In a major concession and instance of function creep, Aarogya Setu’s new Terms of Service, updated today, include “display [of] a government issued ePass”, provision of “useful information in relation to COVID-19”, and an indicator of whether a person has been infected with the disease or is likely to have been infected. This is in addition to its earlier stated purpose of contact tracing. Also, location data for the last 30, not 14, days will now be pinged to the server if a user comes into close proximity with an infected person.
But in a significant win, reverse-engineering the app is no longer forbidden. Although this is not the same as open sourcing the code, it means that cybersecurity experts can at least analyse the app using publicly available APK kits without the fear of being prosecuted.
Could the government now be held responsible for any breach? Changes in Terms
- Government working on best efforts basis, might be liable for unauthorised access to users’ information: Echoing the language of the latest Home Ministry guidelines on the use of the app, the Terms now say that the government “will make best efforts to ensure” that the app and services perform as described, but will still not be liable if the app fails to accurately identify proximity to a COVID-19 positive person, or whether they are indeed COVID-19 positive. But in a significant change, the government may now be held liable for “unauthorised access to your information or modification thereof”.
- Expansion of services offered by the app: In addition to contact tracing, the app will now also act as an indicator of whether a user has been infected with COVID-19 or is likely to have been infected; serve as a source of “useful information” related to COVID-19; allow users to access convenience services offered by different service providers related to COVID-19; and display a government-issued ePass where available. The inclusion of access to convenience services offered by third-party providers is a retrospective change to the terms to legitimise the inclusion of telemedicine services via Aarogya Setu Mitr, which takes users to external sites.
- Reverse-engineering no longer banned. Moreover, non-compliance with these Terms will not lead to suspension of a user’s ability to use the app.
- Report bugs, defects: In concordance with the removal of the ban on reverse-engineering, people can now report defects and bugs in the app to firstname.lastname@example.org.
- Location data of last 30 days will be uploaded to the server: Unlike earlier, when location data of proximity contacts for the last 14 days was pinged to the server, now location data for the last 30 days will be pinged to the server.
How to request data deletion is still unclear
How can users make a data deletion request for personal information that has been uploaded to the server, as prescribed in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, released by the IT Ministry to govern data collection by the app? Deleting the app only means that users can’t use the services, not that they can request data deletion.
Other changes to the app interface
- At the time of registration, the options for professions have been expanded and now include: doctor/nurse/paramedic, police/officers/law enforcement, delivery, chemist/pharmacy, wholesaler/groceries, industry/manufacturer, retailer, and none of the above.