Apr 20, 2020

Our Analysis of the Indian COVID-19 Apps

The Central Government had recently launched the Aarogya Setu app, a surveillance application developed for tracing users who might have come within the proximity of people who have tested positive for COVID-19. In addition to this app developed by the Central Government, there are other active applications, developed by various State Governments and local authorities, for the collection of personal and other data and for monitoring in relation to the COVID-19 pandemic.

While we applaud the efforts taken by each State/UT government and the Central Government in combating this deadly disease, we are also concerned about the arbitrary use of state power, in different situations, for excessive collection and processing and unauthorised sharing of personal data, and for unbridled surveillance and tracing of people during the spread of this pandemic in India. Earlier, we had joined hands with different organisations and concerned citizens in sending a joint letter to various heads of the Central & State Governments, expressing our concerns regarding the collection and processing of personal data during this time. You can read the letter here.

We had analysed the Terms of Service and Privacy Policy of the Aarogya Setu app and had expressed our concerns over the same. You can read about them here. Apart from the Aarogya Setu app, we have also analysed the policy documents of the different State/UT applications. While the applications have been developed independently by each government, we have observed some questionable trends, practices and policy provisions pertaining to the apps. The comparative analysis can be found in tabular form below. The observations are summarised as follows:

  1. Absence of Terms of Service/Privacy Policy: It is shocking to see the absence of Terms of Service or a Privacy Policy that binds the developer/publisher of the app and its end user. In the case of entities that are Internet intermediaries, Rule 3 of the Information Technology (Intermediaries Guidelines) Rules, 2011 mandates that an intermediary shall publish within the platform the terms of use, rules and regulations, and privacy policy pertaining to the platform operated by the intermediary. In comparison, some COVID-19 based applications do not even have the Terms of Service accessible to the users though personal data is collected. In some cases, the link provided to the Privacy Policy redirects to the policy of the website of the developer, which may be a private entity to whom the development of the app was outsourced by the government concerned. This is a shocking practice, as the absence of the policy documents attempts to drive away any liability of the government concerned if there is any misuse of the data collected. The apps' terms are governed by the laws of the country where the developer runs its primary business. Some applications are covered by the terms of the website of the private entity that has developed the app for the government concerned, rather than by specific terms and conditions covering the use of the app.
  2. Unspecific Terms and Policies: While some of the apps that we looked into have privacy policies in place, they are not specific with regard to the app that the policy covers. Some of the applications have generated their privacy policies using a Firebase-based privacy policy generator, which is hosted here. This practice in itself is not condemnable. However, these policies lack clauses that cover important aspects such as data retention and purpose limitation for the processing of data collected. In addition, the terms try to avoid liability to the maximum extent they can, even in cases of data leaks and harms caused.
  3. Closed Source: We had mentioned this issue in our analysis of the Aarogya Setu app. Not every state in India has an open source software policy in place. However, it is important for the State to make the source code of the software that it develops open source when these are aimed at citizen welfare and when it purports to handle health and travel information pertaining to citizens. This increases the trust of the citizens in the software and increases its usage. Moreover, open source software security is further strengthened when there exists the possibility of community audit by independent security researchers and developers.
  4. Excessive Permissions: The Indian COVID-19 apps also request excessive permissions, a surveillance feature, for accessing and controlling various elements of the smartphone on which the app is installed. Excessive permissions are required by applications that undertake tracing and surveillance by capturing information from different internal broadcasts from components of the device. In some cases, apps which are only informative and intended to issue advisories have sought permissions for location, photos, storage and camera.
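
The permission check behind observation 4, as an added example that is not part of the original analysis: it reads a decoded (plain-text) Android manifest, groups the declared permissions under the Play Store group names used in the table below, and reports every group that exceeds what the app's stated purpose needs. The group mapping, the purpose baselines and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
UNMAPPED = "Unmapped (review manually)"

# Approximate mapping from Android permission names to the Play Store
# permission groups named in the article's table (assumption of this example).
PERMISSION_GROUPS = {
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos/Media/Files, Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Photos/Media/Files, Storage",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_PHONE_STATE": "Phone, Device ID & call information",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection information",
    "android.permission.INTERNET": "Other",
    "android.permission.ACCESS_NETWORK_STATE": "Other",
}

# Hypothetical reviewer policy: which groups each stated purpose can justify.
PURPOSE_BASELINE = {
    "informational": {"Other"},
    "quarantine-tracing": {"Other", "Location"},
}

# Constructed sample: the manifest of a made-up advisory-only app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.advisory">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission-sdk-23 android:name="com.example.advisory.permission.PUSH" />
    <application android:label="Advisory" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest declares."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    # Both element names can carry a permission request.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)


def audit(manifest_xml, purpose):
    """Map each permission group outside the purpose baseline to its permissions.

    Permissions missing from PERMISSION_GROUPS are never silently accepted;
    they are reported under UNMAPPED so that a reviewer looks at them.
    """
    allowed = PURPOSE_BASELINE[purpose]
    excess = {}
    for perm in declared_permissions(manifest_xml):
        group = PERMISSION_GROUPS.get(perm, UNMAPPED)
        if group not in allowed:
            excess.setdefault(group, []).append(perm)
    return excess


if __name__ == "__main__":
    for group, perms in sorted(audit(SAMPLE_MANIFEST, "informational").items()):
        print(f"{group}: {', '.join(perms)}")
```

A real APK stores its manifest as binary XML, so it has to be decoded to text before this check can read it.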

Comparative Table of Observations of the Various COVID-19 Apps in India

GovernmentName of the App (link)Policy DetailsTerms/Privacy/FOSSPermissionsData CollectedRemarks/Concerns
Central GovernmentCOVID19 Feedback (app) Installs: 100,000+Terms of Service: No Privacy Policy: Yes Open Source: NoContactsPhotos/Media/ FilesWi-Fi Connection InfoIdentityStorageOthers1. User’s full name2. Phone number3. Email4. Office address5. Residence addressesThere is no accessible policy document within the app. This app is intended to take feedback from people who have taken a COVID-19 test as to the quality of the test.There is no Terms of Service covering the application.According to the privacy policy it is only applicable to the “website” (which is unclear). It has to be inferred that the privacy policy only covers the parent website (ncog.gov.in; which did not load) rather than the application.The privacy policy is short and does not mention the purpose for which the data collected will be used. It does not mention anything about data retention and where will the data be stored.
Arunachal PradeshCOVID CARE (app) Installs: 1000+Terms of Service: No Privacy Policy: No Open Source: No* Location* Phone* Photos/Media/Files* Storage* OtherNot knownThis app has been developed by a private company named Atsuya Technologies Pvt. Ltd. The app’s Google Play Store description says that it offers “Quarantine & Contact Health Tracing for Covid Suspects in Arunachal Pradesh”. It is a big concern that a surveillance tool is being operated without any terms of service or privacy policy. Even the website of the developer does not have a privacy policy or terms of service.The app can be used only by people who are in the Quarantine List. A message which says “This mobile number is not in Quarantine List” appeared when one of our associates tried registering an account in the app.The app’s interface has the Arunachal Pradesh Emblem and a web portal has reported that the App was developed by the Govt. of Arunachal Pradesh.
Bhopal Municipal Corpn.(in partnership with an unknown pvt. entity) Niramaya App (app) Installs: 1000+Terms of ServiceYes Privacy Policy: Yes Open Source: No* Location (GPS & Network based) * Others 1. Home Location2. GPS Information3. Mobile Number4. Full name5. Age6. Gender7. Home Address8. Cookies and Usage data9. Device details10. Browser broadcastsThis app is intended for users to request a Corona test indicating the symptom(s) they are experiencing or if they have been in contact with anyone tested postive or if they have travelled internationally.The terms of service and the privacy policy are not visible/accessible within the app. They can be accessed by visiting the app’s website.It is not clear as to who has developed the Niramaya app. The private entity’s identity is unknown. It has been indicated neither in the website nor the app.The terms of service ascribes very limited liability to the developers even if correct information is provided. Also, it seems to absolve the developer from liability even in case of data leaks. The terms state that “[t]his includes but is not limited to the loss of data or loss of profit, even if NIRAMAYA was advised of the possibility of such damages.”The NIRAMAYA app, in its Terms of Service has a problematic clause which states:“Any material, information, or idea submitted or posted on this Web site/Mobile App will be considered non-confidential and non-proprietary. NIRAMAYA may share or otherwise use your submission for any purpose whatsoever. If any of the information submitted constitutes personal data, you agree that NIRAMAYA may transmit such personal data across national and international boundaries for any business purpose.This is a problematic clause giving a blanket permission to the app publisher in using the data.Moreover, the policy documents use generic clauses which might suggest that the policy documents were ripped off from a template. 
This was confirmed to be true, as we found similarly worded provisions in the privacy policies of some websites with that of the Niramaya app’s privacy policy.
ChhattisgarhCG Covid-19 ePass (app) Installs: 50,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Photos/Media/Files* Storage* Camera* Other1. Name2. Travel Plans3. Vehicle Number4. Aadhaar/PAN Card5. Photo6. Address7. Cellphone numberAs per the app’s description, “[t]he Government of Chhattisgarh has launched this app to issue State-wide and Intra-district e-Pass for vehicular movement during the lock-down period...”Only the privacy policy of the app is visible inside the application.The application has been developed by ASC AllSoft IT Consulting Pvt. Ltd. a Raipur based company.The privacy policy of the application specifically addresses the governance of the application, though it is hosted on the AllSoft’s website. However, the privacy policy has been generated from the above mentioned Firebase app which uses generic terms and does not mention the policies as to data retention.Moreover, the privacy policy states that the app may use third party cookies and the user has the option to refuse cookies trading off the ability to use some portions of the app. However, no such option is visible within the app.
ChhattisgarhKavach (app) Installs: 50,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location (GPS & Network based)* Photos/Media/Files* Storage* Other1. Personal demographic2. Location3. IP addresses4. Device details5. Personal InformationThis app “developed by Government of Chhattisgarh to provide preventive care information and other government advisories.” The app does not offer a Terms of Service document for the users.The Privacy Policy document is accessible within the application (not uploaded in Play Store).As per the Privacy Policy personal information will be shared only with Service Providers. Info such as IP addresses, domain name, browser type, Operating Sytem, Date and time of the visit, pages visited, IMEI/MSI number, device ID, location information, language settings, handset make and model will be collected but will not be linked with the true identity of individuals visiting the KAVACH app.Once registered, the user’s account continues even if the app is deleted or from the phone. The privacy policy does not provide for how much data will be retained after the pandemic or the mode of retention.It is a matter of concern that an app only intended to provide information and advisories require permission to access location, photos, media, files and the storage.
Faridabad AdministrationJan-Sahayak (app) Installs: 1000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location (GPS & Network based)* Phone* Other1. Domain name of the ISP2. IP Address3. Browser & OS information4. Presumably information submitted through the app.This app, currently live in Faridabad and Panipat, has been developed by a private firm (OfBusiness) for the District Administration of Faridabad, for helping its citizens during the COVID-19 crisis by communicating requests from the user to the administration’s personnel.When the user tries to register an account for the first time, a message appears indicating that by signing in, the user agrees with the Terms of Use and Privacy Policy. However, there are no links to the Terms of Use or Privacy Policy placed in the login page for the user to read and accept. The Terms of Use and the Privacy Policy are not viewable even after registration.Again, this app also operates without a Terms of Service document. The Privacy Policy is accessible on the application’s website. However, the Privacy Policy is written to cover the use of the website rather than the application.A simple word search in a search engine revealed that the Privacy Policy was generated or copied from a template as the same text was found in the privacy policies of other websites.
GoaCovid Locator (app) Installs: 5000+ Terms of Service: No Privacy Policy: Yes Open Source: No* Location (GPS & Network based)* Phone* Device ID & call information* Other1. Name2. Gender3. Home Address4. Cellphone NumberThis is a tracing and surveillance app developed by the Government of Goa. The stated purpose of the app is “to help authorities to better locate patients who are under home quarantine.”The app supplies information from various sources (including covid19india.org/) and makes it accessible through the app.The app features a tracking service of people under quarantine. However, tracking is enabled only when the user gives consent by giving a “missed” call at a number communicated through SMS.There are no Terms of Service available and the privacy is policy has to be accessed through the app’s Google Play Store page.It is easy to find that the Privacy Policy was built from the Firebase app template which essentially is a generic template with boilerplate clauses which does not talk about how much and how long will the data collected be retained.
Goa(in co-operation with Innovacer Inc.) Test Yourself Goa (app) Installs: 50,000+Terms of ServiceYes Privacy Policy: Yes Open Source: No* Other (full network access)1. Name2. Gender3. Home Address4. Mobile number5. Location (upon consent)6. Any other information submitted through the application.The app is aimed at assisting its users for COVID-19 testing by checking the user’s risk for the disease.The app does not have a specific privacy policy. The Google Play Store page of the app directs a person to the privacy policy of the website of the developer. The Privacy Policy therein states “This Privacy Policy explains how we collect, use, and share information collected from including its domain and subdomains as well as any software, platform, or application owned or licensed by Innovaccer (collectively, the "Services").”Further, the Privacy Policy goes on to say that it is incorporated into the Terms of Service. However, the Terms of Service that is linked within the Privacy Policy govern “the use of web pages, software and content located within www.innovaccer.com including its domain and subdomains and apply generally to any of Innovaccer’s or its affiliates’, subsidiaries’ or joint ventures’ websites (collectively, the "Site").”Therefore, the Terms of Service technically does not apply to the “Test Yourself Goa” app but only to the website and associate websites of Innovacer Inc.The Privacy Policy spells out a detailed list of data that is collected and whether the company discloses it or sells it. As per what the current provisions stipulate, the company does not sell any data.However, the Privacy Policy in a clause pertaining to International Visitors, states that “[o]ur Services are hosted in the United States and intended for visitors located within the United States.” It is therefore, unclear as to why this Privacy Policy has been bundled with the “Test Yourself Goa” application.
Greater Chennai Corpn.GCC – Corona Monitoring(app) Installs: 10,000+Terms of Service: Yes (within the application) Privacy Policy: Yes Open Source: No* Location (GPS & Network based)* Photos/Media/Files*Storage* Camera* Other This app is a monitoring app developed by the Greater Chennai Corporation. The app is only accessible for users within Greater Chennai as users from other locations cannot go beyond the signup page.The Terms of Service (Terms and Conditions) can be viewed upon installation. The terms stipulate that the data collected will be completely deleted in 3 months.However, the privacy policy (not shown in the signing page) link within the Google Play Store page directs the user to the Privacy Policy of ‘iWasteX” app of the Madras Waste Exchange, a scheme under the Greater Chennai Corporation.
HaryanaHaryana Sahayak (app) Installs: 100+Terms of Service: No Privacy Policy: Yes Open Source: No* Location (GPS & Network based)* Photos/Media/Files* Storage* Other1. Mobile Phone Number2. Name3. Location4. Results of Quick health check-up within the appg5.The app has been developed by the Electronics & Information Technology department of the Government of Haryana.The app is intended to provide with information on COVID-19 updates to the users, take health check ups and get information on confirmed cases, COVID-19 hospitals and essential commodities near the location of the user.The app features and in-app health check-up (self-check) facility. Officers from the health department may call up the user based on the result of the health check up.The app does not show the Terms of Service or the Privacy Policy within the app. The Privacy Policy of the app is hosted on the Haryana Government’s website.The Privacy policy governing the use of the app states, that while the data collected will be stored in a centralised database in anonymised aggregated datasets for the purpose of management of COVID-19 within the state, “[s]uch personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.” This is problematic as these provisions are worded vaguely and broadly and broad interpretation can fit in almost anyone that the government can share the data with.It is clearly spelled out (Clause 2) in the app that the information provided at the time of registration is intended to be retained as long as the government can. The policy states that this information will be retained as long as the account (of the user) exists. However, there is no option within the application to delete the user’s account. Further, the provision exempts the information collected through the user submissions and makes it unclear as to what happens to that data. 
Moreover, the possibility of true anonymisation personal data is debatable Hence, this provision may not hold good for the protection of personal data. Therefore, more clarity is required in the provisions of the Privacy Policy.
Himachal PradeshCorona Mukt Himachal (app) Installs: 10,000+Terms of Service: No Privacy Policy: No Open Source: No* Location (GPS & Network based)* Wi-Fi connection information* OtherUnknownThis app is apparently intended for persons under quarantine, as it won’t allow users not in the quarantine list to register.Neither the Terms of Service nor the Privacy Policy governing the use of the application is found within the app or the Google Play Store page.
KarnatakaQuarantine Watch (app) Installs: 10,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location (GPS & Network based)* Phone* Photos/Media/Files* Storage* Camera* OtherUnknownThis app is apparently intended for persons under quarantine, as it won’t allow users not in the quarantine list to register.Neither the Terms of Service nor the Privacy Policy governing the use of the application is found within the app.The Google Play Store’s link to the Privacy Policy points to the Privacy Policy of the website of the landrecords department of the Government of Karnataka. The privacy policy appears to cover only that website though the word “Our Service” is used in a provision. Itis not clear hoe this policy can be made applicable to the Quarantine Watch application.
KarnatakaCorona Watch (app) Installs: 100,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location (approx. & precise)* Phone* Photos/Media/Files* Storage* WiFi Connection Information* Device ID & call information* Other1. Name2. Mobile number3. Address4. Gender5. GPS Location6. Log Data7. Session InformationThis app, developed by Karnataka Geographic Information System (KGIS), is intended for displaying the location and spots visited of persons who have been diagnosed with COVID-19 within the state of Karnataka and also the locations of home quarantined. The app opens up a Google Maps frame and marks the location of the infected patients and the spots they have visited. No personal details are explicitly provided by the application. However, the address, specific to the street is given by the marker. And there is also a feature to open the co-ordinates within the app in Google Maps. The app is presumably used also by government officials for data collection.The Terms of Service and Privacy Policy are not accessible within the app. The Terms of Service is not available in the Google Play Store page either.The Privacy Policy linked in Google Play Store redirects to KGIS’s website, where the privacy policy of the app is hosted. The Privacy Policy is the same policy that is used for the KGIS website. It is therefore not clear whether the privacy policy actually applies to the Corona Watch app as the name of the app is not specifically mentioned in the privacy policy.The privacy policy enumerates the data collected and stipulates that the data will be retained on servers within India. However, it is not mentioned for how long will the data be retained or whether the data collected will be deleted after the pandemic.The application also logs Log Data (error data) and session data through cookies. The relevant provision stipulates that the user can deny cookies, however, no such option is available in the app.
KarnatakaCorona Contact Survey (app) Installs: 1000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location (GPS and network-based)* Phone* Photos / Media / Files* Storage*Wi-Fi connection information* Device ID & call information* Other This is an app intended only for departmental use. Only the persons whose cellphone numbers are registered with the government can register the app in their phones.The privacy policy used by the Corona Watch app is used to govern the use of this app as the privacy policy linked in Google Play Store directs to the same.
KeralaGoK Direct - Kerala (app) Installs:Terms of Service: No Privacy Policy: Yes Open Source: No* Photos/Media/Files* Storage* OtherUnknownThis app has been developed by the Information & Public Relations Department of the Government of Kerala. This application is intended to communicate alerts with the users on COVID-19 updates. The app also enables users to visit the WhatsApp api to get alerts from the World Health Organisation (WHO). The application also features a helpline button which enables users to connect to the Direct Intervention System For Health Awareness (DISHA) operated by the Government of Kerala.There are no Terms of Service accessible within the application. The Privacy Policy is accessible from the application and the app’s Google Play Store page. However, both links point to a privacy policy document hosted on the website of the developer (Qkopy Online Services Pvt Ltd.) and as per its provisions pertain, to an application called “Qkopy X” which is a product of Qkopy. So, essentially the app does not have an effective privacy policy governing its use.
Madhya PradeshMP Covid Response App (app) Installs: 10,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location* Phone* Photos/Media/Files* Storage* Device ID & call information* Other1. Name (not mandatory)2. Phone Number3. IMEI4. Location of the user5. Patient information6. Location of recent patientsThis is a monitoring tool, developed by the government of Madhya Pradesh to identify citizens suffering or susceptible to contracting COVID-19. The app also features list of public health centres and government guidelines.The application does not show a Terms of Service document or the Privacy Policy within it. The Privacy Policy of the app is linked in the Google Play Store page.The privacy policy of the app, hosted in a sub-domain the National Health Mission (MP) website, indicates that the app collects information through 3 interfaces; from the citizens, from the hospitals, and from the Government officers. They are used to collect information about patients, location of recent patients, user reports, etc.The privacy policy, states that submitting names are not mandatory. However, that does not make much difference as the phone number, the location and the IMEI number are collected.The privacy policy stipulates that “[n]o personal data (such as name, number, age filled by user while app downloading) of suspected patient will be shared with other users” and that “[o]bjective is to ensure community safety without any personal data breach.” This however, is not assured with provisions on the kind of data and the duration for which it will be retained, whether it will be anonymised if retained and whether the users will be able to correct incorrect personal data etc.
MaharastraMahakavach (app) Installs: 10,000+Terms of Service: No Privacy Policy: Yes Open Source: No * Contacts* Photos/Media/Files* Camera* Storage* Location* Phone* Other1. Name2. Gender3. Age4. AddressMahakavach is a “digital contact tracing app for Covid-19”. The application has been developed by the Maharashtra State Innovation Society, a nodal agency of the government of Maharashtra. The accessibility of this app is limited to either suspected COVID-19 patients or to those persons already in quarantine. Therefore, only those users who have been issued an authorisation code can access the application.It has been reported that the government has mandated users to adhere to a system of ‘selfie attendance’ though which the government attempts to photographically track the location of the users. It is also reported that users are also required to constantly update their quarantine status and upload their Coronavirus tests to aid government in tracking their progress.The privacy policy of the app has been generated from the Firebase-based policy generator app. The privacy policy of the app refers to a “Terms and Conditions” which is available in the app. However, we have not been able to verify this is true as we could not access the app without an authorisation code.Should there occur an error in the app, data such as the device’s IP address, device name, software version and “other statistics”, which has not been defined, are collected and stored via third party products.Additionally, while the policy allows the users to ‘opt-out’ of cookies, we were not able to verify whether this provision has been enabled in the app. Some of the other apps we had analysed did not provide for the feature though the privacy policy mentioned it.With respect to accessibility to personal information and sharing of data, the policy states that the use and sharing of data will remain limited to the confines of the policy. 
This in turn extends to third parties which may be engaged to ‘facilitate the service’, ‘provide the service on behalf of the government’, ‘assist in analysing how the service is used’ and interestingly so, ‘perform Service-related services.’ Here, access is granted only for tasks assigned to such third parties on behalf of the government. However, these tasks, as aforementioned, lack concrete definition and thus, may provide scope for exploitation.As with the other apps based on the same policy, the privacy policy of Mahakavach fails to stipulate provisions on data retention.
OdishaCOPE Odisha (app) Installs: 1,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location* Photos/Media/Files* Storage/Camera* Other The app, as per its description, is intended for people under quarantine, citizens and officers.This app also has used the Firebase policy generator for generating the privacy policy. The major difference with the other policies is that the privacy policy of COPE Odisha stipulates that it embeds only Google Play Services as a third party service within the app.The app when opened displays the following message: “As per the Government’s mandate, you are required to give permission to the application to access your device location. We request you to cooperate with us in such difficult times. Any violation may amount to actions as per law. Kindly tap on ‘ALLOW’ whenever such permissions are requested.”The above provision is of concern. It is unclear as to which mandate is the message referring to. It is also unclear as to which Government agency has developed the application so as to find the mentioned ‘mandate’. Such a mandate has not been found in the Health & Family Welfare Department of the Government of Odisha in the Master Circulars issued by the department.The app also does not give accessible links to the Terms of Service and the Privacy Policy.
OdishaCOVID-19 Odisha (app) Installs: 1,000+Terms of Service: Yes (within the app) Privacy Policy: Yes Open Source: No* Location* Photos/Media/Files* Storage* Other1. Name (required)2. Age (required)3. Gender4. District (required)5. Pin Code6. Address (at least one line is required)7. Any illness experienced by the user8. Cellphone number9. Password (for account)10. Device detailsThis app, developed by the Odisha government, is stated to be a COVID-19 risk management app.The app is intended only for the residents of Odisha. The app collects personal information during the registration process. During the same the user has to give his/her consent for the Terms & Conditions of the app.However, the Terms & Conditions is essentially a declaration from the user giving consent to share his personal data with the government and also agreeing for monitoring of his/her location. The declaration uses broad terms which take from the user “consent to the usage of all relevant personal data” that has been provided and will be providing from time to time and the “dynamically tracked location.The link to the Privacy Policy is provided in the Google Play Store page which leads to a short policy document in which it is essentially stipulated that the user will be notified of the purpose of collection of data and that it will not be shared with third parties.However, the policy is silent as to data retention, user access to the data collected, and the user’s right to correct incorrect data.
PuducherryTest Yourself Puducherry (app) Installs: 10,000+Terms of Service: Yes Privacy Policy: Yes Open Source: No* Full Network Access1. Region2. Language(The app is intended only for users within Puducherry territories)Developed by Innovacer Inc. in association with the Government of Puducherry, the Test Yourself Puducherry app is intended for users within Puducherry to “check [their] risk for COVID-19” through informational and educational content through the app.The app opens up to the user seeking acceptance to the Terms of Use and the Privacy Policy of the app. Firstly, the Terms of Use does not explicitly refer to the app by name. The name “Test Yourself Puducherry” does not appear in the Terms of Use. So, it has to be inferred.The Terms of Use explicitly states that the application is not intended for diagnosis or treatment.The Terms of Use seems comprehensive in covering usual terms present in software licenses. However, the app itself remaining closed-source is still a concern.However, clauses in the the Privacy Policy are problematic. Firstly,the Privacy Policy document is a general document used for Innovacer’s website, and any of Innovacer’s software, platform or application. Secondly, the Privacy Policy is linked to a different Terms of Use intended only for the website of Innovacer and for any software located within the website. This is different from the app’s Terms of UseAccording to the Privacy Policy the services are hosted in the United States and intended for visitors located in the United States. The clause titled “International Visitors” indicate that the developers intended US laws to be governing data collection. The Privacy Policy is comprehensive in covering different aspects but it is not made subject to Indian laws. This is a fundamental concern and a major flaw.
Punjab
COVA Punjab (app) (iOS)
Installs: 500,000+
Terms of Service: No
Privacy Policy: Yes
Open Source: No

* Location
* Photos/Media/Files
* Storage
* Camera
* Other

1. Personal demographic
2. Location
3. Device information
4. Usage details
5. User submissions

The Corona Virus Alert (COVA) is an app developed by the Government of Punjab. The app is intended to be an alert system for the users.

However, it is surprising to see that the app seeks so many permissions when it is only an alert system.

The privacy policy is accessible within the app (when signing in) and from the Google Play Store.

Once registered, the user’s account continues even if the app is deleted from the phone. The privacy policy does not mention how much data will be retained after the pandemic or the mode of retention.

It is a matter of concern that an app only intended to provide information and advisories requires permission to access location, photos, media, files and the storage.

Rajasthan
RajCovidInfo (app)
Installs: 1,000+
Terms of Service: Yes (shown within the app during signup)
Privacy Policy: Yes
Open Source: No

* Location
* Photos/Media/Files
* Storage
* Camera
* Other

1. Full Name
2. Mobile Number
3. Address
4. Pin Code
5. Health condition
6. Family member assessment
7. Selfie

This app, developed by the Department of IT & Communication, has been developed to provide COVID-19 government guidelines and health advisory.

Though it is stated that the app is used only to issue guidelines and health advisory, the excessive permissions sought by the app are of concern.

The privacy policy linked within the Google Play Store page directs to the Privacy Policy of the website of the Department of IT & Communication. This is a fundamental issue and flaw common with some of the other COVID-19 centred apps developed by state governments in India.

Additionally, a Terms of Service & Policy is displayed during sign up when the app is first used. The short document recommends setting the user’s location sharing to ‘Always’. The document also requests the user not to switch off the mobile phone, not to disable the Internet connection, to provide location access and to update the app regularly. It is not unreasonable to suspect that this app also is intended to be a monitoring tool.

The app also collects information on the user’s health condition (voluntary) and also of family members (voluntary). The app also has a feature for users to upload their selfies.

This app repeats the failures of similar apps by not mentioning anything about data retention and the future use of collected data except for the fact that the data won’t be used by persons other than Government officials.

Surat Municipal Corpn.
SMC COVID-19 Tracker (app)
Installs: 50,000+
Terms of Service: No
Privacy Policy: Yes (can be downloaded from within the app)
Open Source: No

* Location
* Phone
* Photos/Media/Files
* Storage
* Camera
* Wi-Fi connection information
* Device ID & call information
* Other

1. Email
2. User account
3. Device information
4. Location (presumably)

This app has been developed by the IT department of the Surat Municipal Corporation to “track people who have abroad or interstate travel history and persons who have come in direct contact with positive COVID-19 individual.”

A summary of what the app does is given in the Google Play Store page of the app. However, the Privacy Policy linked in the Google Play Store directs to the privacy policy of the website of the SMC.

The actual Privacy Policy of the app can be downloaded from within the app. However, the privacy policy has been generated from the above-mentioned Firebase app, which uses generic terms and does not mention the policies as to data retention.

Moreover, the privacy policy states that the app may use third party cookies and that the user has the option to refuse cookies, trading off the ability to use some portions of the app. However, no such option is visible within the app.

The app, however, can only be used by registering with an official travel id issued to persons who have submitted their travel history details at SMC’s portal.

Tamil Nadu
COVID-19 Quarantine Monitor Tamil Nadu (official) (app)
Installs: 100,000+
Terms of Service: No
Privacy Policy: Yes (but does not apply)
Open Source: No

* Photos/Media/Files
* Camera
* Storage
* Location
* Wi-Fi connection information
* Phone
* Other

Unknown

The app only allows users to register and use the app if their mobile number is enlisted in the State Quarantine List.

There are no other accessible links within the app other than the login form and button.

The privacy policy of the application provided in the Google Play Store page does not cover the app, as it is the privacy policy of the ‘esevai’ (e-Service) portal of the Tamil Nadu government and does not explicitly mention the app at all.

Telangana
T COVID'19 (app)
Installs: 10,000+
End-User License Agreement (EULA): Yes
Privacy Policy: Yes
Terms and Conditions: Yes
Open Source: No

* Calendar
* Location
* Phone
* Photos/Media/Files
* Storage
* Camera
* Microphone
* Wi-Fi connection information
* Device ID & call information
* Other

This app has been developed by the Government of Telangana to “provide citizens with preventive care information and other government advisories”.

However, for an app that serves information and advisories, it asks for several permissions, including monitoring components such as ‘extra location provider commands’, which pertains to the state of location.

The Privacy Policy linked in the Google Play Store page directs to the website of presumably the developer of the application, Quantela Inc., a company based in the US.

The app, however, features three documents which must be accepted in order to use the app. The first of the three documents (End-User License Agreement) directs to the Terms and Conditions of an app named ‘Smart City Software Atlantis’, a product of Quantela Inc. The second document (Privacy Policy) directs to a general privacy policy document that applies to all of Quantela Inc’s services. The third document directs to the Terms and Conditions of the website callhealth.com, apparently owned by CallHealth Services Pvt. Ltd., a Hyderabad-based company.

It is unclear from these documents which document applies squarely to the app and which entity is actually behind the development of the app.

Though the Privacy Policy mentioned above is a general document, it could be inferred to be the governing document.

Uttarakhand
Uttarakhand CV 19 Tracking System (app)
Installs: 5,000+
Terms of Service: No
Privacy Policy: Yes
Open Source: No

* Location
* Photos/Media/Files
* Storage
* Camera
* Other

1. Name
2. Gender
3. Father’s/Spouse’s name
4. Phone Number
5. Age
6. Address
7. District
8. Symptoms
9. Duration of symptoms
10. Overseas travel details
11. Health condition
12. Location Co-ordinates
13. Google Map location

This app is designed to collect information from user submissions to determine whether the user has contracted COVID-19 or not. If the user is found to be having issues, the app stipulates that a medical team will come and help the user. This service is restricted only to residents of Uttarakhand.

Neither a Terms of Service nor a Privacy Policy document is accessible within the app. The Google Play Store page hosts a link to a privacy policy.

Sadly, it is the policy apparently generated from the Firebase application, Firebase app, which uses generic terms and does not mention the policies as to data retention.

Uttar Pradesh
UP Self- Quarantine App (app)
Installs: 10,000+
Terms of Service: No
Privacy Policy: Yes
Open Source: No

* Location
* Other

1. Name
2. Age
3. Gender
4. Address
5. Mobile Number
6. Password (for the account)

This app is explicitly described as an app for “Corona COVID19 Surveillance”.

This app does not have an accessible Terms of Service or Privacy Policy document.

The privacy policy link in the Google Play Store page directs to the U. P. government’s COVID19 web portal. A policy document is not uploaded there either.

West Bengal
COVID-19 West Bengal Government (app)
Installs: 10,000+
Terms of Service: No
Privacy Policy: No
Open Source: No

* Location
* Phone
* Other

1. Name
2. Mobile
3. Age
4. Gender
5. Address
6. Next of kin details
7. Symptoms (may be submitted only if they are persistent and eligible to be notified).

This application is meant to monitor the user’s location. The user may update his/her symptoms and personal details if he/she wants to.

There is no accessible link to a Terms of Service or Privacy Policy document within the app.

The privacy policy link in the Google Play Store page directs to the website of the Government of West Bengal.

All Posts | Apr 01,2020

Open letter for restoration of 4G internet in Jammu and Kashmir in wake of COVID-19

SFLC.in wrote an open letter to the Principal Secretary of the Union Territory of Jammu and Kashmir as well as Home Minister Amit Shah on March 31, requesting them to restore 4G internet speed in Jammu and Kashmir.

Kashmir has been facing an internet blackout since August 4, 2019 and it is only recently that citizens have gained access to the internet at 2G speed. The current order issued by the Centre following the top court's ruling states that the speed of the internet will be restricted to 2G till April 3, 2020 after which the order will be pending a review.

COVID-19 is an unprecedented pandemic which has resulted in public health chaos. As of March 31, 2020, the number of cases of COVID-19 in Jammu and Kashmir has reached 55. To fight this global pandemic, timely information is needed, which isn't possible without reasonably high speed internet access. Restricted internet has left citizens of the UT unable to download informative videos and resource material for dissemination of necessary and accurate information at a time when a lot of rumours and misinformation are doing the rounds. Timely information for the general public, medical professionals and the media is needed to fight the pandemic.

In order to contain the spread of infection and monitor patients, telemedicine is important along with access to high speed internet for doctors to be able to access material online and to do video consultations with other healthcare practitioners as well as patients.

There is a severe lack of information among the citizens in Jammu and Kashmir owing to the fact that information cannot be accessed without proper internet. Multimedia content, including that issued by the Health Ministry and WHO, cannot be accessed either. There are a number of students, working professionals and other citizens who have been asked to work from home due to the lockdown in view of the coronavirus, and this is possible only if unrestricted access to the internet is allowed.

Sub-clause (d) of Clause 4 of the Annexure to order no. 40-3/2020 dated 24-03-2020 issued by the Ministry of Home Affairs states that telecommunications, internet services, broadcasting and cable services, IT and IT enabled services are exceptions to the lockdown as essential services. Functional high speed internet is a prerequisite to contain the pandemic as well as to mitigate the damage both to the health of citizens and to the economy.

In our letter, we have requested the government to consider the prevailing extraordinary circumstances and restore 4G internet in Jammu and Kashmir on an urgent basis.

About SFLC.IN

SFLC.IN is a donor-supported legal services organisation that brings together lawyers, policy analysts, technologists, and students to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protects privacy and civil liberties for citizens in the digital world by educating and providing free legal advice, and helps policy makers make informed and just decisions with the use and adoption of technology.

For further communication:
Prasanth Sugathan
Voluntary Legal Director, SFLC.IN
prasanth@sflc.in

All Posts | Mar 31,2020

Joint Letter to the Central and State Governments on Unwarranted, Excessive, Collection and Processing of Personal Data of Individuals during the ongoing COVID-19 Pandemic

March 31, New Delhi: Delhi-based non-profit legal services organization SFLC.IN, along with a coalition of non-profit organisations, civil society groups, lawyers, public policy professionals, technologists, social activists, entrepreneurs, and citizens, have voiced their concerns, urging the government to resort to strict legal measures to regulate and supervise the collection and subsequent processing of personal data of individuals during the ongoing COVID-19 pandemic.

A joint letter was sent to Shri Amit Shah, Home Minister, Shri Harsh Vardhan, Minister of Health and Family Welfare, Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology, as well as heads of various State Governments, urging them to process the personal data of individuals within the territory of India, and conduct the monitoring of persons, only as per the law laid down through various judgments of the Supreme Court of India and the norms and principles enunciated therein. Any unwarranted, excessive collection and processing of personal data can cause irreversible harms or violations of informational and bodily privacy of an individual.

The organisations who have signed are CCAOI, Digital Empowerment Foundation, Free Software Movement of India, Internet Democracy Project, Internet Freedom Foundation, Internet Society-Delhi Chapter, IT For Change, SFLC.in and Swathanthra Malayalam Computing.

Prasanth Sugathan, Voluntary Legal Director, SFLC.in said that “Central and State Governments are taking various steps like publishing information of patients and persons under quarantine and are coming out with apps that collect and process personal information. Although this is an extraordinary situation, care should be taken to ensure that the personal information of individuals is handled securely and with due care respecting their privacy rights. Any measure adopted for public health purpose should be the least intrusive and should not violate the privacy rights of individuals. Publishing of route maps and contact tracing should be done without publishing the personal details of patients.”

The letter highlights the following principles that the governments should follow while processing data during the ongoing COVID-19 pandemic:

Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. The personal data collected for the purpose of public health should only be retained during the response to the pandemic and deleted automatically without maintaining any copies, once the pandemic has been declared to be over.

Necessity and Proportionality: Any collection or processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and public health. In some states the list of persons who are under quarantine has been made public in the guise of public monitoring. This is excessive and a disproportionate invasion into the privacy of the individuals under quarantine.

Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy to read, plain language format. Individuals must be informed as to the volume, extent, and purpose of the personal data belonging to them being collected, processed, stored or transferred to any person.

Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertisement and commercial purposes unrelated to public health should be completely prohibited. No discrimination shall be meted out to individuals in the collection and processing of personal data during this pandemic and such personal data shall not be used to discriminate against any individual in the future.

Security: Security protections for data processing during the COVID-19 pandemic should not be compromised and the data must be maintained securely and must be exchanged only through secure platforms and hardware. Any apps related to COVID-19 promoted by the Government should be secure and their data collection should be in tune with the principles mentioned herein.

No Surveillance without Due Process: Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified under these statutes. Any surveillance pursuant to the aforementioned statutes and other relevant laws such as the Epidemic Diseases Act, 1987, and the Code of Criminal Procedure, 1973 used for the monitoring of individuals during this pandemic is subject to judicial review.

About SFLC.IN

SFLC.IN is a donor-supported legal services organisation that brings together lawyers, policy analysts, technologists, and students to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protects privacy and civil liberties for citizens in the digital world by educating and providing free legal advice, and helps policy makers make informed and just decisions with the use and adoption of technology.

For further communication:
Prasanth Sugathan
Voluntary Legal Director, SFLC.IN
prasanth@sflc.in
+91 9013585902