Data of 160 Mn Aarogya Setu Users Unsafe! Govt Ignored Safeguards

Video Editor: Ashutosh Bhardwaj
Video Producer: Hera Khan

More than 160 million Indians should be worried right now. Why?

Because these 160 million Indians are the ones who have downloaded the government's flagship Aarogya Setu app.

On 2 April 2020, the National Informatics Centre (NIC) announced that it was launching the Aarogya Setu contact-tracing app developed by a unique public-private partnership, which was meant to help India's fight against COVID-19.

Given that the app collected sensitive personal data from each person – from their health status to live tracking their location – there were concerns that this data could be misused if it fell into the wrong hands.

In a move that seemed to downplay those concerns on 11 May 2020, the Ministry of Electronics and Information Technology and NIC announced the creation of the Aarogya Setu Data Access and Knowledge Sharing Protocol.

The NIC is supposed to document sharing of data, and maintain a list of agencies and persons with whom such data has been shared.

But when asked for details about whom the data had been shared with the NIC only provided a generic list of which categories of entities the data could be shared with, rather than an actual list of entities it had shared data with.

Any entity – government or private – with whom Aarogya Setu data is shared by the NIC, is supposed to implement 'reasonable security practices and procedures'.

As India still does not have a data protection law, it was expected that the NIC/MEITY would ensure there were model procedures/practices in place, especially since the app data can be shared with not just Health Secretaries of all states, but ALL the 700+ District Magistrates around the country.

The NIC just shifts responsibility to the entities which have received the data, and reveals that there are no model safeguards in place meaning this safeguard has become an eyewash as well.

Any party with whom data is shared under the Protocol cannot re-use the data for any other purpose or disclose the data to any other entity.

To ensure this is followed, the Protocol specified that any such entity would “remain subject to audit and review of their data usage by the central government”.

But in a bizarre response, the NIC said that the questions about the mechanism are 'inapplicable' in light of sharing of data with government entities even though the audit mechanism is supposed to apply to them as well!

One of the most-touted safeguards in the Protocol was that any data shared with research organisations trying to find ways to combat COVID-19, which is a key part of the whole idea of Aarogya Setu, would go through a process of 'hard anonymisation'.

This would mean that no third party would be able to identify which person the data belonged to, and would ensure privacy was not violated, even as the app data was used to full potential.

But the RTI replies reveal that the Expert Committee that the government was supposed to set up to figure out how to do this hard anonymisation, is still 'in the process of being set up'.

The NIC also dodged a question about what has been done to anonymise such data shared till now.

This approach by the government is extremely concerning as it means the data of millions of Indian citizens who have signed up on the Aarogya Setu app is essentially unprotected at this point, and can be misused without any accountability.