By Aparajita Lath
The Aarogya Setu app, which was launched on 2nd April and has been made mandatory for certain sections of society, continues to raise several questions regarding effectiveness, security, privacy and technology. As of May 8, this app has 9 crore users and is one of the world’s top 10 most downloaded apps. Users are probably treating this app just like any other app. Given that it has been launched by the Government of India, the expectations of safety and reliability, for most such users, are presumably high.
The app, however, is not open source and the terms of service impose a blanket prohibition on reverse engineering. Due to this, independent auditing of the app by the community in general has not been possible. An ethical hacker has reportedly identified vulnerabilities but the government maintains that the app is safe. Security researchers and privacy advocates have argued that if the app is mandatory, then people have a right to know what the app is really doing. For this, the app’s code should be opened/revealed for the community to understand its actual functioning. Reports state that the government is now planning to open source the code of the app.
Software per se is entitled to thin protection as a ‘literary work’ under the Copyright Act (the Act). The Act also affords users several fair dealing rights with respect to computer programs, some of which permit reverse engineering of varying degrees. For instance, section 52(1)(ac) allows users to observe, study or test the functioning of the computer programme in order to determine its underlying ideas and principles while performing such acts necessary for the functions for which the computer programme was supplied. This fair dealing clause is a research exemption and permits users to unlock the functionality of the software, its underlying principles and ideas while loading, running, displaying or doing any other acts that are necessary for performing the functions for which the program was supplied. Reverse engineering is also permitted as per section 52(1)(ab) where the purpose is to obtain information essential for achieving inter-operability of computer programs.
Rajiv has discussed the concept of reverse engineering, in detail, on this blog here and here. SFLC has made reference to these reverse engineering fair dealing rights, the prohibition of reverse engineering in the Aarogya Setu app terms and the need to remove such a prohibition. Certain commenters have argued that section 52(1)(ac) cannot be read as a right to reverse engineer software – to them it is a ‘testing and integration’ provision. Section 52(1)(ac) is a clear research exception and not an integration exemption. This fair dealing right allows users to determine underlying ideas/principles of the software through monitoring the functions of the program. Ideas/principles are not copyrightable and users are permitted to test the software to reverse engineer the ideas/principles of the app. Section 52(1)(ab), on the other hand, is an integration exemption – since reverse engineering (which could include through decompilation) under this section is only permitted for integrating/achieving inter-operability of computer programs.
In any case, it is difficult to argue that the Act does not permit any kind of reverse engineering whatsoever. Since this term is a technical term, if the app wanted to prohibit certain kinds of behavior through reverse engineering, to begin with, reverse engineering should have probably been defined under the terms of service. Since it has not been defined and since the Act permits certain kinds of reverse engineering, can the terms of service of the app impose a blanket prohibition on reverse engineering i.e. make users contract out of their fair dealing rights?
Certain legislations, e.g. labour-related legislations like the Employees Compensation Act, 1923 (ECA) and the Minimum Wages Act, 1948 (MWA), explicitly prohibit employees from contracting out of the rights/benefits conferred on them by these statutes (e.g. Section 17 ECA and Section 25 MWA). The Act, however, does not expressly prohibit users from contracting out of their fair dealing rights. It can therefore be argued that private parties are free to contractually forego user rights (the right to reverse engineer) and that parties have the freedom to contract as they like.
However, the freedom to contract argument may be rebutted on the ground that this app is being imposed as mandatory and users have no meaningful choice but to accept the terms (whether reasonable or not). Further, it can be argued that any contractual provision that defeats the purpose of a statute or one which is against public policy is unenforceable (section 23 of the Contract Act). The Copyright Act grants ‘exclusive rights’ to authors/owners, but also imposes limitations on these exclusive rights that are in the nature of the user’s rights. Such a balancing of rights is not a mere default position, but a conscious policy decision of balancing competing interests. Further, statutory rights that are designed to serve a public purpose and which operate for the general benefit of the community should not be permitted to be waived by private agreements. Shamnad and Pankhuri have also highlighted in their response (page 74 & 75) to a survey on copyright user rights that user rights cannot be contracted out of and have cited Delhi High Court and ITAT decisions which state that ‘holders of copyright are not entitled to impose any restrictions curtailing fair use’ and that any conditions put in a license restricting its fair or reasonable use will be ignored.
Making users contract out of their fair dealing rights is questionable, especially given the present context where such rights may serve a public purpose of identifying vulnerabilities with an app launched by the government, used by crores of people, that collects vast amounts of personal and sensitive information.
In addition to the above, given that ethical hackers are investigating this app and the government is committed to opening up the code, should this blanket prohibition be taken seriously if reverse engineering, to the extent permitted under the Copyright Act, is used to serve a public purpose?
*The author is a lawyer based in Bangalore.