Defender of your Digital Freedom

All Posts | Jun 05, 2020

Petition Challenging the de-facto Imposition of Aarogya Setu in Karnataka High Court

Submissions (PDF): https://alpha.sflc.in/wp-content/uploads/2020/11/20200604-submissions.pdf

All Posts | May 26, 2020

Our Analysis of ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’

The Ministry of Electronics and Information Technology (MeitY) released ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’ on May 11, 2020. We at SFLC.IN welcome this step of the Government and express gratitude for its consideration of the concerns raised by digital rights organisations, individuals, lawyers, public policy professionals and technologists.

In this Protocol, the Government has clarified that the Ministry of Electronics and Information Technology (MeitY) is the agency responsible for the implementation of this Protocol. The National Informatics Center will be the body responsible for collection, processing and managing response data collected by the Aarogya Setu application.

We appreciate that the Protocol gives the user an option to request deletion of their data, and provides for permanent deletion of all data once the Protocol lapses. The Protocol has also followed the principles of data proportionality, necessity and limitation. Principles of data sharing have been included, and the obligations of entities with whom response data is shared have been set out as well. Through this Statement, we would like to draw attention to our concerns with the Protocol:

1. Sunset Clause of the Protocol: The Protocol has a sunset clause of 6 months from the date of its notification, or earlier as deemed fit by the Empowered Group on Technology. After completion of 6 months, it will be reviewed by the Empowered Group. It is nowhere mentioned that the sunset clause is also applicable to ‘Aarogya Setu’, indicating that ‘Aarogya Setu’ might outlive the Protocol.

It is also unclear how, in the absence of the Protocol, ‘Aarogya Setu’ will be deemed legally valid, considering that it derives its statutory validity through the National Disaster Management Act, 2005.

2. Clarity on Data Retention: Aarogya Setu’s privacy policy specifies that the personal information of users who have tested positive for COVID-19 will be collected and stored on Government servers for a period of 60 days after such users have been declared cured of COVID-19. However, the Protocol states that the contact, location and self-assessment data of an individual will not be retained beyond 180 days. There is no clarity or harmonisation between the privacy policy and the Protocol.

Moreover, the Protocol goes on to state that if a specific recommendation is made in the review in this regard, the 180-day period may be modified. However, it is not clear on what grounds deviation from the 180-day period will be allowed, or whether users or data subjects will be asked for consent to retain their data beyond 180 days.

3. “Appropriate Health Responses” too broad a phrase: The Protocol states that the National Informatics Centre (NIC) “shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses.” The phrase “appropriate health response” is too broad and has not been specified anywhere in the Protocol. This, again, goes against the principles of data proportionality and purpose limitation.

4. Deletion of Demographic Data on User’s Request: The Protocol allows a user to delete their demographic data before the stipulated 180-day period. This is a commendable step which was long demanded. However, the Protocol fails to specify the procedure through which a user can make such a request.

Also, the deletion of data is only restricted to demographic data. The Protocol is silent on what will happen to contact data, self-assessment data, and location data. Why have the users not been given an option to delete contact data, self-assessment data and location data, if such data will anyway be deleted within 180 days?

5. Maintenance of List of Agencies with whom data will be shared: The Protocol states that “NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared. Such documentation shall include the time at which such data sharing was initiated, the persons or agencies who are being provided access to such data, the categories of data that are being shared and the purpose for which such data is being shared.”

The phrasing of this provision is interesting as it gives leeway to National Informatics Centre (NIC) to exclude certain agencies from the list and massively undermines the transparency principle.

6. Sharing of Response Data with Third Parties: The Ministry or Department of Government of India or State/Union Territory Government/ local government, NDMA, SDMA or public health institution of the Government of India/State Governments/ local governments will be held responsible for adherence to this Protocol by any other entity with whom such information has been shared.

However, it is not clear whether, in case of a breach, the third party will be held liable. The Protocol is silent on the liability of such third parties in case of a breach or unauthorised use of response data.

7. Closed Source App: Time and again it has been demanded that the App be made open source in consonance with the Government’s Policy on Adoption of Open Source Software. However, the Protocol does not address this. Making the source code available enhances transparency and improves security, as the source code is open to community audit.

8. Sharing of de-identified data: The Protocol allows sharing of response data in de-identified form with Ministries or Departments of the Government of India or the State/Union Territory Governments, local governments, NDMA, SDMAs etc. It states that “de-identified form means data which has been stripped of personally identifiable data to prevent the individual from being personally identified through such data and assigned a randomly generated ID”.

It fails to specify if the randomly generated ID will be static or dynamic. In case of a static ID, the de-identified information can be linked back to the personal information. The government should instead use a dynamic ID to minimise risks. 
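The linkage risk described above, as an added example that is not SFLC.IN's or the Aarogya Setu project's code: two de-identified datasets (contact data and self-assessment data) are shared separately, once tagged with a static ID and once with a per-release dynamic ID. The user records, the keyed-hash pseudonym construction and the sample values are all constructed assumptions for illustration, not the Protocol's actual scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample: identified records as the central server would hold them.
USERS = [
    {"phone": "+91-9000000001", "name": "A", "age": 34},
    {"phone": "+91-9000000002", "name": "B", "age": 52},
]

def pseudonym(phone, key):
    """Keyed hash of the phone number (HMAC, not a bare hash, so a recipient cannot
    simply enumerate phone numbers). Whether the ID is 'static' or 'dynamic' is
    decided purely by whether the same key is reused across releases."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()[:16]

def release(users, key, field, values):
    """De-identify: drop name/phone/age, keep one data field, tag with the ID."""
    return [{"id": pseudonym(u["phone"], key), field: v} for u, v in zip(users, values)]

def link_releases(a, b):
    """What any recipient holding two releases can do: join them on the ID column."""
    by_id = {r["id"]: r for r in a}
    return [{**by_id[r["id"]], **r} for r in b if r["id"] in by_id]

def relink(joined, users, key):
    """If the key leaks, every row carrying that key's IDs resolves to a named person."""
    lookup = {pseudonym(u["phone"], key): u for u in users}
    return [{**lookup[r["id"]], **r} for r in joined if r["id"] in lookup]

def demo():
    contacts = [7, 2]               # constructed contact counts per user
    symptoms = ["fever", "none"]    # constructed self-assessment answers per user
    # Static ID: one key for both the contact dataset and the self-assessment
    # dataset. Shared separately, they still join trivially, and a single key
    # leak turns the joined profile back into named individuals.
    k_static = secrets.token_bytes(32)
    joined = link_releases(release(USERS, k_static, "contacts", contacts),
                           release(USERS, k_static, "symptoms", symptoms))
    named = relink(joined, USERS, k_static)
    # Dynamic ID: a fresh key per release. The join finds nothing, and a leaked
    # key exposes only the one release it was used for.
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    joined_rot = link_releases(release(USERS, k1, "contacts", contacts),
                               release(USERS, k2, "symptoms", symptoms))
    return {"static_joined": len(joined), "static_named": len(named),
            "names_exposed": sorted(r["name"] for r in named),
            "dynamic_joined": len(joined_rot)}

if __name__ == "__main__":
    print(demo())  # {'static_joined': 2, 'static_named': 2, 'names_exposed': ['A', 'B'], 'dynamic_joined': 0}
```

A dynamic ID only limits what recipients and partial key leaks can reconstruct; the data controller that holds every key can still re-link, which is why retention limits and deletion rights remain necessary alongside it.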

We also did a technical analysis of Aarogya Setu, which can be found here. We also wrote to the Minister of Railways, the Minister of Civil Aviation, and the Managing Director, Noida Metro Rail Corporation, asking them to consider the installation of Aarogya Setu on a voluntary basis, in consonance with the Ministry of Home Affairs guidelines dated 17.05.2020.

All Posts | May 15, 2020

Comparative Study of Contact Tracing Application Across the World

We studied the contact tracing applications developed by 9 countries on certain parameters. All these applications have been launched and developed by their respective state entities, except for Norway, whose application has been developed in a public-private collaboration.

Parameters compared for each application: Launched By; Developer; Nature; Centralised/Decentralised; Compatible Hardware; Source Code; Sunset Clause; Data Retention Period; Data Collection; Revocation of Consent to Collect Data; Functionality; Bluetooth/GPS. A dash (-) means no information was available.

1. TraceTogether
   Launched By: Singapore
   Developer: Singapore Government Digital Services
   Nature: Voluntary
   Centralised/Decentralised: Centralised
   Compatible Hardware: Android & iOS
   Source Code: Open
   Sunset Clause: Users will be prompted to disable its functionality or uninstall it when contact tracing ceases. However, no specific sunset date has been provided.
   Data Retention Period: 21 days (in case the user has not come in contact with a COVID-19 case)
   Data Collection: Mobile number and a random anonymised user ID. However, anonymised data is collected about the user’s device and app for improving the user experience. It does not collect the user’s location data.
   Revocation of Consent: Allows revocation of consent. Data collected is then deleted from the government server.
   Functionality: COVID-19 contact tracing
   Bluetooth/GPS: Bluetooth

2. Stopp Corona
   Launched By: Austria
   Developer: Austrian Red Cross
   Nature: Voluntary
   Centralised/Decentralised: Decentralised
   Compatible Hardware: Android & iOS
   Source Code: Open
   Sunset Clause: End of pandemic.
   Data Retention Period: i. Metadata: 14 days; ii. Data of suspected cases: 30 days; iii. Data on device for digital handshake with intensive contacts: 7 days
   Data Collection: No personal data collected unless tested positive
   Revocation of Consent: Un-installation or withdrawal shall amount to withdrawal of consent. Allows for partial withdrawal by deactivating the automatic “digital handshake”.
   Functionality: Medical reporting, COVID-19 contact tracing
   Bluetooth/GPS: Bluetooth

3. Aarogya Setu
   Launched By: India
   Developer: NIC eGov Mobile App
   Nature: Voluntary (best effort basis)
   Centralised/Decentralised: Centralised
   Compatible Hardware: Android & iOS
   Source Code: Closed
   Sunset Clause: -
   Data Retention Period: i. If user has not come in contact with any COVID-19 positive user: 30 days; ii. If user has come in contact with any COVID-19 positive user: 45 days; iii. If tested positive for COVID-19: 60 days after such person has been declared cured of COVID-19.
   Data Collection: User’s location details, age, name, sex, phone number, profession, and travel history of the last 30 days.
   Revocation of Consent: Does not provide the option of withdrawing consent for data collection. Instead, it provides that a registered user may remove registration information supplied. At one place, the privacy policy states that all personal information collected at the time of registration will be retained as long as the user’s account remains in existence and for such period thereafter. However, there is no provision for account deletion.
   Functionality: Medical reporting, COVID-19 contact tracing, telemedicine consultations
   Bluetooth/GPS: Bluetooth & GPS

4. CovidSafe
   Launched By: Australia
   Developer: Australian Department of Health
   Nature: Voluntary
   Centralised/Decentralised: Decentralised
   Compatible Hardware: Android and iOS
   Source Code: Open
   Sunset Clause: End of pandemic
   Data Retention Period: 21 days; the data, however, is stored on Amazon Web Services servers.
   Data Collection: Name, mobile number, postcode, age range.
   Revocation of Consent: On un-installation, all COVIDSafe app information will be deleted from the phone. However, information stored in the secure information storage system will be destroyed at the end of the pandemic. The users are also given an option to delete their information from the storage system before the end of the pandemic.
   Functionality: COVID-19 contact tracing
   Bluetooth/GPS: Bluetooth

5. CoronApp
   Launched By: Colombia
   Developer: National Institute of Health
   Nature: Voluntary (users installing CoronApp will get access to free internet)
   Centralised/Decentralised: Centralised
   Compatible Hardware: Android and iOS
   Source Code: Open; however, code not published yet.
   Sunset Clause: -
   Data Retention Period: -
   Data Collection: Collects public, semi-private, private, and sensitive data from users; information sought at the time of registration includes name, sex, date of birth, ethnicity, and email.
   Revocation of Consent: -
   Functionality: Medical reporting, COVID-19 contact tracing
   Bluetooth/GPS: Bluetooth & GPS

6. Hamagen (‘The Shield’)
   Launched By: Israel
   Developer: Ministry of Health
   Nature: Voluntary
   Centralised/Decentralised: Decentralised
   Compatible Hardware: Android and iOS
   Source Code: Open
   Sunset Clause: -
   Data Retention Period: -
   Data Collection: Location (on the user’s device), which is cross-referenced with the Ministry of Health’s epidemiological data.
   Revocation of Consent: Not available, as information is stored on the user’s device.
   Functionality: COVID-19 contact tracing
   Bluetooth/GPS: GPS

7. Smittestopp
   Launched By: Norway
   Developer: Public-private: The National Institute of Public Health and Simula
   Nature: Voluntary
   Centralised/Decentralised: Centralised
   Compatible Hardware: Android and iOS
   Source Code: Closed
   Sunset Clause: December 1, 2020.
   Data Retention Period: 30 days
   Data Collection: Mobile number, age, GPS location, operating system, mobile operator, version number, phone model, Bluetooth data.
   Revocation of Consent: Allows the user to delete their personal information at any time. The function for this has been provided in the App. Such information will be deleted both centrally and from the device.
   Functionality: COVID-19 contact tracing, route tracking
   Bluetooth/GPS: Bluetooth & GPS

8. eRouska (‘eFacemask’)
   Launched By: Czech Republic
   Developer: Ministry of Health
   Nature: Voluntary
   Centralised/Decentralised: Decentralised
   Compatible Hardware: Android
   Source Code: Open
   Sunset Clause: -
   Data Retention Period: 30 days. If the user agrees to send data from the phone to the server, it will be retained for 12 hours. The mobile number, however, is stored for 6 months or as ascertained by the Ministry of Health.
   Data Collection: Does not track or collect information about location. Information is stored on the user’s device. However, it requires a phone number for registration.
   Revocation of Consent: Allows the user to delete their data at any time from the device as well as from the server of the hygienists. The phone number can also be deleted. However, the ID number assigned to the user is recorded.
   Functionality: COVID-19 contact tracing
   Bluetooth/GPS: Bluetooth

9. StopKorona!
   Launched By: North Macedonia
   Developer: Ministry of Information Society and Administration Social
   Nature: Voluntary
   Centralised/Decentralised: Decentralised
   Compatible Hardware: Android & iOS
   Source Code: Closed
   Sunset Clause: -
   Data Retention Period: 14 days
   Data Collection: Mobile number, unique random code
   Revocation of Consent: -
   Functionality: COVID-19 contact tracing
   Bluetooth/GPS: Bluetooth

All Posts | May 02, 2020

Our Statement on Aarogya Setu App being mandatory for all employees & in containment zones

India is the only democratic country that has mandated the use of a contact tracing app for its citizens. The mandatory use of such an app will further exclude sections of the population which are already digitally excluded. The Government has gone back on its earlier promise that the Aarogya Setu app would be voluntary. There is no reason for India, which is similarly placed to other countries, to do things in a way that affects the rights of its citizens.

It is imperative for an app that collects data of all citizens to be open source as this allows for its code to be audited by the developer community and security experts. The app has already been found to be vulnerable and such an app cannot be forced on the citizens risking their data and security.

Most countries have opted for a data minimalistic and decentralised approach, whereas Aarogya Setu app goes against these accepted principles.

By mandating all employers to ensure the adoption of the app by their employees, the Government has made a mockery of the consent principle, as the terms and the privacy policy of the app are now enforced on the people and they do not have any choice. This raises the concern that the pandemic phase will be replaced by a situation where people are made vulnerable to threats because of the leakage of their data.