CoWin App: No Specific Privacy Policy, No Info on Developer, Cost

CoWin app, the Centre’s glitch-prone digital platform rolled-out to manage the COVID-19 vaccination program, has also emerged as opaque regarding basic information about its development and functioning.

Information sought under the the Right to Information Act regarding the app has also been stonewalled, eliciting comparisons with Aarogya Setu’s lack of transprency and raising questions around an application designed to handle sensitive data of over a billion citizens.

An RTI seeking information on the developer of the CoWin app, as well as on the cost incurred and audit practices, was transferred from one ministry to another, before stating that ‘no information is available’.

The rejection of basic information comes months after the Central Information Commission had termed a similar denial of information by Ministry of Electronics & IT on the Aarogya Setu app as ‘preposterous’.

No Privacy Policy with CoWin App

The Software Freedom Law Centre, India (SFLC.In), an organisation advocating for online civil liberties, found in its preliminary review that the app does not have a specific privacy policy. An app’s privacy policy specifies how it collects, stores, processes and shares data pertaining to individuals.

SFLC.In also points out that the CowinApp does not list down the official email address of Union Health Ministry officials. Instead, it has listed a Gmail address.

“The privacy policy hyperlinked to the app redirects to the Health Data Management Policy, 2020,” SFLC.In adds.

So, what exactly is this policy? And why is it acting as a substitute to an actual privacy policy of an app?

This Health Data Management Policy, 2020, essentially asserts the government's intent to promote the newly-announced national health ID, along with the national health stack.

The policy is the first step in realising the NDHM’s guiding principle of ‘Security and Privacy by Design’ for the protection of individuals’/data principal’s personal digital health data privacy

SFLC.In explains that the Health Data Management Policy is an umbrella policy, which acts as a guidance document across the National Digital Health Ecosystem and can’t substitute adequately as a specific policy for an app.

Moreover Co-WIN is not an open-source application and therefor is not open to scrutiny by third party auditors. “There are no provisions for liability related to data breaches either,” Sugathan adds.

Denial of RTI Info

Given the multiple glitches that CoWin suffered from the first day of the vaccination drive, the app has invited attention to its development and design.

However, at least two separate RTIs seeking information on the app have failed to get any information on it.

A collective called ‘Legal Squad’ filed an RTI with the Union Health Ministry on 5 January, seeking specific details on the individuals and government departments associated with the development of the app, and audit measures that exist to check for misuse of the personal data.

This was transfered to the Union Electronics & IT Ministry (MeitY). It is known as the CoWin app, which comes under the administration of the Ministry of Health & Family Welfare.

On 19 January, MeitY responded stating, “With regard to information sought, no information is available with innovation & IPR Division, MeitY.”

A separate RTI, filed by SFLC India on 12 January has also sought specific information regarding the privacy assessment of Co-WIN, list of developers, file notings and cost incurred on developing the app.

Parallels With Aarogya Setu’s Lack of Transparency

The Central Information Commission (CIC) had slammed the Ministry of Electronics and Information Technology (MeitY) for having ‘no clue’ about the origin of the government’s vaunted coronavirus tracing app, Aarogya Setu, and issued show-cause notices to information officers in the ministry for their evasive replies to RTI requests on this issue.

The CIC’s order and observations related to a complaint by RTI activist and independent journalist Saurav Das, who had filed several RTI requests regarding the Aarogya Setu app.

On 1 August, Das had sent queries to the CPIOs at MeitY, asking for details and documents on the creation of the Aarogya Setu app, including the origin of the proposal, how it was approved, which government departments were involved, and copies of communications with private persons involved in developing the app.

On 2 October, after nearly two months, the NeGD said they did not have any information relating to his queries.

“It seems this government never learns. Previously in my Aarogya Setu case too, MeitY said that it does not have information and kept transferring the RTI like a game of ‘passing the parcel’,” Saurav Das told The Quint.

Das says after the Central Information Commission passed some scathing remarks after his second appeal, some information came forth. But till date, he has not got the information sought relating to Aarogya Setu’s creation. The case is currently pending before Delhi High Court.

“I believe a similar fate awaits Co-WIN. Both these apps collect a lot of sensitive information and we do not know how this data is being handled. Co-WIN is a bigger issue since this is directly related to the Digital Health ID,” Das said.

He added, “When the government starts hiding information and files relating to them, it raises genuine apprehensions and questions.”