Editor’s note: This article has been rewritten to address a misinterpretation of the terms and their applicability. The error is regretted.
Google and Apple have updated the terms of service for their contact tracing API (Application Programming Interface), which allows governments to develop contact tracing apps, to limit the scope of data collection, following worldwide criticism of the surveillance threat that contact tracing can pose. What’s also interesting, from a tech-politics perspective, is that this means Google and Apple are imposing their norms on what governments can and cannot do with their API.
Importantly, this is not going to have an impact on Aarogya Setu, given that it uses its own APIs for contact tracing. These terms will only be applicable to Aarogya Setu should it choose to deploy the Google-Apple APIs.
Here’s how the terms of the Google-Apple API compare with those of Aarogya Setu:
Key changes in terms and how they compare with Aarogya Setu
1. One per country: Contact tracing apps using the Google-Apple API have been limited to one app per country, unless the country has a regional approach.
Comparison with India: India has rolled out a single contact tracing app in Aarogya Setu, but other apps have also been deployed in the country. Some of them, such as the one in Karnataka, are for managing quarantined patients.
2. Purpose limitation and data sharing: An app that uses the Google-Apple API has to be used exclusively for COVID-19 response, and not for any other purpose, such as law enforcement or any punitive action. The terms also say:
“Your App may only collect the minimum amount of end-user data necessary for COVID-19 response efforts and may only use the data for such efforts. All other uses (including selling or licensing such data, using it to serve or target ads, or providing it to government agencies for purposes other than COVID-19 response) are prohibited.”
“While end users of your App may provide personal data as part of their use of the App, you will not share this end-user personal data with Google. You may only share end-user personal data with third parties with user consent, and only as necessary for COVID-19 response efforts.”
There is also a plan to keep Aarogya Setu, with an install base of over 75 million, functioning beyond the COVID-19 crisis, by removing contact tracing functionalities.
3. Personal data collection: The app, as per the terms, may not require end users to provide personal information to receive exposure notifications.
Comparison with Aarogya Setu: This isn’t the case with Aarogya Setu, which requires that users provide personal information in order to be able to use the application.
4. Consent: As per the terms, the app must provide end users with the ability to consent before using the app.
Comparison with Aarogya Setu: This provision is meaningless, given that the Ministry of Home Affairs notification from a few days ago mandates that employers ensure that employees download the Aarogya Setu app. In effect, the statutory mandate has overridden the choice that the app provides by way of consent.
6. Location data: This is a tricky one. “Your App may not request the Location, Bluetooth_Admin, Special Access, Privileged, or Signature permissions, or collect any device information to identify or track the precise location of end users”
Comparison with Aarogya Setu: One key criticism of Aarogya Setu is that it tracks location data, which is deemed unnecessary for contact tracing, to identify the location of individuals. In particular, Aarogya Setu tracks:
- Location data linked to Risk Assessment Tests is sent to a government server, when the test is taken.
- Location data is tracked every 15 minutes (or 30 minutes), and stored on the device. It is uploaded to the government server, only if:
  - User tests positive for COVID-19, and/or
  - Self-declared symptoms indicate that user is “likely to be infected with COVID-19”, and/or
  - Self-assessment test result is either yellow or orange.
7. Runtime permissions: Your App may not request any other runtime permissions (e.g., Contacts, Storage) unless expressly authorized by Google.
Comparison with Aarogya Setu: Aarogya Setu doesn’t require access to contacts or storage, so this isn’t a concern.
8. Linking datasets: The terms expressly prohibit combining data obtained through permissions granted to any other app (contacts, storage and other runtime permissions, as well as Location, Bluetooth_Admin, Special Access, Privileged, or Signature permissions and other location-related permissions) with the data from the contact tracing app.
Comparison with Aarogya Setu: There’s no publicly available mapping of which datasets are being combined in India for the COVID-19 response, and thus it is not clear whether data from other government apps is being combined with Aarogya Setu data. However, Aarogya Setu Mitr requires that users log in separately to the website, and there is no data sharing between the two.
What Google and Apple cannot do
Speaking with MediaNama, Kiran Jonnalagadda, Founder of HasGeek, said Google and Apple are somewhat limited in how much control they have over apps on user devices:
- Google and Apple cannot prevent side-loading of the app or listing on the Play Store: These terms will only apply to apps that use the Google-Apple API. In addition, “they cannot prevent anyone from side-loading an app and using existing APIs on a device. A government can still bypass these terms by asking individuals to manually install an APK file, or forcing manufacturers to bundle or pre-install the app. They can use the APIs once they’re on the device.” Note that there have been news reports that handset manufacturers are being asked to pre-load Aarogya Setu for the Indian market.
- Device APIs will still be accessible: “Without the API, an app cannot determine the phone’s location without using one of GPS, cell towers or nearby Bluetooth beacons or WiFi”, Jonnalagadda said. “It is still in the control of the Operating System whether an app can get location or not. The primary problem [for Google] is that the OS is controlled not by Google. It is controlled by the OEMs [handset manufacturers], who in turn have agreements with Google regarding what they are allowed to do. Google is not in a position to ban the app from using APIs on the device, but they can ban it from the app store.”
- Pull the app from the device: For apps that are installed via the Play Store, given that the Play Store terms are applicable, Google “can also pull it out of the device,” Jonnalagadda said.