The number of third-party CoWIN vaccine alert apps and services continues to grow, despite the lack of a comprehensive data capture policy to govern what these services are allowed to do. Many of them capture mobile numbers and email IDs to notify users when a slot opens up in their desired area, but there is no clear policy in place to govern the use and storage of this data. A slew of these apps and websites have sprung up over the last week to address the limitations of the official CoWIN portal.
Why are CoWIN APIs open without a data capture policy in place?
The government has been double-minded on this issue. On April 17, the government denied CoWIN API access to Step One, a non-profit organisation (NPO) working on enabling vaccination registration and appointment through WhatsApp. Back then, the Empowered Group of Vaccine Administration for COVID-19 said that a comprehensive data capture policy needs to be put in place before allowing third-party apps and services.
“We have built various services within the Co-WIN system as micro-services exposing APIs for ensuring integration and innovation in future. But, as you may be aware, Co-WIN APIs do deal with sensitive data and hence a well-defined policy covering data capture, protection, security certification, auditing, and other aspects need to be established. As of now, there is no such policy with respect to enabling third-party applications such as yours on top of Co-WIN APIs and hence we will not be able to allow you to connect to our APIs”—Empowered Group of Vaccine Administration for COVID-19 letter dated April 17, 2021
However, on April 28, the government reversed its position and opened selective parts of the CoWIN API despite the lack of a data capture policy. One of the APIs that was opened up allows third-party services to find available vaccination slots based on district or pincode. In the government's defence, it can be argued that it believed opening up slot search could do no harm, because the API does not collect users' personal information but only lets them find slots based on district or pincode. But what the government might not have foreseen is the alert service that many of these apps provide. These apps allow users to register for alerts through email, Telegram and Twitter when slots open up in their desired area, which inevitably involves sharing an email ID and phone number with the service.
Regardless, the government should have put a data capture policy in place because the second API that was opened up allows third-party services to download vaccination certificates. These certificates contain data that is personal and sensitive as it not only reveals the vaccination status of an individual but also details of the ID used for verification such as PAN card and Aadhaar. It’s unclear why the government changed its stance and decided to open up these APIs despite the privacy concerns.
How have some sites addressed this concern?
While the government has no policy in place, some sites have taken matters into their own hands and laid out what they do with the data they collect. But there is no guarantee that these sites will do what they say and there is no penalty if they do not. Here is a non-exhaustive list of these sites:
- Signzy App – Built by the team at Signzy, this app lets you search for slot availability by district or pin code and set email alerts based on pin code. This service perhaps has the most comprehensive policy in place. In addition to saying how each of the data fields will be used (email, pin code, date of birth, phone number), Signzy says that the data will be used with care and only for sending notifications. It also says that all the personal data will be deleted 15 days after registration.
- getjab.in – Made by a team of developers (Azhar, Shyam, Anurag, and Akshay), this site gives you an alert by email if a vaccination slot opens up in your district. It has a note on the front page saying “Your data won’t be shared or sold to anyone. Don’t worry.”