Our Analysis of Aarogya Setu’s Updated Privacy Policy

After drawing flak over its privacy policy and terms of use, Government of India’s contact tracing application “Aarogya Setu’s,which is handled by MeitY and now boasts of 50 million usersi,privacy policy was updated on April 12.  On April 26th, the Government disclosed that Aarogya Setu had a vulnerability where it shared user location with Google.

We at SFLC.IN,have also done a word by word analysis of old and new privacy policy of the Application which has been highlighted in the table mentioned below. Before that, we  would chalk out our assessment of the updated privacy policy.

1. The updated Privacy Policy is ultra vires the principle of data proportionality and necessity : The privacy policy fails to specify if Aarogya Setu is a temporary application whose purpose is contact tracing only during the pandemic. Therefore, the policy does not fall within the yardstick of principle of “data proportionality and necessity” as listed out by the United Nations High Level Committee on Management.ii It also goes against the principles of of privacy enshrined in Puttaswamy case.iii

2.Storage of Personal Information: Clause 1(a) of the updated privacy policy clarifies that the information will be stored on the servers operated and managed by the Government of India.

3. Collection and identification of personal information:The old privacy policy collected the age, name, sex, phone number, profession, travel history of last 30 days and if person is a smoker. The updated privacy policy has done away with the question “if a user is a smoker of not”.

Unique Digital Id(DID): Clause 1(a) of the updated privacy policy also mentions that the information stored on the server will be hashed with a unique digital ID (DID) which will be used to identify the user in subsequent app related transactions. This was not present in the initial version of the privacy policy.

Storage and sharing of personal information: The updated privacy policy clarifies that that at the time of registration, location details of the user will also be captured and uploaded to the server.

Self assessment test by the user:Clause 1(c) of the new privacy policy authorizes the App to collect the location data and upload it along with DID to the server every time a user takes a self-assessment test. This was absent in the initial privacy policy.

Pre-conditions to upload the location data collected every 15 minutes on government servers:According to Clause 1(d), the App has been authorised to collect user’s location data every 15 minutes and store it locally in user’s mobile device. However, it has laid down 3 pre-conditions when this information will be uploaded on the server along with the DID--

i. If the user has been tested positive for COVID-19; or/and

ii. if user’s self-declared symptoms indicate that it is likely to be infected with COVID-19; or/and

iii. If result of user’s self-assessment test is either yellow or orange.

However, if a user has been tested positive for COVID-19, clause 2(d) of the privacy policy mandates that the information uploaded by user will be used to map the places visited over past 14 days. In case there is a requirement to accurately map places visited by the user, the DID associated with the information collected under clause 1(d) will be co-related with the user’s personal information collected under clause 1(a).

4. Purpose limitation:The updated privacy policy in Clause 2(a) clarifies that the user information shall only be used by the government in anonymised aggregated data sets.

It limits the purpose of information collected to--

i. generate reports, heat maps, and other statistical visualizations for the purpose of management of COVID-19;

ii.  to provide general updates pertaining to COVID-19.

Co-relation of user’s DID with its personal information:

Clause 2(a) further clarifies that a user’s DiD will only be co-related with its personal information in order to-

i. communicate the probability of contracting COVID-19; and/or

ii. to provide information to persons carrying out medical and administrative interventions in relation to COVID-19. This has been limited to the information need by medical personnel to do their job.

5. Use of information collected from other users: Clause 2(b) provides that information collected from any other user’s mobile device shall be uploaded and stored on the server and be used to calculate the user’s probability of contracting COVID-19.

According to Clause 1(b), as soon as two users come within each other’s Bluetooth range, the DIDs will be automatically exchanged and time and GPS location when the contact took place will be recorded. 

Since this data will be stored in the respective devices of both users in encrypted manner, in case of them tests positive for COVID-19, this data of contact between the two users shall be uploaded on the government server.

In the earlier privacy policy, SFLC.IN had raised the concern arising from “sharing of personal information with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions”. This has been done away with in the new privacy policy which now specifies that and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.”

6. Data RetentionWhile clause 4 of updated privacy policy allows a registered user to “add, remove or modify any registration information supplied”,the application does not have an option of account deletion.

Clause 3(a) states that “all personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force”. 

This leaves a lot of ambiguity considering India does not have a Personal Data Protection legislation in place or a legislation on privacy.

Information collected from risk assessment tests and location data:  

Clause 3(b) lays down certain conditions for data retention:

i.All personal information collected under Clause 1(b), (c), and (d) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App.

ii.All information collected under Clause 1(b), (c) and (d) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded.

iii. All information collected under Clause 1(b), (c), and (d) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.

Aggregated anonymised data to be retained:Provisions of Clause 3(a)are not applicable anonymized, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualizations created using such datasets.

Clause 3(a) is also not applicable on medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.

7. Rights of the user to add, remove or modify any information provided during registration:Clause 4(a) gives a user the option to “add, remove or modify any registration information that you have supplied”.

Clause 4(b) reads asYou cannot manage the communications that you receive from us or how you receive them. If you no longer wish to receive communications from us, you may cancel your registration. If you cancel your registration, all the information you had provided to us will be deleted after the expiry of 30 days from the date of such cancellation.”

Considering that the App does not provide an option to delete one’s account, it is ambiguous what will be considered as deletion of account, and if un-installation shall be considered as deletion.

Moreover, what will happen to the data of such user who has been tested positive for COVID-19 but later uninstalled the App. Will such person’s personal information be deleted after 30 days, and will such deletion of data be not in conflict with Clause 3(b) which mandates storage of personal data of COVID-19 positive person till 60 days after such person has been cured.

 

 

 

Word by word comparison of old and updated privacy policy of Aarogya Setu App

 

 

Old Privacy Policy

Updated Privacy Policy
Clause 1(a)

1.The old privacy policy did not specify that the information of users shall be stored in government servers or private servers.

2.There were 7 questions a user had to answer at the time of registration which included age, sex, travel history, profession, phone number, name, and if the user is a smoker.

1.The updated privacy policy clarifies that the information will be stored in servers operated and managed by the Government of India.

2. It states that the information stored on the server will be hashed with a unique digital ID (DID) which shall be used to identify the user in subsequent app related transactions.

3. The updated policy also clarifies that at the time of registration, location details of the user are captured and uploaded to the server.

4.While the 6 questions pertaining with age, sex, travel history, profession, phone number, name find mention in the updated policy, the 7th question has been omitted.

Clause 1(b)

The old policy did not mandate for creation of a (unique digital ID)DID.

According to the new policy, as soon as two users come within each other’s Bluetooth range, the DIDs will be automatically exchanged and time and GPS location when the contact took place will be recorded.

Clause 1(c)

 

Each time a user completes a self-assessment test, the App has been authorized to collect the location data and upload it along with DID to the server.

Clause 1(d)

 

The app continuously collects location data, and stores record of all places the user has been at 15 minutes intervals in the user’s mobile device.

There are 3 pre-conditions when this information shall be uploaded to the server along with the DID--

i. If the user has been tested positive for COVID-19; or/and

ii. if user’s self-declared symptoms indicate that it is likely to be infected with COVID-19; or/and

iii. If result of user’s self-assessment test is either yellow or orange.

Yellow colour code means that the user is at high risk. Orange means moderate risk.

Clause 2(a)

1. In the old privacy policy, the personal information collected was to be stored locally in the App on user’s mobile device and was to be uploaded and used by Government of India only in anonymised, aggregated datasets.

2. The purpose of this information collection was to -

i. generate heat maps, reports and other statistical visualisations for the purpose of management of COVID-19; and

ii. contact tracing in case the user has been tested positive or has come in contact with anyone who has been tested positive.

3. User’s personal information may also be shared with such other necessary and relevant persons as may be required to carry out necessary medical and administrative interventions.

1. The personal information of user collected at the time of registration shall be stored on the government server and will only be used by Government of India in anonymised aggregated datasets.

2. The purpose of this information collection is to-

i. generate reports, heat maps, and other statistical visualisations for the purpose of management of COVID-19;

ii.to provide general updates pertaining to COVID-19.

3. A user’s DiD will only be co-related with its personal information in order to-

i. communicate the probability of contracting COVID-19; and/or

ii. to provide information to persons carrying out medical and administrative interventions in relation to COVID-19. This has been limited to the information need by medical personnel to do their job.

Clause 2(b)

The mobile number provided by the user at the time of registration was to be used to communicate through SMS, IVR, push notifications or other such means to inform the user that it has come in close contact with someone who has been tested positive for COVID-19.

Information collected from any other user’s mobile device shall be uploaded and stored on the server and be used to calculate the user’s probability of contracting COVID-19.

Clause 2(c)

 

The information collected under clause 1(c) shall be used by the Government of India to evaluate, based on self-assessment tests and GPS locations, whether a disease cluster is developing at any geographic location.

Clause 2(d)

 

1. In case, the user has been tested positive for COVID-19, information uploaded by user will be used to map the places visited over past 14 days.

2. In case there is a requirement to accurately map places visited by the user, the DID associated with the information collected under clause 1(d) will be co-related with the user’s personal information collected under clause 1(a).

Clause 3(b)

1. Location information of registered users with whom such user had come in contact was to be retained fora period of 30 days from the date of such contact, after which neither such user nor other registered user had tested positive for COVID-19 during such 30 day period, shall be purged from the App.

1. All personal information collected under Clause 1 will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App.

2. All information collected under Clause 1 and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded.

3.All information collected under Clause 1 of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.

Clause 3(c)

1.Nothing set out herein shall apply to the anonymised, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualisations created using such datasets.

1.Nothing set out herein shall apply to the anonymised, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualisations created using such datasets.

2. Nothing set out herein shall apply to medical reports, diagnoses or other medical information generated by medical professionals in the

 

 

We had also written about concerns with the previous privacy policy  of Aarogya Setu, and on March 31st, several organisations led by SFLC.in had written a joint letter to the Central and State Governments on unwarranted excessive collection and processing of personal data of individuals during COVID-19 pandemic.

 

 

iAarogya Setu: Govt’s coronavirus tracker app gets 5 crore users in 13 days, 16 April, 2020. LiveMint. <https://www.livemint.com/news/india/aarogya-setu-govt-s-coronavirus-tracker-app-gets-5-crore-users-in-13-days-11587021032271.html >.

ii. Personal Data Protection and Privacy Principles, Adopted by the UN High-Level Committee on Management (HLCM) at its 36th Meeting on 11th October, 2018. United Nations. <https://www.unsceb.org/CEBPublicFiles/UN-Principles-on-Personal-Data-Protection-Privacy-2018.pdf >.

iiiJustice K.S. Puttaswamy (Retd.) v. Union of India, WP (Civil) No. 494 of 2012.