The Indian government fixes privacy flaws in its coronavirus app

Privacy is key.
Image: AP Photo/Rafiq Maqbool

The Indian government has updated the privacy policy of Aarogya Setu, a mobile app for contact tracing coronavirus cases, to make it more citizen-friendly.

The app, launched on April 2, drew flak for risking user data. On April 15, Quartz wrote about how it allowed data sharing via Bluetooth and GPS and had no clause to limit the use of information that the government would collect through it.

Digital news publication MediaNama compared the old and new privacy policies and found that the app now answered some crucial security and privacy concerns. Here are some key changes (pdf) to the privacy policy:

Data management: The data from the app will be saved on a secure server managed by the Indian government. This data will be “hashed with a unique digital id (DiD)” that will be pushed to the app. All subsequent “app-related transactions” will be tagged to this DiD. This unique ID helps keep user information anonymised.

Data sharing: In the previous version, the policy stated that when two devices with the Aarogya Setu app were in each other’s proximity, the apps would share data. It left the language vague on how and in what form this data would be shared. It now specifies that only the DiDs will be shared. “The information that is collected from your App will be securely stored on the mobile device of the other registered user and will not be accessible by such other user. In the event such other registered user tests positive for Covid-19, this information will be securely uploaded from his/her mobile device and stored on the server,” the policy now reads.

Data collection: The new policy says that data is collected from the app every 15 minutes only when the user’s status is “yellow” or “orange,” signifying a high level of risk of contracting Covid-19. Data from users with a “green” status will not be uploaded to the server.

Data use: The app now clearly specifies the end-use for the user data it collects. “Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with Covid-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to Covid-19, the information they might need about you in order to be able to do their job,” it reads. Additionally, it specifies that user information will only be used for purposes specified in the policy and to no other end.

The revised policy also states that the data will not be used by any third-party organisation. “Nothing set out herein shall apply to medical reports, diagnoses, or other medical information generated by medical professionals in the course of treatment,” it says.

Data retention: All data collected from the user and not uploaded to the server will be purged from the app in 30 days for people not testing positive for Covid-19. Data of those who test positive, which will be uploaded to the server, will be purged from the server 60 days after they are cured.
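The data-sharing, data-collection and retention clauses above describe a data-minimisation design: devices exchange only a pseudonymous DiD, encounter records stay on the phone, uploads happen only for at-risk or positive users, and both the phone and the server purge records on fixed timers. The following Python model is an added illustration of that design and is not code from Aarogya Setu or the Indian government; the HMAC-SHA256 derivation of the DiD, the in-memory encounter list, and every function and status name are assumptions made here, since the policy does not specify how the hashing or storage is implemented.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Retention windows as stated in the revised policy (days).
LOCAL_RETENTION_DAYS = 30    # on-device encounter records, non-positive users
SERVER_RETENTION_DAYS = 60   # server records, counted from the date of cure

# Statuses for which the policy says data is uploaded every 15 minutes.
UPLOADING_STATUSES = {"yellow", "orange"}


def derive_did(device_identifier: str, server_secret: bytes) -> str:
    """Hypothetical DiD derivation: a keyed hash of a device identifier.

    Only the server holds the key, so another phone that sees this DiD
    cannot reverse it to the identifier or link it to a person.
    """
    mac = hmac.new(server_secret, device_identifier.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def should_upload(status: str) -> bool:
    """Green users upload nothing; yellow/orange users upload on the timer."""
    return status in UPLOADING_STATUSES


class ContactLog:
    """Encounter records kept on a single phone."""

    def __init__(self, own_did: str):
        self.own_did = own_did
        self.encounters = []  # list of (other_did, timestamp)

    def record_encounter(self, other_did: str, seen_at: datetime) -> None:
        # Only the other device's DiD is stored; no personal data travels.
        self.encounters.append((other_did, seen_at))

    def purge(self, now: datetime) -> int:
        """Drop records older than the local retention window; return count kept."""
        cutoff = now - timedelta(days=LOCAL_RETENTION_DAYS)
        self.encounters = [(d, t) for d, t in self.encounters if t >= cutoff]
        return len(self.encounters)

    def export_for_positive_test(self) -> list:
        """Payload uploaded when this user tests positive: DiDs and times only."""
        return [{"did": d, "seen_at": t.isoformat()} for d, t in self.encounters]


def purge_server_records(records: list, now: datetime) -> list:
    """Server-side purge: drop records of users cured more than 60 days ago.

    Each record is a dict with 'did' and 'cured_on' (a datetime, or None
    while the person is still under treatment).
    """
    cutoff = now - timedelta(days=SERVER_RETENTION_DAYS)
    return [r for r in records if r["cured_on"] is None or r["cured_on"] >= cutoff]


if __name__ == "__main__":
    # Constructed sample data: two phones meeting, one later testing positive.
    secret = b"constructed-server-secret"
    now = datetime(2020, 5, 1)
    phone_a = ContactLog(derive_did("device-A", secret))
    phone_a.record_encounter(derive_did("device-B", secret), now - timedelta(days=40))
    phone_a.record_encounter(derive_did("device-C", secret), now - timedelta(days=5))
    print("kept after purge:", phone_a.purge(now))          # 1
    print("upload payload:", phone_a.export_for_positive_test())
```

The model makes two properties of the policy checkable: nothing other than DiDs and timestamps ever leaves the phone, and a 40-day-old encounter is gone before it could be uploaded, while a 5-day-old one survives.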