What privacy activists have long feared is now official. Responses to RTI queries reveal that the Government of India has failed to implement the measures meant to safeguard and secure the data of millions of Indians collected by the controversial COVID-19 contact-tracing app, Aarogya Setu.
Two days after the Ministry of Electronics and Information Technology (MEITY) and National Informatics Centre (NIC) were pulled up by the Central Information Commission for evasive answers about the app’s creation, this author can now exclusively reveal that the government has failed to implement key provisions of the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol 2020’.
These revelations, including the absence of any audit mechanism and of any procedure for anonymising data, raise serious questions about the government’s attitude towards protecting the data and privacy of millions of Indians, and about the trust that can be placed in digital health initiatives like this one.
What Is This Aarogya Setu Protocol?
On 2 April 2020, the NIC, which falls under MEITY, launched the Aarogya Setu app to help with contact tracing of COVID-19 in India. It has since been downloaded by over 160 million users.
After its launch, several privacy experts raised a number of privacy concerns associated with the usage of this app. Attempting to allay such fears, the Centre created the Aarogya Setu Protocol and notified it on 11 May 2020.
The Protocol governs the collection of data by the app and the sharing of personal and non-personal data collected through it. It lays down obligations, and penalties for non-compliance, for sharing data with government agencies, third parties, and research institutions.
MEITY is designated as the agency responsible for implementing the Protocol, and the app’s developer, the NIC, is “responsible for collection, processing and managing response data collected by the Aarogya Setu app”.
Readers must note that the Aarogya Setu Protocol is not legislation, or even a government policy. It is merely a set of rules that the government claimed it would follow – but rules that were nonetheless vital for protecting the personal data of the app’s users.
How Has the Govt Failed to Implement the Safeguards in the Protocol?
The NIC’s responses to an RTI application filed by this journalist on 1 August 2020 reveal that the NIC has failed to implement crucial safeguards.
It should be noted that, as with the queries regarding the creation of the app, the NIC initially failed to answer these queries, and only provided its responses on 15 October, after a first appeal under the RTI Act.
1. DOCUMENTATION OF PARTIES WITH WHOM DATA IS BEING SHARED
Para 6(c) of the Protocol requires the NIC to document, to the extent reasonable, “the sharing of any data and maintain a list of the agencies (and persons) with whom such data has been shared”.
The documentation should include details such as the time at which the data sharing was initiated, the persons or agencies being given access to the data, the categories of data being shared and the purpose for which the data is being shared. Para 7(b) of the Protocol also says that response data received by government entities should not be shared onward with any third party unless “strictly necessary to directly formulate or implement appropriate health responses.”
The Vidhi Centre for Legal Policy, which helped draft the Protocol, explained at the time that
“This ensures that there exists a paper-trail, which can be examined to identify any misuse or irresponsible sharing of the data. Further, NIC is required to maintain a list of agencies with whom the data was shared. Together, these measures institute a strong framework for accountability in data sharing under this Protocol.”
Has this safeguard been implemented?
Not as per Protocol.
When asked to furnish details of the agencies/persons with whom the data has been shared, the NIC gave an extremely generic response: “Ministry of Health & Family Welfare, ICMR, State Governments (i.e., State Health Secretary at the state level and District Magistrate at the district level)”
This response merely states the categories of entities with whom data has been shared, rather than the list of specific entities that the NIC was supposed to maintain. It does not specify which State Health Secretaries and District Magistrates the data has been shared with.
The NIC gave no details about which third parties have been given Aarogya Setu data, only saying that the question is ‘inapplicable’ in light of its earlier generic response. In a separate RTI query, they refused to answer whether intelligence or law enforcement agencies have received this information.
2. SECURITY PRACTICES AND PROCEDURES
Para 7(a) of the Protocol requires all parties, government or private, with whom data is being shared to “implement reasonable security practices and procedures as prescribed under any law” to handle the data.
This measure was essential as India still does not have a data protection law. Unfortunately, the Protocol did not specify what such reasonable security practices and procedures were to be, though as Vrinda Bhandari, of counsel for the Internet Freedom Foundation notes, it was expected that MEITY and the NIC would notify some reasonable security practices and procedures.
Has this safeguard been implemented?
MEITY and the NIC have not created any reasonable security practices and procedures.
On being asked to provide the details of such “reasonable security practices and procedures” implemented by parties receiving data, so as to safeguard it from security breach or leaks, the NIC said it had no information on this and transferred the RTI to all health secretaries and district magistrates across the country.
3. AUDIT AND REVIEW MECHANISM
Para 7(b) of the Protocol states that any party with whom data is shared cannot re-use the data for any other purpose or disclose the data to any other entity, and must “remain subject to audit and review of their data usage by the Central Government”.
Though the Aarogya Setu Protocol failed again to specify what audit and review mechanism would be put in place, the importance of this provision cannot be overstated. Srinivas Kodali, a leading independent researcher on data, governance and the internet in India, explains:
“The audit mechanisms are vital to ensure parties who get access to this highly sensitive data do not re-sell it or share it with others, including third parties down the line. Only audits will ensure they are not misusing this data. In the past data shared by Ministry of Road Transport with condition of no sharing ended up being shared by third party firms disregarding the guidelines. Given we still have no data protection law and data protection authority, these audits become essential for accountability.”
Has this safeguard been implemented?
In a bizarre response to the query about whether an audit/review mechanism had been put in place, the NIC said that in view of it sharing data with the Health Ministry, ICMR, State Health Secretaries and District Magistrates, the “question is not applicable.”
4. ANONYMISATION PROTOCOLS TO BE DEVELOPED BY AN EXPERT COMMITTEE
Para 8(a) of the Protocol allowed data to be shared with universities/research organisations only if the data had gone through ‘hard anonymisation’, i.e., had been stripped of identifying information according to defined protocols, so that no third party could identify the individual to whom any record belongs.
These protocols for hard anonymisation were to be developed, reviewed and updated on a regular basis by an expert committee appointed by the Principal Scientific Advisor to the Government of India.
According to Vidhi, this process was crucial to ensure that “the privacy interests of users are not harmed in the process of enabling academic research”, and it was buttressed by making non-compliance punishable. This safeguard was particularly important given the manner in which Aarogya Setu had been touted in the government’s own press releases as a “bridge between public and private sectors”.
Has this safeguard been implemented?
Not till now.
The NIC’s reply reveals that the expert committee has still not been appointed and that setting it up is “in progress”, despite six months having passed. As a result, no anonymisation protocol exists either. The NIC also refused to answer whether any data has been shared with universities/research organisations so far.
Why Should You Be Concerned About These Revelations?
Shouldn’t the millions of users of the app know who their data is being shared with?
The NIC’s responses indicate that it has only shared data with MoHFW, ICMR, State Health Secretaries and District Magistrates. But as can be seen, the NIC has no idea how these second parties are handling the data (including which third parties they have passed it on to), and has failed even to keep a record of which second parties it has sent the data to.
It is important to note that as per the official file notings of the MEITY, one of the main reasons for creation of this Protocol was due to “several Govt. and private players who are interested to provide solutions analyzing the same data”. This raises doubts, says Srinivas Kodali, over the NIC’s lack of information about third parties getting access to data so far.
MEITY and the NIC, knowing full well that India does not have a data protection law, have failed to monitor how the data of millions of Indians is being handled, stored and used by these second parties, especially by the 700+ District Magistrates across the country.
Given the lack of guidance in the Aarogya Setu Protocol, shouldn’t there have been some sort of model safeguards put in place for these DMs to follow?
“The Indian Government cannot collect vast amounts of sensitive personal health data without clear legal authorisation and oversight,” explains Raman Jit Singh Chima, Asia Policy Director at digital rights watchdog Access Now. The failure to set up any model standards for all these government entities “would not only be in violation of international standards – including the guidance of WHO – and the practices of other democracies, but in violation of the fundamental right to privacy.”
Vrinda Bhandari says that the failure to do so “means we have no confirmation of the data security measures being adopted, which further undermines trust in the project.”
Tied to this failure to put in place any safeguards is the NIC’s refusal to answer a query on whether or not intelligence and law enforcement agencies are receiving Aarogya Setu data, and how they are using it. Any such information can only be shared in de-identified format as per the Protocol, but again, the NIC refused to answer with whom such de-identified data has been shared.
Could these concerns have been addressed if there was a rigorous audit and review mechanism in place?
Unfortunately, the NIC has now informed us that even this is not in place.
Their bizarre response to the query – that such a mechanism is not applicable since the data is being shared with the MoHFW/health departments/district magistrates – makes no sense since the audit mechanism under Para 7(b) is meant for reviewing those very government entities.
“Without audit and review mechanisms, it is possible that government agencies across the breadth of India – as well as private agencies (such as employers) – have made copies of this sensitive data,” Chima explains. “This is a failure to learn from several recent scandals, including the copying of Aadhaar and electoral data in different Indian states.”
Kodali said that this response indicates a broader flawed approach to data security in the government, where an audit might only be invoked after a breach, rather than beforehand, to prevent a breach:
“MEITY is trying to solve issues of data protection with rules and laws instead of actually promoting a culture of mandatory audits and breach reporting. There is no intention from the ministry to go after private firms and inspect how they are safeguarding personal data. Right now the game is to deflect when someone asks serious questions and ignore when no one is watching. This RTI response shows that this appears to now be the case even for government entities, where CERT-empaneled audits are required.”
Anivar Aravind, a public interest technologist who serves on the board of SFLC.in, a non-profit society working on citizens’ rights in the digital space, suggested that “the best audit mechanism is fully open sourcing the Aarogya Setu code base and ensuring citizen participation in it”.
While the government insists that it has now made the source code available, experts disagree, one of their concerns being the failure to publish the full data, including on the efficacy of the app. The failure to do this and to have any audit mechanism in place makes “the app effort look like it is made more for data sharing than addressing the stated purpose of contact tracing”, Anivar says.
Anivar’s petition in the Karnataka High Court, challenging the voluntary-mandatory imposition of Aarogya Setu on citizens for availing various services and benefits, has led to the court passing an important interim order restricting this imposition.
With none of these safeguards in place, the potential risks from Aarogya Setu data being shared with third parties increase – and with them, the need for anonymisation.
This is why the failure to appoint the expert committee for developing the ‘hard anonymisation’ protocol poses a great privacy hazard. As Kodali explains:
“Sharing data anonymised or not, without an individual’s consent can affect them in ways that one can’t imagine, depending on who has access to the data. If anonymisation of data is not happening at all, the risks are higher. The data shared with third parties will eventually be sold to data brokers and private firms who will exploit it tomorrow if not today. The severity of risks can only be determined based on the amount of data being shared, which is unknown for now.”
Recently, Justice (Retd) B N Srikrishna, who headed the expert committee that framed the data protection bill, said that even anonymised data is not foolproof and can be de-anonymised in future. The failure to have any protocol in place to perform even this limited safeguard therefore raises further doubts about the seriousness with which the government is taking the privacy of 160 million Indians.
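The point made by Justice Srikrishna above, and the reason Para 8(a) insists on a defined ‘hard anonymisation’ protocol rather than simply deleting names and phone numbers, can be shown concretely. The following is an added illustration, not code from the Protocol, the NIC or the app: it runs a linkage attack against a constructed set of records from which the direct identifiers have already been stripped, then applies the two standard remedies (generalisation and suppression) and measures the result as k-anonymity and l-diversity. The field names (district, age band, gender, PIN prefix, test status) are assumptions chosen for the illustration and are not Aarogya Setu’s actual schema.

```python
from collections import defaultdict

# Constructed sample records (not real Aarogya Setu data; the field names are
# assumptions for illustration). Direct identifiers (name, phone, device id)
# are already removed, which is the kind of "stripping" often mistaken for
# anonymisation. Each record holds quasi-identifiers plus one sensitive value.
RECORDS = [
    {"district": "Pune", "age_band": "30-39", "gender": "F", "pin_prefix": "4110", "status": "positive"},
    {"district": "Pune", "age_band": "30-39", "gender": "F", "pin_prefix": "4110", "status": "negative"},
    {"district": "Pune", "age_band": "30-39", "gender": "M", "pin_prefix": "4110", "status": "negative"},
    {"district": "Pune", "age_band": "40-49", "gender": "M", "pin_prefix": "4110", "status": "positive"},
    {"district": "Pune", "age_band": "40-49", "gender": "M", "pin_prefix": "4111", "status": "negative"},
    {"district": "Nagpur", "age_band": "20-29", "gender": "F", "pin_prefix": "4400", "status": "negative"},
    {"district": "Nagpur", "age_band": "20-29", "gender": "F", "pin_prefix": "4400", "status": "positive"},
    {"district": "Nagpur", "age_band": "60-69", "gender": "M", "pin_prefix": "4400", "status": "positive"},
]

QUASI_IDS = ("district", "age_band", "gender", "pin_prefix")  # attributes an outsider may know
SENSITIVE = "status"                                            # what the release must not reveal


def equivalence_classes(records, quasi_ids):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return classes


def k_anonymity(records, quasi_ids):
    """Size of the smallest class: each record hides among at least k others."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len(c) for c in classes.values()), default=0)


def linkage_attack(records, quasi_ids, known):
    """What an adversary learns who knows a target's quasi-identifiers (a
    neighbour, an employer) and obtains the 'anonymised' dump: the set of
    sensitive values consistent with the target. A singleton set is a leak."""
    matches = [r for r in records if all(r[q] == known[q] for q in quasi_ids)]
    return {r[SENSITIVE] for r in matches}


def generalise(rec):
    """Coarsen quasi-identifiers: widen age to 20-year bands, drop PIN prefix."""
    low = int(rec["age_band"].split("-")[0])
    low -= low % 20
    out = dict(rec)
    out["age_band"] = f"{low}-{low + 19}"
    del out["pin_prefix"]
    return out


def suppress_small_classes(records, quasi_ids, k):
    """Drop records whose class is still smaller than k (the utility cost)."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if len(classes[tuple(r[q] for q in quasi_ids)]) >= k]


def l_diversity(records, quasi_ids):
    """Even a large class leaks if every member shares the sensitive value
    (homogeneity attack); report the least diverse class."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len({r[SENSITIVE] for r in c}) for c in classes.values()), default=0)


def anonymise(records, k=2):
    """Generalise, then suppress what is still unique. Returns the release set
    and the quasi-identifiers that survive generalisation."""
    coarse_qids = tuple(q for q in QUASI_IDS if q != "pin_prefix")
    released = suppress_small_classes([generalise(r) for r in records], coarse_qids, k)
    return released, coarse_qids


if __name__ == "__main__":
    print("k on identifier-stripped data:", k_anonymity(RECORDS, QUASI_IDS))
    target = {"district": "Nagpur", "age_band": "60-69", "gender": "M", "pin_prefix": "4400"}
    print("linkage attack learns:", linkage_attack(RECORDS, QUASI_IDS, target))
    released, qids = anonymise(RECORDS)
    print("released rows:", len(released), "k:", k_anonymity(released, qids),
          "l:", l_diversity(released, qids))
```

On the stripped data the smallest class has one member, so anyone who knows a single person’s district, age, gender and PIN area reads that person’s test status straight out of the ‘anonymised’ dump. Reaching k = 2 here costs two of eight rows, which is exactly the trade-off an expert committee would have to decide on, and it still says nothing about what happens when two such releases, or a release and a voter roll, are joined, which is the de-anonymisation risk Justice Srikrishna refers to.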
Without a strong legislative oversight over centralised health data systems like Aarogya Setu, and the upcoming Digital Health ID and National Health Stack projects that are being vociferously pushed by the private sector, privacy will remain but a myth.
The Quint has reached out to the NIC for a response to this article, and will include any response received in full as and when it is provided.
(Saurav Das is an independent journalist and RTI Activist. He tweets @OfficialSauravD. This is a report and analysis, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)