- MeitY has issued Aarogya Setu's privacy protocol roughly a month after the app's launch.
- The Protocol states that user data should not be retained beyond 180 days.
- The data collected by the Aarogya Setu app is for the purpose of tracking covid-19 cases in India.
Aarogya Setu, the Indian government's digital platform to track covid-19 patients, has rekindled the advocacy for user privacy. Having amassed over nine crore downloads, Aarogya Setu landed in the soup after a prolific French hacker unearthed one too many privacy issues with the app, prompting open defiance among some citizens. The outrage grew further after the government said Aarogya Setu must be installed on the smartphones of Noida residents. Now, in an attempt to quell the privacy and surveillance concerns over the app, the Ministry of Electronics and Information Technology (MeitY) has issued a privacy and access protocol for it nearly a month after its launch.
In a notification issued on Monday, May 11, MeitY published what it calls the "Aarogya Setu Data Access and Knowledge Sharing Protocol" to define the scope of user data collection and its handling by the relevant authorities. The government says the app has been built with the privacy and security of user data in mind, that data being collected for the purpose of tracking covid-19 patients and minimising further spread of the pandemic. The Protocol has been designed in accordance with the precautionary measures issued by the government to formulate health responses that "not only contain the epidemic but also protect the health and safety of the community at large."
According to MeitY, these health responses require individuals' data for the management of the covid-19 pandemic, syndromic mapping, contact tracing, and communication between them. Aarogya Setu is designated to carry out most of these responses and needs confidential information about individuals. That information includes travel history, device information, location data, contact data, demographic data, and self-assessment data, which the app collects only after the user has permitted it. But what happens to the data after it is collected, and what if the user wants to pull out of the health response regime?
The government had not specified the extent to which data was being collected and possibly stored on servers. The French hacker had previously pointed out security flaws in the app, as severe as potentially revealing the number of infected patients and their location. The government rebutted the hacker's claims, insisting the app is safe and secure for public use. Meanwhile, the hacker called for the Aarogya Setu app to be made open source, which could allow security researchers to fix errors as and when they appear. While the government has said nothing about making Aarogya Setu open source, it has laid down certain protocols.
The data collected by the Aarogya Setu app can be used by the National Informatics Centre (NIC), the Ministry of Health, NDMA, SDMA, local government authorities, and any government-related department.
No third-party involvement unless for a very specific reason
While the Protocol says the data will not be shared with third parties, there are certain relaxations. According to the notification, user data can be shared with third parties "only if it is strictly necessary to directly formulate or implement health responses." Such third parties are bound by the obligations the Protocol lays down.
What data is collected and what is kept on the phone
In particular, a user's contact and geographical data should remain on the device on which the app is installed. There are, however, caveats to this rule. The government says the data may be uploaded to government-authorised servers "for the purpose of formulating or implementing appropriate health responses." The yardstick for deciding which data stays on the device and which may be uploaded has not been specified by the government.
Most importantly, the Protocol states that no data should be retained beyond the period deemed necessary to fulfil those purposes. At most, contact, location, and self-assessment data should be "permanently" erased 180 days after the day it was recorded by the app. Demographic data, however, may still be retained by NIC for as long as the Protocol related to the covid-19 pandemic remains in effect. A user can request that NIC delete this data, and the agency should remove it within 30 days.
MeitY has constituted what it calls an "empowered group" that will review the Protocol every six months from the date of its issuance, or earlier if necessary. Per the notification, the Protocol shall remain in effect for a period of six months.