The Arogya Setu app was launched earlier this month by the government for people to self-assess COVID-19 symptoms and the possibility of them contracting the virus. It has now received a revised privacy policy, along with some minor updates. In terms of the visual aspect, the dashboard of the app has been made more prominent, with images of how to remain safe and how to maintain social distance at all times. The app is likely to display an e-pass feature in the days to come, but as of now, it does not share any information regarding the same.
The previous policy mentioned that users would receive notification of revisions from time to time, but that has not been the case with the recent policy update. What is more shocking is the fact that the present privacy policy is not mentioned in the Google Play Store, which is otherwise a must. Let us now have a look at the critical changes made in the policy.
Unique ID For Everyone
The app saves several details about a user, such as name, age, gender, profession, and phone number, along with locations of countries they may have visited in the last 30 days. With this update, the users will be provided with a unique digital ID called DiD. The privacy policy states that the DiD will be used to identify the user in all subsequent app-related transactions, and will be associated with any data or information uploaded from the app to the server. However, the DiD unique ID will not be available at the moment for users to access.
Sharing DiD With Other Users
The Arogya Setu app has been designed to automatically share the DiD, time and GPS location of one user with other users when they come nearby. The policy reads that the information collected from one user will be securely stored on the mobile device of the other registered user, and will not be accessible by other users.
Data Will Not Be Shared With Third-Party Apps
The recent update in the policy reads that the data of users will not be shared with any third-party apps. However, there is a clause. This data may be retrieved for necessary medical and administrative intervention, although the exact definition or meaning has not been made public yet. Information will be sent to the central government’s server without the user’s permission, such as:
- Positive Test For COVID-19
- Self-declared assessment points for a user at high risk (this is categorized as yellow (moderate risk) and orange (high risk))
Non-liability Of Government
As per the limitation of the liability clause, the government cannot be held responsible for the failure of the app to identify a person accurately, as well as for the accuracy of the information provided by the app. The policy reads that the government is not liable in case of any unauthorized access to your information or modification thereof.
However, it remains unclear if the clause is limited to unauthorized access of a user’s device or central servers which store the data.
Duration Of Stored Data
Any data, including the DiD data, will be stored on the mobile for 30 days, after which it will be deleted automatically, in case it has not been stored in the central database. For the data that has been stored in the central database, the deletion period is 45 days.
For those users who have been tested positive for the virus, the data will be deleted after 60 days.
Data After Uninstallation Of App
It is a common question that hovers over everyone’s mind – what will happen to the data if the app is uninstalled from the mobile device? All the data that are retrieved from a user at the beginning of the installation remains stored in the database – as mentioned in the above paragraph – for a set number of days, irrespective of usage of the app by the user. In simple words, once the app is installed, the data stays for 30 days.
Usage Of Data
The stored data will be anonymized and transformed into data sets that will generate a heatmap and statistical visualization. However, the app has not seen a heatmap and statistical visualization even after the update on the user’s end. The app at present only shows a state-wise breakdown of the COVID-19 positive cases.
Data Security
The app has been encrypted with standard security features, and all the data will be encrypted before it is further uploaded to an encrypted cloud server. The app has been designed in such a way that it conceals the location and other details of a positive tested patient, in case another user comes near the patient.
