More than 16 crore Indians have downloaded the government’s Arogya Setu App. To trace and track the cases of covid-19, personal data of Indians is available on this app in bulk. And now the government has confessed itself, it has not followed its own rules made to protect your personal information on the app.
On April 2, 2020, NIC announced that it has created the Arogya Setu Contact Tracing App in a public private partnership to battle Corona.
But the Arogya Setu app recorded the sensitive information about your health and live location, there was concern from the beginning that what would happen if this sensitive data fell into the wrong hands?
To address this concern, the Ministry of Information Technology and Electronics (NIC) and NIC on 11 May 2020 decided to fix a protocol regarding the data that who can access to the data of Arogya Setu app.
To put it into practice means that no private company is able to use the data on the app, such as a company that harasses you by sending advertisements or a non-government company cannot monitor you through it.
But unfortunately, in a RTI application by independent journalist and RTI activist Sourav Das, the NIC has revealed that even after 6 months of the release of the protocol, many security measures have not been implemented.
Safety Measures 1 – Paper Trail
The NIC had to keep an account of which agencies or people the data is being shared with. According to the Law Center that helped create the protocol, it meant keeping a paper trail so they can prevent the misuse of the data and trace them so govt can fixed the accountability.
So is this paper trail happening? No. When NIC was asked with whom he shared the data of the app, they only shared a generic list in response to whom the data can be shared. He did not say to whom the data was actually given.
In another RTI application, when the NIC was asked whether data is being shared with intelligence agencies, which can be done in very rare cases … then they also avoided this question.
Safety Measures 2 – Security Procedures
Any institution – government or private – with whom NIC shared the data of the sanatorium bridge had to implement ‘appropriate’ security measures.
Because India still does not have data protection law, it was expected that NIC and the Ministry of Electronics and IT would ensure that the model is secure, especially when the app data is not only used by all state health secretaries but also across the country All of the 700+ can also be shared with the District Magistrate. But have they done anything of the sort? No
The NIC is only taking away the responsibility of those institutions which have received the data, and is saying that it has not taken security measures, instead there are no model security measures. Meaning .. these security measures are also a pretense
Safety Measures 3- Audit and Review
No party with whom data is shared under the protocol can reuse the data for any other purpose or provide data to anyone else. To ensure this, it was said in the protocol that the central government can audit and review those who will be given the data.
This was a big way to prevent mis-sharing of data. Such a measure which does not lead to an event like data leakage of the Ministry of Transport .. So is the health data being protected through this audit and review mechanism?
No. Instead NIC said that this RTI question is inappropriate, as it shares the data with government institutions. But the fact is that the audit process also applies to government institutions. Which includes NIC itself!
Security measures 4- Whose data is it?
The most talked about in the protocol was this security measure – if an institution doing research to fight covid will be given data, then it will not be allowed to know whose data it is? A major motive behind making Arogya Setu App was this research.
Meaning- no third party will ever know whose data it was. This will ensure that the privacy of the person concerned is not violated. Even if all the data in the app has been used. But did the government do this? Once again .. the answer is no. The reaction on the RTI has revealed that the expert committee that the government was supposed to form to find out the methods of hiding the data, has not yet been created.
NIC also escaped the question of what has been done so far to anonymize such data. This means that the data of millions of Indian citizens who downloaded the Arogya Setu App is insecure. Their data can be misused without accountability. The DT also spoke to digital rights lawyers like Srinivas Kodali and Anivar Aravind, cyber experts, Raman Cheema and Vrinda Bhandari. So that we can understand the concerns related to this matter. The concerns that these people have told, you can read them on our website.
Through whose RTI application, The Dossier Times is making these big revelations, understand from Sourav Das that the government did not implement security measures, what could be the consequences.