CoWin App: No Specific Privacy Policy, No Info on Developer, Cost

The app’s privacy policy links to the Health Data Management Policy of the Union Health and Family Welfare Ministry


The CoWin app, the Centre’s glitch-prone digital platform rolled out to manage the COVID-19 vaccination program, has also emerged as opaque regarding basic information about its development and functioning.

Information sought under the Right to Information Act regarding the app has also been stonewalled, eliciting comparisons with Aarogya Setu’s lack of transparency and raising questions around an application designed to handle sensitive data of over a billion citizens.

An RTI seeking information on the developer of the CoWin app, as well as on the cost incurred and audit practices, was transferred from one ministry to another, before the reply stated that ‘no information is available’.

An online civil liberties organisation has also found that the CoWin app does not have a specific privacy policy. Instead, the privacy policy hyperlinked to the app redirects to the Health Data Management Policy, 2020, a Union Health Ministry document dealing with the creation of national health IDs and digitising of health records.

The rejection of basic information comes months after the Central Information Commission had termed a similar denial of information by the Ministry of Electronics & IT on the Aarogya Setu app as ‘preposterous’.

No Privacy Policy with CoWin App

The Software Freedom Law Centre, India (SFLC.In), an organisation advocating for online civil liberties, found in its preliminary review that the app does not have a specific privacy policy. An app’s privacy policy specifies how it collects, stores, processes and shares data pertaining to individuals.

SFLC.In also points out that the CoWin app does not list the official email address of Union Health Ministry officials. Instead, it has listed a Gmail address.

“The app does not have a specific Privacy Policy which governs data collected and processed by the App, open sourcing, data sharing, liability etc (sic),” SFLC.In states in its tweet. 

“The privacy policy hyperlinked to the app redirects to the Health Data Management Policy, 2020,” SFLC.In adds.

So, what exactly is this policy? And why is it acting as a substitute for an actual privacy policy of an app?

This Health Data Management Policy, 2020, essentially asserts the government's intent to promote the newly-announced national health ID, along with the national health stack.

The policy is the first step in realising the NDHM’s guiding principle of ‘Security and Privacy by Design’ for the protection of individuals’/data principal’s personal digital health data privacy

SFLC.In explains that the Health Data Management Policy is an umbrella policy, which acts as a guidance document across the National Digital Health Ecosystem and can’t substitute adequately as a specific policy for an app.

“The problem of replacing a specific privacy policy with an umbrella policy for the Co-WIN app is that the latter does not have specific provisions on data sharing, purpose limitation, data minimisation, data retention and the likes, with respect to the Co-WIN App.” 
Prasanth Sugathan, Legal Director, SFLC.In

Moreover, Co-WIN is not an open-source application and therefore is not open to scrutiny by third-party auditors. “There are no provisions for liability related to data breaches either,” Sugathan adds.

Denial of RTI Info

Given the multiple glitches that CoWin suffered from the first day of the vaccination drive, the app has invited attention to its development and design.

However, at least two separate RTIs seeking information on the app have failed to get any information on it.

A collective called ‘Legal Squad’ filed an RTI with the Union Health Ministry on 5 January, seeking specific details on the individuals and government departments associated with the development of the app, and audit measures that exist to check for misuse of the personal data.

This was transferred to the Union Electronics & IT Ministry (MeitY). It is known as the CoWin app, which comes under the administration of the Ministry of Health & Family Welfare.

On 19 January, MeitY responded stating, “With regard to information sought, no information is available with innovation & IPR Division, MeitY.”

A separate RTI, filed by SFLC India on 12 January, has also sought specific information regarding the privacy assessment of Co-WIN, list of developers, file notings and cost incurred on developing the app.

“There is a lot of opacity behind who developed the app, its security implications considering that it is not open source, the data sharing, and data retention,” said SFLC.In’s Sugathan, adding, “This puts sensitive data of individuals at risk and open to misuse.”

Parallels With Aarogya Setu’s Lack of Transparency

The Central Information Commission (CIC) had slammed the Ministry of Electronics and Information Technology (MeitY) for having ‘no clue’ about the origin of the government’s vaunted coronavirus tracing app, Aarogya Setu, and issued show-cause notices to information officers in the ministry for their evasive replies to RTI requests on this issue.

“None of the CPIOs were able to explain anything regarding who created the app, where are the files, and the same is extremely preposterous,” the order of Information Commissioner on 27 October had stated.

The CIC’s order and observations related to a complaint by RTI activist and independent journalist Saurav Das, who had filed several RTI requests regarding the Aarogya Setu app.

On 1 August, Das had sent queries to the CPIOs at MeitY, asking for details and documents on the creation of the Aarogya Setu app, including the origin of the proposal, how it was approved, which government departments were involved, and copies of communications with private persons involved in developing the app.

On 2 October, after nearly two months, the NeGD said they did not have any information relating to his queries.

“It seems this government never learns. Previously in my Aarogya Setu case too, MeitY said that it does not have information and kept transferring the RTI like a game of ‘passing the parcel’,” Saurav Das told The Quint.

Das says that after the Central Information Commission passed some scathing remarks following his second appeal, some information came forth. But till date, he has not got the information sought relating to Aarogya Setu’s creation. The case is currently pending before the Delhi High Court.

“I believe a similar fate awaits Co-WIN. Both these apps collect a lot of sensitive information and we do not know how this data is being handled. Co-WIN is a bigger issue since this is directly related to the Digital Health ID,” Das said.

He added, “When the government starts hiding information and files relating to them, it raises genuine apprehensions and questions.”
