Internet Freedom Foundation Aarogya Setu civil-society challenge (2020–2021)

On 1 May 2020 the Indian Ministry of Home Affairs issued Order No 40-3/2020-DM-I(A) under the Disaster Management Act 2005 making installation of the government's Aarogya Setu COVID-19 contact-tracing app mandatory for all public and private sector employees, with each organisation's head responsible for ensuring 100% coverage and non-compliance carrying criminal penalties of up to two years' imprisonment under Section 51 of the Disaster Management Act and up to six months' imprisonment under Section 188 of the Indian Penal Code. Within a week the Internet Freedom Foundation had coordinated a 45-organisation, 100-plus-individual joint civil-society letter to the Ministry, drafted a Kerala High Court writ petition for a Kerala paper-cup manufacturer challenging the constitutional validity of the order, and seeded the broader pan-India civil-society coalition whose pressure led the Ministry to substitute "best effort basis" for mandatory imposition in the 17 May 2020 Lockdown 4.0 guidelines — the campaign's substantive headline victory and the Indian civil-society reference position on COVID-19 contact-tracing apps. Behind that headline outcome ran a longer, less-headlined arc of parallel litigation in the Karnataka High Court, a multi-month documentation programme tracking the rolling gap between the nominal voluntary framing and the de facto coercive imposition that continued at state and agency level, and a clear public-record articulation of why a centrally-architected, source-closed, criminally-enforceable mass-surveillance app could not lawfully be the Indian state's primary contact-tracing instrument in the absence of a data-protection statute, an independent regulator, and a proportionality-tested deployment framework.

The 1 May 2020 Ministry of Home Affairs order

Aarogya Setu was released in early April 2020 by the National Informatics Centre under the Ministry of Electronics and Information Technology as the Indian Union government's official COVID-19 contact-tracing and self-assessment app for Android and iOS. For the first month the app's official framing was voluntary. That changed on the evening of 1 May 2020, when the Ministry of Home Affairs issued Order No 40-3/2020-DM-I(A) under the Disaster Management Act 2005 making use of the app "mandatory for all employees, both private and public," with the head of each organisation specifically tasked with ensuring "100% coverage of [the] Aarogya Setu app." In containment zones, the order extended the same coverage obligation to local authorities for all residents within the zone. Non-compliance was made criminally enforceable under Section 51 of the Disaster Management Act 2005 (up to two years' imprisonment) and Section 188 of the Indian Penal Code (up to six months' imprisonment). At a stroke, the world's then-second-most-populous workforce had been told that installation of a state-operated contact-tracing app was a condition of going to work, on pain of criminal prosecution, in the absence of any data-protection statute and without independent audit of the underlying contact-tracing protocol.

The 2 May 2020 joint civil-society letter

The Internet Freedom Foundation had been publishing technical and constitutional critiques of the app since its launch — including a protocol study finding that the app used static device identifiers rather than the dynamic privacy-preserving tokens used in comparable contemporaneous international contact-tracing protocols — and was positioned to coordinate a fast civil-society response. Within twenty-four hours of the 1 May order, IFF had assembled a joint letter signed by 45 Indian civil-society organisations and more than 100 prominent individuals, sent to the Ministry of Home Affairs on 2 May 2020 calling for the immediate withdrawal of the mandatory order. The signatory list drew across trade unions, people's movements, digital-rights organisations, public-health experts, former civil servants and bureaucrats, activists, academics, technologists, journalists, and lawyers — a deliberately cross-sectoral coalition assembled to demonstrate that the objection was not narrowly digital-rights-coded but cut across Indian civil society's broader concerns about surveillance, labour rights, and constitutional governance during the lockdown. The letter's central argument was that the constitutional protections recognised by the Indian Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017) required that any state-mandated digital-surveillance system meet the tests of legality, necessity, and proportionality, and that the 1 May order met none of those tests: there was no primary-legislation basis for compulsory installation of a state surveillance app, no demonstrated necessity (the public-health goal could be pursued through voluntary opt-in installation), and no proportionality assessment of the privacy intrusion.

The Kerala High Court Jackson Mathew petition

Alongside the joint letter, IFF moved to seed strategic litigation. On 5 May 2020 IFF and residents of Gautam Buddh Nagar District submitted a parallel representation — led by Advocate Ritwick Shrivastav — against the Uttar Pradesh state government's overlapping Noida-specific mandatory order. The campaign's principal legal-track vehicle, however, was a Kerala High Court writ petition filed by Jackson Mathew, Managing Partner of the Kerala paper-cup manufacturer Leetha Industries, which employed more than fifty workers at the time of filing and whose business model exposed the absurdity of the 100%-coverage compliance burden — a substantial fraction of Mathew's workers did not own smartphones, and a substantial further fraction owned devices incompatible with the app, making criminal liability for non-coverage practically impossible to escape regardless of good faith. The petition was drafted by IFF lawyers and led on the record by Advocate Santhosh Mathew with Advocates Anil Sebastian Pulickel, Vijay Paul, and Jaisy Elza Joe; the IFF support team comprised IFF retained counsels Gautam Bhatia and Abhinav Sekhri and IFF in-house lawyers Vrinda Bhandari, Devdutta Mukhopadhyay, and Sidharth Deb. The petition was accompanied by an expert affidavit by Professor Subhashis Banerjee of the IIT Delhi Department of Computer Science and Engineering, setting out the technical defects in the app's contact-tracing protocol — including the static-device-identifier weakness that compromised the protocol's anonymisation properties relative to the dynamic-token approach used in comparable international protocols.

At the first hearing on 12 May 2020 before Justice P. Gopinathan, the Kerala High Court Single Judge Bench remarked that the mandatory imposition was "problematic" — pointing to the practical impossibility of full compliance given the share of Indian workers without smartphones and the operating practicality of workplaces functioning at fifty per cent capacity — and asked the Centre to file a statement, listing the next hearing for 18 May 2020. The petition's prayer included an interim direction restraining the government from sharing personal data collected by Aarogya Setu with third parties for the purposes of issuing e-passes or providing access to convenience services, and a direction requiring the government to give wide publicity to the voluntary nature of the app across electronic, print, and social media, including on the app's own interface. On 20 August 2020 the matter was listed before Justice Anu Sivaraman, who directed that the petition be consolidated with other connected matters — including a public-interest-litigation brought by petitioner John Daniel — before a Division Bench comprising Justice Anu Sivaraman and Justice MR Anitha; the consolidated bench was scheduled to be heard after the Onam holidays in September 2020.

The 17 May 2020 dilution

The campaign's principal substantive outcome arrived four days after the Kerala High Court's "problematic" remark. On 17 May 2020, the Ministry of Home Affairs issued the Lockdown 4.0 guidelines for the 18–31 May 2020 period substituting the original mandatory language with "employees on best effort basis should ensure that Aarogya Setu is installed by all employees having compatible mobile phones" — a substantial dilution that removed the criminal-penalty hook for non-installation, withdrew the 100%-coverage compliance obligation, recognised the device-compatibility constraint explicitly, and reframed the employer obligation from absolute liability to good-faith effort. IFF's own statement characterising the outcome called the change "a small but significant win" attributable to the combined pressure of the joint civil-society letter and the pending Kerala High Court writ petition. The framing was deliberately modest: the campaign was clear that "best effort basis" still permitted considerable de facto coercion at the state and agency level, that it did not address the underlying protocol defects, that it did not constitute primary-legislation protection of a sort the campaign had been calling for, and that it did not establish the constitutional principle that a public-health emergency does not authorise mandatory installation of a state surveillance app under criminal-penalty enforcement. But it did remove the central legal-coercion architecture, and it did so within sixteen days of the original order — fast enough that no employee in India faced a Disaster Management Act prosecution for non-installation.

Parallel Karnataka litigation: Anivar Aravind

Running in parallel to the Kerala petition was an independent public-interest-litigation in the Karnataka High Court, filed by Anivar A. Aravind, an advisory-board member of Software Freedom Law Centre, India (SFLC.in). The SFLC-led Anivar Aravind v. Union of India (WP(C) 7483/2020) challenged the de facto mandatory imposition of Aarogya Setu on substantively the same grounds — unconstitutional in the absence of specific legislation governing data collection and processing, disproportionate, lacking informed consent — and was represented by Senior Advocate Colin Gonsalves and SFLC counsel Clifton D' Rozario, Avani Choksi, and Ali Zia Kabir. The Karnataka High Court interim order of 19 October 2020 held that the State of Karnataka and its instrumentalities cannot deny any service or benefit to any citizen for not having installed Aarogya Setu, and the bench found prima facie that no informed consent had been obtained from users for the data-sharing arrangements set out in the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020. Over the course of the litigation, the Karnataka petition extracted explicit on-the-record commitments from the Union government through the Ministry of Railways, the Airports Authority of India, and the Ministry of Civil Aviation, and from Bangalore Metro Rail Corporation Limited, that Aarogya Setu installation could not be made a condition of access to their services — the most substantive set of central-agency commitments the broader civil-society campaign secured.

The Internet Democracy Project tracker

The fourth working leg of the campaign was documentation. The Internet Democracy Project, an independent New Delhi–based digital-rights research project, launched its Aarogya Setu mandatory-or-not tracker on 8 May 2020 and closed it on 1 March 2021 — an eleven-month documentation programme designed to surface the gap between the government's official voluntary framing and the de facto pattern of central and state-agency coercion that persisted through and after the 17 May 2020 dilution. By the time the tracker closed, the project had recorded 155 distinct instances of mandatory or coercive imposition: 74 cases of straightforward mandatory imposition by particular central or state agencies, 10 cases of proposed future mandatory status, 15 cases of specifically coercive imposition (including the practice of courts conditioning bail on installation), and 56 cases of strong recommendation. The tracker's principal finding was that the post-17-May voluntary framing was best understood as a removal of the central legal-coercion architecture rather than a removal of de facto coercion as such — the Ministry of Health, for example, mandated the app for office workers on 13 February 2021 while merely advising it for international arrivals four days later. The tracker's data fed directly into the Karnataka HC PIL evidence base and became the principal Indian civil-society reference dataset on the actual rather than nominal pattern of pandemic-era mass-tracing-app imposition.

Coalition shape and campaign repertoire

The campaign is structurally distinct from the corpus's other IFF-anchored campaign, Project Panoptic, in coalition architecture and repertoire. Project Panoptic is a single-organisation campaign with technology-partner contributors, structured around a tracker-dataset-and-public-petition vehicle on a multi-year horizon; the Aarogya Setu challenge was a fast, broad-coalition campaign built around four parallel working legs — the 45-organisation joint letter, the Kerala High Court strategic-litigation vehicle, the parallel Karnataka HC PIL led by a peer civil-society organisation, and the eleven-month documentation tracker — pressed into service over an emergency-paced sixteen-day window between the 1 May and 17 May 2020 MHA orders, then continued at lower intensity for a further ten months. IFF's role across the four legs was anchoring rather than monopolising: IFF coordinated the joint letter and drafted the Kerala petition; SFLC.in led the Karnataka PIL; the Internet Democracy Project ran the tracker; and the broader 45-organisation coalition supplied the cross-sectoral signatory legitimacy that the joint letter rested on. The repertoire combined fast joint-statement coordination, dual-jurisdiction strategic litigation, an expert technical-defect affidavit supplying the protocol-level critique, ongoing documentation, and IFF's standing channels into parliamentary engagement and policy submission — pushing the Aarogya Setu critique into the wider Indian debate on data protection legislation, which would culminate (along a separate but related track) in the Personal Data Protection Bill cycle and ultimately in the Digital Personal Data Protection Act 2023.

Place in the make-AI-good movement

The campaign matters to the wider make-AI-good corpus on three connected counts. First, it is the corpus's principal Indian civil-society case study of pandemic-era mass-surveillance-app advocacy — the only sustained Indian counterpart to the wider international civil-society response to government COVID-19 contact-tracing app rollouts, and the South Asian counterpart to comparable European and North American civil-society work on national contact-tracing app rollouts during the same period. The campaign's central public-record argument — that the legitimate public-health goal of digital exposure notification cannot lawfully be pursued through a state-mandated, source-closed, criminally-enforceable, centrally-architected app in the absence of primary-legislation safeguards — is the Indian civil-society reference position that subsequent Indian privacy and data-protection debate now sits on. Second, the campaign is the corpus's clearest articulation of the connection between digital-public-infrastructure governance and pandemic-emergency surveillance: the 1 May 2020 order presupposed the existence of a state-operated mass-installation app under criminal-penalty enforcement, which presupposed in turn the underlying Aadhaar/UPI/digital-identity DPI stack that IFF's wider AI and algorithmic-accountability work tracks; the post-2020 contact-tracing controversy is recognisable as a continuous thread with the corpus's broader concerns about automated welfare administration, biometric authentication, and algorithmic public-service delivery in India. Third, the campaign's coalition-and-litigation repertoire — joint civil-society letter coordinated by a digital-rights anchor, dual-jurisdiction strategic litigation in two state High Courts, expert technical-defect affidavit supplying the protocol critique, and an independent eleven-month documentation tracker — is the South Asian template for fast civil-society response to state-mandated emergency-surveillance systems, and is the working model on which subsequent Indian and regional civil-society organisations have drawn when designing pushback against later state-deployment proposals (the IndiaAI Mission's algorithmic-governance components, the AgriStack and DigiLocker decision-making layers, and the various state-level facial-recognition deployments that the Project Panoptic campaign would subsequently track).