May 19, 2020

Aarogya Setu to be installed on “Best Efforts Basis”. No longer Mandatory

SFLC.in welcomes the Home Ministry Guidelines dated 17.05.2020, which no longer mandate the installation of the Aarogya Setu application for government and private employees and for individuals in containment zones. Under the new guidelines, an employer will not be liable if an employee fails to install Aarogya Setu on their device. This welcome move is the result of the efforts of civil society organisations, technologists, policy professionals and citizens who had relentlessly voiced their opinion against mandatory installation of the Aarogya Setu app.

SFLC.in along with a coalition of concerned individuals and organizations had sent a joint representation letter to the Government of India and the state governments, expressing concerns over the unwarranted and excessive collection and processing of personal data during the ongoing COVID-19 pandemic. The full text of the representation can be accessed here.

The Joint Representation also inspired a public initiative in which SFLC.in asked citizens to raise their voice and urge the Government of India to resort to strict legal measures and adhere to privacy and data protection principles for the collection and processing of personal data during the ongoing pandemic. We received an overwhelming response to the initiative.

We had published a detailed analysis of the legal issues involved in the application as well as a technical analysis of the application. We also issued a statement on the ‘Mandatory’ use of the Aarogya Setu App.

SFLC.in had also sent a representation to the Chairperson of the Committee on Information Technology, raising our concerns around the privacy violations taking place during the COVID-19 pandemic and asking the Committee to prepare a report on the same.

This is just the beginning, and we will continue to keep track of the issue as we need to ensure that the app is not made de facto mandatory for citizens by means of it being required for accessing various services and public places.

Amid security and privacy concerns, the Aarogya Setu app still remains a closed source application. The Privacy Policy, Terms and Conditions, and the Protocol fall short on various data protection principles which have been highlighted by us as well as other organisations and individuals.

We will continue our fight to defend the digital rights of citizens and look forward to your support.

Apr 20, 2020

Our Analysis of the Indian COVID-19 Apps

The Central Government had recently launched the Aarogya Setu app, a surveillance application developed for tracing users who might have come within the proximity of people who have tested positive for COVID-19. In addition to this app developed by the Central Government, there are other active applications, developed by various State Governments and local authorities, for the collection of personal and other data and for monitoring in relation to the COVID-19 pandemic.

While we applaud the efforts taken by each State/UT government and the Central Government in combating this deadly disease, we are also concerned with the arbitrary use of state power in different situations in conducting excessive collection and processing, and unauthorised sharing of personal data, unbridled surveillance and tracing of people during this pandemic spread in India. Earlier, we had joined hands with different organisations and concerned citizens in sending a joint letter expressing our concerns regarding the collection and processing of personal data during this time to various heads of the Central & State Governments. You can read the letter here.

We had done an analysis of the Terms of Service and Privacy Policy of the app and had expressed our concerns over the same. You can read about them here. Apart from the Aarogya Setu app, we have also analysed the policy documents of the different State/UT applications. While the applications have been developed independently by each government, we have observed some questionable trends, practices and policy provisions pertaining to the apps. The comparative analysis can be found in tabular form hereunder. The observations are summarised as follows:

  1. Absence of Terms of Service/Privacy Policy: It is shocking to see the absence of Terms of Service or a Privacy Policy that binds the developer/publisher of the app and its end user. In the case of entities who are Internet intermediaries, Rule 3 of the Information Technology (Intermediaries Guidelines) Rules, 2011 mandates that an intermediary shall publish within the platform the terms of use, rules and regulations, and privacy policy pertaining to the platform operated by the intermediary. In comparison, some COVID-19 based applications do not even have the Terms of Service accessible to the users though personal data is collected. In some cases, the link provided to the Privacy Policy redirects to the policy of the website of the developer, which may be a private entity to whom the development of the app was outsourced by the government concerned. This is a shocking practice, as the absence of the policy documents attempts to drive away any liability of the government concerned if there is any misuse of the data collected. The app’s terms are governed by the laws of the country where the developer runs its primary business. Some applications are covered by the terms of the website of the private entity that has developed the app for the government concerned, rather than by specific terms and conditions covering the use of the app.
  2. Unspecific Terms and Policies: While some of the apps that we looked into have privacy policies in place, they are not specific with regard to the app that the policy covers. Some of the applications have generated their privacy policies using a Firebase application, a privacy policy generator which is hosted here. This practice in itself is not condemnable. However, these policies lack clauses that cover important aspects such as data retention and purpose limitation for the processing of data collected. In addition, the terms try to avoid liability to the maximum extent they can, even in cases of data leaks and harms caused.
  3. Closed Source: We had mentioned this issue in our analysis of the Aarogya Setu app. Not every state in India has an open source software policy in place. However, it is important for the State to make the source code of the software that it develops open source when these are aimed at citizen welfare and when it purports to handle health and travel information pertaining to citizens. This increases the trust of the citizens in the software and increases its usage. Moreover, open source software security is further strengthened when there exists the possibility of community audit by independent security researchers and developers.
  4. Excessive Permissions: The Indian COVID-19 apps also implement the surveillance feature of excessive permissions for accessing and controlling various elements of the smartphone in which the app is installed. Excessive permissions are required by applications that undertake tracing and surveillance through capturing information from different internal broadcasts from components of the device. In some cases, apps which are only informative and intended to issue advisories have sought permissions for location, photos, storage and camera.
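The check described in point 4 can be run against an app's manifest. The following Python sketch is an added example, not part of the original analysis: it assumes the app's AndroidManifest.xml has already been decoded to text XML, the sample manifest is constructed, and both the permission-group mapping and the per-purpose baseline (`GROUPS`, `BASELINE`) are assumptions of this example rather than any published standard.

```python
import xml.etree.ElementTree as ET

# Attribute key for android:name once ElementTree has expanded the namespace.
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Partial mapping from Android permission to a permission-group label in the
# style used in the table below. Assumption of this example, not exhaustive.
GROUPS = {
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos/Media/Files and Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Photos/Media/Files and Storage",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_PHONE_STATE": "Phone / Device ID & call information",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection information",
}

# Reviewer-chosen baseline: groups considered justified for each stated
# purpose. Hypothetical policy for illustration only.
BASELINE = {
    "advisory": set(),
    "quarantine_monitoring": {"Location"},
    "epass": {"Camera", "Photos/Media/Files and Storage"},
}

# Constructed sample: an app whose stated purpose is advisories only.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.advisory">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    # Permissions can be declared with either element; read both.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NAME)
            if name:
                names.add(name)
    return names


def audit(manifest_xml, purpose):
    """Compare requested permissions with the baseline for a stated purpose.

    Returns (excess, unmapped): excess maps each permission group outside
    the baseline to the permissions that triggered it; unmapped lists
    permissions this example has no group for, left for manual review.
    """
    if purpose not in BASELINE:
        raise ValueError("no baseline defined for purpose: %r" % purpose)
    allowed = BASELINE[purpose]
    excess, unmapped = {}, []
    for permission in sorted(declared_permissions(manifest_xml)):
        group = GROUPS.get(permission)
        if group is None:
            unmapped.append(permission)
        elif group not in allowed:
            excess.setdefault(group, []).append(permission)
    return excess, unmapped


if __name__ == "__main__":
    excess, unmapped = audit(SAMPLE_MANIFEST, "advisory")
    for group in sorted(excess):
        print("beyond stated purpose:", group, "<-", ", ".join(excess[group]))
    print("review manually:", ", ".join(unmapped))
```
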

Comparative Table of Observations of the Various COVID-19 Apps in India

Columns: Government; Name of the App (link); Policy Details (Terms/Privacy/FOSS); Permissions; Data Collected; Remarks/Concerns

Government: Central Government
Name of the App: COVID19 Feedback (app); Installs: 100,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Contacts; Photos/Media/Files; Wi-Fi Connection Info; Identity; Storage; Others
Data Collected: 1. User’s full name; 2. Phone number; 3. Email; 4. Office address; 5. Residence addresses
Remarks/Concerns: There is no accessible policy document within the app. This app is intended to take feedback from people who have taken a COVID-19 test as to the quality of the test. There is no Terms of Service covering the application. According to the privacy policy, it is only applicable to the “website” (which is unclear). It has to be inferred that the privacy policy only covers the parent website (ncog.gov.in; which did not load) rather than the application. The privacy policy is short and does not mention the purpose for which the data collected will be used. It does not mention anything about data retention or where the data will be stored.

Government: Arunachal Pradesh
Name of the App: COVID CARE (app); Installs: 1000+
Policy Details: Terms of Service: No; Privacy Policy: No; Open Source: No
Permissions: Location; Phone; Photos/Media/Files; Storage; Other
Data Collected: Not known
Remarks/Concerns: This app has been developed by a private company named Atsuya Technologies Pvt. Ltd. The app’s Google Play Store description says that it offers “Quarantine & Contact Health Tracing for Covid Suspects in Arunachal Pradesh”. It is a big concern that a surveillance tool is being operated without any terms of service or privacy policy. Even the website of the developer does not have a privacy policy or terms of service. The app can be used only by people who are in the Quarantine List. A message which says “This mobile number is not in Quarantine List” appeared when one of our associates tried registering an account in the app. The app’s interface has the Arunachal Pradesh Emblem, and a web portal has reported that the app was developed by the Govt. of Arunachal Pradesh.

Government: Bhopal Municipal Corpn. (in partnership with an unknown pvt. entity)
Name of the App: Niramaya App (app); Installs: 1000+
Policy Details: Terms of Service: Yes; Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS & Network based); Others
Data Collected: 1. Home Location; 2. GPS Information; 3. Mobile Number; 4. Full name; 5. Age; 6. Gender; 7. Home Address; 8. Cookies and Usage data; 9. Device details; 10. Browser broadcasts
Remarks/Concerns: This app is intended for users to request a Corona test, indicating the symptom(s) they are experiencing, or whether they have been in contact with anyone who tested positive, or whether they have travelled internationally. The terms of service and the privacy policy are not visible/accessible within the app. They can be accessed by visiting the app’s website. It is not clear who has developed the Niramaya app. The private entity’s identity is unknown. It has been indicated neither on the website nor in the app. The terms of service ascribe very limited liability to the developers even if correct information is provided. They also seem to absolve the developer from liability even in case of data leaks. The terms state that “[t]his includes but is not limited to the loss of data or loss of profit, even if NIRAMAYA was advised of the possibility of such damages.” The NIRAMAYA app’s Terms of Service has a problematic clause which states: “Any material, information, or idea submitted or posted on this Web site/Mobile App will be considered non-confidential and non-proprietary. NIRAMAYA may share or otherwise use your submission for any purpose whatsoever. If any of the information submitted constitutes personal data, you agree that NIRAMAYA may transmit such personal data across national and international boundaries for any business purpose.” This is a problematic clause, giving blanket permission to the app publisher in using the data. Moreover, the policy documents use generic clauses, which might suggest that the policy documents were ripped off from a template. This was confirmed to be true, as we found provisions in the privacy policies of some websites worded similarly to those of the Niramaya app’s privacy policy.

Government: Chhattisgarh
Name of the App: CG Covid-19 ePass (app); Installs: 50,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Photos/Media/Files; Storage; Camera; Other
Data Collected: 1. Name; 2. Travel Plans; 3. Vehicle Number; 4. Aadhaar/PAN Card; 5. Photo; 6. Address; 7. Cellphone number
Remarks/Concerns: As per the app’s description, “[t]he Government of Chhattisgarh has launched this app to issue State-wide and Intra-district e-Pass for vehicular movement during the lock-down period...” Only the privacy policy of the app is visible inside the application. The application has been developed by ASC AllSoft IT Consulting Pvt. Ltd., a Raipur based company. The privacy policy of the application specifically addresses the governance of the application, though it is hosted on AllSoft’s website. However, the privacy policy has been generated from the above mentioned Firebase app, which uses generic terms and does not mention the policies as to data retention. Moreover, the privacy policy states that the app may use third party cookies and that the user has the option to refuse cookies, trading off the ability to use some portions of the app. However, no such option is visible within the app.

Government: Chhattisgarh
Name of the App: Kavach (app); Installs: 50,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS & Network based); Photos/Media/Files; Storage; Other
Data Collected: 1. Personal demographic; 2. Location; 3. IP addresses; 4. Device details; 5. Personal Information
Remarks/Concerns: This app was “developed by Government of Chhattisgarh to provide preventive care information and other government advisories.” The app does not offer a Terms of Service document for the users. The Privacy Policy document is accessible within the application (not uploaded in Play Store). As per the Privacy Policy, personal information will be shared only with Service Providers. Info such as IP addresses, domain name, browser type, Operating System, date and time of the visit, pages visited, IMEI/MSI number, device ID, location information, language settings, and handset make and model will be collected but will not be linked with the true identity of individuals visiting the KAVACH app. Once registered, the user’s account continues even if the app is deleted from the phone. The privacy policy does not provide for how much data will be retained after the pandemic or the mode of retention. It is a matter of concern that an app only intended to provide information and advisories requires permission to access location, photos, media, files and the storage.

Government: Faridabad Administration
Name of the App: Jan-Sahayak (app); Installs: 1000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS & Network based); Phone; Other
Data Collected: 1. Domain name of the ISP; 2. IP Address; 3. Browser & OS information; 4. Presumably information submitted through the app.
Remarks/Concerns: This app, currently live in Faridabad and Panipat, has been developed by a private firm (OfBusiness) for the District Administration of Faridabad, for helping its citizens during the COVID-19 crisis by communicating requests from the user to the administration’s personnel. When the user tries to register an account for the first time, a message appears indicating that by signing in, the user agrees with the Terms of Use and Privacy Policy. However, there are no links to the Terms of Use or Privacy Policy placed on the login page for the user to read and accept. The Terms of Use and the Privacy Policy are not viewable even after registration. Again, this app also operates without a Terms of Service document. The Privacy Policy is accessible on the application’s website. However, the Privacy Policy is written to cover the use of the website rather than the application. A simple word search in a search engine revealed that the Privacy Policy was generated or copied from a template, as the same text was found in the privacy policies of other websites.

Government: Goa
Name of the App: Covid Locator (app); Installs: 5000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS & Network based); Phone; Device ID & call information; Other
Data Collected: 1. Name; 2. Gender; 3. Home Address; 4. Cellphone Number
Remarks/Concerns: This is a tracing and surveillance app developed by the Government of Goa. The stated purpose of the app is “to help authorities to better locate patients who are under home quarantine.” The app supplies information from various sources (including covid19india.org/) and makes it accessible through the app. The app features a tracking service for people under quarantine. However, tracking is enabled only when the user gives consent by giving a “missed” call at a number communicated through SMS. There are no Terms of Service available, and the privacy policy has to be accessed through the app’s Google Play Store page. It is easy to find that the Privacy Policy was built from the Firebase app template, which essentially is a generic template with boilerplate clauses and which does not talk about how much of the data collected will be retained or for how long.

Government: Goa (in co-operation with Innovaccer Inc.)
Name of the App: Test Yourself Goa (app); Installs: 50,000+
Policy Details: Terms of Service: Yes; Privacy Policy: Yes; Open Source: No
Permissions: Other (full network access)
Data Collected: 1. Name; 2. Gender; 3. Home Address; 4. Mobile number; 5. Location (upon consent); 6. Any other information submitted through the application.
Remarks/Concerns: The app is aimed at assisting its users with COVID-19 testing by checking the user’s risk for the disease. The app does not have a specific privacy policy. The Google Play Store page of the app directs a person to the privacy policy of the website of the developer. The Privacy Policy therein states: “This Privacy Policy explains how we collect, use, and share information collected from including its domain and subdomains as well as any software, platform, or application owned or licensed by Innovaccer (collectively, the "Services").” Further, the Privacy Policy goes on to say that it is incorporated into the Terms of Service. However, the Terms of Service that is linked within the Privacy Policy governs “the use of web pages, software and content located within www.innovaccer.com including its domain and subdomains and apply generally to any of Innovaccer’s or its affiliates’, subsidiaries’ or joint ventures’ websites (collectively, the "Site").” Therefore, the Terms of Service technically does not apply to the “Test Yourself Goa” app but only to the website and associated websites of Innovaccer Inc. The Privacy Policy spells out a detailed list of data that is collected and whether the company discloses it or sells it. As per what the current provisions stipulate, the company does not sell any data. However, the Privacy Policy, in a clause pertaining to International Visitors, states that “[o]ur Services are hosted in the United States and intended for visitors located within the United States.” It is therefore unclear why this Privacy Policy has been bundled with the “Test Yourself Goa” application.

Government: Greater Chennai Corpn.
Name of the App: GCC – Corona Monitoring (app); Installs: 10,000+
Policy Details: Terms of Service: Yes (within the application); Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS & Network based); Photos/Media/Files; Storage; Camera; Other
Data Collected: (none listed)
Remarks/Concerns: This app is a monitoring app developed by the Greater Chennai Corporation. The app is only accessible for users within Greater Chennai, as users from other locations cannot go beyond the signup page. The Terms of Service (Terms and Conditions) can be viewed upon installation. The terms stipulate that the data collected will be completely deleted in 3 months. However, the privacy policy link (not shown on the signing page) within the Google Play Store page directs the user to the Privacy Policy of the ‘iWasteX’ app of the Madras Waste Exchange, a scheme under the Greater Chennai Corporation.

Government: Haryana
Name of the App: Haryana Sahayak (app); Installs: 100+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS & Network based); Photos/Media/Files; Storage; Other
Data Collected: 1. Mobile Phone Number; 2. Name; 3. Location; 4. Results of Quick health check-up within the app
Remarks/Concerns: The app has been developed by the Electronics & Information Technology department of the Government of Haryana. The app is intended to provide users with information on COVID-19 updates, to let them take health check-ups, and to give information on confirmed cases, COVID-19 hospitals and essential commodities near the location of the user. The app features an in-app health check-up (self-check) facility. Officers from the health department may call up the user based on the result of the health check-up. The app does not show the Terms of Service or the Privacy Policy within the app. The Privacy Policy of the app is hosted on the Haryana Government’s website. The Privacy Policy governing the use of the app states that, while the data collected will be stored in a centralised database in anonymised aggregated datasets for the purpose of management of COVID-19 within the state, “[s]uch personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.” This is problematic, as these provisions are worded vaguely and broadly, and a broad interpretation can fit in almost anyone that the government can share the data with. It is clearly spelled out (Clause 2) in the app that the information provided at the time of registration is intended to be retained as long as the government can. The policy states that this information will be retained as long as the account (of the user) exists. However, there is no option within the application to delete the user’s account. Further, the provision exempts the information collected through the user submissions and makes it unclear what happens to that data. Moreover, the possibility of true anonymisation of personal data is debatable. Hence, this provision may not hold good for the protection of personal data. Therefore, more clarity is required in the provisions of the Privacy Policy.

Government: Himachal Pradesh
Name of the App: Corona Mukt Himachal (app); Installs: 10,000+
Policy Details: Terms of Service: No; Privacy Policy: No; Open Source: No
Permissions: Location (GPS & Network based); Wi-Fi connection information; Other
Data Collected: Unknown
Remarks/Concerns: This app is apparently intended for persons under quarantine, as it won’t allow users not in the quarantine list to register. Neither the Terms of Service nor the Privacy Policy governing the use of the application is found within the app or on the Google Play Store page.

Government: Karnataka
Name of the App: Quarantine Watch (app); Installs: 10,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS & Network based); Phone; Photos/Media/Files; Storage; Camera; Other
Data Collected: Unknown
Remarks/Concerns: This app is apparently intended for persons under quarantine, as it won’t allow users not in the quarantine list to register. Neither the Terms of Service nor the Privacy Policy governing the use of the application is found within the app. The Google Play Store’s link to the Privacy Policy points to the Privacy Policy of the website of the land records department of the Government of Karnataka. The privacy policy appears to cover only that website, though the term “Our Service” is used in a provision. It is not clear how this policy can be made applicable to the Quarantine Watch application.

Government: Karnataka
Name of the App: Corona Watch (app); Installs: 100,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location (approx. & precise); Phone; Photos/Media/Files; Storage; WiFi Connection Information; Device ID & call information; Other
Data Collected: 1. Name; 2. Mobile number; 3. Address; 4. Gender; 5. GPS Location; 6. Log Data; 7. Session Information
Remarks/Concerns: This app, developed by Karnataka Geographic Information System (KGIS), is intended for displaying the location of, and the spots visited by, persons who have been diagnosed with COVID-19 within the state of Karnataka, and also the locations of those in home quarantine. The app opens up a Google Maps frame and marks the location of the infected patients and the spots they have visited. No personal details are explicitly provided by the application. However, the address, specific to the street, is given by the marker. There is also a feature to open the co-ordinates within the app in Google Maps. The app is presumably also used by government officials for data collection. The Terms of Service and Privacy Policy are not accessible within the app. The Terms of Service is not available on the Google Play Store page either. The Privacy Policy linked in Google Play Store redirects to KGIS’s website, where the privacy policy of the app is hosted. The Privacy Policy is the same policy that is used for the KGIS website. It is therefore not clear whether the privacy policy actually applies to the Corona Watch app, as the name of the app is not specifically mentioned in the privacy policy. The privacy policy enumerates the data collected and stipulates that the data will be retained on servers within India. However, it does not mention how long the data will be retained or whether the data collected will be deleted after the pandemic. The application also logs Log Data (error data) and session data through cookies. The relevant provision stipulates that the user can deny cookies; however, no such option is available in the app.

Government: Karnataka
Name of the App: Corona Contact Survey (app); Installs: 1000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location (GPS and network-based); Phone; Photos/Media/Files; Storage; Wi-Fi connection information; Device ID & call information; Other
Data Collected: (none listed)
Remarks/Concerns: This is an app intended only for departmental use. Only the persons whose cellphone numbers are registered with the government can register the app on their phones. The privacy policy used by the Corona Watch app is used to govern the use of this app, as the privacy policy linked in Google Play Store directs to the same.

Government: Kerala
Name of the App: GoK Direct - Kerala (app); Installs: (not stated)
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Photos/Media/Files; Storage; Other
Data Collected: Unknown
Remarks/Concerns: This app has been developed by the Information & Public Relations Department of the Government of Kerala. This application is intended to communicate alerts to the users on COVID-19 updates. The app also enables users to visit the WhatsApp API to get alerts from the World Health Organisation (WHO). The application also features a helpline button which enables users to connect to the Direct Intervention System For Health Awareness (DISHA) operated by the Government of Kerala. There are no Terms of Service accessible within the application. The Privacy Policy is accessible from the application and the app’s Google Play Store page. However, both links point to a privacy policy document hosted on the website of the developer (Qkopy Online Services Pvt Ltd.) which, as per its provisions, pertains to an application called “Qkopy X”, a product of Qkopy. So, essentially, the app does not have an effective privacy policy governing its use.

Government: Madhya Pradesh
Name of the App: MP Covid Response App (app); Installs: 10,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location; Phone; Photos/Media/Files; Storage; Device ID & call information; Other
Data Collected: 1. Name (not mandatory); 2. Phone Number; 3. IMEI; 4. Location of the user; 5. Patient information; 6. Location of recent patients
Remarks/Concerns: This is a monitoring tool, developed by the government of Madhya Pradesh to identify citizens suffering from or susceptible to contracting COVID-19. The app also features a list of public health centres and government guidelines. The application does not show a Terms of Service document or the Privacy Policy within it. The Privacy Policy of the app is linked on the Google Play Store page. The privacy policy of the app, hosted on a sub-domain of the National Health Mission (MP) website, indicates that the app collects information through 3 interfaces: from the citizens, from the hospitals, and from the Government officers. They are used to collect information about patients, location of recent patients, user reports, etc. The privacy policy states that submitting names is not mandatory. However, that does not make much difference, as the phone number, the location and the IMEI number are collected. The privacy policy stipulates that “[n]o personal data (such as name, number, age filled by user while app downloading) of suspected patient will be shared with other users” and that “[o]bjective is to ensure community safety without any personal data breach.” This, however, is not assured with provisions on the kind of data and the duration for which it will be retained, whether it will be anonymised if retained, whether the users will be able to correct incorrect personal data, etc.

Government: Maharashtra
Name of the App: Mahakavach (app); Installs: 10,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Contacts; Photos/Media/Files; Camera; Storage; Location; Phone; Other
Data Collected: 1. Name; 2. Gender; 3. Age; 4. Address
Remarks/Concerns: Mahakavach is a “digital contact tracing app for Covid-19”. The application has been developed by the Maharashtra State Innovation Society, a nodal agency of the government of Maharashtra. The accessibility of this app is limited to either suspected COVID-19 patients or those persons already in quarantine. Therefore, only those users who have been issued an authorisation code can access the application. It has been reported that the government has mandated users to adhere to a system of ‘selfie attendance’ through which the government attempts to photographically track the location of the users. It is also reported that users are required to constantly update their quarantine status and upload their Coronavirus tests to aid the government in tracking their progress. The privacy policy of the app has been generated from the Firebase-based policy generator app. The privacy policy of the app refers to a “Terms and Conditions” which is available in the app. However, we have not been able to verify that this is true, as we could not access the app without an authorisation code. Should an error occur in the app, data such as the device’s IP address, device name, software version and “other statistics”, which has not been defined, are collected and stored via third party products. Additionally, while the policy allows the users to ‘opt-out’ of cookies, we were not able to verify whether this provision has been enabled in the app. Some of the other apps we had analysed did not provide the feature though the privacy policy mentioned it. With respect to accessibility to personal information and sharing of data, the policy states that the use and sharing of data will remain limited to the confines of the policy. This in turn extends to third parties which may be engaged to ‘facilitate the service’, ‘provide the service on behalf of the government’, ‘assist in analysing how the service is used’ and, interestingly so, ‘perform Service-related services.’ Here, access is granted only for tasks assigned to such third parties on behalf of the government. However, these tasks, as aforementioned, lack concrete definition and thus may provide scope for exploitation. As with the other apps based on the same policy, the privacy policy of Mahakavach fails to stipulate provisions on data retention.

Government: Odisha
Name of the App: COPE Odisha (app); Installs: 1,000+
Policy Details: Terms of Service: No; Privacy Policy: Yes; Open Source: No
Permissions: Location; Photos/Media/Files; Storage/Camera; Other
Data Collected: (none listed)
Remarks/Concerns: The app, as per its description, is intended for people under quarantine, citizens and officers. This app has also used the Firebase policy generator for generating the privacy policy. The major difference from the other policies is that the privacy policy of COPE Odisha stipulates that it embeds only Google Play Services as a third party service within the app. The app, when opened, displays the following message: “As per the Government’s mandate, you are required to give permission to the application to access your device location. We request you to cooperate with us in such difficult times. Any violation may amount to actions as per law. Kindly tap on ‘ALLOW’ whenever such permissions are requested.” The above provision is of concern. It is unclear which mandate the message is referring to. It is also unclear which Government agency has developed the application, so as to find the mentioned ‘mandate’. Such a mandate has not been found in the Master Circulars issued by the Health & Family Welfare Department of the Government of Odisha. The app also does not give accessible links to the Terms of Service and the Privacy Policy.

Government: Odisha
Name of the App: COVID-19 Odisha (app); Installs: 1,000+
Policy Details: Terms of Service: Yes (within the app); Privacy Policy: Yes; Open Source: No
Permissions: Location; Photos/Media/Files; Storage; Other
Data Collected: 1. Name (required); 2. Age (required); 3. Gender; 4. District (required); 5. Pin Code; 6. Address (at least one line is required); 7. Any illness experienced by the user; 8. Cellphone number; 9. Password (for account); 10. Device details
Remarks/Concerns: This app, developed by the Odisha government, is stated to be a COVID-19 risk management app. The app is intended only for the residents of Odisha. The app collects personal information during the registration process. During the same, the user has to give his/her consent to the Terms & Conditions of the app. However, the Terms & Conditions is essentially a declaration from the user giving consent to share his/her personal data with the government and also agreeing to monitoring of his/her location. The declaration uses broad terms which take from the user “consent to the usage of all relevant personal data” that has been provided and will be provided from time to time, and the “dynamically tracked location.” The link to the Privacy Policy is provided on the Google Play Store page, which leads to a short policy document in which it is essentially stipulated that the user will be notified of the purpose of collection of data and that it will not be shared with third parties. However, the policy is silent as to data retention, user access to the data collected, and the user’s right to correct incorrect data.
Puducherry
Test Yourself Puducherry (app)
Installs: 10,000+
Terms of Service: Yes
Privacy Policy: Yes
Open Source: No
* Full Network Access

1. Region
2. Language
(The app is intended only for users within Puducherry territories)

Developed by Innovacer Inc. in association with the Government of Puducherry, the Test Yourself Puducherry app is intended for users within Puducherry to “check [their] risk for COVID-19” through informational and educational content in the app.

The app opens by asking the user to accept the Terms of Use and the Privacy Policy of the app. Firstly, the Terms of Use does not explicitly refer to the app by name. The name “Test Yourself Puducherry” does not appear in the Terms of Use, so it has to be inferred.

The Terms of Use explicitly states that the application is not intended for diagnosis or treatment.

The Terms of Use seems comprehensive in covering the usual terms present in software licenses. However, the app itself remaining closed-source is still a concern.

However, clauses in the Privacy Policy are problematic. Firstly, the Privacy Policy document is a general document used for Innovacer’s website, and any of Innovacer’s software, platform or application. Secondly, the Privacy Policy is linked to a different Terms of Use intended only for the website of Innovacer and for any software located within the website. This is different from the app’s Terms of Use.

According to the Privacy Policy, the services are hosted in the United States and intended for visitors located in the United States. The clause titled “International Visitors” indicates that the developers intended US laws to govern data collection. The Privacy Policy is comprehensive in covering different aspects, but it is not made subject to Indian laws. This is a fundamental concern and a major flaw.
Punjab
COVA Punjab (app) (iOS)
Installs: 500,000+
Terms of Service: No
Privacy Policy: Yes
Open Source: No
* Location
* Photos/Media/Files
* Storage
* Camera
* Other

1. Personal demographic
2. Location
3. Device information
4. Usage details
5. User submissions

The Corona Virus Alert (COVA) is an app developed by the Government of Punjab. The app is intended to be an alert system for the users.

However, it is surprising that the app seeks so many permissions when it is only an alert system.

The privacy policy is accessible within the app (when signing in) and from Google Play Store.

Once registered, the user’s account continues even if the app is deleted from the phone. The privacy policy does not mention how much data will be retained after the pandemic or the mode of retention.

It is a matter of concern that an app only intended to provide information and advisories requires permission to access location, photos, media, files and the storage.
Rajasthan
RajCovidInfo (app)
Installs: 1,000+
Terms of Service: Yes (shown within the app during signup)
Privacy Policy: Yes
Open Source: No
* Location
* Photos/Media/Files
* Storage
* Camera
* Other

1. Full Name
2. Mobile Number
3. Address
4. Pin Code
5. Health condition
6. Family member assessment
7. Selfie

This app, developed by the Department of IT & Communication, is meant to provide COVID-19 government guidelines and health advisories.

Though it is stated that the app is used only to issue guidelines and health advisories, the excessive permissions sought by the app are of concern.

The privacy policy linked within the Google Play Store page directs to the Privacy Policy of the website of the Department of IT & Communication. This is a fundamental issue and a flaw common to some of the other COVID-19 centred apps developed by state governments in India.

Additionally, a Terms of Service & Policy is displayed during sign up when the app is first used. The short document recommends setting the user’s location sharing to ‘Always’. The document also requests the user not to switch off the mobile phone, not to disable the Internet connection, to provide location access and to update the app regularly. It is not unreasonable to suspect that this app is also intended to be a monitoring tool.

The app also collects information on the user’s health condition (voluntary) and that of family members (voluntary). The app also has a feature for users to upload their selfies.

This app repeats the failures of similar apps by not mentioning anything about data retention and the future use of collected data, except for the fact that the data won’t be used by persons other than Government officials.
Surat Municipal Corpn.
SMC COVID-19 Tracker (app)
Installs: 50,000+
Terms of Service: No
Privacy Policy: Yes (can be downloaded from within the app)
Open Source: No
* Location
* Phone
* Photos/Media/Files
* Storage
* Camera
* Wi-Fi connection information
* Device ID & call information
* Other

1. Email
2. User account
3. Device information
4. Location (presumably)

This app has been developed by the IT department of the Surat Municipal Corporation to “track people who have abroad or interstate travel history and persons who have come in direct contact with positive COVID-19 individual.”

A summary of what the app does is given in the Google Play Store page of the app. However, the Privacy Policy linked in the Google Play Store directs to the privacy policy of the website of the SMC.

The actual Privacy Policy of the app can be downloaded from within the app. However, the privacy policy has been generated from the above mentioned Firebase app, which uses generic terms and does not mention the policies as to data retention.

Moreover, the privacy policy states that the app may use third party cookies and that the user has the option to refuse cookies, at the cost of not being able to use some portions of the app. However, no such option is visible within the app.

The app, however, can only be used by registering with an official travel id issued to persons who have submitted their travel history details at SMC’s portal.
Tamil Nadu
COVID-19 Quarantine Monitor Tamil Nadu (official) (app)
Installs: 100,000+
Terms of Service: No
Privacy Policy: Yes (but does not apply)
Open Source: No
* Photos/Media/Files
* Camera
* Storage
* Location
* Wi-Fi connection information
* Phone
* Other

Unknown

The app only allows users to register and use the app if their mobile number is listed in the State Quarantine List.

There are no accessible links within the app other than the login form and button.

The privacy policy provided in the Google Play Store page does not cover the app, as it is the privacy policy of the ‘esevai’ (e-Service) portal of the Tamil Nadu government and does not explicitly mention the app at all.
Telangana
T COVID'19 (app)
Installs: 10,000+
End-User License Agreement (EULA): Yes
Privacy Policy: Yes
Terms and Conditions: Yes
Open Source: No
* Calendar
* Location
* Phone
* Photos/Media/Files
* Storage
* Camera
* Microphone
* Wi-Fi connection information
* Device ID & call information
* Other

This app has been developed by the Government of Telangana to “provide citizens with preventive care information and other government advisories”.

However, for an app serving information and advisories, it asks for several permissions, which include monitoring components such as ‘extra location provider commands’, which pertains to the state of location.

The Privacy Policy linked in the Google Play Store page directs to the website of what is presumably the developer of the application, Quantela Inc., a company based in the US.

The app, however, features three documents which must be accepted in order to use the app. The first of the three documents (End-User License Agreement) directs to the Terms and Conditions of an app named ‘Smart City Software Atlantis’, a product of Quantela Inc. The second document (Privacy Policy) directs to a general privacy policy document that applies to all of Quantela Inc’s services. The third document directs to the Terms and Conditions of the website callhealth.com, apparently owned by CallHealth Services Pvt. Ltd., a Hyderabad-based company.

It is unclear from these documents which document applies squarely to the app and which entity is actually behind the development of the app.

Though the Privacy Policy mentioned above is a general document, it could be inferred to be the governing document.
Uttarakhand
Uttarakhand CV 19 Tracking System (app)
Installs: 5,000+
Terms of Service: No
Privacy Policy: Yes
Open Source: No
* Location
* Photos/Media/Files
* Storage
* Camera
* Other

1. Name
2. Gender
3. Father’s/Spouse’s name
4. Phone Number
5. Age
6. Address
7. District
8. Symptoms
9. Duration of symptoms
10. Overseas travel details
11. Health condition
12. Location Co-ordinates
13. Google Map location

This app is designed to collect information from user submissions to determine whether the user has contracted COVID-19 or not. If the user is found to be having issues, the app stipulates that a medical team will come and help the user. This service is restricted to residents of Uttarakhand.

Neither a Terms of Service nor a Privacy Policy document is accessible within the app. The Google Play Store page hosts a link to a privacy policy.

Sadly, it is apparently a policy generated from the Firebase application, which uses generic terms and does not mention the policies as to data retention.
Uttar Pradesh
UP Self-Quarantine App (app)
Installs: 10,000+
Terms of Service: No
Privacy Policy: Yes
Open Source: No
* Location
* Other

1. Name
2. Age
3. Gender
4. Address
5. Mobile Number
6. Password (for the account)

This app is explicitly described as an app for “Corona COVID19 Surveillance”.

This app does not have an accessible Terms of Service or Privacy Policy document.

The privacy policy link in the Google Play Store page directs to the U. P. government’s COVID19 web portal. A policy document is not uploaded there either.
West Bengal
COVID-19 West Bengal Government (app)
Installs: 10,000+
Terms of Service: No
Privacy Policy: No
Open Source: No
* Location
* Phone
* Other

1. Name
2. Mobile
3. Age
4. Gender
5. Address
6. Next of kin details
7. Symptoms (may be submitted only if they are persistent and eligible to be notified)

This application is meant to monitor the user’s location. The user may update his/her symptoms and personal details if he/she wants to.

There is no accessible link to a Terms of Service or Privacy Policy document within the app.

The privacy policy link in the Google Play Store page directs to the website of the Government of West Bengal.