You’re reading it here first: “It [Aarogya Setu] is based on a consent[-based] framework. Ideally, in my own opinion, it [Aarogya Setu] should not be [mandatory], it should not have been made mandatory, and this is under review presently with the government because, per se, if we are taking consent, it actually contradicts with it being made mandatory,” Rakesh Maheswhari, Senior Director and Group Coordinator, Cyber Law and e-Security at the Ministry of Electronics and Information Technology (MEITY) said during an online event organised by UN Women on “Cyber Crime Trends and Digital Safety amidst COVID-19 Pandemic”.
Shweta Reddy, from the Centre for Internet and Society, had highlighted a similar concern about futility of consent in an asymmetrical power relation during MediaNama’s discussion on privacy in the time of COVID-19: “Especially in the case of the pandemic, consent cannot be freely given. Central government employees have been told to download Aarogya Setu, so consent is gone there. … It’s not a fair choice to make between livelihood and privacy.”
Having said that, Maheshwari pointed out that if more people download the app, “the effectiveness of this app will substantially improve” and improve to the government’s ability to identify hotspots, to track people who could be potentially at risk “because of their historic data with the actual location [sic]”.
‘Data of less than 0.01% Aarogya Setu users uploaded to the server,’ says MyGov CEO
Thus far, of the 100.2 million downloads that Aarogya Setu has had, “the data of only 15,000, almost 15,000 people who have the app and tested positive has gone to the server,” Abhishek Singh, the CEO of MyGov and National eGovernance Division (NeGD), said during the webinar. “This has helped identify almost two lakh Bluetooth contacts,” he said. “15,000 on a download of 100 million is almost .01%. So only data of 1 in 10,000 people has gone on the server,” he calculated. This means that since May 11, data of more than 2,000 COVID-19 patients has been pulled to the server and an additional 60,000 Bluetooth contacts have been identified.
However, readers should note that the personal demographic data (name, gender, age, profession, travel history and phone number) is immediately uploaded to the server upon registration and hashed to a unique device ID. Here, Singh is referring to the location data that is collected every 15 minutes, and the device IDs of Bluetooth contacts that the app collects on detecting proximity; both are stored on the user’s device until pinged from the server after the user’s risk has been assessed using data analytics.
The positive to testing ration in the general population is about 3%, Singh revealed, since India has conducted about 2 million (20 lakh) tests so far and had over 80,000 positive cases, but this ratio increases significantly when tests are conducted amidst a “vulnerable section of people”. Of the two lack Bluetooth contacts, “depending on the level of contact that has happened, around 30,000 of these people have been tested” and “from this data we found that almost 28% people are turning positive,” he revealed.
“This reduces the pressure on health authorities and ensures that we are able to identify risk groups [to test and treat],” Singh explained.
Using data analytics to identify hotspots
As of May 11, location data of infected users along with data from self-assessment test from Aarogya Setu have been used to identify 697 potential hotspots in the country, MEITY Secretary Ajay Prakash Sawhney had revealed earlier this week. IIT Madras is running the data analytics on the data collected via the app.
Only anonymised data will be shared for research purposes
However, as per the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, the response data may be shared with third parties, presumably private ones. The Protocol does not place any restrictions on anonymising the response data, which includes demographic data (name, mobile number, age, gender, profession and travel history of an individual), when sharing with these third parties. The Protocol, though, specifies that only “hard anonymised” data will be shared with Indian universities and research institutions registered in India.
Still not clear if the sun will set on the app or the Protocol
Maheshwari said that the Protocol “clearly also mentions the sunset clause”. However, this sunset clause — as per which if the Protocol is not “specifically extended” by November 11, 2020 by Empowered Group 9 on Technology and Data Management, the Protocol will lapse, meaning that all personal data will be permanently deleted — is for the Protocol, not for the app itself. This suggests that the app will be repurposed for other issues once the pandemic has been dealt with, including becoming the first building block of India health stack.
Is data collected through Aarogya Setu IVRS shared with Ayushman Bharat?
MediaNama had asked Maheshwari why the syndromic data collected via IVRS was shared with Ayushman Bharat for validation, as per the graphics shared by MEITY Secretary during a press conference on May 11. “I am not really sure if we are really sharing this data with Ayushman Bharat. This aspect, I will have to check up and then come back,” he said.