In a major concession and instance of function creep, Aarogya Setu’s new Terms of Service, updated today, include “display [of] a government issued ePass”, provision of “useful information in relation to COVID-19”, and an indicator of whether a person has been infected with the disease or is likely to have been infected. This is in addition to its earlier stated purpose of contact tracing. Also, location data for the last 30, not 14, days will now be pinged to the server if a user comes in close proximity of an infected person.

But in a significant win, reverse-engineering the app is no longer forbidden. Although this is not the same as open sourcing the code, it means that cybersecurity experts can at least analyse the app using publicly available APK kits without the fear of being prosecuted.

Unlike the last time when Aarogya Setu’s Privacy Policy and Terms of Service were updated, this time, the app notified the users of the changes, and sought fresh consent from them for the updated privacy policy and terms of service. Readers can find our word-by-word comparison of the Privacy Policies (v2 and v3) here, and of Terms of Service (v2 and v3) here. As of today, the app is being used by 112.8 million users.


Notification about update to Privacy Policy and Terms of Service.

Could government now be held responsible for any breach?: Changes in Terms

  1. Government working on best efforts basis, might be liable for unauthorised access to users’ information: Echoing the language of the latest Home Ministry guidelines on the use of the app, the Terms now say that the government “will make best efforts to ensure” that the app and services perform as described, but will still not be liable if the app fails to accurately identify proximity to a COVID-19 positive person, or whether they are indeed COVID-19 positive. But in a significant change, the government may now be held liable for “unauthorised access to your information or modification thereof”.
  2. Expansion of services offered by the app: In addition to contact tracing, the app will now also act as an indicator of whether a user has been infected with COVID-19 or is likely to have been infected; as a source of “useful information” related to COVID-19; allow users to access convenience services offered by different service providers related to COVID-19; and to display a government-issued ePass where available. The inclusion of access to convenience services offered by third party providers is a retrospective change to the terms to legitimise inclusion of telemedicine services via Aarogya Setu Mitr which takes users to external sites.
  3. Reverse-engineering no longer banned. Moreover, non-compliance with these Terms will not lead to suspension of a user’s ability to use the app.
  4. Report bugs, defects: In concordance with the removal of the ban on reverse-engineering, people can now report defects and bugs in the app to support.aarogyasetu@gov.in.

Changes in Privacy Policy

  1. Location data of last 30 days will be uploaded to the server: Unlike earlier, when location data of proximity contacts for the last 14 days was pinged to the server, now location data for the last 30 days will be pinged to the server.
  2. Information no longer ‘hashed’ to a unique device ID: Unlike earlier, where the app took on the responsibility of hashing (encrypting) users’ personal information to a unique device ID, now the app no longer has that responsibility. While it will still use a device ID, the privacy policy no longer claims that personal information is mapped in this manner.
  3. On reporting COVID-19 positive status, or on requesting a test, information will be uploaded to the server. This information will include users’ location data that is collected every 15 minutes and stored on the device itself, and details of all DiD exchanges with people a user came in close proximity with. Personal information of other users, except for the DiD, will NOT be uploaded to the server this way. This information uploaded to the server will be used to calculate the probability of infection amongst the user’s proximity contacts. This information, once uploaded to the server, will be deleted after 45 days if a person tests negative, or after 60 days of being cured, if a person tests positive. When this “Report” feature was first introduced, we had pointed out that the Privacy Policy at that time (v2) did not mention that data about sample collection would be sought from users, and that it was not clear how collecting such data from Aarogya Setu users was useful.

How to request data deletion is still unclear

How can users make a data deletion request for personal information that has been uploaded to the server, as prescribed in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 released by the IT Ministry to govern data collection by the app? Deletion of the app only means that users can’t use the services, not that they can request data deletion.

Other changes to the app interface

  • At the time of registration, the options for professions have been expanded and now include: doctor/nurse/paramedic, police/officers/law enforcement, delivery, chemist/pharmacy, wholesaler/groceries, industry/manufacturer, retailer, and none of the above.

Registration now lists these professions. Source: Screenshot from Aarogya Setu