In an effort to assure citizens that the Aarogya Setu app doesn’t pose any risk to their online privacy, the Indian government on Monday issued a new set of guidelines for processing of data collected through the controversial contact-tracing software and even proposed jail terms for violators. The new guidelines not only prohibit the storage of Aarogya Setu data for more than six months, but there’s also a provision for people to seek deletion of their data from the record within 30 days of making such a request.
The fresh guidelines, which lay down rules on the handling of data by various health and security agencies tasked with controlling the pandemic, also limits what exact information can be collected through the new app. According to the PTI, the new guidelines allow the collection of only demographic, contact, self-assessment, and location data of persons infected by the coronavirus or those who come in contact with the infected person.
The data shared with universities for research purposes, but only after removing all personally-identifiable details. According to the guidelines: “Any violation of these directions may lead to penalties as per section 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable”.
The latest developments come just days after a famed security researcher, Baptiste Robert, claimed that the Aarogya Setu app has severe security loopholes that could have potentially exposed the exact location of 90 million users. According to Robert, not only does the app allows for continuous location tracking in the background, but it also allows anyone to see the concentration of COVID-positive or COVID-suspected people within up to a 10km radius. The government, however, has denied all allegations, claiming that the issues pointed out by the researcher are included in the app ‘by design’.