Data of 160 Mn Aarogya Setu Users Unsafe! Govt Ignored Safeguards

Is Aarogya Setu app a threat to data privacy? Government RTI response shows it ignored its own safeguards.

Video Editor: Ashutosh Bhardwaj
Video Producer: Hera Khan

More than 160 million Indians should be worried right now. Why?

Because these 160 million Indians are the ones who have downloaded the government's flagship Aarogya Setu app.

The Aarogya Setu app stores sensitive personal data in bulk for contact-tracing and tackling COVID-19, and the government has just revealed that it has ignored its own safeguards, which were meant to protect the data privacy of the app's users.

On 2 April 2020, the National Informatics Centre (NIC) announced that it was launching the Aarogya Setu contact-tracing app developed by a unique public-private partnership, which was meant to help India's fight against COVID-19.

Given that the app collected sensitive personal data from each person – from their health status to live tracking their location – there were concerns that this data could be misused if it fell into the wrong hands.

On 11 May 2020, in a move that seemed to downplay those concerns, the Ministry of Electronics and Information Technology and NIC announced the creation of the Aarogya Setu Data Access and Knowledge Sharing Protocol.

Unfortunately, in its responses to an RTI request by independent journalist and RTI activist Saurav Das, the NIC has revealed that even though it’s been nearly six months since the release of the Protocol, many of these vital safeguards haven’t been put in place.

Safeguard 1 – The Paper Trail

The NIC is supposed to document sharing of data, and maintain a list of agencies and persons with whom such data has been shared.

But when asked for details about whom the data had been shared with, the NIC only provided a generic list of the categories of entities the data could be shared with, rather than an actual list of entities it had shared data with.

Screenshot of the RTI response.
(Photo: Accessed by The Quint)

Safeguard 2 – Security Practices

Any entity – government or private – with whom Aarogya Setu data is shared by the NIC is supposed to implement 'reasonable security practices and procedures'.

As India still does not have a data protection law, it was expected that the NIC/MEITY would ensure there were model procedures/practices in place, especially since the app data can be shared with not just Health Secretaries of all states, but ALL the 700+ District Magistrates around the country.

The NIC just shifts responsibility to the entities which have received the data, and reveals that there are no model safeguards in place, meaning this safeguard has become an eyewash as well.

Screenshot of the RTI response.
(Photo: Accessed by The Quint)

Safeguard 3 – Audit & Review Mechanism

Any party with whom data is shared under the Protocol cannot re-use the data for any other purpose or disclose the data to any other entity.

To ensure this is followed, the Protocol specified that any such entity would “remain subject to audit and review of their data usage by the central government”.

But in a bizarre response, the NIC said that the questions about the mechanism are 'inapplicable' in light of sharing of data with government entities, even though the audit mechanism is supposed to apply to them as well!

Screenshot of the RTI response.
(Photo: Accessed by The Quint)

Safeguard 4 – 'Anonymisation' of Data

One of the most-touted safeguards in the Protocol was that any data shared with research organisations trying to find ways to combat COVID-19, which is a key part of the whole idea of Aarogya Setu, would go through a process of 'hard anonymisation'.

This would mean that no third party would be able to identify which person the data belonged to, and would ensure privacy was not violated, even as the app data was used to full potential.

But the RTI replies reveal that the Expert Committee that the government was supposed to set up to figure out how to do this hard anonymisation is still 'in the process of being set up'.

Screenshot of the RTI response.
(Photo: Accessed by The Quint)

The NIC also dodged a question about what has been done to anonymise such data shared till now.

This approach by the government is extremely concerning as it means the data of millions of Indian citizens who have signed up on the Aarogya Setu app is essentially unprotected at this point, and can be misused without any accountability.
