Some points to note about the changes:
3. Treatment of Personal Information: The app initially collects personal information from each user, including name, phone number, age, sex, profession and countries visited in the last 30 days. The previous version also sought information about whether a person is a smoker or not, but that isn’t the case with the updated policy. Interestingly, unlike earlier, this time we weren’t prompted for name, phone number, sex, profession and countries visited. We were only prompted for a mobile number, which is mandatory to get an OTP.
- Identification: This information for a particular user will be linked to a unique digital ID (called DiD), which will subsequently be used to identify that individual user’s transactions, and associated with any data or information uploaded from the app to the server.
- Sharing and storage of personal information: Personal information will be uploaded to and stored on a government server, “hashed with” the DiD. The policy does not say what is hashed or how; since the server holds both the DiD and the personal information behind it, this is pseudonymisation, not anonymisation. All personal information is encrypted before it is uploaded to the server. At registration, your location details are also captured and uploaded to the server.
- Usage of personal information: This information will only be used by the government of India in the following cases:
- Anonymisation and aggregation: “As anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required.”
- Communication in case of probability of infection: “Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.”
4. Information from other users: When two registered users, let’s say Alice and Bob, come within Bluetooth range of each other, their apps automatically exchange DiDs and record the time and GPS location at which the contact took place. Alice’s DiD, and the time and GPS location of her interaction with Bob, are stored on Bob’s device in encrypted form so that Bob cannot read them, and vice versa. The policy does not say which key is used or where it is kept; encryption only keeps this data from Bob if the key is not on Bob’s own device. Only if Bob tests positive for COVID-19 is all of this information about his interactions with Alice (and everyone else) uploaded to the government server.
- Usage of this information: This information is used only “to calculate your probability of having been infected with COVID-19”. One challenge here is that Bluetooth proximity is a poor proxy for infection probability: two people can walk past each other within Bluetooth range while wearing masks and gloves, and the likelihood of transmission is minimal. Two people could also be on different floors of a building, separated by a ceiling, and their devices would still exchange DiDs.
5. Risk assessment tests: The app allows users to take risk assessment tests to assess their level of risk of infection. The risk assessment is quite easy to take and retake, just like in the earlier version of the app. I took it multiple times to test the app. On the updated app, I first took the test as a 78-year-old woman with a history of heart disease who had travelled internationally in the last 14 days. Unlike the earlier version of the app, my home page remained green, and only on re-launching the app did it turn orange and read “High Risk of Infection”.
- Sharing and storage of risk assessment related data: The app uploads location data and the user’s unique DiD to the government server.
- Usage: Information based on self-assessment tests and the GPS locations from where they are being uploaded is used to determine whether a disease cluster is developing at any geographic location.
- Consent: Unlike earlier, before my results as a 78-year-old woman were uploaded to the government server, the app sought my consent for it. This is important from a privacy perspective.
6. Location data: This is collected every 15 minutes and stored “securely” on the mobile device.
- Sharing and storage: Location information is stored on the device. It is uploaded to the government server, along with DiD, only if:
- User tests positive for COVID-19, and/or
- Self-declared symptoms indicate that user is “likely to be infected with COVID-19”, and/or
- Self-assessment test result is either yellow or orange.
If a user tests positive for COVID-19, this information will be uploaded to the government server to map places the user visited in the last 14 days to identify locations that need to be sanitised, and identify areas where outbreaks may occur. To “more accurately map the places” and to identify people who need to be tested, this location data can be linked to the personal information underlying DiD. However, this linkage between personal information and DiD is unnecessary. To identify places to be sanitised, and people who need to be tested, all that is required is whether or not a particular DiD was present at a location. You don’t need to know if it was Alice or Bob, just that a COVID-19 positive person was there.
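The data flow described in points 4 and 6 above, as an added illustration that is not code from the app or from the policy: a contact log and a location trail held on the device and keyed only on DiDs, the 30-day on-device purge from the retention section, the upload of the last 14 days on a positive test, and server-side queries that answer “which DiDs were exposed” and “which places need sanitising” without ever touching the table that maps a DiD to a person. The identity table is consulted only in the notification step. Class and field names, the coordinates and the phone numbers are all constructed for the example; the encryption of the on-device records is not modelled.

```python
"""Pseudonymous contact-tracing flow keyed on DiDs (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

ON_DEVICE_RETENTION = timedelta(days=30)  # on-device purge window from the policy
UPLOAD_LOOKBACK = timedelta(days=14)      # history mapped after a positive test

Location = Tuple[float, float]            # (latitude, longitude)


@dataclass(frozen=True)
class Contact:
    other_did: str        # the other party's DiD, never their name
    when: datetime
    location: Location


@dataclass(frozen=True)
class Fix:
    when: datetime        # one entry per 15-minute location sample
    location: Location


@dataclass
class Device:
    did: str
    contacts: List[Contact] = field(default_factory=list)
    trail: List[Fix] = field(default_factory=list)

    def exchange(self, other: "Device", when: datetime, loc: Location) -> None:
        """Bluetooth encounter: each side records the other's DiD, time, place."""
        self.contacts.append(Contact(other.did, when, loc))
        other.contacts.append(Contact(self.did, when, loc))

    def record_location(self, when: datetime, loc: Location) -> None:
        self.trail.append(Fix(when, loc))

    def purge(self, now: datetime) -> int:
        """Drop records older than 30 days; returns how many were removed."""
        keep_c = [c for c in self.contacts if now - c.when <= ON_DEVICE_RETENTION]
        keep_t = [f for f in self.trail if now - f.when <= ON_DEVICE_RETENTION]
        removed = (len(self.contacts) - len(keep_c)) + (len(self.trail) - len(keep_t))
        self.contacts, self.trail = keep_c, keep_t
        return removed


class Server:
    def __init__(self) -> None:
        self.identity: Dict[str, dict] = {}          # DiD -> personal info
        self.contacts: Dict[str, List[Contact]] = {}  # uploaded after positive test
        self.trails: Dict[str, List[Fix]] = {}

    def register(self, did: str, info: dict) -> None:
        self.identity[did] = info

    def upload_positive(self, dev: Device, now: datetime) -> None:
        """Only called on a positive test; only the 14-day lookback is sent."""
        self.contacts[dev.did] = [c for c in dev.contacts if now - c.when <= UPLOAD_LOOKBACK]
        self.trails[dev.did] = [f for f in dev.trail if now - f.when <= UPLOAD_LOOKBACK]

    def exposed_dids(self, positive_did: str) -> Set[str]:
        """Who needs testing: answerable from DiDs alone."""
        return {c.other_did for c in self.contacts.get(positive_did, [])}

    def locations_to_sanitise(self, positive_did: str) -> Set[Location]:
        """Where to sanitise: answerable from the DiD's trail alone."""
        return {f.location for f in self.trails.get(positive_did, [])}

    def contact_for(self, did: str) -> str:
        """The one step that needs the identity table: reaching the person."""
        return self.identity[did]["phone"]


def demo() -> dict:
    """Constructed scenario: Bob tests positive one day after meeting Alice."""
    t0 = datetime(2020, 5, 1, 12, 0)
    alice, bob, carol, dave = (Device(d) for d in ("did-A", "did-B", "did-C", "did-D"))
    bob.exchange(dave, t0 - timedelta(days=40), (28.60, 77.20))   # beyond 30 days
    bob.exchange(carol, t0 - timedelta(days=20), (28.70, 77.10))  # kept, but beyond 14 days
    bob.exchange(alice, t0, (28.61, 77.21))                       # inside both windows
    for c in bob.contacts:
        bob.record_location(c.when, c.location)
    now = t0 + timedelta(days=1)
    purged = bob.purge(now)

    server = Server()
    for dev, phone in ((alice, "+91-1"), (bob, "+91-2"), (carol, "+91-3"), (dave, "+91-4")):
        server.register(dev.did, {"phone": phone})  # constructed numbers
    server.upload_positive(bob, now)
    return {
        "purged": purged,
        "exposed": server.exposed_dids(bob.did),
        "sanitise": server.locations_to_sanitise(bob.did),
        "notify": server.contact_for("did-A"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `exposed_dids` and `locations_to_sanitise` never read `identity`; the linkage the policy reserves for “more accurately” mapping places is not needed for either answer, which is the point made in the paragraph above.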
7. Data retention:
- For personal information: will be “retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force.” Note that the app doesn’t have an option for a user to delete their account. There is also no privacy law in India.
- For information shared between users, risk assessment tests and location information: “This information will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the server, will be purged from the App.” After 45 days of being uploaded to the server, information related to people who haven’t tested positive will be deleted from the server. For those who tested positive, information will be purged after 60 days of them having been declared cured.
- For anonymised data: Data that may be retained includes anonymised, aggregated datasets generated from the personal data of registered users of the app, any reports, heat maps or other visualisations created from such datasets, and medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.
8. Cancellation? Under the “Rights” section, the policy states that on cancelling registration, all information provided to the app will be deleted after 30 days. The app does not offer users the option to delete their account or cancel their registration. It is not clear whether uninstalling the app means that the account is considered deleted, or the registration cancelled. What if a user uninstalls the app after testing positive for COVID-19? What happens to the personal information already collected if a user tests positive after uninstalling the app? The policy needs to offer clarity here.