As of 14/05/2020, 10.2 Crore Indians are reported to be using the Aarogya Setu app, which is basically a contact tracing app to help with the Covid-19 (novel Coronavirus) pandemic. When the app was launched, I had doubts about its effectiveness, since it was not clear why people who test positive for Covid-19 would be motivated to mark themselves as infected on the app (see the section later which describes: “How is a person marked COVID-19 positive?”). This was because of reports of even doctors who were working with Covid-19 patients being harassed or facing discrimination from certain ignorant people; that kind of possible behaviour would scare a layperson.
So because of such doubts I had installed the app but had not registered myself on the servers. Then one day I decided to have a look at the terms and conditions and privacy policy of the app – yes, the same stuff that 99% of people don’t bother to read!
Upon going through the privacy policy, it became clear how the privacy measures are taken to protect the identity of people using the app. Conspiracy theories and eternal scepticism apart, the privacy policy seems to be well drafted, with clear provisions for upload, privacy, and deletion of data. Also, the privacy policy in a way explains the workings of how the app stores data, when it uploads data, and finally how the data is deleted on the servers. The article will now go into these issues in detail, but first let us understand some basics of Contact Tracing before going into the specific workings of the Aarogya Setu app.
What is Contact Tracing and how is it used to control an infectious disease or pandemic like Covid-19?
From Wikipedia: In public health, contact tracing is the process of identification of persons who may have come into contact with an infected person (“contacts”) and subsequent collection of further information about these contacts. By tracing the contacts of infected individuals, testing them for infection, treating the infected and tracing their contacts in turn, public health aims to reduce infections in the population. The following diagram explains it nicely:
So the Aarogya Setu app is an Indian implementation of the same concept and technique of Contact Tracing.
How Aarogya Setu App works
To understand the working of the app, I found the official privacy policy document to be the most helpful. It is interesting that there are many news reports and conjectures about how this app will threaten the privacy of citizens, but I did not find any news report based on an actual reading of this privacy policy document. That shows the level of public discourse.
Now, the privacy policy can be found by opening the Android store app page and clicking on the Privacy Policy link on the app page: https://web.swaraksha.gov.in/ncv19/privacy/
I will give excerpts from the privacy policy given at above link and then give my analysis and comments:
At registration you accepted the terms of this Privacy Policy and your use of the App signifies your continued acceptance thereof.
So basically, mere installation of the app does not make the policy applicable to the user. One has to actually register on the app before data collection starts (we discuss this later) and the privacy policy becomes applicable.
User Registration
Merely installing the app does not lead to any data collection or storage. Upon registration, the app collects basic identity details of the user along with some information which can be relevant to assess the user’s risk profile for Covid-19:
(i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days.
The Privacy Policy states the following about user registration and further steps taken between app and Server:
a. When you register on the App, the following information is collected from you and stored securely on a server operated and managed by the Government of India (Server) – (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days. This information stored on the Server will be hashed with a unique digital id (DiD) that is pushed to your App. The DiD will thereafter be used to identify you in all subsequent App related transactions and will be associated with any data or information uploaded from the App to the Server. At registration, your location details are also captured and uploaded to the Server.
So the above para also gives some information about the implementation of the app, like the unique digital id. The last line states that location details will be captured and uploaded to the government’s Server.
b. When two registered users come within Bluetooth range of each other, their Apps will automatically exchange DiDs and record the time and GPS location at which the contact took place. The information that is collected from your App will be securely stored on the mobile device of the other registered user and will not be accessible by such other user. In the event such other registered user tests positive for COVID-19, this information will be securely uploaded from his/her mobile device and stored on the Server.
So this important para tells us, indirectly, that the app needs Bluetooth on the smartphone to be switched on. If it is off, the mechanism of exchanging DiDs between people in proximity will not work. The very important point is that the upload of contact information from a device will happen only if the device’s user actually tests positive for Covid-19.
How is a person marked COVID-19 positive?
As per FAQ given on Aarogya Setu app, a user cannot mark himself/herself Covid-19 positive. The FAQ states:
“When someone is tested COVID-19 positive, the testing lab shares this information with Indian Council of Medical Research (ICMR) – the nodal government agency for COVID-19 testing. ICMR, through a secure Application Programming Interface (API), shares the list of COVID-19 positive persons to the Aarogya Setu server. If the person tested COVID-19 positive has Aarogya Setu app installed, the server then updates the app status and runs contact tracing for this person.”
Now, in the event one of your past contacts tests positive for Covid-19, and after the upload of data is done from his mobile device, the government authorities will be able to contact you based on the information provided during user registration, and advise on steps for isolation etc., as explained in the section on Contact Tracing covered earlier.
c. Each time you complete a self-assessment test the App will collect your location data and upload it along with your DiD to the Server.
So another time a data upload happens is when you do a self-assessment test on the App. I haven’t myself done this self-assessment since I haven’t felt any of the symptoms.
d. The App continuously collects your location data and stores securely on your mobile device, a record of all the places you have been at 15 minute intervals. This information will only be uploaded to the Server along with your DiD, (i) if you test positive for COVID-19; and/or (ii) if your self-declared symptoms indicate that you are likely to be infected with COVID-19; and/or (iii) if the result of your self-assessment test is either YELLOW or ORANGE. For the avoidance of doubt, this information will NOT be uploaded to the Server if you are not unwell or if the result of your self-assessment test is GREEN.
This para also clearly details the conditions under which data upload will happen. Data upload will not happen if the result of the self-assessment is GREEN. As regards data collection, it happens continuously, but the collected data is stored on the mobile device at 15 minute intervals.
How is the information collected by Aarogya Setu app used?
Note: the above message is older, and as of 14/05/2020, the app shows that there is no Covid positive person in vicinity of my area.
The following paras of the privacy policy are reproduced verbatim; they explain how the data is used by the government (as in any Contact Tracing strategy):
2. USE OF INFORMATION
- The personal information collected from you at the time of registration under Clause 1(a) above, will be stored on the Server and only be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required. Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.
- The information collected from any other user’s mobile device and uploaded and stored on the Server in accordance with Clause 1(b) will be used to calculate your probability of having been infected with COVID-19.
- The information collected under Clause 1(c) will be used by the Government of India to evaluate, based on the self-assessment tests and the GPS locations from where they are being uploaded, whether a disease cluster is developing at any geographic location.
- The information collected under Clause 1(d) and securely uploaded and stored on the Server will, in the event you have tested positive for COVID-19, be used to map the places you visited over the past 14 days in order to identify the locations that need to be sanitised and where people need to be more deeply tested and identify emerging areas where infection outbreaks are likely to occur. Where, in order to more accurately map the places you visited and/or the persons who need to be deeply tested, your personal information is required, the DiD associated with the information collected under Clause 1(d) will be co-related with your personal information collected under Clause 1(a).
- The information collected under Clause 1 will not be used for any purpose other than those mentioned in this Clause 2.
The above usage of information happens on the server side, and it is here that data analysis, big data analytics, algorithms/heuristics, and similar techniques can possibly be put to good use. The clauses mentioned have already been discussed, and I did not find any issue related to privacy or misuse of data. Also note the last sentence, which clearly states that the data collected will not be used for any purpose other than the usual things done during Contact Tracing to control the spread of the disease.
Storage and Retention of Data collected by Aarogya Setu app on government servers
Section 3 of the Privacy Policy describes how long the data is stored on government servers, and when it is deleted.
3. RETENTION
- All personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force.
- All personal information collected under Clauses 1(b), 1(c) and 1(d) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App. All information collected under Clauses 1(b), 1(c) and 1(d) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded. All information collected under Clauses 1(b), 1(c) and 1(d) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.
- Nothing set out herein shall apply to the anonymized, aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualization created using such datasets. Nothing set out herein shall apply to medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.
Note that even for people who have tested positive for Covid-19, their data will be deleted from the servers 60 days after they have been declared cured of Covid-19.
However, anonymized, aggregated datasets may remain in government databases. These will not contain any identity information (like name or mobile number) about a past user of the app.
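The device-side record keeping, the upload gate in Clause 1(d), and the retention periods in Clause 3 can be modelled together. The following is an added illustration written for this article, not code from the Aarogya Setu app; the record shapes and function names are my assumptions, and only the rules quoted from the policy above (30/45/60 day retention, GREEN never uploads) are taken from the source.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Retention periods as stated in Clause 3 of the privacy policy.
DEVICE_RETENTION = timedelta(days=30)           # unuploaded records purged from the phone
SERVER_RETENTION_NEGATIVE = timedelta(days=45)  # after upload, if the user never tested positive
SERVER_RETENTION_CURED = timedelta(days=60)     # after the user is declared cured


@dataclass
class Contact:
    other_did: str      # DiD received over Bluetooth from the other phone (Clause 1(b))
    at: datetime        # time of the contact
    lat: float          # GPS fix at the time of the contact
    lon: float


@dataclass
class Device:
    did: str            # DiD pushed to this phone at registration (Clause 1(a))
    contacts: List[Contact] = field(default_factory=list)

    def purge(self, now: datetime) -> int:
        """Drop contact records older than 30 days; returns how many were removed."""
        before = len(self.contacts)
        self.contacts = [c for c in self.contacts if now - c.at < DEVICE_RETENTION]
        return before - len(self.contacts)


def record_contact(a: Device, b: Device, at: datetime, lat: float, lon: float) -> None:
    """Bluetooth proximity event: each phone stores the *other* phone's DiD, never its own."""
    a.contacts.append(Contact(b.did, at, lat, lon))
    b.contacts.append(Contact(a.did, at, lat, lon))


def records_to_upload(dev: Device, tested_positive: bool,
                      symptomatic: bool, assessment: str) -> list:
    """Clause 1(d) gate: upload only on a positive test, self-declared symptoms,
    or a YELLOW/ORANGE self-assessment. A GREEN result uploads nothing."""
    if not (tested_positive or symptomatic or assessment in ("YELLOW", "ORANGE")):
        return []
    return [(dev.did, c.other_did, c.at.isoformat(), c.lat, c.lon) for c in dev.contacts]


def server_purge_date(uploaded_at: datetime, tested_positive: bool,
                      cured_at: Optional[datetime] = None) -> Optional[datetime]:
    """Date by which the Server must delete an uploaded record under Clause 3.
    Returns None while a positive user has not yet been declared cured."""
    if not tested_positive:
        return uploaded_at + SERVER_RETENTION_NEGATIVE
    return None if cured_at is None else cured_at + SERVER_RETENTION_CURED
```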
User Rights and Grievances
RIGHTS
- As a registered user, you have the right to access your profile at any time to add, remove or modify any registration information that you have supplied.
- You cannot manage the communications that you receive from us or how you receive them. If you no longer wish to receive communications from us, you may cancel your registration. If you cancel your registration, all the information you had provided to us will be deleted after the expiry of 30 days from the date of such cancellation.
The registration information pertains to: (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days, as given in 1(a) of the Privacy Policy. Therefore, under the section on RIGHTS, para 1 seems somewhat superfluous apart from the part about countries visited in the last 30 days, and possibly a change of phone number, which is a relatively rare occurrence. Anyway, no harm is done by this clause being there. Para 2 under RIGHTS states that the user’s information will be deleted 30 days from cancellation of registration.
Section 6 gives further points about the privacy of the user’s data, and the last Section 7 mentions the contact person in case of any grievances.
6. DISCLOSURES AND TRANSFER
Save as otherwise set out in Clause 2 with respect to information provided to persons carrying out medical and administrative interventions necessary in relation to COVID-19, no personal information collected by the App will be disclosed or transferred to any third party.
7. GRIEVANCES
If you have any concerns or questions in relation to this Privacy Policy, you may address them to the Grievance Officer whose name and address are as follows: Mr. R S Mani, Deputy Director General (DDG) NIC (support.aarogyasetu@gov.in)
To make Aarogya Setu mandatory or not
It was reported that the Aarogya Setu app has been made mandatory for government and private sector employees. I have no problem if it is made mandatory for government employees – simply because of the “eat your own dog food” principle. If government employees are not comfortable with the privacy measures of the app, then on what basis can the government mandate its use or promote it to the general public? So government employees must use the app and, if they have any concerns about privacy, take them up within government channels and get them resolved.
My own take is that using such an app can be useful, and it can be an important part of overall epidemic management. One criticism of the app is that not everyone has a smartphone to install the app on. However, most of the Covid-19 hotspots are within large cities, and a large percentage of city dwellers do have smartphones. Without a contact tracing app and infrastructure, the alternative would be to increase the scale of testing to much higher levels, and even though that may be a good strategy in theory, it will entail much higher costs. Testing can instead be focused on the vulnerable population based on age, clusters of positive cases, symptoms etc., which is again something where the Aarogya Setu app can be very helpful – since it captures data about the age of the user, and the self-assessment tests can provide a warning about which people may need to get tested. The location data captured by the app will help to identify any clusters where a lot of infections already exist, or where a lot of people are reporting illness symptoms.
The government should allay fears about privacy, and one way to achieve this could be by making suitable amendments to existing laws like the Disaster Management Act in the interim, while a formal Data Protection law is yet to be passed.