Cities, states launch Covid-19 apps across India, many lack privacy controls

BENGALURU: States, city municipal corporations as well as police departments across India have launched 40 apps for Covid-19 contact tracing, quarantine tracking, providing health information and to generate e-passes, even as the central government’s Aarogya Setu app remains the face of Covid-19 contact tracing efforts across the country.

These apps have garnered several million downloads already, but many lack a clear or strong privacy policy although they collect personal information such as location data, photos, media, camera, call information, WiFi connection information and device ID, privacy advocates said.

In the absence of a privacy law, privacy activists have termed the apps’ policies and terms of service as ineffective, weak and confusing.

“While the applications have been developed independently by each government, we have observed some questionable trends, practices, and policy provisions pertaining to the apps,” Software Freedom Law Centre said in a report that studied the privacy policies, terms of service, and permission demanded by these apps. “It is shocking to see the absence of Terms of Service or a Privacy Policy that binds the developer/publisher of the app and its end-user.”

Information Technology (Intermediaries Guidelines) Rules, 2011 mandate that an intermediary shall publish the terms of use, rules and regulations, and privacy policy pertaining to the platform operated by the intermediary.

Some of the applications have generated privacy policies from a Firebase application, which helps companies generate standardised privacy policy templates depending on the type of app and information accessed.

The practice is in itself not uncommon although these policies lack clauses that cover important aspects such as data retention and purpose limitation for processing the data that is collected.

“These apps are also not updated regularly, which poses a cybersecurity threat. There is a sloppy coding patchwork of the apps and sloppy drafting of the privacy policies. They are taking it from templates. Healthcare data is the most sensitive data alongside financial data. It requires a high degree of protection. Users should be able to demand a copy, rectify it and delete it,” said Apar Gupta, Executive Director at Internet Freedom Foundation, a digital advocacy organisation.

For instance, the Uttar Pradesh government’s Self-Quarantine App does not have an accessible Terms of Service or Privacy Policy document. The privacy policy link on the Google Play Store page directs a user to the state government’s Covid-19 web portal. A policy document was not found there either.

On the other hand, Punjab’s COVA app has a detailed privacy policy. However, it does not mention how much of the data will be retained after the pandemic or the mode of retention. It also requires permission to access location, IP address, operating system, device ID, and handset make, even though the app is mainly for providing information and advisories.

Many apps direct users to privacy policies of other state government websites, which may have nothing to do with the Covid-19 app.

Quarantine Monitor app of Tamil Nadu directs users to the privacy policy of the ‘esevai’ (e-Service) portal of the state government, while the Karnataka government’s Quarantine Watch app takes users to the privacy policies of the land records department.

Emails sent to app developers of Tamil Nadu, Karnataka, Uttar Pradesh, Maharashtra, and Punjab did not elicit a response.