The users of the Aarogya Setu app will now be able to delete the data stored by the app. The Central govt has informed that it has issued a set of protocols to regulate the definition, collection, processing, and storage of data by the contact trapping app. Data includes the user’s name, mobile number, age, gender, profession, and travel history.
As per reports, Centre issued ‘Aarogya Setu Emergency Data Access and Knowledge Sharing Protocol, 2020’ which will be applicable from the next month. It will also increase the period of retention of such data from earlier six days as specified in the app’s privacy policy to 180 days.
The Central government’s protocol said, “There is a need to ensure efficient data and information sharing among the different Departments and Ministries of the Government of India as well as those in the State/Union Territory Governments.”
Centre ensures that data will not be shared with any third party
As per the reports, the centre specifically said that the data belonging to those who are infected or at high risk of being infected or those who allegedly came in contact with someone infected is collected and managed by the National Informatics Centre. This includes demographic data, contact, self-assessment, and location data. The government ensures that it will not share the data with any third party until it is extremely necessary to formulate or implement health responses.
Demographic data will remain until the protocol is in force
Centre informed that the contact, location, and self-assessment data of individuals will be permanently deleted in 180 days but demographic data will remain until protocol remains in force. If individual requests for deletion of its data then it will be deleted within 30 days of the request.
The protocol allowed data to be shared with different agencies of the Central government and state government in the “De-identified” form in order to assist in the formulation of crucial health response. Those responsible for processing the data in a fair manner will not store it for more than 180 days.
However, the protocol said that the NIC will maintain a list of such agencies with details of when such sharing will start people who have access as well as the categories of the data.
French hacker alleged data compromise
This came after a French hacker named Elliot Alderson claim that the privacy of 90 million Indians is at stake, owing to a “security issue” in the Aarogya Setu app. He informed that he was contacted by the National Informatics Centre (NIC) and the IT Ministry regarding the issue. But when the Aarogya setu replied to his allegations, they had turned out to be normal features of the app and not any security threat.
He had alleged that data from multiple locations can be fetched by changing the latitude or longitude, but as the app administrators clarified, that it is not a security threat, as it is the same as someone calling to people at different locations and asking the data in those locations. All this data is already in the public domain, and it does not compromise any personal data. The ‘hacker’ had said that someone being able to collect data on coronavirus spread in various places is a security issue, but the fact is that only the number of positive cases can be obtained from the app, it does not disclose any personal data of any user. Moreover, such data is already available in the public domain, there is no privacy issue in disclosing the number of Coronavirus cases in a given place. Aarogya Setu app had also informed that API calls for data go through a Web Application Firewall, and bulk API calls are not possible to harvest data automatically.
The twitter handle of Aarogy App clarified that the app fetches the location of a user, as mentioned in its privacy policy, only during registration, self-assessment, and voluntary contact tracing. The app further reiterated that the data of a user’s location is stored in a secure, encrypted manner.
