A look at Aarogya Setu through the Right to Information lens #SaveOurPrivacy

Donate to help sustain our work

Tl;dr

Since its launch on April 2, 2020 the Aarogya Setu application has been embroiled in privacy and data protection related controversies. However, while these have been the primary concerns, much has also been written about the lack of transparency around the application. IFF has filed multiple Right to Information requests with various governmental authorities to extract all relevant information. In this post, we will highlight these requests, the substantial replies that we received as well as the non-answers which also tell us a lot.

Background

On April 2, 2020 the Aarogya Setu application was launched by the Government of India. It claims to be COVID-19 tracking mobile application which has been developed in public-private partnership by the National Informatics Centre(NIC) that comes under the Ministry of Electronics and Information Technology(MeitY). It has been developed with the help of a group of unnamed volunteers and the NITI Aayog. Since it is collecting health data related to COVID-19, the Ministry of Health and Family Welfare is also a stakeholder.

What did we ask?

IFF has filed multiple RTI requests with NIC, NITI Aayog, MeitY and MOHFW to extract information about the Aarogya Setu application and the developments surrounding it.

RTI requests filed on April 4, 2020

In our first round of RTI requests we asked the NIC and MOHFW about:

  1. The legislative framework, rules, guidelines or policies authorizing the use of the Aarogya Setu application.
  2. The kind of data collected by the app.
  3. The storage duration of the data collected from quarantined persons.
  4. Exhaustive list of government officials who will have access to this data.
  5. Persons/organizations with whom this data will be shared.
  6. The specific security safeguards which have been put in place to protect the confidentiality of personally identifiable details of persons in quarantine and their data.

We also asked them about the government-appointed expert panel that has been formed to monitor the data being captured by the Aarogya Setu application.

In the reply that was sent by the MOHFW on April 21, 2020, they said that they did not hold any such information related to the Aarogya Setu application and transferred the request to NIC. It is inherently problematic that the MOHFW does not hold any information about the application which has been publicised to have been providing essential health services. (Read IFF’s initial tweet thread on the replies received here) They further transferred the request to MeitY who also claimed to not hold any information with regard to the application and transferred the request to NIC.

We received a reply from NIC on May 7, 2020 in which they also failed to adequately respond to our queries. (Read IFF’s initial tweet thread on the reply here)


In response to the question about the legislative framework which authorizes the use of the application, NIC transferred the specific request back to MeitY. Since MeitY has already stated in their own reply that they do not hold this information, this could mean either wilful flouting of transparency norms contained in the Right to Information Act or mismanagement due to lack of clarity on their part. Both these situations are less than ideal.

In response to the question about individuals and/or organizations who will have access to the health data collected, NIC replied that “The information from the Aarogya Setu App is used by the officials who are involved in COVID-19 related efforts.” This answer does not satisfy the query we raised in which we asked for an exhaustive list of such officials. Such vague answers are also not ideal since they leave the ambit too wide and essentially do not answer the question asked. It is also pertinent to note here that in the since published Protocol which provides legal basis to the application, it was stated that access will also be provided to third party researchers.

Subsequent RTI requests

In subsequent RTI requests we asked NIC, NITI Aayog, MeitY and MOHFW to disclose the names of the group of volunteers who developed the Aarogya Setu application filed on April 29, 2020. We also asked them to reveal the source code of the application in a bid to increase the transparency around it in RTI requests filed on May 7, 2020 . It is pertinent to note here that all these requests are being transferred from the authorities we filed them with to the NIC.

Additionally, an IFF community member filed a RTI request dated May 6, 2020 in which they asked for the source code of the Aarogya Setu application. In NIC’s reply dated May 13, 2020, they refused to reveal the source code citing S.8(1)(d) of the Right to Information Act which states that:

Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information.

This could mean that the application may be exploited in the future for some commercial use. It also means that certain commercial/proprietary rights may be vested with the third parties themselves. Since we do not know the names of all the volunteers who were involved in the development of the application, this brings into question their motivation for volunteering to build the application. However, in a clear departure from its previous stance, yesterday MeitY issued a public statement in which they said that the application will be made open source. The source code of the application was made available on Github by the Government at 12 AM on May 27, 2020.

RTI Requests on the Protocol

On May 11, 2020 the Ministry of Electronics and Information Technology (MeitY) released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 (“The Protocol”). This Protocol has been introduced to provide legal basis to the application and depositions have been made by the Government in the Kerala HC pursuant to this. (Read our analysis of the protocol here) On May 13, 2020 we filed an RTI request pertaining to the Protocol. In it we enquired about the composition and the members of the Empowered Group on Technology and Data Management who were involved in drafting the protocol. We also asked if any legal opinion was sought to draft the protocol. We also filed a RTI request with IIT Madras asking about their involvement with the application since it was indicated in official documents that they have access to the data collected through the application.

The Vidhi Centre for Legal Policy has been involved in drafting the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 which provides a legal basis to the application. They have also published an explainer on the Protocol. Subsequently, there was talk among the community that they have also shared a legal opinion with the Government.

On May 25, 2020 we filed a RTI request on the basis of this tweet by Vidhi’s Research Director asking for a copy of the legal opinion provided by him or other employees of the Vidhi Centre for Legal Policy. We also asked for a copy of all the subsequent correspondence that took place between the government and Mr. Lalitesh Katragadda and Mr.Rahul Matthan, who have been identified by Mr. Sengupta in a previous tweet as having been involved.

We will be following up on all these subsequent RTI requests according to the mandated timelines and will be doing a follow-up blogpost on the topic.

Why is transparency important with regard to the Aarogya Setu Application?

Right to Information requests help in facilitating government transparency which then helps individuals in asking for accountability. The Aarogya Setu application which is collecting the health data of millions of Indians needs to be accountable to these individuals. However, the Government of India and the various governmental authorities who have been involved in the development and deployment of this application have failed to disclose relevant information about the application. In failing to do so, the government opens up the application to questions regarding its legitimacy.

Since there was no public debate which was held before the deployment of the application, it becomes even more imperative to ensure that accountability is demanded from the government by mobilizing mechanisms such as the Right to Information Act. The Government has a legal responsibility to provide satisfactory responses on queries raised under this Act failing which further action may be initiated by concerned individuals and organizations.

Update: On 12.06.2020, we received an RTI response from Air India which stated that use of Aarogya Setu was mandatory for air travel. In another RTI response, the Cabinet Secretariat invoked the cabinet papers exemption under S.8(1)(i) of the RTI Act and declined to provide any information about the Committee constituted by it for developing and implementing a Citizen App technology platform for combating COVID 19.

Important Documents

  1. IFF’s working paper on COVID-surveillance "Privacy prescriptions for technology interventions around Covid-19 in India"  dated April 13, 2020 (Google Docs version / PDF Version)
  2. “We Studied the Protocol: And No This Doesn’t Sufficiently Protect Your Privacy” IFF Blogpost dated May 13, 2020 (link)

Join the Internet Freedom Forum