date 2021-04-28

On April 17, the Government denied permission for software access to the Co-WIN dashboard to Step One, a non-profit organisation (NPO) working on enabling vaccination registration and appointment through WhatsApp. However, on Wednesday it reversed its position and opened selective parts of the Application Programming Interfaces (APIs) for Co-WIN to third parties for appointment vacancies search and vaccination certificate downloads.

In a letter to Step One, dated April 17, the Empowered Group of Vaccine Administration for COVID-19 said that a comprehensive data capture policy needs to be put in place before allowing third-party apps and service access to the COVID-19 dashboard for vaccine registration and delivery. It commended the efforts of Step One to innovate and bring out more options to citizens but said that the “usage of public URLs, capturing personal data, and having citizens use such applications are not permitted unless explicitly stated and enabled through a policy.”

“We have built various services within the Co-WIN system as micro-services exposing APIs for ensuring integration and innovation in future. But, as you may be aware, Co-WIN APIs do deal with sensitive data and hence a well-defined policy covering data capture, protection, security certification, auditing, and other aspects need to be established. As of now, there is no such policy with respect to enabling third-party applications such as yours on top of Co-WIN APIs and hence we will not be able to allow you to connect to our APIs”—Empowered Group of Vaccine Administration for COVID-19 letter dated April 17, 2021

The letter appeared to suggest that the APIs are out in the open for future innovation and not for use at the moment. It also said that a comprehensive policy will be issued and API access for third-party apps will be opened up at an appropriate time in the future; however, the letter did not provide any concrete timeline. The letter was signed by former senior government official RS Sharma. Sharma is the chairman of the empowered group for vaccine administration and is also the Chief Executive Officer of the National Health Authority.

Selective treatment in Co-WIN data access

The vaccination certificates contain data that is personal and sensitive as it not only reveals the vaccination status of an individual but also details of the ID used for verification such as PAN card and Aadhaar. On the one hand, the government is yet to issue the proposed policy governing third-party use of Co-WIN. On the other, it raises the question of why it has opened APIs even though it does not plan on allowing third parties to use them.

The government has opened up the Co-WIN APIs for vaccination certificate downloads, even though there is no comprehensive data capture policy in place, something the agency said was needed just ten days ago. The government’s selective opening up of APIs doesn’t seem to have strong reasoning and poses the same privacy concerns that the agency pointed out earlier when it declined Step One access.

Step One’s WhatsApp Bot

Earlier this month, an organisation called ‘Project Step One’ created a bot on WhatsApp that would allow people to register for vaccination appointments.

*Easy Covid Vaccine appointment booking on Whatsapp* – just click on this link https://t.co/2H6Gc9uFd5 and send a "Hi".

U can book for up to 4 people – integrated with CoWin system, so no need to use app or website – works for 1st Dose & 2nd Dose. Works across India. May share pic.twitter.com/ZWu0s50Ivt — Kiran Bedi (@thekiranbedi) April 10, 2021

But two days later, PIB Fact Check declared the service as fake and stated that registration for vaccination can only be done through the Co-WIN portal and Aarogya Setu app. Following the PIB Fact Check, the Ministry of Health also declared the service as fake and asked the company to stop providing its services.

In a letter to Sharma, dated April 12, Step One formally requested that the government allow the organisation to use the Open APIs available on the API Setu website to run its WhatsApp bot. The primary concern about the service offered by Step One was the potential privacy issues surrounding the capture of data that is highly personal and sensitive. To alleviate some fears, Step One stated in its letter that its service does not store any personal data of users on its server and all data is fully secure. It further added that the code for the WhatsApp bot is open source and available for audit.

In a separate statement, Step One stated that the bot was built using Open APIs provided by the government and the bot simply passed on user data to Co-WIN’s servers and none of the data was saved or accessed by the organisation. It further added that Open APIs are used worldwide to bring innovation and speed to existing solutions.

Step One suspended its services on April 15 while awaiting a response from the government.

MediaNama has reached out to Step One and the National Health Authority of India for comments. We will update the story once we receive them.

