Government selectively opens up Co-WIN APIs to third parties without data policy

On April 17, the Government denied Step One, a non-profit organisation (NPO) working on enabling vaccination registration and appointment through WhatsApp, permission for software access to the Co-WIN dashboard. However, on Wednesday it reversed its position and opened selective parts of the Application Programming Interfaces (APIs) for Co-WIN to third parties for appointment vacancies search and vaccination certificate downloads.

In a letter to Step One, dated April 17, the Empowered Group of Vaccine Administration for COVID-19 said that a comprehensive data capture policy needs to be put in place before allowing third-party apps and service access to the COVID-19 dashboard for vaccine registration and delivery. It commended the efforts of Step One to innovate and bring out more options to citizens but said that the “usage of public URLs, capturing personal data, and having citizens use such applications are not permitted unless explicitly stated and enabled through a policy.”

“We have built various services within the Co-WIN system as micro-services exposing APIs for ensuring integration and innovation in future. But, as you may be aware, Co-WIN APIs do deal with sensitive data and hence a well-defined policy covering data capture, protection, security certification, auditing, and other aspects need to be established. As of now, there is no such policy with respect to enabling third-party applications such as yours on top of Co-WIN APIs and hence we will not be able to allow you to connect to our APIs”

Empowered Group of Vaccine Administration for COVID-19, letter dated April 17, 2021

The letter appeared to suggest that the APIs are out in the open for future innovation and not for use at the moment. It also said that a comprehensive policy will be issued and API access for third-party apps will be opened up at an appropriate time in the future. However, the letter did not provide any concrete timeline. The letter was signed by former senior government official RS Sharma. Sharma is the chairman of the empowered group for vaccine administration and is also the Chief Executive Officer of the National Health Authority.

Selective treatment in Co-WIN data access

The vaccination certificates contain data that is personal and sensitive, as it reveals not only the vaccination status of an individual but also details of the ID used for verification, such as PAN card and Aadhaar. On the one hand, the government is yet to issue the proposed policy governing third-party use of Co-WIN. On the other, this raises the question of why it has opened APIs even though it does not plan on allowing third parties to use them.

The government has opened up the Co-WIN APIs for vaccination certificate downloads, even though there is no comprehensive data capture policy in place, something the agency said was needed just ten days ago. The government’s selective opening up of APIs doesn’t seem to have strong reasoning and poses the same privacy concerns that the agency pointed out earlier when it declined Step One access.

Step One’s WhatsApp Bot

Earlier this month, an organisation called ‘Project Step One’ created a bot on WhatsApp that would allow people to register for vaccination appointments.

But two days later, PIB Fact Check declared the service as fake and stated that registration for vaccination can only be done through the Co-WIN portal and Aarogya Setu app. Following the PIB Fact Check, the Ministry of Health also declared the service as fake and asked the company to stop providing its services.

In a letter to Sharma, dated April 12, Step One formally requested that the government allow the organisation to use the Open APIs available on the API Setu website to run its WhatsApp bot. The primary concern about the service offered by Step One was the potential privacy issues surrounding the capture of data that is highly personal and sensitive. To alleviate some fears, Step One stated in its letter that its service does not store any personal data of users on its server and all data is fully secure. It further added that the code for the WhatsApp bot is open source and available for audit.

In a separate statement, Step One stated that the bot was built using Open APIs provided by the government and the bot simply passed on user data to Co-WIN’s servers and none of the data was saved or accessed by the organisation. It further added that Open APIs are used worldwide to bring innovation and speed to existing solutions.

Step One suspended its services on April 15 while awaiting a response from the government.

MediaNama has reached out to Step One and the National Health Authority of India for comments. We will update the story once we receive them.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
