A big question about Aarogya Setu
The TLDR: A Right To Information complaint revealed that the government claims it has no knowledge of who developed its own Covid contact tracing app. It has since offered a vague clarification—which raises more questions than it answers, and sharpens concerns about privacy.
The basic deets:
- Back in April, the government rolled out the ‘Made in India’ contact tracing app Aarogya Setu (bridge to health) with great fanfare.
- The app basically uses your Bluetooth and location information to let you know if you have been in contact with someone who was infected in the last two weeks—and shares that data with the government.
- The government first tried to make the app mandatory for all employees in May and then backed down.
- But it remains a requirement for most government workers, or if you want to take the metro or visit restaurants and movie theatres.
- The government spent Rs 41.5 million on PR for the app between May and July.
- As of today, it has been downloaded by 162.3 million users.
And what happened now?
The request: Saurav Das, an RTI activist, filed a request for information on the app with three separate government institutions: The Ministry of Electronics and Information Technology (MEITY), National Informatics Centre (NIC) and the National e-Governance Division (NeGD). He wanted to know who crafted the proposal for the app, who approved it, the companies and government departments involved—and, most importantly, how the personal data of users was being used and protected. (Point to note: The RTI Act empowers citizens to demand information from the government—though the law has been weakened over the past 15 years.)
Response #1: For two months, his query bounced from one department to another. The NIC—which is listed as the developer of the app on the Aarogya Setu website—said that the “entire file related to creation of the app is not with NIC.” The technology ministry transferred the query to the National e-Governance Division, which said: “The information sought is not related to (our division).” Point to note: These RTI responses were given in writing as per the law.
The commission: Das then requested an urgent hearing with the Central Information Commission—which was set up under the RTI Act to address citizen complaints, and ensure the government complies with the law. The commissioner agreed with Das and issued show cause notices demanding immediate answers, saying: “None of the [officials] were able to explain anything regarding who created the app, where are the files, and the same is extremely preposterous.”
Response #2: In response to the notice, the IT ministry hastily issued a press release last night—which was unsigned and did not bear the official seal. The clarification, however, offered very little, well, clarification:
“The Aarogya Setu App was developed in a record time of around 21 days, to respond to the exigencies of the pandemic with lockdown restrictions only for the objective of building a Made in India contact tracing app with the best of Indian minds from industry, academia and government, working round the clock to build a robust, scalable and secure app… On all such occasions, it has been clearly mentioned that the Aarogya Setu App has been developed by NIC in collaboration with volunteers from industry and academia.”
The statement also directed everyone to this URL that contains a long list of names to check out “all those associated with” the app.
What does this tell me?
Not very much. Because it doesn’t tell you who actually made the app, what decisions they made regarding user privacy, or what protocols they created to protect user data. Das made specific requests to get at these answers:
“He had also sought copies of the requests for collaboration with people from the industry who had helped create the app, all communications received from all the contributors/ advisers relating to the app, internal notes, memos, file notings, the correspondence carried out while making the app and finalising it, and the minutes of the meetings held while creating the app.”
So this is a big worry?
Yes, and more so given Aarogya Setu’s track record. Privacy advocates are most concerned about the following:
One: The app is alarmingly easy to hack. One person broke into the app to ensure he always shows up as ‘safe’ and told BuzzFeed all about it. Another well-known hacker, Eliot Anderson, used its location data “to see if someone was sick at the PMO [prime minister's office] or the Indian parliament. I was able to see if someone was sick in a specific house if I wanted.”
Two: There are no specific restrictions on who this data is shared with. Authorities upload user data to a government-owned “server”—which in turn gives that data to “persons carrying out medical and administrative interventions necessary in relation to Covid-19.” According to privacy activists, the vague language allows the government to share the data with “practically anyone it wants.”
Three: Aarogya Setu uses both Bluetooth and location data on your phone—which makes it far more intrusive than similar apps around the world. So much so that the Indian Army does not allow its personnel to use the app while in office, operational areas and other sensitive locations.
Four: The app collects your name and phone number. It also gets your gender, profession, and medical information via questions asked at setup. The government insists that it only has access to an anonymised version of all this data—stripped of your name, number etc. But it has never offered any proof of this. Most importantly, its privacy policy says:
“The personal information collected will not be used for any purpose other than those mentioned in this Clause 2 save as required in order to comply with a legal requirement.”
As the Software Freedom Law Center notes:
“Nowhere in the policy documents is the phrase ‘legal requirement’ defined. It is not unreasonable to think that this could be defined as whatever the Government wishes. This can lead to excessive collection and use of sensitive personal data.”
The bottom line: Our government insists we trust it with our most personal information, and yet refuses to share any with us. Now, that’s a bridge to nowhere.
Reading list
Live Law has the original reporting on the RTI case and show cause notice. Also see: the government’s response in full here. Software Freedom Law Centre lays out its privacy concerns. For a less nerdy version, check out BBC News. Mint has an excellent op-ed on the ‘privacy paradox’—i.e. we say we care about privacy but happily hand over our personal data just for convenience or even entertainment. Express Health Care—a trade publication—explains why protection of our personal medical data is paramount.