From Aadhaar to Aarogya Setu, Vidhi’s questionable role in technology-related policy making

The Aarogya Setu, a contact-tracing app, has been touted as a major tool in India’s response to the COVID-19 pandemic. But soon after its release on 2 April, criticism started pouring in—from privacy concerns and the proportionality of its data collection, to even its technical efficacy. Arghya Sengupta, founder of the Vidhi Centre for Legal Policy, a private think tank, is among those identified as involved in the app’s development. Soumyabrata Roy / NurPhoto / Getty Images
26 August, 2020

On 28 May, Arghya Sengupta, the founder, manager and research director of the Vidhi Centre for Legal Policy, a private think tank, tweeted a list of “contributors”—released by the government—who had helped develop the controversial COVID-19 contact-tracing app, Aarogya Setu. Sengupta was listed among the “Industry and Academia Leadership” of the team. Vidhi has also consulted the central government on Aadhaar and the Personal Data Protection Bill, 2019, among several other pieces of legislation. Documents accessed by The Caravan show that the ministry of home affairs owed dues to the tune of Rs 22,14,000 to Vidhi for the fiscal period between 2017 and 2019. The MHA’s dues included payments to be made by the National Intelligence Grid, a centralised network of databases for intelligence and law enforcement agencies. 

Curiously, the MHA has never publicly announced this association with Vidhi. As per the think tank’s annual filings with the ministry of corporate affairs, the dues—Rs 90,000 by NATGRID for the fiscal year 2018–19 and Rs 21,14,000 by the MHA for the fiscal year 2017–18—were listed under “amount receivable” which is the balance of money due to a company for services delivered but not yet paid for by the customer. The MHA had contracted the think tank for an unspecified service. Notably, at the same time Vidhi was advising the central government on legislation for privacy rights which would directly impact all the monitoring and surveillance systems that come under the MHA, indicating a conflict of interest. 

Apart from this, according to a privacy-rights activist, who chose to remain anonymous, Vidhi has played a key role in transforming India’s technology-related policy making into a highly problematic process. He explained, “For some time now, technology-related policy-making started with a group of private entities … working with the government with exclusive access to data, to build software and applications. The code that is developed this way is then translated into law”—laws that Vidhi then helps formulate, almost exclusively. “The law is framed to cover and fix the vulnerabilities of the code” developed by these private entities, said the activist. Aadhaar, and now Aarogya Setu demonstrate that instead of framing a law and then bringing in software and systems that run in accordance, India has followed the practice of engaging private entities to build software and applications, and then framing the laws to fit these systems.

This diagnosis is an apt representation of the current state of privacy legislation in India. The PDPB, which was tabled in Parliament on 11 December 2019, and is yet to be passed unto law, was meant to create an overarching framework to govern all data collection, storage, requisitioning and usage. In the absence of this privacy framework, the government’s implementation of Aadhaar—which is the largest biometric-identification system in the world—and other data-gathering and surveillance systems, have faced heavy criticism.

In the past six years, the Modi government has pushed ahead with policies and monitoring systems that enable creation of citizens’ databases and mass surveillance, the absence of a privacy framework notwithstanding. In September 2019, soon after he took charge as the union minister of home affairs, Amit Shah announced his plans to revive the process of building the NATGRID.

The NATGRID is a national grid of databases from various sources including banks, credit cards, visa offices, immigration centres, even weather and flight travel details, maintained by various intelligence agencies. The project commenced in 2009 under the Congress-led United Progressive Alliance government with an outlay of around Rs 4,500 crore but was repeatedly delayed over concerns of misuse of data, among other factors. The BJP-led National Democratic Alliance government revived and fast-tracked the project and appointed an Intelligence Bureau officer, Ashok Patnaik, as its head in 2016. Soon after Shah took over, the NATGRID proposed an expansion of data points it could mine to include even social media accounts of citizens. It is currently headed by an Indian Administrative Services officer, Ashish Gupta, and was allocated around Rs 52 crore in the last budget.

It is in this wider context that Vidhi’s association with the central government becomes crucial. Vidhi’s involvement with the central government, on legislation pertaining to data and privacy, among others, is wide ranging and goes back till at least 2013. From the Aadhaar Act, 2016, the Goods and Service Taxes Act, the Financial Resolution and Deposit Insurance Bill, the PDPB, and the latest Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, Vidhi has played a key role in drafting laws on the government’s data-gathering and surveillance systems. Many of these associations also suggest a conflict of interest—for instance, in 2017, Sengupta argued on behalf of the state, against privacy as a fundamental right, in the Supreme Court. Around the same time, Vidhi and he were roped in to help formulate the draft data protection bill, under the aegis of the BN Srikrishna Committee, which deals with all aspects of citizens’ data.

Vidhi’s funding also suggests competing interests—their roster of patrons, as per the website, is a who’s who of people and organisations with direct commercial stakes in the mechanisms and the regulatory frameworks being developed for India’s evolving digital economy. For instance, Rohini Nilekani, the wife of Nandan Nilekani, one of the chief architects of Aadhaar, is a Vidhi patron.

In March 2018, in response to a question in the Rajya Sabha, KJ Alphons, then a union minister of state in the BJP government, said that the government had paid Vidhi Rs 48,15,000 over the past five years for legal services provided in drafting Aadhaar. A report by the digital business-news website, The Ken, characterised Vidhi as “a policy advisory group considered by many to be the shadow authors of the Aadhaar Act.” This assessment was reinforced when Sengupta was brought on board to defend the government’s position on Aadhaar in the Supreme Court in at least two cases, both in 2017. In Binoy Viswam vs Union of India, he appeared on behalf of the Unique Identification Authority of India, or UIDAI, a statutory authority that deals with the implementation of Aadhaar and comes under the ministry of electronics and information technology, or MEITY. The case dealt with the issue of making Aadhaar mandatory for tax filings and PAN Cards. The other case was Justice K Puttaswamy vs Union of India, where Sengupta represented the state of Haryana and the Telecom Regulatory Authority of India, and defended the Aadhaar Act against privacy concerns.

In court, Sengupta argued that privacy is not a fundamental right since the right to liberty adequately covered all aspects of privacy and there was no need to clarify privacy as a fundamental right. “Any right to privacy is conceptually unsound, and only comprehensive data protection legislation can effectively address concerns of data protection and privacy,” he said.

According to documents made public through the RTI Act, while both the cases were ongoing, on 19 May 2017, Vidhi made a presentation before Ravi Shankar Prasad, the union minister in charge of MEITY. The presentation was on a “proposal of a law for protecting personal data.” Vidhi had proposed that it would constitute a “high-level multi-stakeholder committee” to guide the development of the proposed law. The next month, MEITY put forward a proposal to constitute a committee to draft the data protection law, chaired by the former Supreme Court judge BN Srikrishna, along with Sengupta as a member. The committee was officially constituted on 31 July. As per a response in the Rajya Sabha in December 2018, by MEITY, Vidhi “was engaged to provide man power support for the functioning of the committee at the rate of Rs. 8.8 Lakhs.”

When I reached out to Sengupta for his comment on this conflict of interest, the head of communication at Vidhi, Richa Bansal, replied with “Vidhi’s institutional response,” which said that the “insinuations of conflict of interest are baseless.” As per Vidhi, “Arghya Sengupta represented the UIDAI in Binoy Viswam v. Union of India in April- May 2017. The judgment was delivered on 9 June 2017. The Srikrishna Committee, of which he was a member, was constituted only on 31 July 2017. Further, the work of the committee on data protection is much wider than Aadhaar and included protection of personal and sensitive personal data held by individuals, private sector corporations as well as governments.”

Vidhi’s response overlooked Sengupta’s involvement in the Puttaswamy case, whose judgement was delivered on 24 August 2017, and ignored one key fact—his role in the Binoy Viswam case and the presentation to MEITY overlap.

In addition, two former employees of Vidhi, who did not want to be named, told me that they heard about NATGRID approaching Vidhi for a project, at the time that they were employed with the think tank. Both of them said that the NATGRID association was not disclosed to everyone in the organisation even though Vidhi claimed to follow a “white-board policy”—all the projects that Vidhi worked on would be written on the board for everyone to see, according to the employees. One of the former employees said, “NATGRID apparently approached Vidhi in the wake of the Puttaswamy right to privacy judgement saying that because the judgement says that anything that is infringing the right to privacy needs to be backed up by law, it wanted advise whether they need a law [to function]?” The former employees told me that the practice of erecting “Chinese walls,” when law firms deal with cases with conflict of interest was very ineffective at Vidhi. 

The fact that Sengupta was arguing against privacy as a fundamental right, while being brought on board to draft a law for data protection, led to several senior lawyers and privacy-rights activists questioning the conflict of interest. “I see credibility issues when Sengupta argues in favour of Aadhaar in court in the privacy debate and, at the same time, is nominated on the Dr Srikrishna Committee, which is drafting the Data Protection Bill,” Sanjay Hegde, a senior Supreme Court advocate, told the Economic Times. As is evident, any form of the data protection bill will have a direct impact on the functioning of Aadhaar. 

In addition, another employee at Vidhi, who did not want to be identified, told me, “Vidhi did not have a tech team or data protection team. How did Vidhi get empanelled in such a high-level committee and high-stake project that was deciding the future of the country? None of us had an answer to this.” 

The draft data protection bill and the report of the Srikrishna committee were first released on 27 July 2018. The committee’s draft was criticised for falling short of key principles of data protection such as the blanket exemption given to the state to process personal data, and the failure to bring surveillance and interception activities under a data protection authority. However, the committee’s draft required the parliament to enact a law to oversee India’s intelligence agencies.

According to the draft, Indian intelligence agencies—including the Research and Analysis Wing, the Intelligence Bureau, the Defence Intelligence Agency, the Central Monitoring System and the NATGRID—were set up by executive authorisation and continue to operate without a legal framework. Hence, the parliament would have to enact a law to oversee the intelligence agencies and create a mechanism to ensure compliance with the DPB. The absence of such a law, which does not exist yet, is “potentially unconstitutional,” according to the committee’s report.  

After its release, the draft bill went through several rounds of inter-ministerial consultations, and public feedback, until an updated bill, the PDPB, 2019, was finally introduced in the parliament last December. The timing behind the tabling of the Bill and its contents were heavily criticised by the opposition, privacy-rights activists and Srikrishna himself—it was introduced the same day that the highly contentious Citizenship (Amendment) Act, 2019 was passed by the Rajya Sabha amid rising protests across the country. In several conversations with media publications, Srikrishna said that the latest draft presented in Parliament defeated the basic premise and mandate of protecting the fundamental right to privacy. He said that the updated draft instead contained several clauses that compromise the right to privacy. 

“We had suggested in the draft that there will be no processing of data from anyone without the consent,” Srikrishna said to The Hindu. “If it is without consent or without a legislative warrant then it should comply with the three principles — an objective has to be achieved, proportionality and reasonability.” The law would be constitutional only if these factors are laid down, he added. “However, if the government itself … will at any time say I want my officer to certify data in the interest of sovereignty of India, he can take anything from anybody. Not just personal data, they have made it wider and said even non-personal data can be accessed by agencies in the Bill. This is what is dangerous.” 

Section 35 of the draft PDPB said that the central government can direct any agency of the government to process personal data if it thinks it is necessary in the interest of, and to prevent offences against the “sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order.” This essentially takes away all safeguards against abusive data-collection, and processing by the government and gives unrestrained powers to government agencies to access the data of citizens. Other damaging provisions include clauses proposing verification of social-media users; government access to anonymised data or non-personal data by directing data fiduciaries; lack of safeguards for anonymisation; and weakening of the Data Protection Authority, which was expected to act as an independent regulator. 

Srikrishna went to the extent of saying, “Somebody should challenge it before the Supreme Court on the grounds that it is unconstitutional.” Curiously, in stark contrast to Srikrishna’s stance, Sengupta, who had been a member of the original committee, defended the updated PDPB presented by Ravi Shankar Prasad, who is also the union minister for law and justice. “The Bill is largely in keeping with the structure suggested in the report by the committee. There are no significant changes in its structure,” Sengupta said to the Hindustan Times. 

Sengupta’s diametrically opposing stance to Srikrishna pointed towards Vidhi’s leanings with respect to the privacy-rights argument, especially considering its involvement with Aadhaar. In August 2017, when the Supreme Court ruled that the right to privacy was a fundamental right, the news website Livemint quoted one of the co-founders  at Vidhi, Alok Kumar Prasanna, who said, “The court ruling today opens up a fresh round of debate where the government will have to defend Aadhaar against all facets of privacy.” He added, “If the government asks that they want biometric information of citizens who don’t wish to part with it, it will have to explain how the demand for such information is just, fair and reasonable.” 

Prasanna’s comment suggested that the government should come up with legal explanation for going ahead with the Aadhaar project, rather than making any changes to the biometric database to address the privacy concerns. Two years later, in January 2019, the Modi government presented the Aadhaar and Other Laws Amendment Bill, 2018, which allowed “voluntary use” of Aadhaar for using bank accounts and sim cards. 

Vidhi’s conflicting interests on the privacy debates and legislation extends to the funding it receives and is symptomatic of the push-and-pull that drives policy formation on the sector in the country. The centre receives funding from several sources such as the Mahindra Group, the Pirojsha Godrej Foundation, the Vikram Sarabhai Foundation, the Jamsetji Tata Trusts, Gourab Banerji, Mohandas Pai and Rohini Nilekani. 

Nandan Nilekani’s role as the chief architect of the Aadhaar system while also being associated with a legal think tank that worked on drafting the policy brings to light the issues in the process of formulating tech-related policy and legislation in the country currently. 

Till 2017, Nandan was a mentor of the Indian Software Product Industry Roundtable, or iSPIRT—a lobby of volunteers, several of whom were once part of the UIDAI. iSPIRT is a non-profit group that developed and promotes India Stack, which is a unified digital infrastructure for all digital databases, including Aadhaar. It was created based on a report drafted by the Technology Advisory Group on Unique Projects in 2011, by a team headed by Nandan when he was the chairman of UIDAI. India Stack provides a set of Aadhaar-specific application programming interfaces, or APIs. APIs are the building blocks of software architecture that are required by third-party entities to use Aadhaar. The digital activist, who wished to remain anonymous, told me that it was private entities like iSPIRT who first started “volunteering” with the government and gained access to copious amounts of previously inaccessible data to create complex digital eco-systems.  

Lalitesh Katragadda, a “Core Volunteer” at iSPIRT, is a lead member of the team developing Aarogya Setu, according to the secretary at MEITY, Ajay Sawhney. The contract-tracing mobile application to track and monitor COVID-19 cases is mandatory for many sections of the public, and government and private employees. Vidhi has provided legal inputs to the government on the development of this application too—Sengupta is a member of the team that contributed to the legal framework of the app. 

A perusal of the list of “contributors,” who worked on the app, released by the government and further retweeted by Sengupta showed that many of the people involved with the Aarogya Setu project are working on developing the National Health Stack, too. The NHS is a centralised database of health records of all citizens that is currently being developed under the aegis of the Niti Ayog. The Aarogya Setu app is an “initial building block for India Health Stack,” according to Arnab Kumar, program director, Frontier Technologies at the Niti Ayog. The NHS went live for testing with a host of APIs over a month ago. 

On 22 June, Katragadda, too, told CNN Business that some information from the app will be automatically transferred to the NHS. The Swasth alliance, a group of private telemedicine groups involved with the development of NHS, has Nandan on its advisory council while iSPIRT is the advisor and designer architect of the NHS. One has to wait to see whether Vidhi would be drafting the legal framework for NHS too. Another vocal supporter of Aadhaar and India Stack is Kiran Mazumdar Shaw, the chairperson and managing director of Biocon, who is listed as patron on Vidhi’s website. 

In addition, Katragadda is also the chief product and technology officer at Avanti Finance, a non-banking finance organisation. The founding directors of the NBFO are Ratan Tata, the former chairperson of the Tata Group; Vijay Kelkar, the chairperson of National Institute of Public Finance and Policy, an autonomous research institute under the ministry of finance; R Venkataramanan, a former senior member of Tata Trusts and Nandan Nilekani. 

According to a press release published on the website of Tata Trusts in August 2016, Avanti Finance’s “aim is to leverage on the social sector presence of Tata Trusts and other like-minded partners and the rapidly-evolving India Stack (Jan Dhan – Aadhaar – Mobile), UPI and payments bank ecosystem.” The fact that a key person developing the Aarogya Setu app is also in the leadership position at a private firm that has financial interests in the digital system being developed is also indicative of a conflict of interest. 

When I reached out to Katragadda over email, I received a response from Divya Ranganath, who identified herself as Avanti’s “Communications Partner.” She said, “Lalitesh Katragadda is serving as an advisor on Aarogya Setu at the behest of the government, in his personal capacity.” Nita Tyagi, a core volunteer at iSPIRT, did not respond to questions regarding Katgradda’s role in Aarogya Setu, if any members of the group were working with the app and how they were selected for the project. Instead, Tyagi said that “iSPIRT has no role in the development of Aarogya Setu.” Tyagi added that the group conceptualised ideas on “the challenges in the healthcare landscape of the country” and these ideas come “under DEPA (Data empowerment and Protection Architecture), openly shared on its websites and blogs. The ideas have appealed to both Govt and private sectors alike. The bunch of ideas currently under discussion is the ones grouped under the Health Stack.”     

The data security and privacy issues with Aarogya Setu have already been demonstrated by ethical hackers and digital activists. Privacy-rights activists have also raised concerns about the storing and processing of health records and the lack of transparency regarding the private entities involved in developing the health-stack project. According to an analysis on the website LiveMint by professors of the Indian Institutes of Technology, “Aarogya Setu appears to be a classic example of technological-solutionism. Coupled with inadequate privacy protection, it does not appear to be proportionate. We need to introspect about the processes that led to its emergence as a foremost scientific and policy response tool in our fight against covid.” These concerns are not misplaced. 

On 4 April, the Internet Freedom Foundation, a digital-rights advocacy group, filed the first of a series of RTIs with the ministry of health and family welfare, MEITY, NITI Aayog and the National Informatics Centre for information on the legislative framework, and collection, storage and access of data protocols for the Aarogya Setu app. The two ministries and NITI Aayog said they did not have the requested information and transferred the query to the NIC. “The MOHFW may not be the central agency in the development of the app. But, what is clear from the RTI responses is that the ministry is not even a stakeholder in the conversation regarding the development of Aarogya Setu,” Apar Gupta, the executive director of IFF, said. 

The issues of transparency plaguing the development of the app do not end here. Till the end of May, almost two months after the app had been launched, there was no clarity on who were the people working on developing the project. On 15 May, Sawhney, from MEITY, told the Business Standard that the Aarogya Setu project was “like a ‘Team India’ effort with the contribution of around 80 of the best minds, and an almost equal participation by government agencies such as the National Informatics Centre (NIC) and NITI Aayog, and the private sector.” He said that he had invited Katragadda to work on the project. “I requested Lalitesh to come on board because, though we already had a team in place, we wanted someone very senior and respected to be at the helm of managing the product they were building.” However, there were no details on who these eighty people were and the IFF was also not provided this information. 

In the same news report, Katragadda said that the app “was produced by some of the best minds of India who came together to figure out what we could do using computing and smartphones so that we could achieve, with limited resources, the kind of containment that would require far more resources.” The question of how were these “best minds” chosen and assigned to work on a government digital infrastructure project that holds the personal data of twelve crore Indians—the official number of citizens who have installed the app on their phones—is still unanswered. 

On 27 May, Sawhney officially released the names of the people working on the app in a press conference. The list was also made public on the open source website GitHub, and named 71 people initially. Apart from government officials, it included names of industry heads and academicians, among others. All the non-governmental participants were working in a “personal capacity.” 

The problem of inducting private members as volunteers without any selection procedure or official announcement has also been raised by many digital-rights activists. According to Gupta, since volunteers do not classify as government employees or contractors, they are not under any obligation to meet the expectation of the service expected. “There will also be a lack of accountability if there is any deficiency in terms of product and the outcomes. Further, they are working and have high level of access to sensitive personal data,” he said. 

Gupta also pointed out that volunteers also happen to be working professionals with private organisations. “They may be employed at places where there is principal financial interest in building products. What will be the conflict-of-interest protocols?” He pointed out that “the technical development and legal advice is being done without any service conditions attached to them.” 

However, Vidhi and its promoters have chosen to spin the Aarogya Setu project as a unique and desirable model for all further digital infrastructure development in the country. On 6 June, Mohandas Pai published an article in the Sunday Guardian which said, “Aadhaar, the world’s most extensive one-sweep identification-inclusion program, is a premier volunteer-led PPP, as are DigiLocker, UPI, e-KYC in India Stack and other critical platforms. This model is a unique and valuable asset as these are all public goods, not owned by private enterprise, and also not wholly managed by the government per se.” The article was co-written by Nisha Holla, a technology fellow at the central government-run Centre for Cellular and Molecular Platforms, which comes under the ministry of science, technology and earth sciences.  

The article also spoke of the Aarogya Setu project as a “volunteer-led open-source public-private-partnership (PPP), and this model has come to define India’s tech-enabled governance.” It termed this model as “This is digital democracy in action.” 

None of the government agencies and ministries—the ministry of home affairs, MEITY, the ministry of health and family welfare, Niti Aayog—including Sawhney, responded to any queries regarding Vidhi. 

Srinivas Kodali, a researcher who works on data and internet, told me, “If they are calling it PPP, where is the agreement? We don’t see any agreement in the case of Aarogya Setu.” He added, “When you are a ‘volunteer,’ there is no liability and you can do whatever you want. The whole system is being made for the benefit of the private sector and nothing for the benefit of the individual.” Kodali said that the Setu app was being built “to benefit the Health Stack and that is the reason it is being made mandatory, and people can build companies and become rich. What is being called innovation is actually stealing people’s data to make money.”