Emergency: India’s Response to Covid-19’ (Verfassungsblog, 13 April 2020) <https://verfassungsblog.de/an-executive-emergency-indias-response-to-covid-19/> accessed 24 July 2021.
[vii] FP Staff, ‘Coronavirus Outbreak: The Disaster Management Act explained’ (Firstpost, 26 March 2020) <https://www.firstpost.com/health/coronavirus-outbreak-disaster-management-act-provides-legal-backing-for-punitive-measures-allows-govt-to-access-emergency-funds-all-you-need-to-know-8190161.html> accessed 24 July 2021.
[viii] Myanna Dellinger, ‘Is a Website’s Privacy Policy a Binding Contract?’ (ContractsProf Blog, 10 August 2010) <https://lawprofessors.typepad.com/contractsprof_blog/2010/08/is-a-websites-privacy-policy-a-binding-contract.html> accessed 24 July 2021.
[ix] Vidhi Desk, ‘Aarogya Setu’s Data Access and Knowledge Sharing Protocol, 2020’ (Vidhi Center for Legal Policy, 11 May 2020) <https://vidhilegalpolicy.in/blog/aarogya-setus-data-access-and-knowledge-sharing-protocol-2020/> accessed 24 July 2021.
[x] For instance, the privacy policy requires that personal data of user who has tested positive be purged after 60 days of her treatment and within 30 days of collection for user who has not been tested positive. On the other hand, the protocol provides a larger limit of 180 days since collection, regardless of former or latter. While this may be justifiable for former (180 days could serve as a broader upper-limit, thus even if treatment extends beyond this period, the 60-day limit of the policy could be infructuous, making retention for another 60 days after treatment impermissible), it is plainly inconsistent with the latter.
[xi] Danny Cyril D Cruze, ‘Aarogya Setu now mandatory for employees in India’ (Livemint, 2 May 2020) <https://www.livemint.com/news/india/aarogya-setu-now-mandatory-for-employees-in-india-here-s-how-to-register-11588408846545.html> accessed 24 July 2021.
[xii] ET Bureau, ‘Mandatory to best effort basis: Aarogya Setu app rule eased for companies (The Economic Times, 18 May 2020) <https://economictimes.indiatimes.com/tech/internet/mandatory-to-best-effort-basis-aarogya-setu-app-rule-eased-for-cos/articleshow/75794985.cms?from=mdr> accessed 24 July 2021.
[xiii] Tanisha Ranjit, ‘Aarogya Setu: Mandatory or not? We traced it for eleven months through our Tracker’ (Interner Democracy Project, 22 April 2021) <https://internetdemocracy.in/2021/04/aarogya-setu-mandatory-or-not-we-traced-it-for-ten-months-through-our-tracker> accessed 24 July 2021.
[xiv] Internet Freedom Foundation, Privacy prescriptions for technology interventions on Covid-19 in India (IFF Working Paper No 3, 2020) para 2.4-2.6.
[xv] Aditi Agarwal, ‘Aarogya Setu will include telemedicine, greater personalisation’ (Medianama, 22 April 2020) <https://www.medianama.com/2020/04/223-aarogya-setu-upcoming-features/> accessed 24 July 2021.
[xvi] Kashish Aneja & Nikhil Pratap, ‘Implement Aarogya Setu, but only through law’ (The Hindu, 21 April 2020) <https://www.thehindu.com/opinion/op-ed/implement-aarogya-setu-but-only-through-law/article31391708.ece> accessed 24 July 2021.
[xvii] ‘E-pass feature on Aarogya Setu app is now live, here’s what it brings’ (The Times of India, 20 April 2020) <https://timesofindia.indiatimes.com/gadgets-news/e-pass-feature-on-aarogya-setu-app-is-now-live-heres-what-it-brings/articleshow/75250100.cms> accessed 24 July 2021.
[xviii] ANI, ‘No Glitches, COVID-19 Vaccine Registration Only On Co-WIN Portal, Arogya Setu App: Empowered Group Chairman’ (NDTV, 2 March 2021) <https://swachhindia.ndtv.com/no-glitches-covid-19-vaccine-registration-only-on-co-win-portal-arogya-setu-app-empowered-group-chairman-57003/> accessed 24 July 2021.
[xix] HT Correspondent, ‘Aarogya Setu privacy policy updated: What’s new’ (Hindustan Times, 17 April 2020) <https://www.hindustantimes.com/tech/aarogya-setu-app-updates-privacy-policy-what-s-new/story-mEklzeoSq1XVZ16CYkYPRM.html> accessed 24 July 2021.
[xx] (2018) 1 SCC 809 [120] (AK Sikri J).
[xxi] Privacy Policy, Aarogya Setu Application, cl. 2(a).
[xxii] Privacy Policy, Aarogya Setu Application, cl. 2(a) (i).
[xxiii] Rashme Sengal, ‘Mere paas app hai: Four months later, how good is Aarogya Setu?’ (National Herald, 29 August 2020) <https://www.nationalheraldindia.com/india/mere-paas-app-hai-four-months-later-how-good-is-arogya-setu-app> accessed 24 July 2021.
[xxiv] ‘Hindsight is 20/20: Assessing outcomes from Aarogya Setu’ (Internet Freedom Foundation, 8 March 2021) <https://internetfreedom.in/the-past-and-future-of-aarogya-setu/> accessed 24 July 2021.
[xxv] Saurav Basu, ‘Effective Contact Tracing for COVID-19 Using Mobile Phones: An Ethical Analysis of the Mandatory Use of the Aarogya Setu Application in India’ (2020) 30(2) Cambridge Quarterly of Healthcare Ethics <https://www.cambridge.org/core/journals/cambridge-quarterly-of-healthcare-ethics/article/effective-contact-tracing-for-covid19-using-mobile-phones-an-ethical-analysis-of-the-mandatory-use-of-the-aarogya-setu-application-in-india/8A902BBEF6722241E28458BB70FC1195> accessed 24 July 2021.
[xxvi] Privacy Policy, Aarogya Setu Application, cl. 1.
[xxvii] Amber Sinha, ‘Aarogya Setu App Could Work, But At What Cost?’ (The Quint, 15 April 2020) <https://www.thequint.com/voices/opinion/modi-corona-lockdown-extension-aarogya-setu-app-contact-tracing-covid-patients-data-privacy> accessed 24 July 2021.
[xxviii] Jason Bay, Joel Kek, et al, ‘BlueTrace: A privacy-preserving protocol for community-driven contact tracing across borders’ (Government Technology Agency, 9 April 2020) <https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf> accessed 24 July 2021.
[xxix] Privacy Policy, Aarogya Setu Application, cl. 2(a).
[xxx] Privacy Policy, Aarogya Setu Application, cl. 2(a) (i).
[xxxi] Privacy Policy, Aarogya Setu Application, cl. 1(a).
[xxxii] Ibid.
[xxxiii] ‘Our Analysis of Aarogya Setu’s Updated Privacy Policy and Terms of Service’ (SFLC.in, 24 July 2021) <https://sflc.in/our-analysis-aarogya-setus-updated-privacy-policy-and-terms-service> accessed 24 July 2021.
[xxxiv] Anand Venkatanarayanan, ‘How The Aarogya Setu App Handles Your Data’ (Bloomberg Quint, 17 April 2020) <https://www.bloombergquint.com/coronavirus-outbreak/covid-19-how-the-aarogya-setu-app-handles-your-data> accessed 24 July 2021.
[xxxv] Ibid.
[xxxvi] Privacy Policy, Aarogya Setu Application, cl. 3.
[xxxvii] Privacy Policy, Aarogya Setu Application, cl. 3(b).
[xxxviii] Richa Rashmi, ‘Aarogya Setu: Bridging Health & Well-being as India Battles Coronavirus’ (News18, 20 April 2020) <https://www.news18.com/news/opinion/aarogya-setu-bridging-health-well-being-as-india-battles-coronavirus-2585051.html> accessed 24 July 2021.
[xxxix] Alex Hurn, ‘Anonymised’ data can never be totally anonymous, says study’ (The Guardian, 23 July 2019) <https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds> accessed 24 July 2021.
[xl] Privacy Policy, Aarogya Setu Application, cl. 5.
[xli] Terms of Service, Aarogya Setu Application, cl. 6.
[xlii] Internet Freedom Foundation (n 14) para 3.2.
[xliii] Harsh Walia & Supratim Chakraborty, ‘India: Data Protection Laws and Regulations 2021’ (ICLG, 6 July 2021) <https://iclg.com/practice-areas/data-protection-laws-and-regulations/india> accessed 24 July 2021.
[xliv] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 6(b).
[xlv] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 6(c).
[xlvi] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 6(c).
[xlvii] Bisma Bhat, ‘Breach of Privacy? JK Admin shared user data collected through Aarogya Setu App with Police’ (FreePressKashmir, 20 March 2021) <https://freepresskashmir.news/2021/03/30/breach-of-privacy-jk-admin-shared-user-data-collected-though-aarogya-setu-app-with-police/> accessed 24 July 2021.
[xlviii] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 7-8.
[xlix] Kritti Bhalla, ‘Aarogya Setu For Citizen Surveillance? A Delhi HC Order Gives Rise To Privacy Fears’ (Inc42, 16 April 2021) <https://inc42.com/buzz/as-feared-aarogya-setu-turned-into-citizen-surveillance-app-in-delhi-hc-order/> accessed 24 July 2021.
[l] Vrinda Bhandari, Amba Kak, Smriti Parsheera,, & Faiza Rahman, ‘An Analysis of Puttaswamy: The Supreme Court’s Privacy’ (2017) 11(1) IndraStra Global.
[li] HT Correspondent (n 19).
[lii] ‘Four months on, Aarogya Setu is still not open-source. WHY and WHEN is what the nation really wants to know!’ (Internet Freedom Foundation, 19 August 2020) <https://internetfreedom.in/aarogya-setu-should-be-open-source-now/> accessed 24 July 2021.
[liii] Gaurav Vivek Bhatnagar, ‘Centre Apologises for ‘Irresponsible Submissions’ Regarding Aarogya Setu Before CIC’ (The Wire, 8 December 2020) <https://thewire.in/government/centre-irrespinsible-submissions-aarogya-setu-rti-response> accessed 24 July 2021.
[liv] ‘A look at Aarogya Setu through the Right to Information lens’ (Internet Freedom Foundation, 27 May 2020) <https://internetfreedom.in/aarogya-setu-through-the-right-to-information-lens/> accessed 24 July 2021.
[lv] ‘Govt officials to justify denial of information about Aarogya Setu in secret hearing before CIC’ (Internet Freedom Foundation, 23 November 2020) <https://internetfreedom.in/cic-legal-notice-aarogya-setu-show-cause-hearing/> accessed 24 July 2021.
[lvi] ‘Delhi HC issues notice to govt in petition challenging denial of RTI regarding Aarogya Setu’ (Internet Freedom Foundation, 19 January 2021) <https://internetfreedom.in/delhi-hc-hearing-aarogya-setu/> accessed 24 July 2021.
[lvii] Internet Freedom Foundation (n 14) para 3.2.