1. Reverse Engineering no longer penalised, source code yet to be made open: Clause 3 of the previous terms of service prohibited reverse engineering of the App. This has been done away with in the updated terms of service, meaning that anyone who reverse engineers the App will not be penalised anymore. It is a welcome step; however, the source code of the App is yet to be made open source.
SFLC.IN has repeatedly highlighted that not open-sourcing the App goes against the Government’s prevailing policy on adoption of open source software. We reiterate that the App collects personal data, including the location data of a user. In such a situation, the source code should be made open to enhance transparency and security.
2. Functionality extended beyond contact tracing, building block for India’s health stack?: The prior terms of service restricted the functionality of the App to “enable registered users who have come in contact with other registered users who have tested positive for severe acute respiratory syndrome to be notified, traced and suitably supported”.
The updated terms of service have extended the functionality of Aarogya Setu beyond contact tracing. The App will now allow the users to access convenience services in relation to COVID-19. Clause 1 of Terms of Service states that “the App will also serve as digital representation of an e-pass where available. The App will also provide links to convenience services offered by various service providers”.
This also indicates that the App might outlive the pandemic. While the Data Access and Sharing Protocol (hereinafter “the Protocol”) has a sunset clause of 6 months unless otherwise decided by the Empowered Group on Technology, the App does not have a sunset clause, thereby indicating the possibility that it might be a building block for India’s long-pending health stack.
3. Government may be held liable in case of unauthorised access: The previous terms of service absolved the government of any liability whatsoever. Clause 6 of the updated terms of service states that “the Government of India will make best efforts to ensure that the App and the Services perform as described but will not be liable for (a) the failure of the App or the Services to accurately identify persons in your proximity who have tested positive to COVID-19; (b) the accuracy of the information provided by the App or the Services as to whether the persons who have come in contact with in fact been infected by COVID-19”.
This means that now the Government may be held liable in case of unauthorised access to the user’s information or any modification to it or any other liability arising from data breaches etc.
The App has failed to provide for deletion of the entire response data, i.e. demographic data, contact data, self-assessment data and location data. Allowing a user to delete only their demographic data serves little or no purpose.
In addition to this, there is still no clarity over the sunset date of the App. While the Protocol will lapse after 6 months unless decided otherwise by the Empowered Group on Technology, Aarogya Setu does not have a sunset clause. The fact remains that the Protocol is not a statutory foundation for Aarogya Setu.
Apple and Google’s open source API has been released in 23 countries worldwide, but it will not be compatible with Aarogya Setu, as Aarogya Setu requires both location and Bluetooth data to function. The Central Government could have adopted a decentralised approach to contact tracing to mitigate the privacy concerns surrounding Aarogya Setu, but that still remains a far-fetched dream!
We also did a technical analysis of Aarogya Setu which can be found here. We also wrote to the Minister of Railways, the Minister of Civil Aviation, and the Managing Director, Noida Metro Rail Corporation to consider the installation of Aarogya Setu on a voluntary basis in consonance with the Ministry of Home Affairs guidelines dated 17.05.2020.