Blog

The Internet Freedom Foundation (IFF), an Indian digital liberties organisation, on Wednesday, put up a tweet explaining the kind of user data that the CoWin app will collect from users who registers for the vaccine on the portal

The data collected will include users’ names, gender, date of birth (DOB), photo ID, type of photo ID and mobile number

The Ministry of Health said it can’t provide a privacy policy for the CoWin app since the CoWin app is accessible only by National, State and District level Administrators. The general public can only register themselves for vaccination

The Indian government, on Wednesday, opened Covid-19 vaccine registrations for those above 18 years of age. Or did it? Within minutes of the registration opening at 4 pm, Twitter users reported that CoWin, one of the government’s designated apps for the purpose, had crashed. For several others, while the app was working, the vaccination centres in their cities weren’t accepting bookings from anyone aged below 45 (the previous age criteria for getting the jab). 

To put it simply, the government opened up vaccine registrations before ensuring that hospitals and testing laboratories had enough vaccines to cater to the increased demand. Despite these obvious glitches reported by hundreds of users, the government denied any glitches. Also, there could be more flaws with the systems built by the government to help people register for the vaccine. 

The Internet Freedom Foundation (IFF), on Wednesday, put up a tweet explaining the kind of user data that the CoWin app will collect from users who register for the vaccine on the portal. 

The data collected will include users’ names, gender, date of birth (DOB), photo ID, type of photo ID and mobile number. It is worth noting that Aadhaar will not be mandatory to register on CoWin. The data collected by the app will be available for access by national, state and district-level administrators, said the digital liberties organisation. 

In its tweet, IFF has explained some reasons for concern about CoWin’s data protection apparatus, or lack thereof. The IFF, last month, had filed right to information (RTI) requests asking the Ministry of Health and Family Welfare (MoHFW) to explain how the personal data of CoWin users will be protected. 

While the ministry clarified certain aspects as noted above, it said it cannot provide a copy of the app’s privacy policy because “the CoWin app is accessible only by national, state and district-level administrators. The general public can only register themselves for vaccination.”

The IFF also didn’t receive a clear response to its query about which ministries and departments in the government will have access to the data on the CoWin platform. 

“This lack of answerability leads us to believe that either the ministry doesn’t have the necessary info (which is problematic, to say the least), or they are refusing to give us access to info – because that may open the doors to further questions,” IFF wrote in a tweet thread explaining the RTI replies last month. 

Government Apps Ignore Privacy Best Practices

The Indian government’s propensity for using technology for governance has led to mobile applications that have eased the delivery of public goods and services. However, with India yet to notify a personal data protection legislation, many of these apps developed by the government are found to have security vulnerabilities that clearly jeopardise user privacy. 

Earlier this month, the Delhi High Court granted bail to activist Umar Khalid seven months after his arrest under the stringent Unlawful Activities (Prevention) Act (aka UAPA) of 1967 for his alleged involvement in the Delhi riots of 2020. While the charges under UAPA are still pending, the court decided to let Khalid out on bail against the payment of the INR 20,000 bond and a surety of like amount.

While all that was part of due legal procedure, there was one condition that raised a lot of eyebrows — Khalid was asked to install the Indian government’s Covid-19 contact tracing app Aarogya Setu on his mobile phone.

“The installation of Aarogya Setu as a precondition has not clearly been articulated and there have also been existing concerns that Aarogya Setu data, which includes a person’s physical movements, will also be shared with authorities beyond it being there for health purposes,” Apart Gupta, executive director of IFF had told Inc42. 

Gupta had further noted that there is no legal limitation at present to Aarogya Setu deployment apart from the protocol and there is no legal basis to restrict its sharing of information of the police department.