The Central Information Commission (CIC), on Tuesday (October 27), has issued a show-cause notice to several government departments including the IT ministry for not having any information about the who created the controversial contact tracing app Aarogya Setu.
The commission has summoned the central public information officer (CPIO), the ministry for electronics and information technology (MeitY), the National Informatics Centre (NIC) and National eGovernance Division (NeGD) in this matter. It has also asked the NIC to share a written explanation on how it does not have any information about the creation of the app.
The directive to the NIC comes in the light of the fact that the official Aarogya Setu website mentions that the app was designed, developed and hosted by NIC itself. Moreover, the CPIO and NIC have been asked to explain in writing how the Aarogya Setu website was created on the domain name “gov.in”, which is used by government websites.
“None of the CPIOs were able to explain anything regarding who created the app, where are the files, and the same is extremely preposterous,” information commissioner Vanaja N. Sarna was quoted as saying. The development was first reported by Live Law.
After the story came to light, MeitY issued a statement highlighting that “Aarogya Setu app is a product of government of India built in collaboration with the best of the minds of industry and academia. Worlds largest contact tracing app, appreciated by WHO also.”
Earlier, Puducherry-based activist Saurav Das submitted a right to information (RTI) application with the NIC seeking information on the creation of the contact trace app. To this, NIC had replied that it “does not hold the information”. Das, then, filed a case against these relevant authorities for failing to furnish the information.
The much-criticised Aarogya Setu app was launched on April 2, 2020, by the Indian government as a way to enable digital contact tracing for suspected Covid-19 cases in India. The app leverages Bluetooth and GPS-based location tracking to identify potential encounters with suspect or coronavirus-positive cases. It detects other devices with the Aarogya Setu app installed and alerts users based on proximity to the device. It also captures this information to let authorities know about the movement of suspect cases.
However, Aarogya Setu, which was the seventh most downloaded app globally in the second quarter of 2020, also brought along several privacy and security concerns. The critics have highlighted that the app collects unnecessary data of the users, which can allow the government to create a social graph of users by tracking everyone they have been close to. Further, it can also be used as a surveillance system, once combined with the government’s existing database.
Even French hacker Robert Baptiste, who goes by the nom-de-guerre Elliot Alderson on Twitter, exposed some vulnerabilities in the app in May this year. Later, the government released the source code of the iOS version of the app, however, reports suggest the source code of the version released in the public domain does not match the final version of the app which is available to download.
Besides this, MeitY also released the data-sharing protocol for Aarogya Setu to highlight how the collected data will be used. The document mentioned that NIC will be responsible to collect, process and manage data collected by the app. The document also added that NIC shall only collect such data, which will be necessary to formulate or implement appropriate health responses.
Update: October 28, 2020 | 8: 43 PM
The article has been updated to incorporate MeitY’s statement.