Experts explain the legal and moral pitfalls in Aarogya Setu app — despite the government’s insistence that a protocol has been put in place
Rounak Jain/Business Insider India
- The Indian government has laid down the protocol for data collection in the
Aarogya Setuapp, after it came under fire from experts and opposition parties.
- According to the protocol, any data obtained through the Aarogya Setu app shall be anonymised, and it shall be permanently deleted after 180 days of collection.
- However, experts suggest that the data collected should be routinely audited, monitored and supervised by other institutions, such as the Indian Parliament.
India’s IT Ministry has passed an order to lay down the protocol for data collection in the Aarogya Setu app. However, security experts are of the opinion that these data collection practises should be monitored by the Indian Parliament.
View all Offers
View all Offers
- 24% OFF
Samsung Galaxy M32 (Light Blue, 4GB RAM, 64GB Storage) 6 Months Free Screen Replacement for Prime₹ 12999₹ 16999Buy On
- 21% OFF
iQOO Z3 5G (Cyber Blue, 8GB RAM, 128GB Storage) | India's First SD 768G 5G Processor | 55W FlashCharge | Upto 9 Months No Cost EMI | 6 Months Free Screen Replacement₹ 17990₹ 24990Buy On
OnePlus Nord CE 5G (Charcoal Ink, 8GB RAM, 128GB Storage)₹ 24999₹ 24999Buy On
- 28% OFF
OPPO A31 (Mystery Black, 6GB RAM, 128GB Storage) with No Cost EMI/Additional Exchange Offers₹ 11490₹ 15990Buy On
- 27% OFF
Samsung Galaxy M12 (Blue,4GB RAM, 64GB Storage) 6000 mAh with 8nm Processor | True 48 MP Quad Camera | 90Hz Refresh Rate₹ 9499₹ 12999Buy On
The order was passed on Monday, stating that the National Informatics Centre (NIC), the developer of the application, shall collect only such response data which is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.
However, experts think data collected using the Aarogya Setu app needs to be routinely audited, monitored and supervised by other institutions, such as the Indian Parliament.
“You want this surveillance to follow civilians without being monitored by the Parliament. You are shifting surveillance from counterterrorism to civilians. This shift must be routinely monitored, audited and supervised by the other institutions in the democratic regime,” Yuval Wollman, President, CyberProof, told Business Insider.
From a cyber security perspective, Wollman said, “You want to make sure that you have the right protection in your application, equitable to the data being collected.”
“It opens up the doors for the attackers – from a government’s perspective, you want to make sure that the agencies are taking the right protection as well,” he further added.
“This also goes against the provisions of the IT Act and the proposed Personal Data Protection Bill as the app service provider would fall under the definition of an intermediary and (is) obligated to ensure the security of the data collected and (is) liable for loss of it under the intermediary guidelines,” Salman Waris, Partner at Tech Legis Advocates and Solicitors, told Economic Times.
Government protocol says data should be permanently deleted after 180 days
The ‘Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020’ states that the government should permanently delete the data after 180 days.
AdvertisementApart from that, the government has mandated that any response data accessed by an authorised body shall ordinarily not be shared with any third party. However, response data may be shared with such third parties only if it is strictly necessary to directly formulate or implement appropriate health responses, it added.
Government mandates data anonymisation
Further response data may be made available for research purposes by NIC in hard anonymised form. Hard anonymisation refers to a series of technical processes which ensure that any individual is incapable of being identified from the response data through any means reasonably likely to be used to identify such individual.
This anonymisation shall be done in accordance with anonymisation protocols that are to be developed, reviewed and updated on a periodic basis by an expert committee appointed by the principal scientific advisor to the Government of India.
"Such review shall have regard to the nature and sensitivity of the data being processed, the robustness of the anonymisation protocol and advances in technology. Response data which has undergone hard anonymisation, as under para 8(a), may be made available to Indian universities and research institutions / research entities registered in India," it said.
Any violation of these directions may lead to penalties as per section 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable, as per the protocol.
These are the privacy issues in Aarogya Setu, India's Covid-19 tracker app, alleged by French hacker Elliot Alderson
Aarogya Setu denies privacy breach, contradicts ethical hacker’s claims
COVID-19 contact tracing app Aarogya Setu has alerted 1.4 lakh users: official; govt mulls making it mandatory for air passengers
Popular on BI
- A CryptoPunk NFT bought for $74 resurfaced after four years and just sold for $2 million
- Best DIY wallpapers to revamp your house
- India's largest car maker loses nearly two thirds of its profit to chip shortage
- New Range Rover: Check out expected price in India, features and other details
- Softbank will make $250 million by selling a fifth of its stake in Policybazaar