A project of the Centre for Internet and Society, India
Supported by Omidyar Network India
In an effort to contain the spread of COVID-19, governments across the world have used contact tracing as a means to identify and map the spread of the virus. This has led to a large-scale push for digital contact tracing in the form of smartphone applications that alert users in case of potential exposure to someone who has been infected. These applications can generate heat maps of areas with high rates of infection, and have proven useful in identifying emerging hotspots. However, in the rush to introduce digital methods of contact tracing, concerns around privacy, surveillance and potential discrimination and exclusion remain unaddressed. Governments must keep in mind that digital contact tracing cannot replace manual contact tracing, and successful contact tracing is a result of manual and digital contact tracing working in tandem.1 Applications have also reported cases of false positives and false negatives, and require high participation from the local population to be of any real significance.
In India, the National Informatics Centre (NIC) developed the Aarogya Setu application to serve as a contact tracing, syndromic mapping and self-assessment digital service, in addition to a number of similar applications released by state governments.2 The application collects demographic, health data and real-time location data and colour codes users based on the risk that they pose to others due to their health status, and maps infection hotspots.
We examine the Aarogya Setu application against a series of tests in our evaluation framework in order to determine whether the use of Digital ID in this application is legitimate, human-rights respecting, and balanced against potential risks.
Aarogya Setu has been deployed in the absence of an appropriate statutory framework and is not codified in a valid law. It was initially mandated by the Ministry of Home Affairs on the basis of a Government Order (G.O.)3 that finds its basis in the Disaster Management Act, 2005. No legislation has been passed by Parliament to authorise the creation and mandatory deployment of the application. In response to data protection concerns around the application, the government released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 20204 (“Protocol”) which lays down broad principles of data protection, along with the Android and iOS source code of the application.5 India also presently lacks a data protection framework, which leaves the collection and use of data collected from the application to the vagaries of executive orders.
The framework governing the use of Aarogya Setu in India is not codified in valid law, and is made up entirely of delegated legislation.
The use of Aarogya Setu must correspond to a legitimate aim in the law governing it. It is necessary to point out that the application is not codified in a valid law. A reading of the G.O. (drawn from the Disaster Management Act, 2005) in combination with the Act could satisfy the legitimate aim test. The present COVID-19 pandemic would qualify as a disaster under Section 2(d) of the Act, and deployment of the application for digital contact tracing could be justified as a form of disaster management under Section 2(e). The Disaster Management Act aims to provide effective management of disasters and matters connected therewith or incidental thereto.
In the absence of a valid law, these objectives could qualify as a legitimate aim.
In the absence of primary legislation governing the application, we will have to rely on its Protocol and Privacy Policy for a definition of the actors and purposes. The Protocol directs the Privacy Policy to clearly specify the response data and the purpose for which it is collected by NIC.6
The Protocol states that the NIC can share information with the Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/local governments, National Disaster Management Authority (NDMA), State Disaster Management Authorities (SDMAs), and other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, State and local governments, where such sharing is strictly necessary to directly formulate or implement an appropriate health response.7 The NIC can also share response data in de-identified form (defined in the Protocol as data which has been stripped of personally identifiable data to prevent the individual from being personally identified through such data and assigned a randomly generated ID8) with such Ministries or Departments of the Government of India or the State/Union Territory Governments, local governments, NDMA, SDMAs and such other public health institutions of the Government of India or State Governments or local governments with whom such sharing is necessary to assist in the formulation or implementation of a critical health response.9 Data can also be shared with Indian universities and research institutions/entities registered in India; however, what constitutes a research institution or entity has not been clearly defined and can be broadly interpreted.10 This could potentially include pharmaceutical companies, for instance, who could then have access to sensitive health information without sufficient safeguards in the absence of a data protection framework.11
The Privacy Policy states that the purpose of the application is for collected data to “be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required.”12 The Protocol states that collected data will be used “strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.”13
In addition to plans to integrate more functions such as telemedicine within the application, Aarogya Setu is intended to become the “initial building block for India Health Stack”,14 which is indicative of growing function creep of the application beyond its original stated purpose.15
While there is a lack of clarity in specifying all of the actors who will have access to collected data, the purpose of the application has been clearly articulated. However, the Protocol and Privacy Policy can be easily modified with no oversight, and the functions of the application are slowly expanding.
The use of the ID system by private actors has not been adequately regulated.
Apart from government entities, other actors such as Indian universities, and research institutions and entities registered in India, have access to anonymised data. The Protocol and Privacy Policy are unclear on the criteria for qualifying as a research institution or entity. Moreover, there is no requirement that this research cannot be for-profit, or even that it must be in the field of COVID-19 research, opening the door for private companies to access data by classifying themselves as research entities.
Further, researchers have documented how information from the application can be easily used by anyone for non-COVID surveillance purposes, such as estimating population spread in a particular area, or even spying on army bases.16
There is also no restriction on private parties mandating use of the application for any purpose.
An Open API platform set up by Aarogya Setu also allows third-party apps to check the health status (and no other personal information) of a user with their consent. There are protective measures including user notification in case of breach, anonymisation, encryption and audit logs.17 However, there are concerns that a reading of the other clauses in the terms and conditions suggests that third party applications will have access to data apart from “health status” but must commit to not use it.18 The requirements are loose enough to allow any company registered and operating in India with more than 50 employees, customers or users to be authorised to access the API.19 With the intended use of the application as the basis of the National Health Stack, integration with third parties raises the possibility of the application forming the basis of an immunity passport to access services and gain entry to spaces (which can lead to exclusion and discrimination).
The Protocol states that the NIC shall collect only such “response data as is necessary and proportionate to formulate or implement appropriate” health responses.20 While the Protocol broadly outlines the kinds of data that will be collected, it directs the Privacy Policy to provide a more detailed list of data collected and the purposes for which it will be used. This data is collectively referred to as response data in the Protocol.21 The response data consists of:
In the absence of statutory legislation governing the application, these categories of collected data have only been enumerated in the Protocol and Privacy Policy, both of which could be amended to expand their scope without legislative oversight.
There is no explicit provision for user notification mechanisms on how user data is used or shared (including with third parties), or for breach of user data.
This is particularly concerning because of the sensitive nature of the data collected by the application (such as health information and real-time location), and the harms that could arise out of unauthorised disclosure or sharing of this information.
The later updates to the application now notify the user of any changes to the privacy policy. However, it is important to note that while the application itself is available in multiple local languages, the Privacy Policy and Terms of Service are only available in English, which makes such notifications (and consent on the basis of this) meaningless to a majority of users.
Users of the application fill in their own demographic details, as well as a self-assessment of their health, and the application allows them to access and correct this information at will. The Protocol also directs the NIC to “document the sharing of any data and maintain a list of the agencies with whom such data has been shared. Such documentation shall include the time at which such data sharing was initiated, the persons or agencies who are being provided access to such data, the categories of data that are being shared and the purpose for which such data is being shared”, though only to the extent reasonable.22 There is no provision for how users may access this documentation. Moreover, neither the Protocol nor the Privacy Policy enables users to confirm whether their information is still held by the NIC or any government agency after the specified retention period.
While users are given the option of deleting their Aarogya Setu account (which would also delete response data from their phone), the application clearly states that this will not cause response data to be deleted from government servers.23 Moreover, while use of the application is voluntary on paper, it is still de facto mandatory for many in order to access essential services. For instance, when it is mandated by employers, opting out of using the application is not a realistic option.
While users have some rights over their information, they cannot confirm their data or delete their own data from government servers, and many cannot opt out of using the application at all.
As stated in the Protocol, any violations would lead to penalties under Sections 51 to 60 of the Disaster Management Act, 2005.24
However, there are no other redressal mechanisms for users specifically relating to the application.
Principles of data minimisation are followed to varying degrees.
The Protocol limits the NIC from collecting more data than is necessary and proportionate, and “strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses”.25 Of the information collected by the application, the collection of real-time location leads to obvious concerns about surveillance, but has been justified on the grounds of the contact tracing aim of the application. However, the need for a user to enter their professional status in order to use the application remains unclear.
Moreover, while there are limits to sharing only information that is strictly necessary, there is no requirement that the information must be strictly proportionate for the appropriate health response.
The Privacy Policy states that location data will be retained on the mobile device for a period of 30 days from the date of collection, after which, if not already uploaded to the server, it will be purged from the application. Location and COVID-19 positive/high likelihood of infection status (which results in all information automatically being uploaded to the server) will, to the extent that such information relates to people who have not tested positive, be purged from the server 45 days after being uploaded. This information for persons who have tested positive for COVID-19 will be purged from the server 60 days after such persons have been declared cured of COVID-19.26 As per the Protocol, the NIC must permanently delete self-assessment, location and contact data after 180 days under ordinary circumstances,27 but it is silent on what would constitute extraordinary circumstances allowing data to remain on the server beyond this period, except that such retention can be carried out on a recommendation by the Empowered Group.
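The retention rules above are easier to audit when written as a purge-date calculation. The following is an added illustration, not code from Aarogya Setu or the NIC; it assumes the Protocol's 180-day hard cap is counted from the date of collection (the page does not say what it is counted from) and that an Empowered Group recommendation is the only way to exceed it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods as stated in the Privacy Policy and Protocol.
DEVICE_RETENTION = timedelta(days=30)            # on-device, if never uploaded
SERVER_RETENTION_NOT_POSITIVE = timedelta(days=45)  # after upload, not tested positive
SERVER_RETENTION_AFTER_CURE = timedelta(days=60)    # after declared cured
PROTOCOL_HARD_CAP = timedelta(days=180)          # Protocol: permanent deletion

@dataclass
class LocationRecord:
    """One user's uploaded/collected location data (constructed sample shape)."""
    collected_on: date
    uploaded_on: Optional[date] = None
    tested_positive: bool = False
    cured_on: Optional[date] = None

def device_purge_date(rec: LocationRecord) -> date:
    """Date the on-device copy must be gone if it was never uploaded."""
    return rec.collected_on + DEVICE_RETENTION

def server_purge_date(rec: LocationRecord, empowered_group_extension: bool = False) -> Optional[date]:
    """Date the server copy must be purged; None if the record was never uploaded."""
    if rec.uploaded_on is None:
        return None
    if rec.tested_positive:
        # Retained until the person is declared cured, then 60 more days.
        policy_date = None if rec.cured_on is None else rec.cured_on + SERVER_RETENTION_AFTER_CURE
    else:
        policy_date = rec.uploaded_on + SERVER_RETENTION_NOT_POSITIVE
    # Assumption: the Protocol's 180-day cap runs from collection and
    # overrides the Privacy Policy dates unless the Empowered Group extends it.
    hard_cap = rec.collected_on + PROTOCOL_HARD_CAP
    if empowered_group_extension:
        return policy_date
    if policy_date is None or policy_date > hard_cap:
        return hard_cap
    return policy_date

def overdue_records(records, today: date):
    """Audit helper: indices of records whose server copy should already be purged."""
    overdue = []
    for i, rec in enumerate(records):
        due = server_purge_date(rec)
        if due is not None and today >= due:
            overdue.append(i)
    return overdue

# Constructed sample records for a dry run of the audit.
SAMPLE = [
    LocationRecord(date(2020, 6, 1)),                                   # never uploaded
    LocationRecord(date(2020, 6, 1), uploaded_on=date(2020, 6, 10)),   # not positive
    LocationRecord(date(2020, 6, 1), date(2020, 6, 10), True, date(2020, 7, 5)),   # cured early
    LocationRecord(date(2020, 6, 1), date(2020, 6, 10), True, date(2020, 11, 1)),  # cured late
    LocationRecord(date(2020, 6, 1), date(2020, 6, 10), True),          # never declared cured
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE):
        print(i, device_purge_date(rec), server_purge_date(rec))
    print("overdue on 2020-12-01:", overdue_records(SAMPLE, date(2020, 12, 1)))
```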
Considering the sensitive nature of the information collected and stored by the application, there are inadequate obligations on the disclosure of this information, particularly to third parties.
The NIC can share information with the Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/local governments, NDMA, SDMAs, and other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, State Governments and local governments, where such sharing is strictly necessary to directly formulate or implement an appropriate health response.28 It can share response data in de-identified form (defined in the Protocol as data which has been stripped of personally identifiable data to prevent the individual from being personally identified through such data and assigned a randomly generated ID) with such Ministries or Departments of the Government of India or the State/Union Territory Governments, local governments, NDMA, SDMAs and other public health institutions of the Government of India or State or local governments with whom such sharing is necessary to assist in the formulation or implementation of a critical health response.29
It has been pointed out that the Protocol, while allowing sharing of data with “research institutions” and “research entities”, has not defined what would constitute these entities, giving wide scope for third party entities to potentially access sensitive medical information.30 As highlighted previously, users will not be notified when their information has been shared with a third party, or what information has been shared and to whom.
The use of Aarogya Setu is no longer mandatory in general. However, it remains mandatory for many essential purposes, and there is no restriction on private parties (such as employers) mandating the use of the application.
Since many users do not have a meaningful choice to opt-out of the application, this will have exclusionary impacts.
There is no data protection law in place (and no sufficient judicial or legislative oversight) governing the use of personal data for Aarogya Setu.
Information collected through the application is stored in a centralised server, with no clear information about its functioning.
There is no clearly articulated mitigation strategy built into the design of the application.
Despite having introduced a bug bounty programme,31 there have been instances where potential security issues were publicly dismissed, and articles reporting these concerns have been withdrawn or taken down.32
1. Susan Froetschel and Douglas P. Olsen, “Commentary: Manual contact tracing still the gold standard for COVID-19 response”, Channel News Asia, May 30, 2020, https://www.channelnewsasia.com/news/commentary/coronavirus-covid-contact-tracing-app-who-new-zealand-us-infect-12782748.
2. A Survey of Covid 19 Apps Launched by State Governments in India (July 14, 2020), https://cis-india.org/internet-governance/stategovtcovidapps-pdf.
3. Government Order No. 40-3/2020-DM-I(A), Ministry of Home Affairs, May 02, 2020, https://www.india.gov.in/sites/upload_files/npi/files/MHA_%20new_guidelines.pdf.
4. Government Order No. 2(10)/2020-CLeS, Ministry of Electronics and Information Technology, May 11, 2020, https://www.meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf [“Aarogya Setu Protocol”].
5. The server-side source code of the application has not been made public, which means that the backend use of collected data cannot be monitored.
6. Aarogya Setu Protocol, supra, Clause 5(a).
7. Aarogya Setu Protocol, supra, Clause 6(a).
8. The Privacy Policy of the application does not mention any standards of anonymisation and encryption, only stating that “The App is equipped with standard security features to protect the confidentiality and security of your information”.
9. Aarogya Setu Protocol, supra, Clause 6(b).
10. Guest Report: Bridging Concerns with Recommending Aarogya Setu (June 20, 2020), https://cis-india.org/aarogya%20setu%20privacy [“CIS Report”].
11. CIS Report.
12. Clause 2(a), “Aarogya Setu Privacy Policy”, Aarogya Setu (mobile application), last accessed September 10, 2020 [“Privacy Policy”].
13. Aarogya Setu Protocol, supra, Clause 5(b).
14. Aditi Agrawal, “Aarogya Setu will include telemedicine, greater personalisation; may act as building block for India Health Stack”, Medianama, April 22, 2020, https://www.medianama.com/2020/04/223-aarogya-setu-upcoming-features/.
15. Aditi Agrawal, “Aarogya Setu will include telemedicine, greater personalisation; may act as building block for India Health Stack”, Medianama, April 22, 2020, https://www.medianama.com/2020/04/223-aarogya-setu-upcoming-features/.
16. Tweet by @rajbhagatt, Twitter, last accessed September 10, 2020, https://twitter.com/rajbhagatt/status/1302618044439511043.
17. Aditi Agrawal, “Aarogya Setu launches Open API Services Portal: All you need to know”, Medianama, August 22, 2020, https://www.medianama.com/2020/08/223-aarogya-setu-open-api-services/.
18. Aditi Agrawal, “Aarogya Setu launches Open API Services Portal: All you need to know”, Medianama, August 22, 2020, https://www.medianama.com/2020/08/223-aarogya-setu-open-api-services/.
19. “Aarogya Setu Open API Terms of Service”, Open API Services Portal, National Informatics Centre, last accessed September 10, 2020, https://openapi.aarogyasetu.gov.in/tandc.
20. Aarogya Setu Protocol, supra, Clause 5(b).
21. Aarogya Setu Protocol, supra, Clause 3.
22. Aarogya Setu Protocol, supra, Clause 6(c).
23. “Delete My Account”, Aarogya Setu (mobile application), last accessed September 10, 2020.
24. Aarogya Setu Protocol, supra, Clause 9.
25. Aarogya Setu Protocol, supra, Clause 5(b).
26. Aarogya Setu Protocol, supra, Clause 3(b).
27. Aarogya Setu Protocol, supra, Clause 5(e).
28. Aarogya Setu Protocol, supra, Clause 6(a).
29. Aarogya Setu Protocol, supra, Clause 6(b).
30. CIS Report.
31. Tech Desk, “Aarogya Setu source code available: How to access, details of bug bounty programme”, The Indian Express, May 27, 2020, https://indianexpress.com/article/technology/tech-news-technology/aarogya-setu-source-code-bug-bounty-programme-6429331/.
32. Business Line Bureau, “Centre pulls up agency on ‘malicious article’ about Aarogya Setu App”, Business Line, August 12, 2020, https://www.thehindubusinessline.com/news/centre-pulls-up-agency-on-malicious-article-about-aarogya-setu-app/article32339119.ece.