Experts explain the legal and moral pitfalls in Aarogya Setu app ⁠— despite the government’s insistence that a protocol has been put in place

The Aarogya Setu app.Rounak Jain/Business Insider India
  • The Indian government has laid down the protocol for data collection in the Aarogya Setu app, after it came under fire from experts and opposition parties.
  • According to the protocol, any data obtained through the Aarogya Setu app shall be anonymised, and it shall be permanently deleted after 180 days of collection.
  • However, experts suggest that the data collected should be routinely audited, monitored and supervised by other institutions, such as the Indian Parliament.
India’s IT Ministry has passed an order to lay down the protocol for data collection in the Aarogya Setu app. However, security experts are of the opinion that these data collection practises should be monitored by the Indian Parliament.

The order was passed on Monday, stating that the National Informatics Centre (NIC), the developer of the application, shall collect only such response data which is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.

However, experts think data collected using the Aarogya Setu app needs to be routinely audited, monitored and supervised by other institutions, such as the Indian Parliament.

“You want this surveillance to follow civilians without being monitored by the Parliament. You are shifting surveillance from counterterrorism to civilians. This shift must be routinely monitored, audited and supervised by the other institutions in the democratic regime,” Yuval Wollman, President, CyberProof, told Business Insider.

From a cyber security perspective, Wollman said, “You want to make sure that you have the right protection in your application, equitable to the data being collected.”

“It opens up the doors for the attackers – from a government’s perspective, you want to make sure that the agencies are taking the right protection as well,” he further added.

“This also goes against the provisions of the IT Act and the proposed Personal Data Protection Bill as the app service provider would fall under the definition of an intermediary and (is) obligated to ensure the security of the data collected and (is) liable for loss of it under the intermediary guidelines,” Salman Waris, Partner at Tech Legis Advocates and Solicitors, told Economic Times.

Government protocol says data should be permanently deleted after 180 days

The ‘Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’ states that the government should permanently delete the data after 180 days.


Apart from that, the government has mandated that any response data accessed by an authorised body shall ordinarily not be shared with any third party. However, response data may be shared with such third parties only if it is strictly necessary to directly formulate or implement appropriate health responses, it added.

Government mandates data anonymisation

Further response data may be made available for research purposes by NIC in hard anonymised form. Hard anonymisation refers to a series of technical processes which ensure that any individual is incapable of being identified from the response data through any means reasonably likely to be used to identify such individual.

This anonymisation shall be done in accordance with anonymisation protocols that are to be developed, reviewed and updated on a periodic basis by an expert committee appointed by the principal scientific advisor to the Government of India.

"Such review shall have regard to the nature and sensitivity of the data being processed, the robustness of the anonymisation protocol and advances in technology. Response data which has undergone hard anonymisation, as under para 8(a), may be made available to Indian universities and research institutions / research entities registered in India," it said.

Any violation of these directions may lead to penalties as per section 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable, as per the protocol.

See also:

These are the privacy issues in Aarogya Setu, India's Covid-19 tracker app, alleged by French hacker Elliot Alderson

Aarogya Setu denies privacy breach, contradicts ethical hacker’s claims

COVID-19 contact tracing app Aarogya Setu has alerted 1.4 lakh users: official; govt mulls making it mandatory for air passengers