Around 20.4 crore Covid-19 vaccine shots have been administered across India until May 28. Of this, 16.2 crore are first doses and 4.25 crore are second doses. All this information on the numbers of vaccinations and registrations for getting vaccinated is coming through the CoWin app. This app is meant to make it easier for users to reach hospitals and vaccination centres, but there have been concerns about accessibility for the millions of Indians without smartphones and internet access, as well as about the safety of vaccination data.
We addressed these concerns to Ram Sewak Sharma, CEO of the National Health Authority under the Ministry of Health and Family Welfare. Sharma is a career civil servant, who was earlier chairperson of the Telecom Regulatory Authority of India. He was also director-general of the Unique Identification Authority of India or the Aadhaar project. Sharma has a master’s from the Indian Institute of Technology, Kanpur, a PhD from IIT-Delhi and a master’s degree in computer science from the University of California.
Excerpts from the interview:
Who owns the CoWin app? Who does it belong to?
Let me make an initial correction. You called CoWin an app. CoWin is not an app, it is a platform that has multiple interfaces, depending on the role which you play.
For example, there is the registration and appointment module which is a citizen-facing module that enables people to register on the CoWin platform and also search for [vaccination appointment] vacancies. Another module is the onboarding module [which is used by] vaccination centres and hospitals [to] publish their [vaccination appointment] timetable on the CoWin platform.
A third module is the vaccinator module, which is used by vaccinators and the verifiers who check the identity and eligibility of a person when [they go] for vaccination. The fourth module essentially issues the digital certificates, which are digitally verifiable and non-refutable after vaccination has happened.
After the first vaccination, it issues a provisional certificate. After the second vaccination, it issues the final vaccination certificate. So that’s an introduction to the CoWin platform.
There is also the Aarogya Setu app which enables self-authentication of whether a person has had Covid-19 or may have been exposed to Covid-19. That app is under a different government ministry but is linked to the CoWin platform? How are the two linked?
It is very important to understand that the Government of India may be divided into various departments and ministries; however, the government is just one entity.
The Aarogya Setu app is operated by the Ministry of Electronics & Information Technology and the CoWin platform is being operated by the Ministry of Health and Family Welfare.
However, as I indicated, CoWin is a collection of a number of applications. These applications are loosely connected through an application programming interface. That is the architecture we created. We have not created a monolithic platform but essentially a platform that can host a number of applications around it using APIs.
We had initially published these APIs on the API Setu, one of the platforms we use to publish the API specifications. Aarogya Setu is one of the partner applications which has used these APIs to connect to the CoWin platform. We also have created a CoWin portal where you can book appointments–that is the citizen-facing function. Umang is another platform.
Only the day before yesterday, we published an open API policy that will enable third-party applications to connect using the same public APIs. Some of them are non-restricted, some are restricted. For instance, looking [for vaccine appointment] vacancies is a non-restricted API, with which people will be able to develop [third-party] apps. Some of the registrations etc. will be restricted APIs, which will require an API key to operate and connect with us. That is the architecture.
There are two kinds of people, those who have been vaccinated either once or twice, and those who have not been vaccinated. Is there any plan for how those who have been vaccinated can demonstrate that, which in turn allows them greater mobility or access, as is being explored or being done in some Western countries?
Excellent question. Two things. One is, I am not sure what Western countries have done, because to my mind, they have not had this kind of digitally verifiable [Covid-19 vaccination] certificate, which we have had since day one. We have a certificate that is actually verifiable from the source itself. [Its] QR code can be read.
Secondly, we also have, for example, the Aarogya Setu app. If the Aarogya Setu app sees two vaccinations done, then a green ribbon appears on the app which shows that this person has been vaccinated. Similarly, the vaccination certificate also can be downloaded on a mobile and can be shown.
In order to ensure that the certificate is compliant with international standards, we have utilised what is called FHIR – fast healthcare interoperability resources – of World Health Organization standard. We are aligning our certificates with that. So hopefully, for international travel, it will be recognised throughout the world. That is how we are going about it.
In the domestic area, if you are an employee and your employer wants that you should have had two [Covid-19 vaccine] jabs, you should be able to show that certificate in Aarogya Setu, or otherwise independently.
What about domestic mobility, for instance catching a flight from Mumbai to Delhi? Today the requirement is to have a recent RT-PCR test, but if I am vaccinated twice, how could I demonstrate that easily and quickly?
As I said, the [vaccination] certificate is downloadable. You can just show it on your mobile like you show your air ticket on the mobile.
It is a digital artefact, not a physical artefact, therefore it can be used digitally. You can keep it in your Digilocker, from where you can transfer it at any time to anybody who requires it. You can email it, WhatsApp it to that individual. So essentially, it is a digital artefact that is easily handleable. And it will be accepted by all the airlines.
Staying on the issue of acceptance, when the Aarogya Setu app shows green, it is clear that that cannot be fudged. There are, however, concerns that people may fudge Covid-19 vaccination certificates since it has already happened with fake RT-PCR certificates. Is there any opportunity or potential to fudge the CoWin vaccination certificate?
Not at all. In fact, it can be verified at the source. The QR code itself is encrypted. Once the QR code is read, it is very clear that this data is coming from the source and it is non-repudiable.
Therefore, it is a completely verifiable digital artefact. There is no question of any forgery happening. Of course, you can always Photoshop many things, but you cannot Photoshop the CoWin vaccination certificate.
Right now, there are about 24 crore total registrations for vaccination on CoWin and about 20.4 crore vaccine shots have been administered. Contrary to popular belief, the number of walk-ins among these is actually higher at 53% to 54% than the number of online registrations, at about 47%. What does this add up to in terms of how many people are waiting in the wings for a vaccine shot at this point?
There are two types of people. One is those who have got the first dose and not the second dose. Those figures are also available on the CoWin dashboard.
It is a very, very robust dashboard. You should understand that in a country like India, we have real-time data on the people being vaccinated, what kind of vaccines they received, how many people have been vaccinated with the first dose, how many with the second dose, how many are registered but have not yet been able to get a booking or are waiting.
Everything is absolutely transparent. You yourself read out those figures, that 24 crore or so have registered, and 20.4 crore have been vaccinated. So now, you can deduct that number and add it to the number of people who are still to get their second dose of vaccine. So that is the waiting list.
There are a lot of questions today about whether enough vaccines are available and also concerns on the distribution side, for instance, whether private hospitals are cornering vaccine doses. Can you tell us more about how you are collecting this data of where the vaccines are coming from and where they’re going at the source?
No. The point is that private hospitals are expected to provide input on vaccines as part of the onboarding process. They are supposed to update those numbers. Once the receipt is there, expenditure is what CoWin calculates.
This basically means that suppose I received 100 vials and 98 vials were actually administered by X private hospital, then we know that X has got two vials left with it. Though we are not supposed to do the stock-taking, the very fact that you received X number and you spent Y number, that Y number comes from CoWin and the X number comes from your input into the system at the time of onboarding. So we know exactly how much stock is available with each entity. That is something we do. However, the logistics of vaccine procurement is outside the scope of CoWin.
As of now, 39,506 vaccination sites are showing on the CoWin platform, of which 38,400 are government and only 1,106 are private hospitals, so it is actually a very small number, but do you have a sense of how the vaccine distribution is done, from the back-end?
Honestly, I do not and the reason is that the liberalised policy that the government had announced, effective from May 1 onwards essentially says that 50% of the total vaccines will be procured by the central government, which will be supplied to the state governments for persons aged 45 years and above to be vaccinated free of cost at government centres.
The balance 50% is to be divided between the state government and the private hospitals. So those processes of procurement, supply and logistics, we are not really aware of. But what I know is that, forget about who is getting how much, the pressure will ease as and when the vaccine availability overall in the system increases. Then obviously this whole gap between demand and supply will narrow.
When you see the number of vaccine shots being taken rise and fall from the back-end, are you able to collect other intelligence or insights on health access or behaviours and perhaps extraneous factors like lockdowns?
No, we are not. The policy we have made is a minimal data collection policy. We are collecting only three data points from an individual. We do not collect [their] address; just the name and gender for identification purposes and year of birth for eligibility purposes. And of course, we verify his or her identity from the document which he or she submits.
So that is all we are collecting, number one. Number two, a person is free to get a vaccination appointment at any place anywhere in the country, which essentially allows mobility. So for example, if I took my first vaccine in Ranchi and now I am in Delhi when the timetable comes up for my second dose, I should be able to get it in Delhi.
There should be countrywide mobility factored in there. So from a citizen-centric perspective, the whole CoWin application design approach has been how we can make the system more inclusive, and more easily accessible to the citizens.
We are not into function three. Typically applications get into function three, whereby they are made for one purpose and start doing others. We built Aadhaar and many people were saying add caste, place of birth, economic status, below- or above-poverty-line status and ration card number.
We said, “no, our purpose is to establish the identity of a person and nothing more, nothing less”. So whatever the essential attributes of identity are, that’s what we will collect. And that approach to privacy by design helped us in coming clean on the touchstone of the honourable Supreme Court’s examination of violation of privacy, in that famous case, which actually also resulted in the declaration of privacy as a fundamental right. So essentially, we have designed the CoWin system only to facilitate vaccination, and ensure that all facets of vaccination are taken care of – AEFI, adverse impact report and other things.
There are questions about whether we needed a back-end platform like CoWin at all. We have vaccinated hundreds of millions of children on one day in the past. So what is the relevance of CoWin? You mentioned mobility, the ability to offer authentication for travel. But what is the other advantage of having a back-end?
It is a very good question. People sometimes also say that it should be optional. You know why it was necessary to create such a platform? There are multiple reasons. One is as a public policy or a public health issue, the country needs to know which areas have been vaccinated, which are underserved, which are not so underserved.
Number two is that in India, when I get the first dose of a vaccine and say it is Covaxin, many people will not know the name of the vaccine they first took. So they could get some other vaccine in the second dose. We have to capture information on the adverse impact of the vaccine, if there are side-effects.
Manually doing these things would not be possible. After all, we are one-sixth of the global population. And therefore, ours is a massive programme. If you look at the numbers, it’s certainly the world’s largest vaccination programme. So that is another part.
Then, imagine in a situation of supply and demand, if there is a skewness, without a transparent platform. Then, people would throng vaccination centres, searching, trying to find out which vaccine is available. This is also very important in a country like ours, where people feel that everything can be done by pairvi (lobbying) and sifaarish (recommendation) and other things. So this platform provides that credibility, that howsoever high and mighty you may be, you are also in the line, you cannot break the queue.
From a logistics point of view, an overall management point of view and from a public health perspective, I think this is a necessary infrastructure which we had to have. And of course, this infrastructure will provide a huge amount of value in future.
I think there is no harm if polio vaccination, for example, or if other vaccination programmes which the government undertakes, also use some digital platform so we know which child has been vaccinated. Now, we are able to see which person has been vaccinated with what vaccine, and that’s important.
India is, after all, not a digitally illiterate country. Imagine India is conducting 3 billion payment transactions per month. India is consuming 10 gigabytes of data per mobile phone user. America’s consumption is of the order of four gigabytes per month, per user on mobile networks.
India’s mobile networks are transporting more data than in China and United States together. India has about 120 crore mobile phones, about 70 crore internet connections, 60 crore mobile smartphones. So, this is not an India where typically one presumes that people are living in some remote places that are not connected. India is a connected country now.
We may not have the best internet bandwidth in the country. But I am sure every phone is a 4G phone now, more or less. There may be still some vestiges of 2G, 3G, but I think broadly, the two major operators Reliance Jio and Airtel are fully 4G, Vodafone also.
India does have more than 70 crore people accessing the internet, including via smartphones. But there are concerns about those who cannot. They may be old, they may be physically constrained. So what is the CoWin team thinking about the people who are unable to use either the internet or smartphones?
An extremely good question. Let me also add a caveat that whatever the statistics I talked about in the previous question about India’s digital capabilities or digital connectivity notwithstanding, I certainly agree that there is a digital divide.
There are people who are more capable, who have access to better gadgets and better connectivity than others. I am not denying that fact. And the CoWin team from the beginning was conscious of this fact, so we built a completely inclusive system. Any digital system, if it is not inclusive, is useless. It should be accessible to everybody. Therefore, we allowed walk-ins. As you yourself said, 53% of people, ie a majority of people in this country are doing walk-in vaccination. That’s number one.
Number two, all the 250,000 Common Service Centres have been connected to our system. So you can do an assisted registration and assisted booking using these Common Service Centres. From today itself, for your information, we are opening a call centre operated by National Health Authority, that has the toll-free number 1075, through which you will be able to book the vaccination slots and also do the registration.
Third, we are also ensuring that on one phone, four people can get registered. That itself is an inclusive effort. Otherwise, we could have said that you can only use your own mobile. What about those people who don’t have a mobile? So, we are continuously improvising and improving. And now the latest policy is we have exposed these APIs and now multiple third-party applications will come and will probably improve the reach to the population. I think they will have a much more user-friendly interface.
There are two kinds of thoughts. One is people say, because it does exclude some people or because some people are unequal, therefore abandon the system. Another thought is that the system, as I explained to you, is necessary.
So what we should do is to improve the inclusivity of the system. And I think the second approach is the right approach. You should enable all kinds of systems, hybrid modes to exist: Walk-ins should exist, registrations should exist, assisted mode, self-service mode, all these things must exist. So the coexistence of all approaches to make the most inclusive system is our objective.
Some people have had problems where they’ve taken the first jab and the system does not seem to have that data. Is this because the person who was entering the data did not do so properly, or there was some breakdown? How friendly is CoWin going to be in terms of correcting these problems which people are likely to face, somewhere or the other?
Again, an excellent question. As I said, the data requirements are minimal, the only data is name, age and gender, so I think people should be careful not to commit mistakes, number one. Number two, if someone gets a jab and does not get an SMS, they must immediately be wary of the fact that this has not been entered into the system, because once you have a jab then immediately, within a few seconds, the system sends you a message saying “Congratulations, you have been vaccinated with the first dose, the second dose is due after so many days”.
Thirdly, many times people are also responsible. They create an account using their mobile phone and add themselves, their wife, their family members. Then for some reason, they create another account using another mobile number, and they add the same four people there.
Now, we are not doing any algorithmic deduplication at the back-end, because people can use multiple documents. You can use your Aadhaar, your driving license or other documents. Therefore, we are not doing deduplication, we are trusting people.
Now, what happened, you got the first jab using the first account, and you got the second jab using the second account. Obviously, the second account does not recognise that you are the same guy in the first account. So now you are struggling with two first dose certificates.
And you are saying “Oh, I got both doses, but I have two first dose certificates”. That is not a system’s problem. Once you have an account, it is better to go with that account because it will have the history of you and your family members and it is a digital certificate that will be there in that account only.
We are trying to create awareness to remove such mistakes. We are also now introducing some systems to correct errors that are happening in certificates, and I think that will help people, but in a group of 20 crore people, even 1% error is 2 million. So humanly, it becomes difficult and impossible to change such things. So we are doing certain things algorithmically and we are also enabling people to do self-correction. But of course, it has to be done in a manner that is safe. It should not result in some kind of gaming of the system again. These are some of my thoughts.
Where does the CoWin vaccination data sit right now?
I will not tell you because people might attack that facility [laughs].
But it is safe?
The data is absolutely safe.
This article first appeared on IndiaSpend, a data-driven and public-interest journalism non-profit.