Aarogya Setu is a curious app made by a curiouser group of people. Since its launch on April 2, India’s contact tracing app has been mired in one controversy after another — usually of its own making. And now it has waded into another one. But it has one bright spot — NITI Aayog’s involvement in creation of Aarogya Setu has now been acknowledged by a MEITY officer publicly.

On October 26, the Central Information Commission, which deals with RTI-related complaints, hauled up the chief public information officers of National e-Governance Division (NeGD) and Ministry of Electronics and Information Technology (MEITY) for providing evasive replies to RTIs related to Aarogya Setu. Saurav Das, an RTI activist and journalist, had asked these departments for details about how the app came to be and who were involved in its development, amongst other things. LiveLaw first reported this story.

Das had also filed a complaint against National Informatics Centre (NIC) for not providing information but the CIC rejected that. However, since all three government agencies said that they did not have any information on the app, the CIC basically called the circumstances absurd.

“The Commission observes that it is a current issue and it is not possible that there was no file movement while creating this App, a citizen cannot go round in circles to find out the custodian.

“The CPIO, NIC’s submissions that the entire file related to creation of the App is not with NIC is understandable, but the same submissions if accepted from MeITY, NeGD and NIC in toto, then it becomes more relevant to now find out how an App was created and there is no information with any of the relevant public authorities.” — Central Information Commission’s interim order

The CIC thus directed NIC to explain how it could have no information related to the app if the website is hosted on a .gov.in domain which is controlled by the NIC. The Aarogya Setu website also mentions that it is owned, updated and maintained by MyGov, a subsidiary of NeGD which is in turn a department under MEITY. The website also mentioned that the Aarogya Setu platform is designed, developed and hosted by the NIC. “[How] is it that they do not have any information about the creation of the App[?]” Information Commissioner Vanaja N. Sarna asked in the interim order.

A copy of the order has been sent MEITY Secretary Ajay Prakash Sawhney, MyGOV CEO Abhishek Singh and NIC Director General Dr Neeta Verma. The case will next be heard on November 24.

What was the information sought? Through at least two RTIs, Das had asked for copies of files about creation of Aarogya Setu that would have origin of proposal, companies, people, government departments involved, file notings, comments by officers, copies of communications, etc. amongst many other details.

What did the government departments say? The Department of Electronics (under MEITY) had transferred the RTI to NeGD. NeGD, in a response sent two months after the RTI was filed, said that it did not have the information since it was not related to NeGD. MEITY CPIO said that NITI Aayog was involved in creation of the app.

Why is it such a big issue? It is phenomenal that MEITY, the ministry that houses NeGD and NIC, did not have any information on Aarogya Setu or its origins. Especially because in the past, through RTIs, MediaNama and other individuals have got information related to the app from MEITY and NIC, while officers from all three have spoken on record about their involvement in the creation of the app. Here’s a quick summary:

  • RTI responses from MEITY have shown that the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, that the government had released on May 11, had significant inputs from MEITY that were ultimately rejected. Key amongst them was a set of guidelines to govern all data related to the COVID-19 pandemic, not just Aarogya Setu data.
  • In response to RTIs filed by MediaNama, NIC had revealed the following information:
    • The number of submissions made to the Aarogya Setu Bug Bounty Programme
    • That the results of the Android Bug Bounty Programme will be announced “shortly” and that the Bug Bounty Programme for iOS would be released “shortly”. We had received this response on September 30.

Apart from that, the list of contributors acknowledged the MEITY Secretary Ajay Prakash Sawhney, NIC Director General Dr Neeta Verma and NeGD President and CEO Abhishek Singh as government leaders. If that was not enough, all the 21 government contributors are NIC employees. All three were were present when the Aarogya Setu app’s Android version was open sourced on May 27. Singh broke the news that the iOS code has been open sourced on OpenForge in August. Singh and Sawhney made multiple appearances at government press conferences and other events giving information about the app.

Despite all this, the NIC, NeGD and MEITY have chosen to withhold information on the creation of the app in RTIs and instead released a press release that actually does not categorically state the entities involved. The GitHub link in the release does not actually state the affiliations of the contributors; MediaNama populated that data through research.

When Aarogya Setu was launched on April 2, it was launched as a Government of India app developed through Public Private Partnership under the guidance of the National Informatics Centre (NIC). No other entities were mentioned apart from a quote by Principal Scientific Advisor to the Government of India Prof. K. VijayRaghavan. However, in the seven months since then, a lot of information has come out about who the public and private partners are. Since this information has practically trickled out of the government and private players, it has led to people questioning the lack of transparency in the process.

Role of MEITY

On March 29, the Ministry of Home Affairs, under the Disaster Management Act 2005, had constituted 11 Empowered Groups to manage the COVID-19 pandemic. One of these groups was Empowered Group 9, on Technology and Data Management, led by Ministry of Electronics and Information Technology Secretary Ajay Prakash Sawhney.

Thus far, it is not known if this Group was involved in developing the contact tracing app but other RTI responses from MEITY have shown that the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 that the government had released on May 11 had significant inputs from MEITY that were ultimately rejected. Key amongst them was a set of guidelines to govern all data related to the COVID-19 pandemic, not just Aarogya Setu data.

That set of RTI responses revealed that three law firms and entities — PLR Chambers, Vidhi Legal and Advocate Vakul Sharma — had been approached by MEITY to develop the guidelines for all COVID-19 data but ultimately, only Vidhi’s version of the Protocol, limited to the app, was made public. It is still now known when these three entities were approached — before the app was launched, or after it. Readers must also remember that NIC and NeGD are housed within MEITY.

Curiously enough, a day after the app was launched, the Central Government, Rashtrapati Bhawan and the Cabinet Secretariat created a committee to create a Citizen App that will onboard all citizens to “combat the COVID-19 pandemic” and “evaluate and converge related technology solutions and suggestions” through a public-private partnership (PPP). It is now known what this Citizen App was about or what became of this committee.

Members of this committee included MEITY Secretary Ajay Prakash Sawhney, DoT Secretary Anshu Prakash, Principal Scientific Advisor to the Government of India Prof. K. VijayRaghavan, now former TRAI Chairperson R.S. Sharma, Mahindra & Mahindra Chairperson Anand Mahindra, Tata Sons Chairperson N. Chandrasekaran, and National Security Advisory Board Member Prof. V. Kamakoti.

Role of NITI Aayog in Aarogya Setu

A week before Aarogya Setu was launched, NITI Aayog had circulated an app called CoWin-20 in closed groups that traced COVID-19 contacts using location data. The aim was to create a “mishmash” of the “best” parts of NITI Aayog’s app and MEITY’s Corona Kavach.

When Aarogya Setu was launched, we had learnt from the COO of 1mg that it is a NITI Aayog-driven project (more on that below). At least two cybersecurity researchers had shown us screenshots that showed that the first Aarogya Setu privacy policy was in fact hosted on the servers of CoWin-20.

That’s to say nothing of how Arnab Kumar, the then Director of Frontier Technologies at NITI Aayog, practically became the spokesperson for the app.

Involvement of MakeMyTrip, 1mg has been frequently elided

Two private companies — MakeMyTrip and 1mg — have been closely involved in the development of the app. Of the 34 industry contributors (apart from the C-suite personnel) identified in the list of contributors on GitHub, 13 are from Goibibo, 10 are from MakeMyTrip (one of them left MMT in April), four from 1mg and one from NITI Aayog. We could not find details for 6 of the contributors, though one of them is from Go-MMT.

When the app was launched on April 2, we had received a message on WhatsApp that said: “We, at Go-MMT and 1MG, are proud to announce that the app we’d been working on with the Government of India to fight against COVID19, is finally out on App Store and Play Store.” The message listed main features of the app and gave links to download it from the App Store and Play Store. We received a “revised” message few minutes later that said: “Government of India has launched an app to fight against COVID19, and it is finally out on App Store and Play Store.”

We had initially reported: “1mg was involved in developing the app, Tanmay Saksena, the COO, confirmed to MediaNama. He declined to comment further since it is ‘a NITI aayog driven project [sic]’.” We had then received a call from Prashant Tandon, the co-founder of 1mg, who categorically denied the involvement of the company in the development of the app. We had updated our story accordingly. Since then, Tandon has come out as an advisor on the app. NITI Aayog CEO Amitabh Kant acknowledged the Tandon and his team’s contributions when the app’s Android version was open sourced in May.

MakeMyTrip, on the other hand, had denied all involvement in the project when we reached out to them on April 2. The company had said, “While we are involved in multiple conversations with industry bodies and government, Go-MMT is not involved in it.” Since then, Deep Kalra, founder and CEO of MakeMyTrip, has emerged as a “private volunteer” and been publicly acknowledged by Kant, like Tandon was.

In June, Kalra finally acknowledged that his company’s team of developers and engineers was involved in developing the app. In October, he further said that 30 people from the MakeMyTrip team worked on the app who did “most of the development work”. Most significantly, he revealed that companies like 1mg also collaborated, directly contradicting Tandon’s statements to us.

To be absolutely clear, we know from our interviews with Rahul Matthan (who developed the app’s privacy policy) and Arnab Kumar (NITI Aayog), and from attending a webinar where Kumar and Dutta spoke about the app that individuals from the private sector have not entered into formal contracts with the government and are working on a pro bono basis.

Issues around open sourcing

Even when the team from Aarogya Setu scores a PR win, it manages to mess it up. After two months of intense criticism, the team finally made the Android code open source on May 27 and unexpectedly also announced a Bug Bounty Programme. However, the team barely engaged with developers on GitHub and the results of the Bug Bounty Programme are nowhere in sight.

iOS source code was eventually released on August 10 on Open Forge, the governemnt’s own open source platform, but “pull requests” feature  through which people can raise issues with the app is still disabled. The source code for KaiOS and the server seems like a distant dream.

And in a whammy that should have put a nail in the PR coffin, NIC-CERT said that the Android code published on GitHub was a test backend code, not the production code. In English, it means they uploaded a model code to GitHub, not the actual one, thereby making public auditing null and useless.

Where is this app going? (read: why you should care)

From the beginning, Kumar had said that this app may be used as the initial building block for National Health Stack. The NHS seeks to overhaul the entire health infrastructure in India and digitise it (read: privatise it). First introduced in 2018 by NITI Aayog, the aim of the NHS is to act as the backbone of India’s national health insurance scheme — Ayushman Bharat. While Ayushman Bharat consists of both health insurance and setting up primary healthcare centres in the country, the NHS is only concerned with the former.

iSPIRT, the Bengaluru-based technology lobby group that is behind India Stack, is also behind the National Health Stack.A number of “industry leaders” who have contributed to the Aarogya Setu app, including Lalitesh Katrgadda, are key “volunteers” at iSPIRT. On May 23, iSPIRT’s Sharad Sharma said that Aarogya Setu, along with telemedicine, is a part of the National Health Stack.

Others are indirectly linked to the lobby. For instance, Tandon is connected via the Swasth Alliance, a telemedicine group led by him, Curefit founder Mukesh Bansal and Practo’s Shashank N.D. which, as per iSPIRT, is crucial to NHS. To that end, in a jarring case of function creep, five telemedicine service providers were listed on the Aarogya Setu app (Aarogya Setu Mitr) but were pulled down after a Delhi High Court order.

Key point to remember here is that data collected from the Aarogya Setu IVR system (for people without smartphones) is validated by Ayushman Bharat, the national health insurance provider. Despite repeated queries by MediaNama, MEITY has not clarified why syndromic data needs to be “validated” in this way. The writing is on the wall on how insurance providers, especially private ones, could misuse such sensitive health data.

At least three different litigations are being heard against the app in different high courts across the country — Karnataka High Court, Kerala High Court, and Bombay High Court (Goa Bench). In all cases, the benches have voiced their concerns about the usefulness of the app, the lack of law overseeing its use, and concerns around making it mandatory.

Despite that, in a piecemeal approach, different governments, government departments, private sector players keep making the app mandatory. For instance, it is mandatory for tourists to have the app if they want to visit Himachal Pradesh. Similarly, Jawaharlal Nehru University in Delhi has recently made it mandatory for students and staff to download the app and show the “safe” status to enter the campus. None of such orders consider the impact on those without smartphones, a whopping 65% of the Indian population.

Questions raised by opacity around Aarogya Setu’s development

  • If MEITY does not have information about the data collected by the app, how it is handled and other things, how could representatives from MEITY assure the Parliamentary Standing Committee on Information Technology in July that the app is completely safe and concerns around privacy are misguided?
  • If operations of the app have been handed over to NIC, why does historical data about the app still reside only with NITI Aayog?
  • Why was the RTI request not transferred to NITI Aayog for more information? Section 6 of the RTI Act states that in cases where information is held by another public authority, or subject matter is closely linked to functions of another public authority, the RTI application must be transferred to it within five days of receipt.
  • Why has NITI Aayog’s involvement been glossed over time and again?
  • If NeGD does not have information on the app, how could Singh give out data about the effectiveness of the app?
  • How can the NIC not have information about how the app works if it can receive submissions under the app’s Android Bug Bounty Programme and reveal the number of submissions received in another RTI?
  • Why is the government so cagey about giving information about how the app came about?
  • Why should an app, that was made mandatory for 17 days for 1.3 billion people, and that is now used by over 160 million Indians, be shrouded in secrecy?

Read more:

Read our extensive coverage of the app here.

***Correction (November 2, 2020 10:50 am): The section on National Health Stack incorrectly said that Arnab Kumar had said that the Aarogya Setu app “will” be a part of the National Health Stack; he had said it “may” be. iSPIRT’s Sharad Sharma had said on May 23 that Aarogya Setu “is” a part of the NHS. The error is sincerely regretted. Originally published on October 29, 2020 at 5:55 pm.