Our Analysis of Aarogya Setu’s Updated Privacy Policy and Terms of Service

 

On May 24th, Aarogya Setu’s (hereinafter, “the App”) terms of service and privacy policy were updated. Prior to this, the Ministry of Electronics and Information Technology had released its Data Access and Sharing Protocol on May 11. This is the second time the App’s privacy policy has been updated since its release.

In this post, we outline the changes in the privacy policy and terms of service, and highlight our concerns with them.

1. Reverse Engineering no longer penalised, source code yet to be made open: Clause 3 of the previous terms of service prohibited reverse engineering of the App. This has been done away with in the updated terms of service, meaning that anyone who reverse engineers the App will no longer be penalised. It is a welcome step; however, the source code of the App is yet to be made open source.

SFLC.IN has repeatedly highlighted that not open-sourcing the App goes against the Government’s prevailing policy on adoption of open source software. We reiterate that the App collects personal data, including the location data of a user; in such a situation, the source code should be made open to enhance transparency and security.

2. Functionality extended beyond contact tracing, building block for India’s health stack?: The prior terms of service restricted the functionality of the App to “enable registered users who have come in contact with other registered users who have tested positive for severe acute respiratory syndrome to be notified, traced and suitably supported”.

The updated terms of service have extended the functionality of Aarogya Setu beyond contact tracing. The App will now allow the users to access convenience services in relation to COVID-19. Clause 1 of Terms of Service states that “the App will also serve as digital representation of an e-pass where available. The App will also provide links to convenience services offered by various service providers”.

This also indicates that the App might outlive the pandemic. While the Data Access and Sharing Protocol (hereinafter “the Protocol”) has a sunset clause of 6 months unless otherwise decided by the Empowered Group on Technology, the App does not have a sunset clause, thereby indicating the possibility that it might be a building block for India’s long-pending health stack.

3. Government may be held liable in case of unauthorised access: The previous terms of service absolved the government of any liability whatsoever. Clause 6 of the updated terms of service states that “the Government of India will make best efforts to ensure that the App and the Services perform as described but will not be liable for (a) the failure of the App or the Services to accurately identify persons in your proximity who have tested positive to COVID-19; (b) the accuracy of the information provided by the App or the Services as to whether the persons who have come in contact with in fact been infected by COVID-19”.

This means that now the Government may be held liable in case of unauthorised access to the user’s information or any modification to it or any other liability arising from data breaches etc.

4. Unique Digital ID (DiD) not to be hashed with personal information: The previous privacy policy of the App stated that the personal information of the user will be hashed with a unique digital ID (DiD), and that the DiD would later be used to identify the user in subsequent App-related transactions. SFLC.in, along with several other organisations, individuals and policy professionals, had raised the concern that unlike Singapore’s contact tracing application, Aarogya Setu uses a static DiD which can be traced back to the user.

However, the changes in the updated privacy policy have further downgraded this. Clause 1(a) of the updated privacy policy states that “this information will be stored on the Server and a unique digital id (DiD) will be pushed to your App”. This means that a user’s personal information will not be encrypted by the DiD anymore. This might lead to serious privacy implications in case of a data breach, considering that if a user takes a self-assessment test or tests positive for COVID-19, their information will be uploaded to government servers but not in an encrypted format.

5. No option to request deletion of demographic data: Clause 5(e) of the Protocol allows the user to request deletion of their demographic data. No such option has been included in the updated privacy policy or terms of service. Nor do the terms of use specify whether uninstallation of the App will amount to deletion of demographic data.

The App has failed to provide for deletion of the entire response data, i.e. demographic data, contact data, self-assessment data and location data. Allowing a user to delete only their demographic data serves little or no purpose.

6. No harmonisation between the Protocol and the App: While the Protocol states that the response data of a user will be permanently deleted in 180 days from the date on which it was collected, the updated Privacy Policy still states that data of a COVID-19 positive patient will be retained till 60 days after such person has been declared cured of COVID-19. It is still unclear if data of a user will be retained for the duration specified in the Protocol or in the Privacy Policy.

In addition to this, there is still no clarity over the sunset date of the App. While the Protocol will lapse after 6 months unless decided otherwise by the Empowered Group on Technology, Aarogya Setu does not have a sunset clause. The fact remains that the Protocol is not a statutory foundation for Aarogya Setu.

Apple and Google’s open source API has been released in 23 countries worldwide, but it will not be compatible with Aarogya Setu, as Aarogya Setu requires both location and Bluetooth data to function. The Central Government could have adopted a decentralised approach to contact tracing to mitigate privacy concerns surrounding Aarogya Setu, but that still remains a far-fetched dream!

We also did a technical analysis of Aarogya Setu which can be found here. We also wrote to the Minister of Railways, the Minister of Civil Aviation, and the Managing Director, Noida Metro Rail Corporation, asking them to consider the installation of Aarogya Setu on a voluntary basis in consonance with the Ministry of Home Affairs guidelines dated 17.05.2020.