Update (April 17 9:38 am): We received a notification from Aarogya Setu at 9:04 am this morning, notifying us of changes made to the Privacy Policy on April 12. This notification was sent 5 days after the privacy policy was actually updated.

Notification by Aarogya Setu sent this morning. Credit: Aroon Deep

Just as quietly as the government of India launched its COVID-19 contact tracing app, Aarogya Setu, on April 2, it has updated the app’s privacy policy without notifying users. The government also updated the app itself and introduced new features. Since Prime Minister Narendra Modi has urged everyone to download the app, and it has already been downloaded 10 million times from the Google Play Store since launch, it is necessary to examine whether it preserves people’s privacy or squanders it. Readers can find the old policy (here), the new policy (here), and our word-by-word comparison of the two policies here.

Most importantly, the privacy policy nowhere states that this is a temporary app, meant to be used only for contact tracing during the COVID-19 pandemic. This leaves open the possibility that the app and its underlying technology could be used for purposes beyond contact tracing. Note that, in the updated app, once a user gives permission to access location and Bluetooth data, we could not find the Privacy Policy again, and had to re-install the app to get back to it.

Some points to note about the changes:

1. Users not notified of the change in privacy policy: The privacy policy explicitly states that users will be notified of all changes made to it. However, when the policy was updated, users were not notified of the change. At least 2 users who had the app installed prior to this update confirmed this to MediaNama. The policy also states that fresh consent will be sought from users to continue using the app whenever the privacy policy changes. That did not happen either.

2. Purpose limitation and no third-party data sharing: The new privacy policy explicitly limits the purpose for which data collected by the app can be used, and reiterates that personal information will not be shared with any third party except to carry out “necessary medical and administrative interventions”.

3. Treatment of Personal Information: The app initially collects personal information from each user, including name, phone number, age, sex, profession and countries visited in the last 30 days. The previous version of the policy also sought information about whether a person is a smoker, but the updated policy does not. Interestingly, unlike earlier, this time we weren’t prompted for name, phone number, sex, profession and countries visited. We were only prompted for a mobile number, which is mandatory to get an OTP.

  • Identification: This information for a particular user will be linked to a unique digital ID (called DiD), which will subsequently be used to identify that individual user’s transactions, and associated with any data or information uploaded from the app to the server.
  • Sharing and storage of personal information: Personal information will be uploaded and stored on a government server, hashed with the DiD. All personal information is encrypted before it is uploaded to the server. At registration, your location details are also captured and uploaded to the server.
  • Usage of personal information: This information will only be used by the government of India in the following cases:
    • Anonymisation and aggregation: “As anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required.”
    • Communication in case of probability of infection: “Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.”

4. Information from other users: When two registered users, let’s say Alice and Bob, come within Bluetooth range of each other, their apps automatically exchange their DiDs and record the time and GPS location at which the contact took place. Alice’s DiD, together with the time and GPS location of her interaction with Bob, is stored on Bob’s app (that is, on the device) in an encrypted form so that Bob cannot read it, and vice versa. Only if Bob tests positive for COVID-19 will all this information about his interactions with Alice (and everyone else) be uploaded to the government server.

  • Usage of this information: This information is used only “to calculate your probability of having been infected with COVID-19”. One challenge here is that proximity doesn’t indicate probability: two people can walk past each other within Bluetooth range, wearing masks and gloves, and the likelihood of an infection being transmitted is likely to be minimal. Two people could also be on different floors of a building, and the devices could still exchange DiDs.

5. Risk assessment tests: The app allows users to take risk assessment tests to assess their level of risk of infection. The risk assessment is quite easy to take and retake, just like in the earlier version of the app. I took it multiple times to test the app. On the updated app, I first took the test as a 78-year-old woman with a history of heart disease who had travelled internationally in the last 14 days. Unlike in the earlier version of the app, my home page remained green, and only on re-launching the app did it turn orange and read “High Risk of Infection”.

  • Sharing and storage of risk-assessment-related data: The app uploads location data and the user’s unique DiD to the government server.
  • Usage: Information from the self-assessment tests, and the GPS locations from which they are uploaded, is used to determine whether a disease cluster is developing at any geographic location.
  • Consent: Unlike earlier, before my results as a 78-year-old woman were uploaded to the government server, the app sought my consent for it. This is important from a privacy perspective.

Screenshots (left: the updated app; right: the earlier version): the app now asks for consent before uploading information from the risk assessment test to the government server. The earlier version did not.

6. Location data: This is collected every 15 minutes and stored “securely” on the mobile device.

  • Sharing and storage: Location information is stored on the device. It is uploaded to the government server, along with DiD, only if:
    1. User tests positive for COVID-19, and/or
    2. Self-declared symptoms indicate that user is “likely to be infected with COVID-19”, and/or
    3. Self-assessment test result is either yellow or orange.

If a user tests positive for COVID-19, their location data will be uploaded to the government server to map the places the user visited in the last 14 days, so that locations that need to be sanitised can be identified, along with areas where outbreaks may occur. To “more accurately map the places” and to identify people who need to be tested, this location data can be linked to the personal information underlying the DiD. However, this linkage between personal information and DiD is unnecessary: to identify places to be sanitised and people who need to be tested, all that is required is whether or not a particular DiD was present at a location. You don’t need to know whether it was Alice or Bob, only that a COVID-19-positive person was there.
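The data flow described in points 4 and 6 above, modelled as an added illustration (this is not Aarogya Setu’s code, and the key, DiD derivation, coordinates and the Alice/Bob scenario are all constructed for the example). It shows the Bluetooth DiD exchange, the three upload triggers, a 14-day upload payload that carries no name or phone number, and server-side functions that find places to sanitise and contacts to test using DiDs alone, which is the point made in the paragraph above.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed key for the toy DiD derivation; an assumption for this example,
# not anything taken from the real app.
DID_KEY = b"constructed-example-key"


def make_did(name: str, phone: str) -> str:
    """Derive an opaque DiD from personal information (keyed hash, truncated).

    Only this value, never the name or phone number, reaches the server-side
    functions below.
    """
    msg = f"{name}|{phone}".encode()
    return hmac.new(DID_KEY, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class Contact:
    peer_did: str   # the other user's DiD, exchanged over Bluetooth
    when: datetime  # time of the encounter
    lat: float      # GPS location of the encounter
    lon: float


@dataclass
class Device:
    did: str
    contacts: list = field(default_factory=list)   # stays on the device by default
    locations: list = field(default_factory=list)  # (when, lat, lon), sampled every 15 minutes
    tested_positive: bool = False
    symptoms_likely: bool = False
    self_assessment: str = "green"                  # green / yellow / orange

    def record_location(self, when: datetime, lat: float, lon: float) -> None:
        self.locations.append((when, lat, lon))


def exchange(a: Device, b: Device, when: datetime, lat: float, lon: float) -> None:
    """Two devices within Bluetooth range swap DiDs and each logs time and GPS."""
    a.contacts.append(Contact(b.did, when, lat, lon))
    b.contacts.append(Contact(a.did, when, lat, lon))


def should_upload(d: Device) -> bool:
    """The three upload triggers listed under point 6 of the policy summary."""
    return d.tested_positive or d.symptoms_likely or d.self_assessment in ("yellow", "orange")


def build_upload(d: Device, now: datetime, days: int = 14) -> dict:
    """What leaves the device: its DiD plus the last `days` of locations and contacts.

    No name or phone number is part of the payload.
    """
    cutoff = now - timedelta(days=days)
    return {
        "did": d.did,
        "locations": [(w.isoformat(), lat, lon) for (w, lat, lon) in d.locations if w >= cutoff],
        "contacts": [(c.peer_did, c.when.isoformat(), c.lat, c.lon)
                     for c in d.contacts if c.when >= cutoff],
    }


def places_to_sanitise(uploads: list, precision: int = 3) -> set:
    """Server side: locations visited by any uploading DiD, keyed by rounded coordinates.

    Needs only 'a DiD was here', not whose DiD it is.
    """
    places = set()
    for u in uploads:
        for (_, lat, lon) in u["locations"]:
            places.add((round(lat, precision), round(lon, precision)))
    return places


def dids_to_test(uploads: list) -> set:
    """Server side: DiDs that were in contact with an uploader; again no personal info needed."""
    return {peer for u in uploads for (peer, _, _, _) in u["contacts"]}


def demo() -> dict:
    """Constructed scenario: Alice meets Bob, Bob later tests positive."""
    now = datetime(2020, 4, 14, 17, 0)
    alice = Device(make_did("Alice", "9000000001"))
    bob = Device(make_did("Bob", "9000000002"))
    bob.record_location(now - timedelta(days=20), 28.613, 77.209)  # older than 14 days: not uploaded
    bob.record_location(now - timedelta(days=2), 28.614, 77.210)
    exchange(alice, bob, now - timedelta(days=2), 28.614, 77.210)
    bob.tested_positive = True
    uploads = [build_upload(d, now) for d in (alice, bob) if should_upload(d)]
    return {
        "uploaded_by": [u["did"] for u in uploads],
        "places": places_to_sanitise(uploads),
        "to_test": dids_to_test(uploads),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that only Bob’s device uploads, that the upload contains one location (the 20-day-old one is outside the 14-day window), and that the server can name both the place to sanitise and Alice’s DiD to follow up without ever holding a name or phone number. The on-device encryption of the contact log is not modelled here; the example is about what needs to be linked, not how it is stored.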

7. Data retention:

  • For personal information: will be “retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force.” Note that the app doesn’t have an option for a user to delete their account. There is also no privacy law in India.
  • For information shared between users, risk assessment tests and location information: “This information will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the server, will be purged from the App.” 45 days after being uploaded to the server, information relating to people who have not tested positive will be deleted from the server. For those who tested positive, information will be purged 60 days after they have been declared cured.
  • For anonymised data: Data that may be retained includes anonymised, aggregated datasets generated from the personal data of registered users of the app, any reports, heat maps or other visualisations created using such datasets, and medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.
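One way the retention periods quoted above could be enforced, as an added illustration rather than the app’s own code. The record layout, field names and dates are constructed for the example; the on-device rule follows the literal wording of the policy (purge at 30 days only if the record was never uploaded), and the server rule treats a positive user with no “declared cured” date yet as still retained, which is the case a plain age-of-record check would get wrong.

```python
from datetime import date, timedelta

# Retention periods as summarised in the policy text above.
DEVICE_RETENTION_DAYS = 30           # on the device, if never uploaded
SERVER_RETENTION_NEGATIVE_DAYS = 45  # on the server, for people not tested positive
SERVER_RETENTION_CURED_DAYS = 60     # on the server, counted from the date declared cured


def device_should_purge(record: dict, today: date) -> bool:
    """On-device rule: purge 30 days after collection if the record was never uploaded."""
    age = (today - record["collected_on"]).days
    return (not record["uploaded"]) and age >= DEVICE_RETENTION_DAYS


def server_should_purge(record: dict, today: date) -> bool:
    """Server rule: 45 days after upload for non-positive users; 60 days after the
    'declared cured' date for positive users. No cured date yet means keep."""
    if record["positive"]:
        cured_on = record.get("cured_on")
        if cured_on is None:
            return False
        return (today - cured_on).days >= SERVER_RETENTION_CURED_DAYS
    return (today - record["uploaded_on"]).days >= SERVER_RETENTION_NEGATIVE_DAYS


def run_purge(records: list, today: date, rule) -> tuple:
    """Apply a rule to each record and return (kept, purged) lists of record ids."""
    kept, purged = [], []
    for r in records:
        (purged if rule(r, today) else kept).append(r["id"])
    return kept, purged


def demo() -> dict:
    """Constructed records exercising each branch of the two rules."""
    today = date(2020, 4, 14)

    def d(days_ago: int) -> date:
        return today - timedelta(days=days_ago)

    device_records = [
        {"id": "dev-old-not-uploaded", "collected_on": d(31), "uploaded": False},
        {"id": "dev-old-uploaded", "collected_on": d(31), "uploaded": True},
        {"id": "dev-fresh", "collected_on": d(5), "uploaded": False},
    ]
    server_records = [
        {"id": "neg-50d", "positive": False, "uploaded_on": d(50)},
        {"id": "neg-40d", "positive": False, "uploaded_on": d(40)},
        {"id": "pos-cured-61d", "positive": True, "uploaded_on": d(120), "cured_on": d(61)},
        {"id": "pos-not-cured", "positive": True, "uploaded_on": d(200), "cured_on": None},
    ]
    return {
        "device": run_purge(device_records, today, device_should_purge),
        "server": run_purge(server_records, today, server_should_purge),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the policy gives no retention period for the personal information itself beyond “as long as your account remains in existence”, and the app offers no way to close the account, so there is nothing equivalent to write for that category.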

8. Cancellation? Under the “Rights” section, the policy states that on cancelling registration, all information provided to the app will be deleted after 30 days. The app does not offer users the option to delete their account or cancel their registration. It is not clear whether uninstalling the app means that the account is considered deleted, or the registration cancelled. What if a user uninstalls the app after testing positive for COVID-19? What happens to the personal information already collected if a user tests positive for COVID-19 after deleting the app? The policy needs to offer clarity here.

***Update (April 17 9:38 am): Updated with notification about privacy policy. Originally published on April 14 at 5:19 pm.