The Centre’s highly controversial Aarogya Setu App, purportedly designed for the contact tracing of COVID-19 cases, is in the limelight again after RTI responses revealed that the government failed to implement its own rules pertaining to data security.
A report in The Quint cited RTI replies by the government which did not seem to provide any substantial responses or clarity on who citizens’ data was shared with, the security practices behind safeguarding such data or whether its use was subject to audits.
It is to be noted that India currently does not have a data protection framework in place, as the Personal Data Protection Bill, 2019, is not yet law. Moreover, Justice B.N. Srikrishna, who headed the committee which initially drafted the proposed legislation, has been highly critical of the form it later acquired.
In the absence of a framework to safeguard its citizens’ data, the Union Government put rules in place which laid out how the data collected by the Aarogya Setu App would be used and under what conditions. The procedure was called the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol 2020’. While the app itself went live on April 2, 2020, the rules came about more than a month later, on May 11.
The Quint report mentions that several such rules, drafted specifically for the app, were not followed.
Section 6 (c) of the Aarogya Setu protocol mentions that the National Informatics Centre (NIC) “shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared. Such documentation shall include the time at which such data sharing was initiated, the persons or agencies who are being provided access to such data, the categories of data that are being shared and the purpose for which such data is being shared.”
In response to an RTI query, the government responded that it had shared data with “Ministry of Health & Family Welfare, ICMR, State Governments (i.e., State Health Secretary at the state level and District Magistrate at the district level)”. The information does not mention when the data was shared, who it was shared with, or the purpose of sharing it.
Under the section titled ‘Obligations of entities with whom response data is shared’, the protocols also mention under Section 7 (a): “Any Ministry, Department of the Government, NDMA, SDMAs or public health institution shall also implement reasonable security practices and procedures as prescribed under any law for the time being in force.”
In its reply to RTI queries about the security measures, however, the government reportedly said that it had no information about the same to share and forwarded the query to all health secretaries and district magistrates in the country.
Regarding the audit mechanisms in place for the data, the protocol, under Section 7 (b), stated that parties with whom data was shared “shall not re-use the data for any other purpose or disclose the data to any other entity and remain subject to audit and review of their data usage by the Central Government.”
However, in its response to an RTI query, the government said that information requested about an audit was “not applicable” since the data was apparently only shared with government agencies.
Questions surrounding the Aarogya Setu app are not new. Earlier this week, the Central Information Commission (CIC) issued show-cause notices to the chief public information officers at the Ministry of Electronics and Information Technology, the NIC and the NeGD (National E-Governance division) after their evasive reply to an RTI application that sought information about who created the app.
Justice B.N. Srikrishna also backed concerns surrounding the app in May, saying that it would cause “more concern to citizens than benefit”. Concerns have also been raised over the efficacy of the app.
In September, four organisations – Jan Swasthya Abhiyan, All India People’s Science Network, Internet Freedom Foundation and Forum for Medical Ethics Society – in a joint statement questioned the app’s design, deployment, policies regarding data storage, preservation of privacy and data sharing, as well as overall policy implementation and inadequate legal frameworks for data protection and grievance redressal.
The organisations, which conducted a detailed analysis of the Aarogya Setu App, said they found that it did not conform to key technical best practices being developed internationally. Among technical, legal and ethical issues, the analysis found that the AS App’s centralised data storage system enables exporting of people’s sensitive personal details to an external government-operated server, which is linked with the Indian Council of Medical Research database and others.
“These are being provided to third parties such as research universities and private consultancy firms. Overall, this is an expansive approach to data collection and extraction, and clearly undermines privacy of people’s data,” the organisations said.