Back in May, he risked a six-month prison sentence or a $ 15 fine for refusing to download the application. Ghosh no care: He has greater concern about future data usage.
“I am not sure how the government will use my data. If they want, they can monitor me forever through location tracking on the application,” Ghosh said.
The Indian government states that most of the user’s personal data and location is ultimately deleted, but critics say the lack of Indian data protection laws makes millions of people potentially violate privacy. They also worried that private information could be sold by the government to private companies, or even be used for surveillance outside Covid-19 concerns.
Millions of users
The Aarogya Setu application was developed by the National Informatics Center, an ICT and e-governance body under the Ministry of Electronics and Information Technology, in collaboration with voluntary technical experts from the private industry and academia.
In the beginning
June, already downloaded
120 million times.
Unlike many other countries’ contact tracking applications, Aarogya Setu uses Bluetooth and GPS location data to monitor the user’s application movements and proximity to others.
Users are asked to enter their name, telephone number, age, gender, profession, and country that they have visited in the past 30 days, as well as their previous health condition and self-assessment of Covid-19 related symptoms.
A unique digital ID (DID) is generated for each user, which is used for all future application-related transactions. Through GPS, the application records the location of each user every 15 minutes.
When two registered users come within Bluetooth range of each other, their application automatically exchanges DiD and records time and location. If one of the users tests positive for Covid-19, the information is uploaded from their mobile to the Indian government server and used for contact tracing.
In an analysis of 25 applications, the
Massachusetts Institute of Technology (MIT) gave Aarogya Setu fair
two out of five stars, mostly because he collects
far more data than that needs. In comparison, the Singapore TraceTogether app gets 5 stars and uses Bluetooth only.
On June 1, Aarogya Setu identified 200,000 people at risk and 3,500 Covid-19 hotspots, according to leading developer Lalitesh Katragadda, founder of Indihood, a private company that builds population-scale crowdsourcing platforms, and one of the voluntary private industries working with government agencies in the app.
“We have an efficacy rate of 24%, that is, 24% of all people who are estimated to have Covid-19 because the application was stated positive,” Katragadda said. This means that only about 1 in 4 people are suggested by the application to get a truly positive test.
Subhashis Bannerjee, professor of computer science and engineering at the Indian Institute of Technology, New Delhi, said the combination of Bluetooth and GPS locations is likely to return higher levels of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth exaggerates risks in large open spaces, across walls and floors, which radio waves can penetrate but viruses cannot.
“There seems to be a leap of confidence from GPS colocation and proximity of Bluetooth radios to estimate risk scores for transmission of infection,” he said.
write in the report for the Internet Freedom Foundation (IFF), a non-governmental organization that advocates for digital rights, which has put up legal challenges to mandatory download orders in the Kerala High Court.
Government protection
The Government of India states that adequate privacy and protection parameters have been established to ensure permanent erasure of application data.
“All contact tracking and location data on the mobile phone are deleted in the rolling 30 day cycle. The same data on the server is deleted 45 days from the upload unless you test positive. In this case all contact tracing and location information is deleted after 60 days after being declared cured,” said Abhishek Singh, CEO of MyGov in the Indian IT ministry.
However
Aarogya Setu Data Access and Knowledge Sharing Protocol states that unidentified (anonymous) data can be shared with any ministry or government agency, as long as it is for the purpose of dealing with Covid-19. Any data received must be deleted permanently after 180 days, the protocol said. But privacy campaigners say there is no way to know if that happened.
“There is no way to check and verify whether total data destruction has occurred and if a third party sharing the data has also destroyed it,” said Apar Gupta, a lawyer and executive director of the IFF.
Responding to the call for further transparency, the Indian government opened the application source code on May 27 and announced a bug program to provide incentives for software experts to find security vulnerabilities in applications, to correct errors, if any.
“This is a step in the right direction but to find out the complete picture of who has access to data, we also need server code,” said Robert Baptiste, an ethical hacker who uses aliases.
from
Elliot Alderson and security weaknesses that open in the application immediately after launch. Open server code will allow experts to see what citizen data is stored on government servers and how the data is shared.
On June 1, Singh from MyGov, said the government plans to release server code in a few weeks.
However, Katragadda said that even with server code, access to information about data sharing would be limited.
“It will never be possible to see exactly who the data is being shared with because for that we have to open up the sources of the entire government,” he said.
There are no data protection laws
One of the main concerns activists have is that India does not have a data protection law, even though the law is currently being reviewed by a joint select committee and
can be skipped later this year.
The Personal Data Protection Bill imposes limits on how occupants’ personal data are used, processed and stored. If passed, the bill will also form a new oversight body – the Data Protection Authority (DPA) – to monitor compliance. Critics say the bill is flawed for a number of reasons, including that the law allows the government to free its departments from laws based on national security.
But at present, there is some protection for data in India.
“There is no legislative framework which means there is no official level of accountability. So, if there is a data accident, there will be no penalty, there will be no protection,” Gupta said.
There are also financial incentives for the government to share information. That
Indian National Economic Survey 2018-19 openly states that the Indian government will monetize citizen data and sell it to private companies to generate income.
“India has made a strategy to sell citizen data and thus make it a commodity by claiming ownership of Indian personal data, which is contrary to Indian people’s fundamental rights to privacy,” said Kodali, a public interest technology expert.
Last year, the Modi government sold vehicle registration and driver’s license data to 87 private companies for 65 rupees crore (around $ 8.7 million) without the residents’ consent. This caused a reaction with the opposition party to question the government’s motives and selling prices in parliament.
Despite government guarantees that all Aarogya Setu data will be deleted, Katragadda told CNN Business that some information from the application will be automatically transferred to the National Health Stack (NHS). NHS is a cloud-based health registrar, which is currently being developed, which will include a citizen health history, insurance coverage and claims.
“Any residual data from the Aarogya Setu application will automatically move to National Health Stack in the approval architecture, as soon as the health stack starts to take effect,” Katragadda said.
Residual data means any data that still exists on government servers when the NHS becomes active. That includes location, health, and personal data that has been downloaded to the server but has not been deleted within the timeframe set by the government, Katragadda said.
No date has been set yet for the NHS release, but Gupta from the IFF is worried, again, that there is no legal framework to protect data.
“Although it is repeatedly stated that consent will be the basis of information sharing, it is important to note that in both the Aarogya Setu and NHS applications, approval is incorporated into architecture which is a technical framework rather than a clear legal source of authority.”
Ticket to move
Like other countries that have introduced contact tracking applications, India says this technology is very important to stop the spread of the virus. On June 22, the country confirmed more than 410,000 cases and 13,254 deaths.
Air passengers are encouraged to download the application before the flight, train passengers need it for train travel, and
some workers have been told that they need it to do their work.
But digital rights activists say the application carries a greater risk than its value, especially in the country where
less than 35% people have cellphones that can support it.
Citizens and activists also fear the creep function of the application, which means that information obtained through the application can be linked to other services.
“In the past we have seen that technological interventions by the government such as the Aadhar program, which were originally built to ensure that everyone has a digital identity, have become a pervasive system,” Gupta said.
“Originally built for the purpose of accessing government benefits and subsidies, it was immediately mandated to open a bank account, availing mobile numbers and continue your business.”
Gupta refers to Aadhaar, a biometric database
introduced in 2009, initially as a voluntary program to prevent fraudulent benefits. Now, it contains fingerprints and iris scans of more than one billion Indians. The user receives a 12-digit identification number that is used to access welfare payments and government-controlled services.
However, in 2018 a journalist discovered a security breach that revealed citizens’ personal details. The government introduced new security measures, but the scandal eroded confidence in its ability to keep data safe.
Before reducing its mandatory download orders, India is the only democratic country that requires millions of citizens to download applications. The only other countries that apply similar rules are Turkey and China. Activists say that’s just a concern.
“In terms of technology and public use, the largest democracy in the world draws from the Chinese handbook – using national security or public health crises to build digital models for collecting, monitoring and monitoring digital data,” said Vidushi Marda, a lawyer working on new technology and human rights.
Chinese Covid-19 application, originally designed for contact tracing during a pandemic, is now being sewn into a social credit system in several places, where this application is used to track individual exercise, alcohol consumption and smoking, and hours of sleep.
“I would say this kind of complex technical architecture does not occur collectively in India, but there is a danger that they will be built through platforms such as National Health Stack,” Gupta said.