Aarogya Setu

The Aarogya Setu app on my mom's phone was recording video continuously for 7.5 hours
r/india

The Official Subreddit for India



My mom's phone was being sluggish, laggy. Clearly, something had high CPU usage and was draining the battery. Therefore I decided to use Battery Historian.

Found that the CPU was used continuously, full tilt for 7.5 hours.

VideoOn, i.e. video recording, was also taking place for the exact same time, down to the millisecond.

WiFi was also actively used for almost the exact same time (with a 1 minute difference because I turned on airplane mode to try and disrupt whatever was slowing down the phone).

And then I go down and look at the list of foreground services, and there's Aarogya Setu, with the exact same running duration, down to the millisecond.

Aarogya Setu had camera permissions enabled somehow, and it was continuously recording video, using the CPU with max. usage, and transmitting something over the WiFi for 7.5 hours.

Take a look at the Android manifest here (https://github.com/nic-delhi/AarogyaSetu_Android/blob/master/app/src/main/AndroidManifest.xml) it doesn't list any camera permissions. But if you download the official app and decompile it, the manifest includes camera and wakelock permissions. And they were used today, to potentially spy on my family.

And yes, it is the official app, and not a third party app. It's the official app downloaded from the store.

Edit: Got screenshots of Battery Historian here:

https://ibb.co/b36vMs4

https://ibb.co/wKZFfzx

Edit 2: Thanks everyone for all of the awards! Also the support and criticism. I'll try and clean up the bug report and post a link to it here, but it's a lot of work to remove all of the personal information.
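
The comparison the post describes, between the manifest in the public repository and the one decoded from the installed APK, can be reproduced with a short script. This is an added example, not part of the original post or the app's code; the two manifests embedded in it are constructed samples (the package `com.example.tracer` is hypothetical) and do not reproduce the real app's manifests.

```python
"""Diff the permissions declared in two decoded AndroidManifest.xml files."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
# Both element types request permissions; the second applies on API 23+ only.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")
# Permissions the post is concerned with.
WATCHLIST = {"android.permission.CAMERA", "android.permission.WAKE_LOCK"}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the permission names requested by a text-form manifest.

    The manifest inside an APK is binary XML and must be decoded first
    (for example with apktool) before it can be parsed here.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError(f"not an Android manifest: root element is <{root.tag}>")
    names = set()
    for tag in PERMISSION_TAGS:
        for element in root.findall(tag):
            name = element.get(NAME_ATTR)
            if name:
                names.add(name.strip())
    return names


def diff_permissions(source_xml: str, apk_xml: str) -> dict[str, list[str]]:
    """Compare the repository manifest with the manifest of the shipped APK.

    A permission found only in the APK was added at build time: either the
    shipped code differs from the repository, or a library's manifest was
    merged in. Both cases need to be traced to their origin.
    """
    source = declared_permissions(source_xml)
    shipped = declared_permissions(apk_xml)
    only_in_apk = shipped - source
    return {
        "only_in_apk": sorted(only_in_apk),
        "only_in_source": sorted(source - shipped),
        "watchlist_hits": sorted(only_in_apk & WATCHLIST),
    }


# Constructed sample: manifest as it might appear in a public repository.
SOURCE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracer">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
    <application android:label="Tracer" />
</manifest>
"""

# Constructed sample: manifest as decoded from a distributed APK.
APK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracer">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <application android:label="Tracer" />
</manifest>
"""

if __name__ == "__main__":
    for key, values in diff_permissions(SOURCE_MANIFEST, APK_MANIFEST).items():
        print(f"{key}: {values}")
```
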



Aarogya Setu : 45 organizations and more than 100 prominent individuals push back against the coercion
r/india


Help IFF fight mass surveillance. Fund our work!

Tl;dr

Today, we sent a joint representation to the Prime Minister's Office that is endorsed by 45 organisations and more than 100 individuals against the mandatory use of the Aarogya Setu App dated May 1, 2020. This joint representation becomes all the more urgent given yesterday's direction by the Home Ministry for the mandatory use of Aarogya Setu and for its "100% coverage" especially in all workplaces. Violation of this direction can lead to criminal penalties thereby Aarogya Setu now not only impacts the data privacy of workers, or can lead to risks of exclusion and misidentification, a person not having it on their phone can also be charged with a criminal offence. This marks a dramatic and clear shift in government policy on Aarogya Setu from, "encouragement" towards coercion and increases the legitimacy of the demands articulated by the joint representation.

A joint representation co-signed by 45 organisations and more than 100 people

In yesterday's post we released a joint representation signed by 37 organisations and 75 individuals against mandating the use of the Aarogya Setu on workers. After we opened it for further sign-ons this number has grown to 45 organisations and more than 100 individuals who have expressed solidarity against the mandatory imposition of Aarogya Setu on workers. The endorsements are from a broad swathe of Indian society including trade unions, people's movements, digital rights organizations, public health experts, former civil servants and bureaucrats, activists, academics, technologists, journalists, lawyers etc.

A copy of the joint representation was sent today with a covering letter to the Prime Minister's Office with a copy to Ministry of Home Affairs and other central government ministries.

To this we attached a covering letter dated May 2, 2020, which further notes with concern yesterday evening's development: Order No 40-3/2020-DM-I(A) was issued on May 1, 2020 around 6:00 PM by the Ministry of Home Affairs, requiring mandatory installation of Aarogya Setu. This goes against the core demands of the joint representation which is attached to this covering letter.

Aarogya Setu : Not only mandatory but also criminal penalties

The Order No 40-3/2020-DM-I(A), which has been issued under Section 10(2)(I) of the Disaster Management Act, 2005 mandates for the mandatory installation and operation of Aarogya Setu in two specific ways:

  1. First, after classification of the districts into three zones, for the Red (Hotspots) Zones, a further sub-classification has been made for, “containment zones”. As per the Order under Section 3(iii), “The local authority shall ensure 100% coverage of Aarogya Setu app among the residents of Containment Zones”.

  2. Second, at Para 15(i) further reference is made for, “all the district magistrates” to, “strictly enforce the lockdown measures” for, “public and workplaces, as specified in Annexure I”. This direction extends to all three zones. Annexure I further states at Point No. 15 that, “Use of Aarogya Setu app shall be made mandatory for all employees, both private and public. It shall be responsibility of the Head of the respective Organisations to ensure 100% coverage of this app among employees”.

Presently there are no exceptions or conditionality provided in these directions which place emphasis on 100% coverage in effect meaning total and complete mandatory installation of Aarogya Setu for all workers, all across the country. The order further indicates criminal penalties for non-compliance in Paragraph No. 16 that states, “Any person violating these lockdown measures and the National Directives for Covid-19 Management will be liable to be proceeded against as per the provision of Section 51 to 60 of the Disaster Management Act, 2005, besides legal action under Section 188 of the IPC and other legal provisions as applicable”. The specific provision that may be attracted for prosecution under the Disaster Management Act, 2005 is Section 51(b) that provides for a maximum punishment of up to 1 year for disobedience, and 2 years when such actions may lead to a loss of life. The penalty for conviction under Section 188 of the IPC extends to 6 months imprisonment.

Hence, the mandatory imposition of Aarogya Setu is not only an issue of data privacy but second order harms which spring from it now include loss of urban mobility, use of public spaces and transit, livelihood and personal liberty for millions of Indians all over India. Especially those without smartphone devices, given the lack of any exemption categories.

Intention for further action

We at IFF in continuation of this Joint Representation dated May 1, 2020 and through this covering letter have requested specific review of Order No 40-3/2020-DM-I(A) and will also be shortly reaching out to each one of the co-signees and collaborators urging them to send individual letters of concern as much as examine further advocacy actions against this grave breach.

We also remain open to any suggestions and advice on what we can do better, or different not only through our collaborators, but even members of the public. We invite you to write to us, or discuss these issues over at the Internet Freedom Forum.

As stated before we at IFF will continue conducting public advocacy, awareness especially through digital media as well as continue to engage pro-actively with all government institutions on the issues concerning Aarogya Setu. This includes representations, RTI requests as well as other legal remedies which may be examined at an appropriate stage in consultation with IFF's legal team and several lawyers who continue to volunteer their time and labour towards protecting fundamental rights.

We remain committed to working with more organisations and individuals to broaden the scope and improve the impact of interventions around Aarogya Setu. Please do feel free to reach out to us.

Important Documents

  1. Finalized Joint Representation dated 01.05.2020 sent to the Government with the list of signatories (link)

  2. Covering letter dated 02.05.2020 sent to the Government (link)

  3. Public call for endorsements on May Day against the mandatory imposition of Aarogya Setu (link)

  4. Comparative Analysis of Aarogya Setu (link)

  5. Working Paper on Privacy Concerns on Technological Responses to COVID-19 in India (link)


French hacker finds security issue in Aarogya Setu, says Rahul Gandhi was right
r/india


https://www.livemint.com/technology/tech-news/french-hacker-finds-security-issue-in-aarogya-setu-says-rahul-gandhi-was-right-11588697775275.html

This just got posted.

Also, Noida police have made not installing the AS app when you go out a crime.

And the Centre has issued instructions for even private firms to mandatorily have its employees install the AS app.

Edited for Update from his Twitter feed:

https://preview.redd.it/yvmmtimjr4x41.png

Government releases Aarogya Setu Frontend code and claims it to be the backend
r/india


So, here's the backend code: https://openforge.gov.in/plugins/git/aarogyasetubackend/aarogya_setu_backend

All news portals are celebrating this open-source release by the government who has claimed this to be the backend code.

If you are a developer, it is easy to see that this is NOT the backend code, only some React frontend views that might be embedded inside WebViews in the mobile apps. The actual backend is still being accessed through the APIs, for example:

  1. See the check status "API" - This actually just proxies to API at https://fp.swaraksha.gov.in/api/v1/users/status (which is of course inaccessible without the API token).

  2. Same here, the actual API being accessed lies at another external link for which there is no source code.

There are several other places this happens and there is no actual backend code on this repo, only the frontend React views.


Aarogya Setu to be open sourced
r/india


GOI would be releasing the source code of the Android version of Aarogya Setu and it should be available on GitHub after 12 AM, 27th May 2020

https://github.com/nic-delhi/AarogyaSetu_Android

Edit: Link to repo updated

Edit 2: There is another repo AarogyaSetu_Android here and directory structure is similar. Android Devs here, could you please verify if there is any connection between these two and the compiled APK for both?




We legally contest the Noida authorities order of criminally prosecuting people who do not have Aarogya Setu #SaveOurPrivacy
r/india


https://preview.redd.it/y8m2lo8895x41.png

Tl;dr

Earlier today we facilitated a legal challenge to the Noida Authorities to revoke the mandatory imposition of Aarogya Setu under a threat of criminal imprisonment. As per a legal order those residing or entering Noida have been compelled to install Aarogya Setu. Failing to have Aarogya Setu on your phone would be criminally prosecuted under Section 188 of the Indian Penal Code. To contest this egregious breach of personal liberty, we commenced proceedings of challenge through Ritwik who is an advocate based and residing in Noida. We are making the contents of this representation public to facilitate more people to file similar challenges to Section 144 orders which may arise in different parts of India.

A path to health, or to jail?

The Government's contact tracing app Aarogya Setu literally means a path to health. But as we explained those who do not install it now risk being criminally prosecuted. This is through a direction issued by the Ministry of Home Affairs on which more than 45 organisations and 100 individuals have asked for an urgent review.

To make this direction actionable, the Noida administration issued an order under Section 144 of the Code of Criminal Procedure, 1973 compelling those residing or entering Noida to install Aarogya Setu failing which they would be criminally prosecuted under Section 188 of the Indian Penal Code. This order was also tweeted by the Police Authorities. A copy of it is linked below.

We have detailed concerns and recommendations on the privacy and second order injuries caused by Aarogya Setu. To us it is a, "privacy minefield". From the lack of legality and safeguards there are good, practical reasons (such as its impact on the battery life of users, or just not having a smartphone) why many people will refrain from having Aarogya Setu. To put it plainly, to criminally prosecute people for not installing a smartphone application even at the time of a pandemic is illegal. Due to this, we were compelled to take steps to challenge this order.

A Section 144(5) Challenge

To activate a challenge to this order, a terse representation was drafted today by Abhinav Sekhri, Advocate to activate a legal process to ensure the personal liberty of all residents of Noida and those who may be seeking to enter it.

This representation is made under Section 144(5) of the CrPC by Ritwick, an Advocate and a resident of Noida. The primary grounds of challenge are as follows:

  1. Contrary to law: Section 144 Orders cannot impose positive obligations on persons to do certain acts, such as download and install an App on their Smartphone, but only direct them to “abstain from a certain act”. Reference may be had to a decision of the Calcutta High Court in Emperor v. B.N. Sasmal [ILR (1930) 58 Cal 1037] where orders under Section 144 directing a person to leave the district were struck down as illegal, and the Court noted that “The very reason why the section uses the language ‘abstain from a certain act’ is just because it is not intended to empower magistrates to make positive orders requiring people to do particular things.” This position was also upheld in Ramanlal Patel [1971 Cri LJ 435].

  2. Contrary to fact: The Impugned Order is also contrary to fact. It is clear that the Advisory issued by the Union Ministry of Home Affairs requires 100% installation of the “Aarogya Setu App” within Containment Zones and nowhere else (Para 3 of the Advisory). The entirety of District Gautam Buddha Nagar has not been declared a “Containment Zone” as per the notifications issued by the State Government, but only a “Red Zone”, where 100% installation of “Aarogya Setu App” is not required as per Lockdown Directives.

  3. Violation of privacy and personal liberty: The Impugned Order amounts to an unconstitutional breach of the fundamental right to privacy secured under Article 21. The “Aarogya Setu App” collects personal data in the form of medical information to which a reasonable expectation of privacy attaches as identified by the Supreme Court in K.S. Puttaswamy [(2017) 10 SCC 1]. Any sharing of such information requires clear consent, which is missing from prohibitory orders under Section 144, Cr.P.C. which work on a threat of prosecution.

A ready template (but, not legal advice)

To enable more people -- not only residents of Noida – to prefer similar challenges we are making a copy of this representation available in google docs so it may serve as a template for necessary action. While this does not constitute legal advice, we hope it accelerates the pace of citizen collaboration to safeguard individual privacy and personal liberty.

We will actively work to ensure that such orders that imperil you do not go unchallenged. As a public centered organization, IFF will conduct rapid responses and relentlessly champion your right to privacy through this pandemic.

Important Documents

  1. Prohibitory Order under Section 144 dated May 3, 2020 [link]

  2. Representation under Section 144(5) dated May 6, 2020 [PDF and Google Docs]

  3. Joint representation by 45 organisations against the mandatory use of Aarogya Setu [link]

  4. Our comparative analysis of the Aarogya Setu App [link]

Donate to IFF. Help us sustain the pace of our work.


The government of India has not made Aarogya Setu app's source code open source. It has set up a fake repository with code that is similar to the original source code of Aarogya Setu.
r/india


Got this off Twitter, links to the tweets and relevant links are added below

Parent tweet:

@anivar: 48hrs @SetuAarogya Android client release

▶️ 200+ issues ▶️~100 Pull Requests

But no active engagement from current maintainers.

The only commits after the release was adding the names of 7 new people in the contributors' list. These include @amitabhk87 to @Arghya_justify 🤦‍♂️

(Contd) Still, Playstore version running Proprietary code, and not open-sourced version. There is a feature request for verifiable builds https://github.com/nic-delhi/AarogyaSetu_Android/issues/186 from the public open-sourced repo. This should be an immediate priority, along with reviewing PRs by current maintainers

@asdfofindia: When the development is on another repository and the so called "open source" code is put out in a separate repository, this is what happens.

It makes it very difficult to update the fake repository.

(contd): I always thought this would be difficult to prove. But here it is. Link to the original repository in the fake one: https://github.com/nic-delhi/AarogyaSetu_Android/commit/52b21eddf25a8a8b5d512ca0559f41d558c21659
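
The verifiable-builds request mentioned in the tweets comes down to a check like the one below: build the APK from the public repository and compare its contents, signature files aside, with the APK distributed through the store. This is an added example, not code from the thread or from the app's repository; the APKs are small constructed archives built in memory, and it assumes the build itself is deterministic.

```python
"""Entry-by-entry comparison of a store APK against a build from public source."""
from __future__ import annotations

import hashlib
import io
import re
import zipfile

# JAR (v1) signature files differ between signers and are skipped. v2/v3
# signatures sit in the APK Signing Block, outside the ZIP entries, so an
# entry-level comparison never sees them. Other META-INF files are compared.
SIGNING_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def entry_digests(apk_bytes: bytes) -> dict[str, str]:
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or SIGNING_FILE.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(reference_apk: bytes, store_apk: bytes) -> dict:
    """Report entries that differ between the reference and the store build."""
    ref = entry_digests(reference_apk)
    store = entry_digests(store_apk)
    report = {
        "only_in_store": sorted(store.keys() - ref.keys()),
        "only_in_reference": sorted(ref.keys() - store.keys()),
        "changed": sorted(n for n in ref.keys() & store.keys() if ref[n] != store[n]),
    }
    # The builds match only when all three lists are empty.
    report["matches"] = not any(report.values())
    return report


def make_apk(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (stand-in for a real APK)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed sample contents shared by the builds below.
COMMON = {
    "AndroidManifest.xml": b"binary manifest bytes",
    "res/layout/main.xml": b"layout bytes",
}

# Built locally from the public repository, signed with a local key.
REFERENCE_BUILD = make_apk({
    **COMMON,
    "classes.dex": b"dex compiled from public source",
    "META-INF/MANIFEST.MF": b"digests, local build",
    "META-INF/CERT.SF": b"signature file, local key",
    "META-INF/CERT.RSA": b"certificate, local key",
})

# Same code signed by the publisher: only the signature files differ.
RESIGNED_BUILD = make_apk({
    **COMMON,
    "classes.dex": b"dex compiled from public source",
    "META-INF/MANIFEST.MF": b"digests, release build",
    "META-INF/RELEASE.SF": b"signature file, release key",
    "META-INF/RELEASE.RSA": b"certificate, release key",
})

# A store build whose code does not correspond to the public source.
DIVERGENT_BUILD = make_apk({
    **COMMON,
    "classes.dex": b"dex compiled from a different tree",
    "lib/arm64-v8a/libextra.so": b"native library absent from the source",
    "META-INF/MANIFEST.MF": b"digests, release build",
    "META-INF/RELEASE.SF": b"signature file, release key",
    "META-INF/RELEASE.RSA": b"certificate, release key",
})

if __name__ == "__main__":
    print(compare_builds(REFERENCE_BUILD, RESIGNED_BUILD))
    print(compare_builds(REFERENCE_BUILD, DIVERGENT_BUILD))
```
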





Truth about fs0c131y and his Aarogya Setu bugs
r/IndiaSpeaks

Namaskaram, We are a friendly and user-focused community for Redditors from India. It is a one stop destination to discuss all the news, entertainment, science & technology, sports, history & culture, economy and geopolitics related to India. Following the millennia old tradition of India, this forum promotes freedom of speech, plurality and open dialogue. Enjoy, collaborate and discuss. Let the churning of the great ocean begin.



I am a security professional and here is my no bullshit take of fs0c131y and his vulnerabilities.

@ fs0c131y gave out two different vulnerabilities.

1. Reading of internal files:

Clickbait issue; this is a zero-severity security issue. It would require physical access to an unlocked device, at which point you have bigger concerns. Highlighting this issue and making it seem like an attacker can read phone files is just plain malicious.

Technical details:

The app has an internal web browser (WebView activity) and fs0c131y demonstrated that the in-app browser can read internal files. This is just Android 101 and a non-issue.

https://labs.integrity.pt/articles/review-android-webviews-fileaccess-attack-vectors/index.html

Scenario 3 is applicable here, i.e. the access required to exploit this is very high, at which point you don't have any privacy / security left.

2. Knowing the infected / unwell stats at a given area.

Now this is a somewhat complicated issue. The developers consider knowing these stats at a location a feature, this is for you to know the stats of your neighborhood.

However, as the app tells you the stats for a radius of 500m, you can, by requesting stats of around 10 different nearby points (triangulation), know exactly if someone at a location is unwell, if they have marked the same in the app. However, keep in mind that you only know the count and not any personal information (name, age) about the people at the location.

Now you can't scale this attack; there are rate limits on the API, meaning you can only send a few requests per some time, but you can still pick a few targets and know their status.

Is this a privacy issue?

Depends on who you ask. There is some loss of privacy, but you cannot claim it is a security issue when this is officially advertised as one of the features of the app. It's like Snapchat allowing you to see where your friends are: you can claim you are losing privacy, but that is a feature here.

Even if someone says it is, the information leak is just very, very small (no PIIs).

Here are India's top security professionals saying the same thing

1. https://twitter.com/akhilreni_hs - CTO at WeSecureApp

https://twitter.com/akhilreni_hs/status/1257773937187885056?s=20

https://twitter.com/akhilreni_hs/status/1258061781005504518?s=20

https://twitter.com/akhilreni_hs/status/1257725612094963712?s=20

2. https://twitter.com/0xdekster/ - Security Engineer at Paytm

https://twitter.com/0xdekster/status/1258080116040699905?s=20

3. https://twitter.com/D0rkerDevil/ - Top bug bounty hunter (he got paid 20K$ by Facebook last week)

https://twitter.com/D0rkerDevil/status/1258066226343030784?s=20

4. https://twitter.com/rootxharsh/ - Security Engineer at Vimeo

https://twitter.com/rootxharsh/status/1258070621990252550?s=20

5. https://twitter.com/logicbomb_1/ - Security lead at Grofers

https://twitter.com/logicbomb_1/status/1258428985630838785?s=20

6. https://twitter.com/cyberboyIndia/ - Security analyst at Hackerone, Amsterdam

https://twitter.com/cyberboyIndia/status/1258141203394031616?s=20

and others

https://twitter.com/Sri_Hxor/status/1257978070889193473?s=20

https://twitter.com/mr_r0w07/status/1257731809640579072?s=20

https://twitter.com/mask0fmydisguis/status/1257788087523897344?s=20

https://twitter.com/fyoorer/status/1257755880457670657?s=20

https://twitter.com/kunalp94/status/1258078392483631104?s=20

https://twitter.com/vinodsparrow/status/1258066585807396864?s=20

https://twitter.com/PratikY9967/status/1258072825786699777?s=20

https://twitter.com/mr_r0w07/status/1257864947968757762?s=20

These are all legit security professionals and know their shit.

About fs0c131y

His medium bio says 'Worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, Donald Daters and others'.

His UIDAI bugs are pure clickbait.

He claimed he found vulnerabilities in the mAadhaar app where the app used hardcoded passwords inside the app, what he failed to mention was that the encrypted file resided in the app sandbox ( meaning not accessible to other apps ) , you need root to access the file at which point if someone has root access on your phone, mAadhaar becomes the least of your worries.

Here's a detailed analysis of his mAadhaar bugs by one of the best in the game.

https://blog.swaroopsy.com/2020/05/07/part-1-truth-behind-propaganda-against-maadhaar-security/amp/

His final summary

"Do you want to know how much a company would pay even if we report all of the above issues? It would be USD 0 or max USD 100 (for encouragement)."

For encouragement. lol

This is what this guy does, creates chaos for non-technical audience, gets into the politics ( such as by unnecessarily tagging Rahul Gandhi ) and fools his new found audience via clickbait.

I am not saying the Aarogya Setu app is 100% secure, but this guy didn't prove shit.

Edit: People seemed to be concerned about government taking your unique Bluetooth identifier and how it would be used for mass surveillance

Answer: Parts of the identifier are randomised in most Android 8.0+ and recent iPhones. The identifier changes in x time interval, usually less than an hour.

https://blog.bluetooth.com/bluetooth-technology-protecting-your-privacy

To safeguard user privacy, manufacturers can make use of a Bluetooth Smart feature known as “LE Privacy.” This feature causes the MAC address within the advertising packets to be replaced with a random value that changes at timing intervals determined by the manufacturer.

And it's not like the government has no unique identifier on your phone. Your IMEI is public to all cell phone towers, is unique to your device and allows you to do mass surveillance at scale, unlike Bluetooth, which is very short ranged.

AMA if you have more doubts




Aarogya Setu counter-measures discussion
r/india


Hey, Android enthusiasts of r/india, I need some help figuring out how to go about the Aarogya Setu App.

It is no doubt that the app is here to stay even after Covid ends. GoI has the option to integrate Apple and Google's Exposure Notification API in AS app, but they have chosen to collect location data, a move which hasn't been received positively by people who value their privacy. Plus it's been made mandatory for public and private employees alike, so there's no escaping for now.

So is there any way to limit the invasiveness of the Aarogya Setu app?

[removed]

It would be great if you could share your insights if you have used any method. If any luck at all. Feel free to discuss other approaches.

PS. And if you know about a good dabba phone, comment about it in this thread.



RWA uncles, please calm down about Aarogya Setu
r/india

https://preview.redd.it/r6qpmj5rla251.png

Tl;dr

Resident Welfare Associations ('RWAs') have nominated themselves as the first line of defence against the coronavirus pandemic. Media reports suggest that RWAs are going well beyond the guidelines issued by the government and mandating use of Aarogya Setu by residents and visitors including domestic workers, drivers, delivery personnel and other service providers. Such measures may be well intentioned but they are illegal because the bottom line is that RWAs are private self-administration bodies which lack the power to issue rules restricting the freedom of movement and right to livelihood of individuals. In light of this, we wrote to the Ministry of Housing and Urban Affairs, the National Real Estate Development Council and the Ministry of Health and Family Welfare seeking issuance of an advisory which clarifies that use of the Aarogya Setu mobile app cannot be made a precondition for entering residential colonies.

Is it a bird? Is it a plane? No, it is RWAman!

Credit: https://twitter.com/penpencildraw 

Media reports indicate that Resident Welfare Associations (‘RWAs’) in several cities have made use of the Aarogya Setu mobile app a precondition for residents and visitors such as domestic workers, drivers, delivery persons, service providers etc. As you may know, Aarogya Setu is a COVID-19 surveillance app launched by the Indian government which has been heavily criticized for privacy, security and exclusion related concerns. IFF has opposed mandatory imposition of Aarogya Setu on the litigation, policy, RTI and public advocacy fronts. But before we delve into the legality of rules made by RWAs which mandate use of Aarogya Setu, let us first understand what is the legal status of RWAs themselves.

A Resident Welfare Association is a voluntary body formed by the residents for the residents. It is a self-financed and self-managed association registered under the Society Registration Act, 1860 (subject to state-level amendments). The primary purpose of such an association is to represent the interests of residents of a specific locality/complex and perform the following illustrative functions:

  • Represent the residents before the governmental authorities;

  • Collect money for maintenance of common areas;

  • Establish good public infrastructure for the residents;

  • Organize workshops and cultural functions etc.

The government may also issue guidelines to RWAs as seen in the context of the Bhagidari Scheme in Delhi, which aims to promote broad-based civic participation in local governance. The formation of an RWA has also been made mandatory under Section 19(9) of the Real estate (Regulations & Development) Act, 2016.

RWAs are governed by their Memorandum of Association (MoA)/by-laws which contain their objectives and functions. While the by-laws are binding amongst the residents, they lack statutory character and do not have the force of law as clarified by the Bombay High Court. For similar reasons, RWAs cannot issue directions prohibiting residents from keeping pet animals in violation of guidelines issued by the Animal Welfare Board of India under the Prevention of Cruelty to Animals Act.

RWAs turn mini-sovereigns during COVID 19

The role of RWAs during the COVID-19 pandemic is crucial to ensure that residents and visitors are adhering to government guidelines relating to wearing masks and maintaining physical distance in common areas. RWAs are also responsible for maintaining sanitation of common areas and facilitating supply of essential commodities in their locality. Recognizing the importance of RWAs as stakeholders, the National Centre for Disease Control has issued an advisory for RWAs to support and complement governmental efforts to contain spread of the virus.

However, RWAs are slowly morphing from private self-administration bodies to mini-sovereigns in their own right. Several RWAs have taken it upon themselves to impose restrictions which as this news report notes, ‘‘make even the stringent terms of the lockdown pale in comparison.” For example, an RWA in Gurugram has asked its residents to have their domestic help tested for COVID-19 before they can be allowed into the premises. This is clearly inconsistent with testing guidelines framed by the Indian Council for Medical Research (ICMR) - the only competent authority to frame guidelines for COVID-19 testing. In another instance in Noida, permission to enter a housing complex will be granted only if the entrant has a ‘green’ status on the Aarogya Setu app.

The most recent order issued by the Ministry of Home Affairs on 30 May 2020 states that use of Aarogya Setu should be encouraged by employers on a “best efforts” basis and district authorities may “advise” individuals to install the app. The terminology used in these guidelines makes it abundantly clear that RWAs have not been authorized by the government to mandate use of Aarogya Setu among residents and visitors, and they do not have any authority to prohibit entry to residential colonies on this ground.

As we have explained earlier, COVID-19 surveillance apps are susceptible to false positives and false negatives because of inherent limitations of bluetooth technology which is not a perfect proxy for virus exposure. If RWAs were allowed to force residents and visitors to download the Aarogya Setu app and allow entry based on the status displayed on the app, it could lead to wrongful confinement of certain residents and deprivation of livelihood of working class service providers. Residents who are shown by the app to be at risk of COVID-19 could be prohibited from leaving their house or accessing common areas. Further, domestic workers, drivers, delivery persons and other service providers could also be prohibited from entering the colony to do their jobs based on their status on the app.

What can an ordinary resident do?

If you find yourself in a situation with an overzealous RWA, first ask them for a copy of the by-laws and the rules and details of the procedure by which they were adopted. The RWA’s MoA and by-laws will contain the procedure for amending existing rules or adding new rules. Generally, new rules or amendments cannot be made without a General Body Meeting. If the rule making procedure has been flouted, the rules will be invalid.

We also encourage you to have a constructive dialogue with your RWA representatives highlighting concerns about accuracy and privacy of the Aarogya Setu app and explain that official MHA guidelines do not authorize RWAs to require mandatory use of Aarogya Setu. Any rules which are inconsistent with governmental guidelines may be an abuse of power by the RWA and can be challenged in court. Any resident who is aggrieved by arbitrary and unreasonable actions of an RWA can file a suit under Section 6 of the Societies Registration Act, 1860. The RWA can be sued in the local civil court in the name of the President or Secretary.

Representation to Government

We recognize that individual residents and working class service providers may not always have the bargaining power to negotiate with RWAs or approach courts. Therefore, we have written to the Ministry of Housing and Urban Affairs, the National Real Estate Development Council and the Ministry of Health and Family Welfare seeking issuance of an advisory which clarifies that use of the Aarogya Setu mobile app cannot be made a precondition for entering residential colonies.

As researchers at the Centre for Internet and Society note in their recent article on lateral surveillance, the COVID-19 pandemic has witnessed an increase in surveillance by private actors. Residential colonies cannot be controlled by RWAs as mini-sovereigns, and insofar as RWAs impose measures which are inconsistent with guidelines issued by the government, it amounts to vigilantism. During the COVID-19 crisis, the need of the hour is social solidarity and the government has a positive duty to prevent RWAs from engaging in intrusive and arbitrary practices which lack any basis in law and promote a culture of suspicion, stigma and exclusion.

(This post has been authored by Sonalakshi Naidu, a legal intern at IFF, and reviewed by IFF staffer, Devdutta.)

Important Documents:

  1. Representation regarding illegal imposition of Aarogya Setu by RWAs (link)

Help us continue our work against all kinds of surveillance, be it by Big Brother, Big Tech or your neighbourhood RWA. Become an IFF member today!


Aarogya Setu app is completely useless

Goes without saying, even if inside your house you have cases, the app still shows your status as "Safe".

Booking a Vaccination slot through the app or even registering was a nightmare.

Having side effects of Vaccine even after a week post Vaccination, so thought of informing the government bodies about the same.

There are 3 numbers and one e-mail ID mentioned on Aarogya Setu. All 3 of the numbers are always busy and/or no one ever picks up. When I emailed about my condition on the email ID given, guess what, 'the email ID doesn't exist'.

Such is the condition and preparedness we have from tech POV. No wonder we all are in such misery.

Stay safe guys. Aatm Nirbhar bano, seriously!



Statement: Victory! Aarogya Setu changes from mandatory to, “best efforts”

https://preview.redd.it/9i6mf2ebtgz41.png

Yesterday evening as lockdown 4.0 was extended, we recorded a small but significant win. On May 2, based on your support, a letter was sent to the Ministry of Home Affairs by 45 civil society organisations and over 100 individuals clearly calling the Ministry to roll back an order requiring the mandatory use of Aarogya Setu (read more here).

On Sunday evening, as an incremental first step the installation of Aarogya Setu has now been changed to a best effort basis (read more here). Endorsement and advocacy efforts by diverse organisations from trade unions to gender justice collectives signed on to this joint letter. They played a significant role in this shift, and the demands under it were widely covered in the press.

This change also comes after the Kerala High Court agreed to hear a plea drafted by IFF lawyers on behalf of Jackson Mathew, Managing Partner of Leetha Industries (read more here). One of the main reliefs in this petition was for making Aarogya Setu purely voluntary. As per legal advice received from a skilled legal team led by Santhosh Mathew and Vrinda Bhandari, further steps will continue to be taken in this case.

But, work remains. Earlier, we noticed that within hours of this case getting activated, a “protocol” was also released that poorly addressed concerns of mass surveillance (read more here). Further the actual implementation may result in Aarogya Setu being “voluntary yet mandatory” in practice through other notifications and frameworks as being documented by a tracker created by the Internet Democracy Project (click here).

Today, let us remember that action matters. These small wins matter. They provide motivation and nourishment for the larger battles ahead. If you like IFF’s work on Aarogya Setu, I urge you to consider asking your friends, family and social networks to continue donating to us. Due to Covid our fundraising efforts have been impacted but we are confident that with your support we can weather this storm.

IFF is committed to being relentless in the defence of fundamental rights as technology becomes a core facet of the daily lives of crores of Indians.

IFF remains a grassroots org committed in the fight against mass surveillance and hopes to ensure that the Government remains accountable while deploying technology in responding to a pandemic. Please help sustain our efforts and donate to us!



A look at Aarogya Setu through the Right to Information lens

https://preview.redd.it/u70sbajgb9151.png

Tl;dr

Since its launch on April 2, 2020 the Aarogya Setu application has been embroiled in privacy and data protection related controversies. However, while these have been the primary concerns, much has also been written about the lack of transparency around the application. IFF has filed multiple Right to Information requests with various governmental authorities to extract all relevant information. In this post, we will highlight these requests, the substantial replies that we received as well as the non-answers which also tell us a lot.

Background

On April 2, 2020 the Aarogya Setu application was launched by the Government of India. It claims to be a COVID-19 tracking mobile application which has been developed in public-private partnership by the National Informatics Centre (NIC) that comes under the Ministry of Electronics and Information Technology (MeitY). It has been developed with the help of a group of unnamed volunteers and the NITI Aayog. Since it is collecting health data related to COVID-19, the Ministry of Health and Family Welfare is also a stakeholder.

What did we ask?

IFF has filed multiple RTI requests with NIC, NITI Aayog, MeitY and MOHFW to extract information about the Aarogya Setu application and the developments surrounding it.

RTI requests filed on April 4, 2020

In our first round of RTI requests we asked the NIC and MOHFW about:

  1. The legislative framework, rules, guidelines or policies authorizing the use of the Aarogya Setu application.

  2. The kind of data collected by the app.

  3. The storage duration of the data collected from quarantined persons.

  4. Exhaustive list of government officials who will have access to this data.

  5. Persons/organizations with whom this data will be shared.

  6. The specific security safeguards which have been put in place to protect the confidentiality of personally identifiable details of persons in quarantine and their data.

We also asked them about the government-appointed expert panel that has been formed to monitor the data being captured by the Aarogya Setu application.

In the reply that was sent by the MOHFW on April 21, 2020, they said that they did not hold any such information related to the Aarogya Setu application and transferred the request to NIC. It is inherently problematic that the MOHFW does not hold any information about the application which has been publicised to have been providing essential health services. (Read IFF’s initial tweet thread on the replies received here) They further transferred the request to MeitY who also claimed to not hold any information with regard to the application and transferred the request to NIC.

We received a reply from NIC on May 7, 2020 in which they also failed to adequately respond to our queries. (Read IFF’s initial tweet thread on the reply here)

https://preview.redd.it/9s0y3zoib9151.png

In response to the question about the legislative framework which authorizes the use of the application, NIC transferred the specific request back to MeitY. Since MeitY has already stated in their own reply that they do not hold this information, this could mean either wilful flouting of transparency norms contained in the Right to Information Act or mismanagement due to lack of clarity on their part. Both these situations are less than ideal.

In response to the question about individuals and/or organizations who will have access to the health data collected, NIC replied that “The information from the Aarogya Setu App is used by the officials who are involved in COVID-19 related efforts.” This answer does not satisfy the query we raised in which we asked for an exhaustive list of such officials. Such vague answers are also not ideal since they leave the ambit too wide and essentially do not answer the question asked. It is also pertinent to note here that in the since published Protocol which provides legal basis to the application, it was stated that access will also be provided to third party researchers.

Subsequent RTI requests

In subsequent RTI requests we asked NIC, NITI Aayog, MeitY and MOHFW to disclose the names of the group of volunteers who developed the Aarogya Setu application filed on April 29, 2020. We also asked them to reveal the source code of the application in a bid to increase the transparency around it in RTI requests filed on May 7, 2020. It is pertinent to note here that all these requests are being transferred from the authorities we filed them with to the NIC.

Additionally, an IFF community member filed an RTI request dated May 6, 2020 in which they asked for the source code of the Aarogya Setu application. In NIC’s reply dated May 13, 2020, they refused to reveal the source code citing S.8(1)(d) of the Right to Information Act which states that:

Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information.

This could mean that the application may be exploited in the future for some commercial use. It also means that certain commercial/proprietary rights may be vested with the third parties themselves. Since we do not know the names of all the volunteers who were involved in the development of the application, this brings into question their motivation for volunteering to build the application. However, in a clear departure from its previous stance, yesterday MeitY issued a public statement in which they said that the application will be made open source. The source code of the application was made available on Github by the Government at 12 AM on May 27, 2020.

RTI Requests on the Protocol

On May 11, 2020 the Ministry of Electronics and Information Technology (MeitY) released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 (“The Protocol”). This Protocol has been introduced to provide legal basis to the application and depositions have been made by the Government in the Kerala HC pursuant to this. (Read our analysis of the protocol here) On May 13, 2020 we filed an RTI request pertaining to the Protocol. In it we enquired about the composition and the members of the Empowered Group on Technology and Data Management who were involved in drafting the protocol. We also asked if any legal opinion was sought to draft the protocol. We also filed an RTI request with IIT Madras asking about their involvement with the application since it was indicated in official documents that they have access to the data collected through the application.

The Vidhi Centre for Legal Policy has been involved in drafting the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 which provides a legal basis to the application. They have also published an explainer on the Protocol. Subsequently, there was talk among the community that they have also shared a legal opinion with the Government.

https://preview.redd.it/m9iruiljb9151.png

On May 25, 2020 we filed an RTI request on the basis of this tweet by Vidhi’s Research Director asking for a copy of the legal opinion provided by him or other employees of the Vidhi Centre for Legal Policy. We also asked for a copy of all the subsequent correspondence that took place between the government and Mr. Lalitesh Katragadda and Mr. Rahul Matthan, who have been identified by Mr. Sengupta in a previous tweet as having been involved.

We will be following up on all these subsequent RTI requests according to the mandated timelines and will be doing a follow-up blogpost on the topic.

Why is transparency important with regard to the Aarogya Setu Application?

Right to Information requests help in facilitating government transparency which then helps individuals in asking for accountability. The Aarogya Setu application which is collecting the health data of millions of Indians needs to be accountable to these individuals. However, the Government of India and the various governmental authorities who have been involved in the development and deployment of this application have failed to disclose relevant information about the application. In failing to do so, the government opens up the application to questions regarding its legitimacy.

Since there was no public debate which was held before the deployment of the application, it becomes even more imperative to ensure that accountability is demanded from the government by mobilizing mechanisms such as the Right to Information Act. The Government has a legal responsibility to provide satisfactory responses on queries raised under this Act failing which further action may be initiated by concerned individuals and organizations.

Important Documents

  1. IFF’s working paper on COVID-surveillance "Privacy prescriptions for technology interventions around Covid-19 in India" dated April 13, 2020 (Google Docs version/ PDF Version)

  2. “We Studied the Protocol: And No This Doesn’t Sufficiently Protect Your Privacy” IFF Blogpost dated May 13, 2020 (link)

Help us to continue our fight for privacy and protecting your digital rights. Support us by donating or becoming a member with IFF today!


