
All Posts | Aug 26, 2020

Roundtable on Encryption, September 3rd, 5:00 PM-6:30 PM

On September 3rd, 2020, Software Freedom Law Centre, India (SFLC.in) organized a multi-stakeholder round-table discussion on the "Individual Liberty vs. National Security" debate, and to address the concerns arising from conflicting encryption regulations across the world through the lens of members of civil society, journalists, technologists and lawmakers.
The report of the round-table is attached to this post as a PDF.


All Posts | Aug 19, 2020

Aarogya Setu is Optional for Air Passengers, Airport Authority Informs Karnataka High Court

SFLC.IN's advisory board member Mr. Anivar A Aravind filed a petition in the Karnataka High Court challenging the voluntary-mandatory nature of Aarogya Setu and the invasion of privacy rights in the absence of a specific legislation governing data collected by it. He is represented by Senior Advocate Mr. Colin Gonsalves, counsels from SFLC.IN, Advocate Clifton D'Rozario and Advocate Ali Zia Kabir in the matter.

The petition was listed for hearing today, i.e. 19.08.2020, before the division bench of Hon'ble Chief Justice Abhay Oka and Justice Ashok K. Kinagi.

In today's hearing, Senior Advocate Colin Gonsalves brought to the notice of the Bench that the Government, despite having placed on record on 12.08.2020 that Aarogya Setu is not mandatory in nature, has repeatedly shifted its stance on it. He also pointed out that this is a substantial departure from the voluntary nature of Aarogya Setu. He highlighted that Aarogya Setu is still mandatory for incoming international passengers in Karnataka, and that the Department of Personnel and Training has also made it mandatory for its employees. He also brought the Justice Puttaswamy (II) judgment to the Bench's notice, which states that in the absence of a specific legislation, citizens' data cannot be collected irrespective of the voluntary nature of the scheme. The counsel for Bangalore Metro Rail Corporation Ltd. (BMRCL) contended that BMRCL has not commenced its operations yet and that the draft Standard Operating Procedure (SoP) by the Ministry of Housing and Urban Affairs states that Aarogya Setu has to be installed by all commuters.

The Airport Authority of India also clarified that state-wise quarantine guidelines have been revised on 03.08.2020 and have now made Aarogya Setu voluntary for air passengers.

The Bench has directed the parties to clarify their stance on Aarogya Setu on 03.09.2020. It has also taken the Airport Authority of India’s revised quarantine guidelines on record.


All Posts | Jul 30, 2020

Letter to Rajasthan Government Against Mandating Aadhaar For COVID-19 Testing

It was brought to our notice that Rajasthan's Ministry of Medical, Health and Family Welfare, vide its guidelines dated 25.07.2020, has made it mandatory to add a person's Aadhaar details in the RT-PCR application during sample collection for COVID-19.

This decision by the Government of Rajasthan is in violation of the judgment of the Supreme Court in Justice Puttaswamy v. Union of India (2019 (1) SCC 1), wherein it was held that Aadhaar is mandatory only for:

a) filing Income Tax returns; and
b) availing government subsidies charged upon the Consolidated Fund of India.

This step by the Government of Rajasthan is in violation of the Puttaswamy judgment, and will exclude people who do not have Aadhaar cards. 

Any step taken by the Government(s) must be constitutionally tenable and in consonance with the law of the land. Through these letters to the Chief Minister of Rajasthan, the Minister of Health, and the Principal Secretary of Health, we have urged them to withdraw the mandatory requirement of Aadhaar in the RT-PCR mobile app when samples for COVID-19 tests are collected.


All Posts | Jul 17, 2020

Karnataka High Court Allows Amendment of Petition in Aarogya Setu Case: Update on Petition Challenging Aarogya Setu's Voluntary-Mandatory Status and Lack of A Specific Legislation

SFLC.IN's advisory board member Mr. Anivar A Aravind filed a petition in the Karnataka High Court challenging the mandatory nature of Aarogya Setu and the invasion of privacy rights in the absence of a specific legislation governing data collected by it. SFLC.IN's team has been assisting Senior Advocate Mr. Colin Gonsalves, Advocate Siddharth Baburao and Advocate Ali Zia Kabir in the matter.

The petition was listed for hearing today, i.e. 17.07.2020, before the division bench of Hon'ble Chief Justice Abhay Oka and Justice M. Nagaprasanna. Before this, the Central Government had stated on record that Aarogya Setu is not mandatory for air or rail services.

In today's hearing, arguments were made by Senior Advocate Mr. Colin Gonsalves regarding the admissibility of the application for amendments to the petition and the impleadment of the Ministry of Health and Family Welfare and Bangalore Metro Rail Corporation as respondent parties. Recently, the Bangalore Metro Rail Corporation had made it mandatory for commuters to install Aarogya Setu, and the Ministry of Health and Family Welfare had released an SoP making Aarogya Setu mandatory for employees in all offices.

The amendments to the petition included the recent updates in the Aarogya Setu App which allow sharing of user data with third parties, deletion of the user's account within 30 days, and display of the health status of persons with whom the user came in contact. The amendment also raised the point that Aarogya Setu's Android source code is only partially open source and its iOS source code is yet to be released in the public domain.

The Karnataka High Court has allowed amendments to the petition and has given time until August 14 to the respondents to file their responses and objections.


All Posts | Jun 05, 2020

Petition Challenging the de-facto Imposition of Aarogya Setu in Karnataka High Court


Submissions filed in the petition (PDF): https://alpha.sflc.in/wp-content/uploads/2020/11/20200604-submissions.pdf

All Posts | May 26, 2020

Our Analysis of ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’

The Ministry of Electronics and Information Technology (MeitY) released ‘The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’ on May 11, 2020. We at SFLC.IN welcome this step of the Government and express gratitude for its considering the concerns raised by digital rights organisations, individuals, lawyers, public policy professionals and technologists.

In this Protocol, the Government has clarified that the Ministry of Electronics and Information Technology (MeitY) is the agency responsible for the implementation of this Protocol. The National Informatics Center will be the body responsible for collection, processing and managing response data collected by the Aarogya Setu application.

We appreciate that the Protocol has an option for the user to request deletion of their data, and permanent deletion of all data once the Protocol lapses. The Protocol has also followed the principles of data proportionality, necessity and limitation. Principles of data sharing have been included, and the obligations of entities with whom response data is shared have been chalked out as well. Through this Statement, we would like to throw light on our concerns with the Protocol:

1. Sunset Clause of the Protocol: The Protocol has a sunset clause of 6 months from the date of its notification, or earlier as deemed fit by the Empowered Group on Technology. After completion of 6 months, it will be reviewed by the Empowered Group. It is nowhere mentioned that the sunset clause is also applicable to ‘Aarogya Setu’, indicating that ‘Aarogya Setu’ might outlive the Protocol.

It is also unclear how, in the absence of the Protocol, ‘Aarogya Setu’ will be deemed legally valid, considering that it derives its statutory validity through the National Disaster Management Act, 2005.

2. Clarity on Data Retention: Aarogya Setu’s privacy policy specifies that the personal information of users who have tested positive for COVID-19 will be collected and stored on Government servers for a period of 60 days after such users have been declared cured of COVID-19. However, the Protocol states that the contact, location and self-assessment data of an individual will not be retained beyond 180 days. There is no clarity or harmonisation between the privacy policy and the Protocol.

Moreover, the Protocol goes on to state that in case a specific recommendation is made in the review in this regard, the 180-day period may be modified. However, it is not clear on what grounds deviation from the 180-day period will be allowed, or whether users or data subjects will be asked for consent to retain their data beyond 180 days.

3. “Appropriate Health Responses” too broad a phrase: The Protocol states that the National Informatics Center (NIC) “shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses.” The phrase “appropriate health response” is too broad and has not been specified anywhere in the Protocol. This again, goes against the principle of data proportionality and purpose limitation.

4. Deletion of Demographic Data on User’s Request: The Protocol allows a user to delete their demographic data before the stipulated 180-day period. This is a commendable step which was long demanded. However, the Protocol fails to specify the procedure through which a user can make such a request.

Also, deletion is restricted to demographic data only. The Protocol is silent on what will happen to contact data, self-assessment data and location data. Why have users not been given an option to delete contact data, self-assessment data and location data, if such data will in any case be deleted within 180 days?

5. Maintenance of List of Agencies with whom data will be shared: The Protocol states that “NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared. Such documentation shall include the time at which such data sharing was initiated, the persons or agencies who are being provided access to such data, the categories of data that are being shared and the purpose for which such data is being shared.”

The phrasing of this provision is interesting as it gives leeway to National Informatics Centre (NIC) to exclude certain agencies from the list and massively undermines the transparency principle.

6. Sharing of Response Data with Third Parties: The Ministry or Department of Government of India or State/Union Territory Government/ local government, NDMA, SDMA or public health institution of the Government of India/State Governments/ local governments will be held responsible for adherence to this Protocol by any other entity with whom such information has been shared.

However, it is not clear whether, in case of a breach, the third party will be held liable. The Protocol is silent on the liability of such third parties in case of a breach or unauthorised use of response data.

7. Closed Source App: Time and again it has been demanded that the App should be made open source in consonance with Government’s Policy on Adoption of Open Source Software. However, the Protocol has not addressed it. Making the source code available enhances transparency and improves security as the source code is open to community audit.

8. Sharing of de-identified data: The Protocol allows sharing of response data in de-identified form with Ministries or Departments of the Government of India or the State/Union Territory Governments, local governments, NDMA, SDMAs etc. It states that “de-identified form means data which has been stripped of personally identifiable data to prevent the individual from being personally identified through such data and assigned a randomly generated ID”.

It fails to specify if the randomly generated ID will be static or dynamic. In case of a static ID, the de-identified information can be linked back to the personal information. The government should instead use a dynamic ID to minimise risks. 

We also did a technical analysis of Aarogya Setu which can be found here. We also wrote to Minister of Railways, Minister of Civil Aviation, and Managing Director, Noida Metro Rail Corporation to consider the installation of Aarogya Setu on voluntary basis in consonance with the Ministry of Home Affairs guidelines dated 17.05.2020.

All Posts | May 02, 2020

Our Statement on Aarogya Setu App being mandatory for all employees & in containment zones

India is the only democratic country that has mandated the use of a contact tracing app for its citizens. The mandatory use of such an app will further exclude sections of the population which have already been digitally excluded. The Government has gone back on its earlier promise that the Aarogya Setu app would be voluntary. There is no reason for India, which is similarly placed to other countries, to do things in a way that affects the rights of citizens.

It is imperative for an app that collects data of all citizens to be open source as this allows for its code to be audited by the developer community and security experts. The app has already been found to be vulnerable and such an app cannot be forced on the citizens risking their data and security.

Most countries have opted for a data minimalistic and decentralised approach, whereas Aarogya Setu app goes against these accepted principles.

By mandating all employers to ensure the adoption of the app by their employees, the Government has made a mockery of the consent principle as the terms and the privacy policy of the app are now enforced on the people and they do not have any choice. This raises concerns about the pandemic phase being replaced by a situation where the people are made vulnerable to threats because of the leakage of their data.

All Posts | Apr 20, 2020

Our Analysis of the Indian COVID-19 Apps

The Central Government recently launched the Aarogya Setu app, a surveillance application developed for tracing users who might have come within the proximity of people who have tested positive for COVID-19. In addition to this Central Government developed app, there are other active applications that have been developed by various State Governments and local authorities pertaining to personal and other data collection, and monitoring in relation to the COVID-19 pandemic.

While we applaud the efforts taken by each State/UT government and the Central Government in combating this deadly disease, we are also concerned with the arbitrary use of state power in different situations in conducting excessive collection and processing, and unauthorised sharing of personal data, unbridled surveillance and tracing of people during this pandemic spread in India. Earlier, we had joined hands with different organisations and concerned citizens in sending a joint letter expressing our concerns regarding the collection and processing of personal data during this time to various heads of the Central & State Governments. You can read the letter here.

We had done an analysis of the Terms of Service and Privacy Policy of the app and had expressed our concerns over the same. You can read about them here. Apart from the Aarogya Setu app, we have also analysed the policy documents of the different State/UT applications. While the applications have been developed independently by each government, we have observed some questionable trends, practices and policy provisions pertaining to the apps. The comparative analysis can be found in tabular form hereunder. The observations are summarised as follows:

  1. Absence of Terms of Service/Privacy Policy: It is shocking to see the absence of Terms of Service or a Privacy Policy that binds the developer/publisher of the app and its end user. In the case of entities who are Internet intermediaries, Rule 3 of the Information Technology (Intermediaries Guidelines) Rules, 2011 mandates that an intermediary shall publish within the platform the terms of use, rules and regulations, and privacy policy pertaining to the platform operated by the intermediary. In comparison, some COVID-19 based applications do not even have Terms of Service accessible to the users, though personal data is collected. In some cases, the link provided to the Privacy Policy redirects to the policy of the website of the developer, which may be a private entity to whom the development of the app was outsourced by the government concerned. This is a shocking practice, as the absence of the policy documents attempts to drive away any liability of the government concerned if there is any misuse of the data collected. The app's terms are then governed by the laws of the country where the developer runs its primary business. Some applications are covered by the terms of the website of the private entity that developed the app for the government concerned, rather than by specific terms and conditions covering the use of the app.
  2. Unspecific Terms and Policies: While some of the apps that we looked into have privacy policies in place, they are not specific with regard to the app that the policy covers. Some of the applications have privacy policies generated from a Firebase application that generates privacy policies from a generator which is hosted here. This practice in itself is not condemnable. However, these policies lack clauses that cover important aspects such as data retention and purpose limitation for the processing of the data collected. In addition, the terms try to avoid liability to the maximum extent possible, even in cases of data leaks and harms caused.
  3. Closed Source: We had mentioned this issue in our analysis of the Aarogya Setu app. Not every state in India has an open source software policy in place. However, it is important for the State to make the source code of the software that it develops open source when it is aimed at citizen welfare and when it purports to handle health and travel information pertaining to citizens. This increases the trust of the citizens in the software and increases its usage. Moreover, open source software security is further strengthened when there exists the possibility of community audit by independent security researchers and developers.
  4. Excessive Permissions: The Indian COVID-19 apps also implement the surveillance feature of excessive permissions for accessing and controlling various elements of the smartphone on which the app is installed. Excessive permissions are required by applications that undertake tracing and surveillance by capturing information from different internal broadcasts from components of the device. In some cases, apps which are only informative and intended to issue advisories have sought permissions for location, photos, storage and camera.

Comparative Table of Observations of the Various COVID-19 Apps in India

GovernmentName of the App (link)Policy DetailsTerms/Privacy/FOSSPermissionsData CollectedRemarks/Concerns
Central GovernmentCOVID19 Feedback (app) Installs: 100,000+Terms of Service: No Privacy Policy: Yes Open Source: NoContactsPhotos/Media/ FilesWi-Fi Connection InfoIdentityStorageOthers1. User’s full name2. Phone number3. Email4. Office address5. Residence addressesThere is no accessible policy document within the app. This app is intended to take feedback from people who have taken a COVID-19 test as to the quality of the test.There is no Terms of Service covering the application.According to the privacy policy it is only applicable to the “website” (which is unclear). It has to be inferred that the privacy policy only covers the parent website (ncog.gov.in; which did not load) rather than the application.The privacy policy is short and does not mention the purpose for which the data collected will be used. It does not mention anything about data retention and where will the data be stored.
Arunachal PradeshCOVID CARE (app) Installs: 1000+Terms of Service: No Privacy Policy: No Open Source: No* Location* Phone* Photos/Media/Files* Storage* OtherNot knownThis app has been developed by a private company named Atsuya Technologies Pvt. Ltd. The app’s Google Play Store description says that it offers “Quarantine & Contact Health Tracing for Covid Suspects in Arunachal Pradesh”. It is a big concern that a surveillance tool is being operated without any terms of service or privacy policy. Even the website of the developer does not have a privacy policy or terms of service.The app can be used only by people who are in the Quarantine List. A message which says “This mobile number is not in Quarantine List” appeared when one of our associates tried registering an account in the app.The app’s interface has the Arunachal Pradesh Emblem and a web portal has reported that the App was developed by the Govt. of Arunachal Pradesh.
Bhopal Municipal Corpn.(in partnership with an unknown pvt. entity) Niramaya App (app) Installs: 1000+Terms of ServiceYes Privacy Policy: Yes Open Source: No* Location (GPS & Network based) * Others 1. Home Location2. GPS Information3. Mobile Number4. Full name5. Age6. Gender7. Home Address8. Cookies and Usage data9. Device details10. Browser broadcastsThis app is intended for users to request a Corona test indicating the symptom(s) they are experiencing or if they have been in contact with anyone tested postive or if they have travelled internationally.The terms of service and the privacy policy are not visible/accessible within the app. They can be accessed by visiting the app’s website.It is not clear as to who has developed the Niramaya app. The private entity’s identity is unknown. It has been indicated neither in the website nor the app.The terms of service ascribes very limited liability to the developers even if correct information is provided. Also, it seems to absolve the developer from liability even in case of data leaks. The terms state that “[t]his includes but is not limited to the loss of data or loss of profit, even if NIRAMAYA was advised of the possibility of such damages.”The NIRAMAYA app, in its Terms of Service has a problematic clause which states:“Any material, information, or idea submitted or posted on this Web site/Mobile App will be considered non-confidential and non-proprietary. NIRAMAYA may share or otherwise use your submission for any purpose whatsoever. If any of the information submitted constitutes personal data, you agree that NIRAMAYA may transmit such personal data across national and international boundaries for any business purpose.This is a problematic clause giving a blanket permission to the app publisher in using the data.Moreover, the policy documents use generic clauses which might suggest that the policy documents were ripped off from a template. 
This was confirmed to be true, as we found similarly worded provisions in the privacy policies of some websites with that of the Niramaya app’s privacy policy.
ChhattisgarhCG Covid-19 ePass (app) Installs: 50,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Photos/Media/Files* Storage* Camera* Other1. Name2. Travel Plans3. Vehicle Number4. Aadhaar/PAN Card5. Photo6. Address7. Cellphone numberAs per the app’s description, “[t]he Government of Chhattisgarh has launched this app to issue State-wide and Intra-district e-Pass for vehicular movement during the lock-down period...”Only the privacy policy of the app is visible inside the application.The application has been developed by ASC AllSoft IT Consulting Pvt. Ltd. a Raipur based company.The privacy policy of the application specifically addresses the governance of the application, though it is hosted on the AllSoft’s website. However, the privacy policy has been generated from the above mentioned Firebase app which uses generic terms and does not mention the policies as to data retention.Moreover, the privacy policy states that the app may use third party cookies and the user has the option to refuse cookies trading off the ability to use some portions of the app. However, no such option is visible within the app.
ChhattisgarhKavach (app) Installs: 50,000+Terms of Service: No Privacy Policy: Yes Open Source: No* Location (GPS & Network based)* Photos/Media/Files* Storage* Other1. Personal demographic2. Location3. IP addresses4. Device details5. Personal InformationThis app “developed by Government of Chhattisgarh to provide preventive care information and other government advisories.” The app does not offer a Terms of Service document for the users.The Privacy Policy document is accessible within the application (not uploaded in Play Store).As per the Privacy Policy personal information will be shared only with Service Providers. Info such as IP addresses, domain name, browser type, Operating Sytem, Date and time of the visit, pages visited, IMEI/MSI number, device ID, location information, language settings, handset make and model will be collected but will not be linked with the true identity of individuals visiting the KAVACH app.Once registered, the user’s account continues even if the app is deleted or from the phone. The privacy policy does not provide for how much data will be retained after the pandemic or the mode of retention.It is a matter of concern that an app only intended to provide information and advisories require permission to access location, photos, media, files and the storage.
Faridabad Administration: Jan-Sahayak (app)
Installs: 1,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location (GPS & network based); Phone; Other
Data collected: Domain name of the ISP; IP address; browser and OS information; presumably any information submitted through the app
Analysis: This app, currently live in Faridabad and Panipat, has been developed by a private firm (OfBusiness) for the District Administration of Faridabad to help citizens during the COVID-19 crisis by relaying requests from the user to the administration’s personnel. When the user first registers, a message states that by signing in the user agrees to the Terms of Use and Privacy Policy, but the login page carries no links to either document, and they are not viewable after registration either. The app thus operates without a Terms of Service document. The Privacy Policy is accessible on the application’s website, but it is written to cover the use of the website rather than the application. A simple search-engine query for its text shows that the Privacy Policy was generated or copied from a template: the same text appears in the privacy policies of other websites.

Goa: Covid Locator (app)
Installs: 5,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location (GPS & network based); Phone; Device ID & call information; Other
Data collected: Name; gender; home address; cellphone number
Analysis: This is a tracing and surveillance app developed by the Government of Goa. Its stated purpose is “to help authorities to better locate patients who are under home quarantine.” The app aggregates information from various sources (including covid19india.org/) and makes it accessible within the app. It features a tracking service for people under quarantine; tracking is enabled only when the user consents by giving a “missed” call to a number communicated through SMS. There are no Terms of Service, and the privacy policy has to be accessed through the app’s Google Play Store page. The Privacy Policy is easily recognised as built from the Firebase-hosted generator template: a generic document with boilerplate clauses that does not say how much of the collected data will be retained or for how long.

Goa (in co-operation with Innovaccer Inc.): Test Yourself Goa (app)
Installs: 50,000+ | Terms of Service: Yes | Privacy Policy: Yes | Open Source: No
Permissions: Other (full network access)
Data collected: Name; gender; home address; mobile number; location (upon consent); any other information submitted through the application
Analysis: The app is aimed at assisting users with COVID-19 testing by checking the user’s risk for the disease. The app does not have a specific privacy policy; its Google Play Store page directs the user to the privacy policy on the developer’s website. That Privacy Policy states: “This Privacy Policy explains how we collect, use, and share information collected from including its domain and subdomains as well as any software, platform, or application owned or licensed by Innovaccer (collectively, the "Services").” The Privacy Policy goes on to say that it is incorporated into the Terms of Service. However, the Terms of Service linked within the Privacy Policy govern “the use of web pages, software and content located within www.innovaccer.com including its domain and subdomains and apply generally to any of Innovaccer’s or its affiliates’, subsidiaries’ or joint ventures’ websites (collectively, the "Site").” Technically, therefore, the Terms of Service do not apply to the “Test Yourself Goa” app but only to Innovaccer’s website and associated websites. The Privacy Policy spells out a detailed list of the data collected and whether the company discloses or sells it; under its current provisions, the company does not sell any data. However, in a clause on International Visitors the Privacy Policy states that “[o]ur Services are hosted in the United States and intended for visitors located within the United States.” It is therefore unclear why this Privacy Policy has been bundled with the “Test Yourself Goa” application.

Greater Chennai Corporation: GCC – Corona Monitoring (app)
Installs: 10,000+ | Terms of Service: Yes (within the application) | Privacy Policy: Yes | Open Source: No
Permissions: Location (GPS & network based); Photos/Media/Files; Storage; Camera; Other
Analysis: This is a monitoring app developed by the Greater Chennai Corporation. It is usable only within Greater Chennai: users in other locations cannot get past the signup page. The Terms of Service (Terms and Conditions) can be viewed upon installation and stipulate that the data collected will be completely deleted in three months. However, the privacy policy, which is not shown on the signup page, is linked only from the Google Play Store page, and that link leads to the Privacy Policy of the “iWasteX” app of the Madras Waste Exchange, a scheme under the Greater Chennai Corporation.

Haryana: Haryana Sahayak (app)
Installs: 100+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location (GPS & network based); Photos/Media/Files; Storage; Other
Data collected: Mobile phone number; name; location; results of the in-app quick health check-up
Analysis: The app has been developed by the Electronics & Information Technology department of the Government of Haryana. It is intended to provide users with COVID-19 updates, health check-ups, and information on confirmed cases, COVID-19 hospitals and essential commodities near the user’s location. The app features an in-app health check-up (self-check) facility; officers from the health department may call the user depending on the result. Neither the Terms of Service nor the Privacy Policy is shown within the app. The Privacy Policy is hosted on the Haryana Government’s website. It states that the data collected will be stored in a centralised database in anonymised, aggregated datasets for the purpose of managing COVID-19 within the state, but also that “[s]uch personal information may also be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.” This is problematic: the provision is worded so vaguely and broadly that almost anyone could qualify as a person with whom the government may share the data. Clause 2 of the policy spells out that the information provided at registration will be retained as long as the user’s account exists; since the application offers no option to delete the account, this amounts to retention for as long as the government chooses. The provision also exempts information collected through user submissions, leaving it unclear what happens to that data. Moreover, whether personal data can be truly anonymised is debatable, so the anonymisation provision may not be an adequate safeguard for personal data. More clarity is required in the provisions of the Privacy Policy.

Himachal Pradesh: Corona Mukt Himachal (app)
Installs: 10,000+ | Terms of Service: No | Privacy Policy: No | Open Source: No
Permissions: Location (GPS & network based); Wi-Fi connection information; Other
Data collected: Unknown
Analysis: This app is apparently intended for persons under quarantine, as it does not allow users who are not on the quarantine list to register. Neither the Terms of Service nor the Privacy Policy governing the use of the application is found within the app or on its Google Play Store page.

Karnataka: Quarantine Watch (app)
Installs: 10,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location (GPS & network based); Phone; Photos/Media/Files; Storage; Camera; Other
Data collected: Unknown
Analysis: This app is apparently intended for persons under quarantine, as it does not allow users who are not on the quarantine list to register. Neither the Terms of Service nor the Privacy Policy governing the use of the application is found within the app. The Google Play Store’s Privacy Policy link points to the privacy policy of the website of the land records department of the Government of Karnataka. That policy appears to cover only that website, although the phrase “Our Service” is used in one provision. It is not clear how this policy can be made applicable to the Quarantine Watch application.

Karnataka: Corona Watch (app)
Installs: 100,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location (approx. & precise); Phone; Photos/Media/Files; Storage; Wi-Fi connection information; Device ID & call information; Other
Data collected: Name; mobile number; address; gender; GPS location; log data; session information
Analysis: This app, developed by Karnataka Geographic Information System (KGIS), displays the locations of, and spots visited by, persons diagnosed with COVID-19 within Karnataka, as well as the locations of those under home quarantine. It opens a Google Maps frame and marks the locations of infected patients and the spots they have visited. No personal details are explicitly provided by the application; however, the marker gives the address down to the street, and the co-ordinates can be opened from within the app in Google Maps. The app is presumably also used by government officials for data collection. The Terms of Service and Privacy Policy are not accessible within the app, and no Terms of Service is available on the Google Play Store page either. The Privacy Policy linked from Google Play redirects to KGIS’s website, where the same policy is used for the KGIS website itself. As the app is not named in the policy, it is not clear whether the policy actually applies to Corona Watch. The policy enumerates the data collected and stipulates that the data will be retained on servers within India, but not for how long, or whether the data will be deleted after the pandemic. The application also records log data (error data) and session data through cookies; the relevant provision says the user can deny cookies, but no such option is available in the app.

Karnataka: Corona Contact Survey (app)
Installs: 1,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location (GPS & network based); Phone; Photos/Media/Files; Storage; Wi-Fi connection information; Device ID & call information; Other
Analysis: This app is intended only for departmental use: only persons whose cellphone numbers are registered with the government can register the app on their phones. The privacy policy linked from the Google Play Store page is the same one used by the Corona Watch app.

Kerala: GoK Direct - Kerala (app)
Installs: (not given) | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Photos/Media/Files; Storage; Other
Data collected: Unknown
Analysis: This app has been developed by the Information & Public Relations Department of the Government of Kerala to push COVID-19 alerts and updates to users. It also lets users open the WhatsApp API link for alerts from the World Health Organisation (WHO), and features a helpline button that connects users to the Direct Intervention System For Health Awareness (DISHA) operated by the Government of Kerala. There are no Terms of Service accessible within the application. The Privacy Policy is linked from both the application and its Google Play Store page, but both links point to a policy document hosted on the website of the developer (Qkopy Online Services Pvt Ltd.) whose provisions pertain to an application called “Qkopy X”, a product of Qkopy. Essentially, therefore, the app has no effective privacy policy governing its use.

Madhya Pradesh: MP Covid Response App (app)
Installs: 10,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location; Phone; Photos/Media/Files; Storage; Device ID & call information; Other
Data collected: Name (not mandatory); phone number; IMEI; location of the user; patient information; location of recent patients
Analysis: This is a monitoring tool developed by the Government of Madhya Pradesh to identify citizens suffering from, or susceptible to contracting, COVID-19. It also lists public health centres and government guidelines. Neither a Terms of Service document nor the Privacy Policy is shown within the application; the Privacy Policy is linked from the Google Play Store page and hosted on a sub-domain of the National Health Mission (MP) website. It indicates that the app collects information through three interfaces: from citizens, from hospitals, and from government officers. These are used to collect information about patients, the locations of recent patients, user reports, and so on. The policy states that submitting a name is not mandatory, but that makes little difference, since the phone number, location and IMEI are collected. The policy stipulates that “[n]o personal data (such as name, number, age filled by user while app downloading) of suspected patient will be shared with other users” and that the “[o]bjective is to ensure community safety without any personal data breach.” This is not assured, however, by any provision on the kinds of data retained, the duration of retention, whether retained data will be anonymised, or whether users will be able to correct inaccurate personal data.

Maharashtra: Mahakavach (app)
Installs: 10,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Contacts; Photos/Media/Files; Camera; Storage; Location; Phone; Other
Data collected: Name; gender; age; address
Analysis: Mahakavach is a “digital contact tracing app for Covid-19” developed by the Maharashtra State Innovation Society, a nodal agency of the Government of Maharashtra. Access is limited to suspected COVID-19 patients and persons already in quarantine: only users who have been issued an authorisation code can use the application. It has been reported that the government has mandated a system of “selfie attendance” through which it attempts to photographically track the location of users, and that users are also required to constantly update their quarantine status and upload their coronavirus test results so that the government can track their progress. The privacy policy has been generated with the Firebase-hosted policy generator. It refers to “Terms and Conditions” said to be available in the app; we have not been able to verify this, as we could not access the app without an authorisation code. Should an error occur in the app, data such as the device’s IP address, device name, software version and undefined “other statistics” are collected and stored via third-party products. While the policy allows users to opt out of cookies, we were not able to verify whether this option has been enabled in the app; some of the other apps we analysed did not provide the feature even though their privacy policy mentioned it. On access to and sharing of personal information, the policy states that use and sharing will remain within the confines of the policy. That in turn extends to third parties which may be engaged to “facilitate the service”, “provide the service on behalf of the government”, “assist in analysing how the service is used” and, interestingly, “perform Service-related services.” Such third parties are granted access only for the tasks assigned to them on behalf of the government, but since those tasks lack concrete definition, the provision may provide scope for exploitation. As with the other apps based on the same template, the privacy policy of Mahakavach fails to make any provision for data retention.

Odisha: COPE Odisha (app)
Installs: 1,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location; Photos/Media/Files; Storage/Camera; Other
Analysis: The app, as per its description, is intended for people under quarantine, citizens and officers. Its privacy policy has also been generated with the Firebase-hosted policy generator; the main difference from the other policies is that COPE Odisha’s stipulates that the app embeds only Google Play Services as a third-party service. When opened, the app displays the following message: “As per the Government’s mandate, you are required to give permission to the application to access your device location. We request you to cooperate with us in such difficult times. Any violation may amount to actions as per law. Kindly tap on ‘ALLOW’ whenever such permissions are requested.” This is of concern. It is unclear which mandate the message refers to, and which government agency developed the application, so the “mandate” cannot be traced; no such mandate has been found in the Master Circulars issued by the Health & Family Welfare Department of the Government of Odisha. The app also does not give accessible links to the Terms of Service or the Privacy Policy.

Odisha: COVID-19 Odisha (app)
Installs: 1,000+ | Terms of Service: Yes (within the app) | Privacy Policy: Yes | Open Source: No
Permissions: Location; Photos/Media/Files; Storage; Other
Data collected: Name (required); age (required); gender; district (required); PIN code; address (at least one line required); any illness experienced by the user; cellphone number; password (for the account); device details
Analysis: This app, developed by the Odisha government, is described as a COVID-19 risk management app intended only for residents of Odisha. It collects personal information during registration, at which point the user must consent to the app’s Terms & Conditions. Those Terms & Conditions are essentially a declaration by the user consenting to share his or her personal data with the government and to monitoring of his or her location. The declaration uses broad terms, taking from the user “consent to the usage of all relevant personal data” provided now and from time to time, and of the “dynamically tracked location”. The Privacy Policy is linked from the Google Play Store page and is a short document stating essentially that the user will be notified of the purpose of data collection and that the data will not be shared with third parties. It is silent on data retention, on user access to the data collected, and on the user’s right to correct inaccurate data.

Puducherry: Test Yourself Puducherry (app)
Installs: 10,000+ | Terms of Service: Yes | Privacy Policy: Yes | Open Source: No
Permissions: Full network access
Data collected: Region; language (the app is intended only for users within the Puducherry territories)
Analysis: Developed by Innovaccer Inc. in association with the Government of Puducherry, the app is intended for users within Puducherry to “check [their] risk for COVID-19” through informational and educational content. It opens by seeking acceptance of its Terms of Use and Privacy Policy. The Terms of Use do not refer to the app by name; “Test Yourself Puducherry” appears nowhere in them, so their applicability has to be inferred. The Terms of Use explicitly state that the application is not intended for diagnosis or treatment, and seem comprehensive in covering the usual terms found in software licences, though the app remaining closed-source is still a concern. The Privacy Policy, however, is problematic. Firstly, it is the general document used for Innovaccer’s website and for any of Innovaccer’s software, platforms or applications. Secondly, it is linked to a different Terms of Use intended only for Innovaccer’s website and any software located within it, not the app’s own Terms of Use. According to the Privacy Policy, the services are hosted in the United States and intended for visitors located in the United States; the clause titled “International Visitors” indicates that the developers intended US law to govern data collection. The Privacy Policy covers many aspects comprehensively, but it is not made subject to Indian law. This is a fundamental concern and a major flaw.

Punjab: COVA Punjab (app) (iOS)
Installs: 500,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location; Photos/Media/Files; Storage; Camera; Other
Data collected: Personal demographics; location; device information; usage details; user submissions
Analysis: Corona Virus Alert (COVA) is an app developed by the Government of Punjab, intended as an alert system for users. It is surprising how many permissions the app seeks for what is only an alert system. The privacy policy is accessible within the app (when signing in) and from the Google Play Store. Once registered, the user’s account persists even if the app is deleted from the phone. The privacy policy does not say how long data will be retained after the pandemic or how it will be retained. It is a matter of concern that an app intended only to provide information and advisories requires permission to access location, photos, media, files and storage.

Rajasthan: RajCovidInfo (app)
Installs: 1,000+ | Terms of Service: Yes (shown within the app during signup) | Privacy Policy: Yes | Open Source: No
Permissions: Location; Photos/Media/Files; Storage; Camera; Other
Data collected: Full name; mobile number; address; PIN code; health condition; family member assessment; selfie
Analysis: This app, developed by the Department of IT & Communication, provides COVID-19 government guidelines and health advisories. Although it is stated that the app is used only to issue guidelines and advisories, the excessive permissions it seeks are of concern. The privacy policy linked from the Google Play Store page is the Privacy Policy of the website of the Department of IT & Communication, a fundamental flaw shared with several other COVID-19 apps developed by state governments in India. Additionally, a Terms of Service & Policy is displayed during signup when the app is first used. This short document recommends setting location sharing to “Always”, and asks the user not to switch off the phone, not to disable the Internet connection, to provide location access, and to update the app regularly. It is not unreasonable to suspect that this app is also intended as a monitoring tool. The app also collects information on the user’s health condition (voluntary) and that of family members (voluntary), and lets users upload selfies. It repeats the failures of similar apps by saying nothing about data retention or the future use of the collected data, beyond stating that the data will not be used by persons other than government officials.

Surat Municipal Corporation: SMC COVID-19 Tracker (app)
Installs: 50,000+ | Terms of Service: No | Privacy Policy: Yes (can be downloaded from within the app) | Open Source: No
Permissions: Location; Phone; Photos/Media/Files; Storage; Camera; Wi-Fi connection information; Device ID & call information; Other
Data collected: Email; user account; device information; location (presumably)
Analysis: This app has been developed by the IT department of the Surat Municipal Corporation to “track people who have abroad or interstate travel history and persons who have come in direct contact with positive COVID-19 individual.” A summary of what the app does is given on its Google Play Store page; however, the Privacy Policy linked there is the privacy policy of the SMC website. The app’s actual Privacy Policy can be downloaded from within the app. It has been generated with the Firebase-hosted policy generator mentioned above, which uses generic terms and says nothing about data retention. The policy also states that the app may use third-party cookies and that the user may refuse cookies at the cost of some portions of the app; no such option is visible within the app. The app can only be used by registering with an official travel ID issued to persons who have submitted their travel history details on SMC’s portal.

Tamil Nadu: COVID-19 Quarantine Monitor Tamil Nadu (official) (app)
Installs: 100,000+ | Terms of Service: No | Privacy Policy: Yes (but does not apply) | Open Source: No
Permissions: Photos/Media/Files; Camera; Storage; Location; Wi-Fi connection information; Phone; Other
Data collected: Unknown
Analysis: The app only allows users to register and use it if their mobile number is on the State Quarantine List. There are no accessible links within the app other than the login form and button. The privacy policy given on the Google Play Store page does not cover the app: it is the privacy policy of the Tamil Nadu government’s “esevai” (e-Service) portal and does not mention the app at all.

Telangana: T COVID'19 (app)
Installs: 10,000+ | End-User License Agreement (EULA): Yes | Privacy Policy: Yes | Terms and Conditions: Yes | Open Source: No
Permissions: Calendar; Location; Phone; Photos/Media/Files; Storage; Camera; Microphone; Wi-Fi connection information; Device ID & call information; Other
Analysis: This app has been developed by the Government of Telangana to “provide citizens with preventive care information and other government advisories”. For an information and advisory app, however, it asks for a large number of permissions, including monitoring-related ones such as “extra location provider commands”, a permission that lets the app send additional commands to the device’s location provider. The Privacy Policy linked from the Google Play Store page leads to the website of Quantela Inc., a US-based company and presumably the developer of the application. Within the app, three documents must be accepted in order to use it. The first (End-User License Agreement) leads to the Terms and Conditions of an app named “Smart City Software Atlantis”, a product of Quantela Inc. The second (Privacy Policy) leads to a general privacy policy that applies to all of Quantela Inc.’s services. The third leads to the Terms and Conditions of the website callhealth.com, apparently owned by CallHealth Services Pvt. Ltd., a Hyderabad-based company. It is unclear from these documents which one applies squarely to the app and which entity is actually behind its development. Although the Privacy Policy mentioned above is a general document, it could be inferred to be the governing document.

Uttarakhand: Uttarakhand CV 19 Tracking System (app)
Installs: 5,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location; Photos/Media/Files; Storage; Camera; Other
Data collected: Name; gender; father’s/spouse’s name; phone number; age; address; district; symptoms; duration of symptoms; overseas travel details; health condition; location co-ordinates; Google Maps location
Analysis: This app collects information from user submissions to determine whether the user may have contracted COVID-19. If problems are found, the app states that a medical team will come and help the user. The service is restricted to residents of Uttarakhand. Neither a Terms of Service nor a Privacy Policy document is accessible within the app. The Google Play Store page links to a privacy policy, but it is, sadly, one apparently generated with the Firebase-hosted policy generator, which uses generic terms and says nothing about data retention.

Uttar Pradesh: UP Self-Quarantine App (app)
Installs: 10,000+ | Terms of Service: No | Privacy Policy: Yes | Open Source: No
Permissions: Location; Other
Data collected: Name; age; gender; address; mobile number; password (for the account)
Analysis: This app is explicitly described as an app for “Corona COVID19 Surveillance”. It does not have an accessible Terms of Service or Privacy Policy document. The privacy policy link on the Google Play Store page leads to the U.P. government’s COVID-19 web portal, where no policy document is uploaded either.

West Bengal: COVID-19 West Bengal Government (app)
Installs: 10,000+ | Terms of Service: No | Privacy Policy: No | Open Source: No
Permissions: Location; Phone; Other
Data collected: Name; mobile; age; gender; address; next-of-kin details; symptoms (to be submitted only if they are persistent and eligible to be notified)
Analysis: This application monitors the user’s location. The user may update his or her symptoms and personal details if he or she wishes. There is no accessible link to a Terms of Service or Privacy Policy document within the app; the privacy policy link on the Google Play Store page leads to the website of the Government of West Bengal.
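A recurring finding in the table above is an app whose stated purpose is information and advisories (Kavach, COVA Punjab, RajCovidInfo, T COVID'19) requesting location, camera, storage and device-identity permissions. The following Python script is an added example, not code from SFLC.in or from any of the apps reviewed; it reads the <uses-permission> entries of an AndroidManifest.xml (as decoded from an APK with a tool such as apktool) and reports the runtime (“dangerous”) permissions that the app’s stated purpose does not account for. The manifest it runs on is constructed for illustration, the purpose profiles are this example’s own assumptions about what each kind of app plausibly needs, and the permission names are the real android.permission.* constants.

```python
"""Permission audit for a COVID-19 app's AndroidManifest.xml.

Added example, not code from SFLC.in or from any app reviewed above.
The manifest string is constructed for illustration; the purpose profiles
(which permission groups a given kind of app plausibly needs) are this
example's own assumptions, not a platform standard.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions, i.e. the ones Android prompts the user
# for, grouped roughly as the Play Store listing shows them.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "Location",
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.READ_CALL_LOG": "Phone",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_CALENDAR": "Calendar",
}

# Install-time ("normal") permissions that never produce a runtime prompt,
# so they are invisible to the user, but are still worth flagging for an
# information-only app.
NOTABLE_NORMAL = {
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection information",
    "android.permission.ACCESS_LOCATION_EXTRA_COMMANDS": "extra location provider commands",
}

# Assumed profiles (this example's own): the permission groups an app of
# each kind needs for its stated purpose. An advisory app needs nothing
# beyond INTERNET, which is a normal permission, so its profile is empty.
PURPOSE_PROFILES = {
    "advisory": frozenset(),
    "contact_tracing": frozenset({"Location"}),
    "quarantine_monitor": frozenset({"Location", "Camera"}),  # geofence + selfie attendance
}

# Constructed manifest for a hypothetical advisory-only app (not any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.state.covidadvisory">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"/>
    <application android:label="Hypothetical Advisory"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit(manifest_xml, purpose):
    """Compare requested permissions against the stated purpose.

    Returns {"unjustified": {group: [permission, ...]}, "notable": [label, ...]}:
    dangerous permissions the purpose profile does not cover, grouped by
    category, plus normal permissions worth a second look.
    """
    if purpose not in PURPOSE_PROFILES:
        raise ValueError("unknown purpose: %s" % purpose)
    allowed = PURPOSE_PROFILES[purpose]
    unjustified = {}
    notable = []
    for perm in requested_permissions(manifest_xml):
        group = DANGEROUS.get(perm)
        if group is not None and group not in allowed:
            unjustified.setdefault(group, []).append(perm)
        elif perm in NOTABLE_NORMAL:
            notable.append(NOTABLE_NORMAL[perm])
    return {"unjustified": unjustified, "notable": notable}


if __name__ == "__main__":
    # Same manifest, judged against each purpose: the stricter the stated
    # purpose, the more of the requested permissions go unexplained.
    for purpose in PURPOSE_PROFILES:
        report = audit(SAMPLE_MANIFEST, purpose)
        print("%-18s unjustified=%s notable=%s"
              % (purpose, sorted(report["unjustified"]), report["notable"]))
```

To run it against a real app, decode the APK and paste the contents of the decoded AndroidManifest.xml in place of SAMPLE_MANIFEST. The “notable” list matters because install-time permissions such as extra location provider commands never appear in a runtime prompt, so a user reading the permission dialog alone would not see them; the Play Store listing, which the table above is based on, does surface them under its own categories.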

All Posts | Mar 31,2020

Joint Letter to the Central and State Governments on Unwarranted, Excessive, Collection and Processing of Personal Data of Individuals during the ongoing COVID-19 Pandemic

March 31, New Delhi: Delhi-based non-profit legal services organisation SFLC.IN, along with a coalition of non-profit organisations, civil society groups, lawyers, public policy professionals, technologists, social activists, entrepreneurs and citizens, has voiced its concerns, urging the government to adopt strict legal measures to regulate and supervise the collection, and subsequent processing, of personal data of individuals during the ongoing COVID-19 pandemic.

A joint letter was sent to Shri Amit Shah, Home Minister; Shri Harsh Vardhan, Minister of Health and Family Welfare; Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology; and the heads of various State Governments, urging them to process the personal data of individuals within the territory of India, and to monitor persons, only as per the law laid down in the judgments of the Supreme Court of India and the norms and principles enunciated therein. Unwarranted, excessive collection and processing of personal data can cause irreversible harm and violate the informational and bodily privacy of an individual.

The organisations who have signed are CCAOI, Digital Empowerment Foundation, Free Software Movement of India, Internet Democracy Project, Internet Freedom Foundation, Internet Society-Delhi Chapter, IT For Change, SFLC.in and Swathanthra Malayalam Computing.

Prasanth Sugathan, Voluntary Legal Director, SFLC.in, said: “Central and State Governments are taking various steps like publishing information of patients and persons under quarantine and are coming out with apps that collect and process personal information. Although this is an extraordinary situation, care should be taken to ensure that the personal information of individuals is handled securely and with due care, respecting their privacy rights. Any measure adopted for public health purposes should be the least intrusive and should not violate the privacy rights of individuals. Publishing of route maps and contact tracing should be done without publishing the personal details of patients.”

The letter highlights the following principles that governments should follow while processing data during the ongoing COVID-19 pandemic:

Time-Limited: All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope, and should not become permanent features of governance. Personal data collected for the purpose of public health should be retained only during the response to the pandemic and deleted automatically, without retaining any copies, once the pandemic has been declared to be over.

Necessity and Proportionality: Any collection or processing of personal data, including health data, shall be necessary and proportionate for the purpose of combating the pandemic and protecting public health. In some states the list of persons under quarantine has been made public in the guise of public monitoring. This is excessive and a disproportionate invasion of the privacy of the individuals under quarantine.

Transparency and Accountability: Processing of personal data must be conducted transparently, and appropriate notices must be provided about use, collection and purpose in an easy-to-read, plain-language format. Individuals must be informed of the volume, extent and purpose of the personal data belonging to them that is being collected, processed, stored or transferred to any person.

Use Restrictions: No use of the data unconnected to public health should be allowed. Use of such data for advertising and commercial purposes unrelated to public health should be completely prohibited. No discrimination shall be meted out to individuals in the collection and processing of personal data during this pandemic, and such personal data shall not be used to discriminate against any individual in the future.

Security: Security protections for data processing during the COVID-19 pandemic should not be compromised; the data must be maintained securely and must be exchanged only through secure platforms and hardware. Any apps related to COVID-19 promoted by the Government should be secure, and their data collection should be in tune with the principles mentioned herein.

No Surveillance without Due Process: Any surveillance required to respond to the pandemic should be temporary and only to the extent and degree allowed by the provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified under these statutes. Any surveillance pursuant to these statutes and other relevant laws, such as the Epidemic Diseases Act, 1897 and the Code of Criminal Procedure, 1973, used for the monitoring of individuals during this pandemic is subject to judicial review.

About SFLC.IN
SFLC.IN is a donor-supported legal services organisation that brings together lawyers, policy analysts, technologists and students to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protects privacy and civil liberties for citizens in the digital world by educating and providing free legal advice, and helps policy makers make informed and just decisions on the use and adoption of technology.

For further communication: Prasanth Sugathan, Voluntary Legal Director, SFLC.IN, prasanth @sflc.in, +91 9013585902