Aarogya Setu has released an Open API Services Portal through which third party apps can check users’ health status “with consent”. The API terms and conditions state that it will provide “only the health status of a registered Aarogyasetu User (with User’s consent) [sic]” and “no other personal data shall be provided through the API”. According to the tweet and the service’s terms and conditions, this API service is available only to organisations and entities which are registered and have operations in India, and have more than 50 employees/customers/users. The government envisions the API as a tool “to help the people, businesses and the economy to return to normalcy”.

The terms and conditions forbid the app developers from charging their employees/users/customers a fee for using this service, and from using it for “any commercial advertisements or marketing or analytics”. Third party apps will have to be authorised by a necessary government agency to be able to use the API. The authorising agency is likely to be the National Informatics Centre. We have reached out to them for comment.

The groundwork for accessing health status via APIs was laid in the updates to the app on July 6 and July 17, when a new feature — Approvals — was added to the app to allow external apps to access the user’s Aarogya Setu status. Readers may also remember that in the now taken down August 12 blog post by Security Brigade, the company had pointed out that the developers “seem to be introducing new APIs for third party integrations and QR code-based tracking features that have already been released into production”. MediaNama had also cross-posted Security Brigade’s blog but took it down at the author’s request.

This new portal has been introduced even though the results from the bug bounty programme for the Android App have not yet been declared, nor have the server-side and KaiOS code been open sourced or put in public domain, despite promises to do so. Thus far, only the Android code and iOS code have been open sourced and put in public domain, respectively.

Aarogya Setu is the building block for the National Health Stack that is being developed by private players through a private lobby, iSPIRT. With this kind of integration with third party apps, it may well become an immunity passport that citizens would be required to hold in order to access services and physical spaces and to earn their livelihoods, thereby raising multiple concerns around digital exclusion, privacy, and freedom of choice.

Who can get this API for their app?

The API is available only to entities that are registered in India and have an operational presence here. “The Total Employees/Customers/Users, of the Organization/Entity, whose health status needs to be checked through OPEN API, should be more than 50,” as per the terms and conditions.

MediaNama’s take: By setting the eligibility condition to more than 50 employees, users and customers, the app basically gives a carte blanche to anybody who wants to develop an API. For instance, if a food delivery start-up has fewer than 50 employees but more than 50 customers, does that mean it can get access to this API to keep track of all its employees, because the terms do not distinguish between employees and users/customers?

How can companies use it?

The head of the organisation or a senior official will send an email to openapi.aarogyasetu@gov.in with the details listed below. After verification, the organisation will be authorised to use the APIs. If any information is false or inadequate, registration can be cancelled. It is not clear who will do the verification of the organisations — NIC or some other government agency.

Details to be sent for access to API:

  • Name of the organisation
  • Registration number of the organisation/entity with the government
  • Details of the person registering on behalf of the organisation including name, designation, mobile number, phone number, email address, postal address
  • Purpose for which the organisation/entity will use the open API
  • Total number of employees/users/customers whose health status needs to be checked on Aarogya Setu
  • Expected API requests per day
  • Email ID used for registration with OPEN API
  • Official website of the organisation/entity
  • Link to the page in organisation/entity’s website, where the email ID (used for registration with OPEN API) is mentioned
  • Details of the technical contact person from the organisation/entity including name, designation, mobile number, phone number, email address, postal address

If a user refuses to provide consent, they cannot be denied services

As per the terms and conditions, when a company develops an app that uses this API, the app must be designed so that it cannot access and collect data from the Aarogya Setu app and servers without the explicit consent of the user. The app must offer the following options related to consent:

  • One-time consent
  • Consent until cancelled
  • Consent up to a specified date

If a user refuses to give their consent to share their health status through the open API, the app developer has to provide other means through which they can avail the services offered. Thus, a user’s refusal to use the open API must not lead to denial of services. This is a good step, though it is not clear if employees can also refuse to give consent.

What can the API be used for?

The information accessed through the API will only be used to ascertain “the risk that your employees or customers or users, might have been exposed to COVID-19 and/or for management of COVID-19 in your extended workplace and shall confirm that you have put in place appropriate organisational and technological measures to ensure compliance with this obligation”. It is not clear how Aarogya Setu health status of employees, users and customers will ascertain the appropriateness of “organisational and technological measures” taken by the company.

What kind of data can be collected by the app?

That has actually not been defined in the terms and conditions. They place a restriction on the use of data, but not on its collection:

“For the avoidance of all doubts no API Client shall be designed to use the data for a purpose unrelated to the management of COVID-19 nor shall the period for which the data is retained by the API Client exceed the data retention provisions set out in the Aarogya Setu Privacy Policy and Aarogyasetu data access and knowledge sharing protocol [sic]”.

Privacy measures are undefined

The companies are also supposed to commit to the privacy of their “employees customers, users and persons that they might have come in contact with” and confirm that they “have put in place appropriate organisational and technological measures to ensure the same”. These organisational and technological standards have not been defined anywhere, including in the Aarogya Setu Data Access and Knowledge Sharing Protocol. In the absence of a privacy law or related regulations, it is not clear what the third party apps will use as their guide.

Data can only be stored in India, cannot be shared further: Security measures

App developers who use this API must:

  • Report data breach. App developers have to use “all commercially reasonable efforts to protect the user data collected by the API Client from unauthorized access or use and will promptly report to your users any unauthorized access or use of such information to the extent required by applicable law”.
  • Anonymise data as much as possible as per anonymisation principles incorporated into Aarogya Setu.
  • Store data collected through the API within India.
  • Not share data with any other organisation or entity or re-distribute it.
  • Use transport layer encryption for API communication.
  • Not expose API keys in plain text.
  • Not share API keys allotted to the organisation with anyone else. If an API key is compromised, it must be reported to aarogyasetu@gov.in.

Misuse of API would result in legal action against the app developer: The APIs are being made available on an “as-is” basis and the government is not responsible for any defects, errors, bugs, compatibility issues. “The functioning of the APIs are dependent on your compliance with these Terms,” the terms state. However, if the app developer does not comply with the terms or submits false information, legal action will be taken against them.

  • As per the Protocol, the government agency that shares data with the third party will be responsible for the third party’s adherence to the Protocol. No such responsibility has been allocated in the terms and conditions of the API. The third party app developer only has to report a breach.
  • As per the latest privacy policy, while the government will work on best efforts basis, it may be held liable for “unauthorised access to your information or modification thereof”.

Third parties must maintain auditable logs

In accordance with the Protocol, where data usage by third parties will be subject to audit and review by the Central government, the third party apps are expected to “generate and maintain auditable logs of the Aarogya Setu data collected and processed by the API Client [app] and shall, on demand, make such logs available to the Government of India”.

For how long is data retained?

Before taking user’s consent, the app developers have to inform users about the “specific purpose” for which data will be used, time period for which it will be retained and how the data will be deleted.

The apps must be designed so that data can only be used for COVID-19 management related purposes and be retained only for periods specified in the Aarogya Setu Privacy Policy and the Protocol. That is confusing because as per the Privacy Policy, data is retained on the Aarogya Setu servers for at most 60 days under different conditions while the Protocol allows retention of contact, location and self-assessment data for up to 180 days. Neither document lays out how long the health status of a person is retained on the server.

As per the data deletion feature that was introduced to the app in July, deleting the account means erasing information from government servers 30 days after the account is deleted, deleting all app data from the phone, and permanently cancelling your registration. It has not been made clear if data of users who are tested for COVID-19 is also deleted from government servers if they request account deletion, because as per the Privacy Policy, if users test negative, the data is retained for 45 days, and if they test positive, it is retained for 60 days after they are declared COVID-19 free.

Does this then mean that third party apps will have the least restrictive duration (up to 180 days) or most restrictive one (30 days)?

MediaNama’s take: As per the terms and conditions, a user must have a choice between one-time consent, consent until cancelled and consent up to a specified date. Thus, how long is the data actually retained? Will the third party app retain such logs until an audit is conducted, or until the user has consented, or as per the conflicting app privacy policy and protocol?

Government of India can limit the number of API requests made

The government of India can limit the number of API requests that an organisation can make or the number of users it can serve or any “other limitations as appropriate”. The app developer is forbidden from trying to circumvent these limits, and if they want to use the API beyond the limit, they must first seek the government’s permission.

App’s terms of service must be published

The app’s detailed terms of service must be published along with the app, and users must comply with these terms before using the app.

Language around preserving privacy is vague: MediaNama’s take

It is not clear what data third party apps will have access to through the API: The terms and conditions leave it ambiguous about what kind of data third party apps will have access to. Although the terms and conditions state that the API will provide “only the health status of a registered Aarogyasetu User (with User’s consent) [sic]” and “no other personal data shall be provided through the API”, language of other clauses suggests that third party apps may have access to other personal data but will have to commit to not use it instead of not having that access at all.

This suggests that the app developer will have access to personal information stored on the servers of Aarogya Setu and the app developer, not NIC or any of the Aarogya Setu developers, will be responsible for controlling user access to it by designing the app in a particular way. That is concerning. If the aim is to only check the name and the health status of the individual in question, this third party developer does not need access to all personal information about Aarogya Setu users; the PII stored by Aarogya Setu needs to be siloed away from the health status and phone number.

As per the Protocol, personal data can be shared with third parties only to formulate health responses: The Protocol allows for data to be shared with third parties only if it is “strictly necessary to directly formulate or implement appropriate health responses”. Neither the tweet, the PIB press release, nor the terms and conditions talk about using this API as a health response. The terms and conditions do not talk about how sharing this data through an API with employers helps the government formulate a health response when the government already has direct access to the data.

Documents related to the Open API service: Aarogya Setu Open API Home Page | Aarogya Setu Open API Terms of Service | Aarogya Setu API Flow Chart

We couldn’t access the dashboard since that required us to get our account verified for this purpose.
