Indian government fails to safeguard users' Aarogya Setu data
RTI responses put a spotlight on the government's lacklustre approach towards privacy
Privacy safeguard measures not implemented, NIC reveals
Since its launch back on April 2, Aarogya Setu, India’s contact tracing app for COVID-19, has been mired in controversy over its data collection methods. Several concerns have been raised in the past over the kind of access the government has to citizens’ data collected by the app.
As India’s Data Protection Bill is still being analysed by a government committee, there’s no law to safeguard that data. However, shortly after launching the Aarogya Setu app for Android and iOS smartphones, the Ministry of Electronics and Information Technology (MEITY) issued the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020 on May 11. It is essentially a set of rules and security measures that the app must follow to safeguard users’ data from potential misuse.
RTI responses reveal government’s lacklustre approach to Aarogya Setu data
Now, as per an exclusive report by Saurav Das, an independent journalist and activist, the Indian government has failed to deploy the said security protocols, leaving the data of over 160 million users exposed to potential risk. In the report, Saurav states that the National Informatics Centre (NIC) has failed to keep track of access to Aarogya Setu data, which means that it doesn’t know exactly which entities have accessed the data till now. The NIC responded to the RTI by giving the names of government departments instead of the names of the entities that have accessed the data. “Ministry of Health & Family Welfare, ICMR, State Governments (i.e., State Health Secretary at the state level and District Magistrate at the district level),” the response read.
RTI responses by NIC reveal there is no list of data recipients, no audit and no anonymisation of data taking place. #AarogyaSetuApp protocol ignored by its own makers- the Govt of India. A huge privacy risk!
— Saurav Das (@OfficialSauravD) October 30, 2020
Furthermore, MEITY and NIC have no information on whether the entities with whom the data has been shared have implemented “reasonable security practices and procedures” as mentioned in the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020. Interestingly, the protocol does not define “reasonable security practices” in detail.
Additionally, the Protocol also requires the government to set up an expert committee to develop hard anonymisation methods so that users’ private details remain anonymous to anyone accessing the Aarogya Setu data. This rule was made so that users’ data cannot be traced back to individuals while being accessed by Indian universities, research institutions and entities. As per the guidelines, users’ data can be shared with the said entities only after it has been hard anonymised. Surprisingly, in its response to Saurav’s RTI appeal, the NIC has confirmed that the setting up of the “expert committee” is still in progress and has “refused to answer if any data has been shared with universities/research organisations so far.” To reiterate, the Aarogya Setu app was launched back on April 2, and the committee meant to hard anonymise the Aarogya Setu data has been in the process of being set up for over six months.
Another interesting reply brought to light by Saurav’s RTI query concerns the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, which specifically mentions that the sharing of Aarogya Setu data is “subject to audit and review of their [entity] data usage by the Central Government”. However, the response by NIC states that this is “not applicable” as the data is shared with government entities.
An audit or review of the Aarogya Setu data is important so that the entities with access to users’ data don’t misuse it, explains Srinivas Kodali, an independent researcher.
If there is ever a serious independent audit of #AarogyaSetu. The skeletons will be unearthed. All the data was long shared without any anonymisation to third parties as just database dumps.
— Srinivas Kodali (@digitaldutta) October 30, 2020
This comes after the Central Information Commission (CIC) pulled up MEITY, NIC and other concerned departments for obstructing the sharing of information and offering an “evasive reply” to an RTI application filed by Saurav earlier. In it, the CIC has sought an explanation from the NIC on how there is no data available on the creation of Aarogya Setu, especially when it is hosted on a government server.
According to the Aarogya Setu website that is maintained by MyGov and MEITY, over 162,500,000 people have downloaded the app across Android, iOS and KaiOS platforms. As to the question of who has access to the personal data of these users, the government seems to have no record, which makes the need for privacy laws in India all the more important now.