The National Informatics Centre (NIC) refused to provide the list of companies that have access to the Aarogya Setu Open API in an RTI response, saying that “no larger public interest is served by providing this information”. When SFLC.in, the digital rights organisation that had filed the RTI, appealed the reply citing Section 8 of the RTI Act, 2005, which does not recognise “larger public interest” as a ground to deny information, the Appellate Authority of NIC agreed with the first CPIO’s (Chief Public Information Officer) decision to refuse the information.

The Aarogya Setu Open API Services Portal, launched on August 22, allows third party apps to check users’ health status “with consent”. This service is only available to orgnisations and entities that are registered and have operations in India, and have more than 50 employees/customers/users.

This is not the first time that RTI queries related to the contact tracing app have been stonewalled:

  • The Central Information Commission had hauled up the CPIOs of National e-Governance Division (NeGD) and Ministry of Electronics and Information Technology (MEITY) for providing evasive replies to RTIs related to Aarogya Setu. In this case, filed by RTI activist and journalist Saurav Das, the CIC had also directed the NIC to explain how it could have no information related to the app if the website is hosted on a .gov.in domain which is controlled by the NIC.
  • Internet Freedom Foundation’s RTI request seeking the source code of the app was rejected in May. However, that was filed before the Android code was open sourced on May 27 and the iOS code was made open source on August 10. It is important to remember that NIC-CERT had later said that source code on GitHub, that is the Android source code, is “test backend code”, not “production code”.

On the other hand, other RTI responses related to app have revealed significant information:

  • RTI responses from the NIC revealed that the government of India has not implemented the measures and safeguards prescribed in the IT Ministry’s Data Access and Sharing Protocol for Aarogya Setu, the Quint had reported. For instance, the Protocol mandates NIC to maintain a detailed list of entities with whom Aarogya Setu data is shared, but NIC only gave categories of entities with whom it shares data. NIC also said that it had no information about the “reasonable security practices and procedures” implemented by parties receiving data. Read the RTI query (filed by Das) and NIC’s response.
  • RTI responses from MEITY have shown that the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, that the government had released on May 11, had significant inputs from MEITY that were ultimately rejected. Key amongst them was a set of guidelines to govern all data related to the COVID-19 pandemic, not just Aarogya Setu data.
  • In response to RTIs filed by MediaNama, NIC had revealed the following information:
    • The number of submissions made to the Aarogya Setu Bug Bounty Programme
    • That the results of the Android Bug Bounty Programme will be announced “shortly” and that the Bug Bounty Programme for iOS would be released “shortly”. We had received this response on September 30, although the results of the Android Bug Bounty Programme were yet to be announced at the time of publication.

Read more: