Centre for Internet & Society


Over the last three months there has been a considerable amount of focus on Aarogya Setu, the Indian Government’s Covid-19 contact tracing app. This app uses location data and Bluetooth technology to try to determine if the user has been in close proximity with a COVID-19 infected person. The efficacy, usage, mandate, and privacy policies of this app have been discussed at length. The app has received much criticism for not possessing adequate safeguards to protect the privacy of the users, and for failing to meet the necessity and proportionality principle. Further, there is no underlying legislation which forms the basis of the app. The app is currently voluntary, however, there has been a strong push by the Government to make the use of the app mandatory to access essential services. For example, as per the standard operating procedure published by the Airport Authority of India, it is mandatory for passengers above the age of 14 to register on the app prior to boarding any domestic flight. In addition to Aarogya Setu, several state governments have also launched mobile apps to monitor Covid 19 cases in their respective states. Given the focus on Arogya Setu, these apps have largely escaped attention and public scrutiny. The objective of these apps vary, from monitoring the movement of quarantine patients (Karnataka, Tamil Nadu, and Uttarakhand) to providing information and updates about the number of patients in the state. Some of these apps have now also introduced contact tracing, and identification of hotspots (Punjab, Haryana and Odisha). These state government apps have already been downloaded by lakhs of citizens in different states. COVA Punjab app, for instance, has been downloaded by over ten lakh citizens in the state.

It is concerning that some of these apps either do not even have a privacy policy (Corona Mukt Himachal Pradesh, Covid-19 West Bengal). In some instances, where a dedicated privacy policy for the app is missing, the citizen is directed to the general privacy policy of the developer (Test Yourself Goa, Test Yourself Puducherry) or to the state government’s website (Odisha, Maharashtra). Even in cases where a specific privacy policy has been published, the policies are often vague, and fail to specify important details such as the time period for which the data shall be retained and specific use cases for the data. Lack of clarity, transparency, and privacy on numerous levels across the COVID-19 apps launched by state governments indicates that the practices governing the apps in response to COVID-19 in Indian are far from ideal and require significant improvement.

Our survey presents structured observations of the prevalent issues in these apps, providing findings that can be utilised to make comprehensive improvements to technology and app-based responses to COVID-19. Read the full survey and a report on the findings here.

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.