Why many Indian citizens believe their government is trying to sell their coronavirus data

In May, Ghosh was sentenced to six months in prison or a $15 fine for refusing to download the app. He didn’t care: he had major concerns about the future use of his data.

“I’m not sure how the government will use my data. If they want to, they can monitor me forever by monitoring location on the app,” Ghosh said.

The Indian government says most users’ personal data and location data are eventually deleted, but critics say India’s lack of data protection laws exposes millions of people to possible privacy breaches. It is also feared that personal data could be sold by the government to private companies or even used for surveillance beyond the concerns of Covid-19.

Millions of users

The Aarogya Setu application was developed by the National Informatics Center, an ICT and e-government organization at the Ministry of Electronics and Informatics, in collaboration with volunteer technical experts from private industry and academia.

By the beginning of June, it had been downloaded more than 120 million times.

Unlike many other countries’ tracking applications, Aarogya Setu uses Bluetooth and GPS location data to monitor the movement and proximity of users of the application to other people.

Users are asked to enter their name, phone number, age, gender, occupation and countries they have visited in the last 30 days, as well as previous health conditions and self-assessment for any symptoms related to Covid-19.

A unique digital ID (DiD) is created for each user, which is used for all future transactions related to the application. Through GPS, the application records the location of each user every 15 minutes.

When two registered users come within Bluetooth range, their applications automatically exchange DiDs and record the time and location. If one of the users tests positive for Covid-19, the information is uploaded from their phone to the Indian government server and used to trace contacts.

In an analysis of 25 applications, the Massachusetts Institute of Technology (MIT) gave Aarogya Setu only two out of five stars, mainly because it collects much more data than it needs. For comparison, the TraceTogether application in Singapore earned five stars and uses only Bluetooth.

As of June 1, Aarogya Setu had identified 200,000 people at risk and 3,500 Covid-19 hotspots, according to lead developer Lalitesh Katragadda, founder of Indihood, a private company that builds population platforms and one of the private-industry volunteers partnering with the government on implementation.

“We have a 24% efficiency rate, which means that 24% of all people who are estimated to have Covid-19 due to the application have tested positive,” Katragadda said. This means that only about 1 in 4 people advised by the app to take a test actually tests positive.

Subhashis Bannerjee, a professor of computer science and engineering at the Institute of Technology in India, New Delhi, said the combination of Bluetooth and GPS would likely return a higher percentage of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth overestimates the risk in large open spaces and across walls and floors, which radio waves can penetrate but the virus cannot.

“There seems to be a leap of faith from the deployment of GPS and the proximity of Bluetooth radio to the assessment of the risk score for infection transmission,” he wrote in a report for the Internet Freedom Foundation (IFF), a non-governmental organization that advocates for digital rights, which has filed a legal challenge against the compulsory mandate to the Kerala Supreme Court.

Government safeguards

The Indian government says several privacy and protection parameters have been created to ensure the permanent deletion of application data.

“All contact and location detection data on the phone is deleted within 30 days. The same data on the server is deleted 45 days after downloading, unless you have a positive test. In this case all contact and location tracking information is deleted 60 days after the declaration of treatment,” said Abhishek Singh, CEO of MyGov at the Indian Ministry of Informatics.

However, the Aarogya Setu data access and knowledge exchange protocol states that de-identified (anonymized) data may be disclosed to any government ministry or institution, as long as it is for addressing Covid-19. Any data received will have to be permanently deleted after 180 days, the protocol says. But privacy advocates say there is no way to know whether this has happened.

“There is no way to check and verify whether the data has been completely destroyed and whether some third parties who share the data have also destroyed it,” said Apar Gupta, an IFF lawyer and chief executive officer.
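The retention schedule reported above, written as the check a reviewer with access to the stored records could run. This is an added example, not code from Aarogya Setu or its protocol: the record layout, store names and sample data are constructed, and the 60-day clock is assumed to start on the date treatment is declared.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods in days, as reported in the article.
PHONE_DAYS, SERVER_DAYS, POSITIVE_DAYS, SHARED_DAYS = 30, 45, 60, 180

@dataclass
class Record:                    # hypothetical record layout
    did: str                     # constructed device ID
    store: str                   # "phone", "server" or "shared"
    stored_on: date              # date collected, uploaded or received
    tested_positive: bool = False
    treatment_declared: Optional[date] = None

def deletion_due(rec: Record) -> Optional[date]:
    """Last day the record may exist, or None if no clock is running yet."""
    if rec.store == "phone":
        return rec.stored_on + timedelta(days=PHONE_DAYS)
    if rec.store == "shared":
        return rec.stored_on + timedelta(days=SHARED_DAYS)
    if rec.tested_positive:
        # Assumption: the 60 days count from the declaration, not the upload,
        # so an undeclared positive case has no deletion deadline at all.
        if rec.treatment_declared is None:
            return None
        return rec.treatment_declared + timedelta(days=POSITIVE_DAYS)
    return rec.stored_on + timedelta(days=SERVER_DAYS)

def audit(records, today: date):
    """Return (overdue IDs, IDs with no deadline) as of `today`."""
    overdue, open_ended = [], []
    for rec in records:
        due = deletion_due(rec)
        if due is None:
            open_ended.append(rec.did)
        elif today > due:
            overdue.append(rec.did)
    return overdue, open_ended

SAMPLE = [  # constructed records, not real data
    Record("did-A", "phone", date(2020, 5, 1)),
    Record("did-B", "server", date(2020, 5, 20)),
    Record("did-C", "server", date(2020, 3, 1), tested_positive=True),
    Record("did-D", "server", date(2020, 3, 1), True, date(2020, 4, 10)),
    Record("did-E", "shared", date(2020, 1, 15)),
]

if __name__ == "__main__":
    print(audit(SAMPLE, date(2020, 6, 22)))
```

Records such as did-C, a positive case with no declaration date, fall outside every stated deadline, which is the kind of gap an external audit would need server-side visibility to find.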

In response to calls for more transparency, the Indian government opened the source code of the application on May 27 and announced a bug bounty program to motivate software experts to find security vulnerabilities in the application and to correct any that are found.

“This is a step in the right direction, but to know the full picture of who has access to the data, we also need the server code,” said Robert Baptiste, an ethical hacker who goes by the pseudonym of Eliot Alderson and who exposed security vulnerabilities in the application immediately after its release. Open server code would allow experts to see which citizen data is stored on the government server and how the data is shared.

On June 1, MyGov’s Singh said the government planned to release the server code in a few weeks.

However, Katragadda said that even with the server code, access to information about data sharing would be limited.

“It will never be possible to see exactly who is sharing the data, because that’s why we have to open up the whole government,” he said.

There are no data protection laws

One of the main concerns of activists is that India does not have a law to protect data, although a bill is currently being considered by a joint selection committee and could pass later this year.

The Personal Data Protection bill imposes limits on the use, processing and storage of personal data of residents. If approved, the bill will also create a new regulatory body – the Data Protection Authority (DPA) – to monitor compliance. Critics say the bill is flawed for a number of reasons, including allowing the government to exempt its services from the law on national security grounds.

But at the moment, there are few guarantees for data in India.

“No legal framework means an official level of accountability. Therefore, if there is a data accident, there will be no punishment, no guarantees,” Gupta said.

There is also an economic incentive for the government to share information. The National Economic Survey of India 2018-19 openly states that the Indian government will sell citizens’ data to private companies to generate revenue.

“India has made a strategy to sell data to citizens and therefore makes it a commodity claiming ownership of Indian personal data, which goes against the fundamental right of Indians to privacy,” said Kodali, a public interest technician.

Last year, the Modi government sold data on citizens’ registration and driver’s licenses to 87 private companies for 65 million rupees (about $8.7 million) without the consent of citizens. This provoked a reaction from the opposition party, which disputed the government’s motives and the sale price in parliament.

Despite government assurances that all Aarogya Setu data will be deleted, Katragadda told CNN Business that some information from the application will be automatically transferred to the National Health Stack (NHS). The NHS is a cloud-based health registry that will include citizens’ medical history, insurance coverage and claims.

“Any remaining data from the Aarogya Setu app will be automatically moved to the National Health Stack, according to the consensus architecture, once the health stack is in effect,” Katragadda said.

Remaining data means all data that is still on the government server at the time the NHS is activated. This includes location, health and personal data received on the server, but not yet deleted within the timeframe set by the government, Katragadda said.

No release date has been set for NHS, but IFF’s Gupta is again concerned that there is no legal framework for data protection.

“Although it has been repeatedly stated that consent will be the basis for the exchange of information, it is important to note that in both the Aarogya Setu application and the NHS, consent is part of the architecture that is a technical framework and not a clear source of legal authority.”

Ticket to travel

Like other countries that have introduced a contact detection application, India says the technology is vital to stopping the spread of the virus. As of June 22, the country had confirmed more than 410,000 cases and 13,254 deaths.

Airline passengers are encouraged to download the application before their flights, railway passengers need it for train travel, and some employees have said they need it to do their jobs.

However, digital rights activists say the application carries more risks than it is worth, especially in a country where less than 35% of people have mobile phones that can support it.

Citizens and activists also fear the application’s scope will expand, meaning that information received through it could be linked to other services.

“In the past, we’ve seen technological interventions by this government, such as the Aadhaar program, which was originally created to ensure that everyone has a digital identity, became a pervasive system,” Gupta said.

“Originally created to gain access to government benefits and subsidies, it was soon commissioned to open bank accounts, use mobile phone numbers and for your business.”

Gupta refers to Aadhaar, a biometric database introduced in 2009, originally as a voluntary fraud prevention program. It now contains the fingerprints and iris scans of more than a billion Indians. Users receive a 12-digit ID number used to access welfare payments and other government-controlled services.

However, in 2018 a journalist discovered a security breach that revealed the personal details of the citizens. The government has introduced new security measures, but the scandal has undermined confidence in its ability to keep data secure.

Prior to the easing of the mandatory download order, India was the only democratic country to make the application mandatory for millions of citizens. The only other countries to impose a similar order were Turkey and China. Proponents of her case have been working to make the actual transcript of this statement available online.

“In terms of technology and public use, the world’s largest democracy draws from China’s book – using national security or a public health crisis to create a digital model of data collection, surveillance and surveillance,” said Vidushi Marda, a lawyer working on emerging technology and human rights.

China’s Covid-19 app, originally designed to detect contacts during a pandemic, is now being adapted to a social credit system in some places, where the app is used to monitor exercise, alcohol and smoking, and hours of sleep.

“I would say that such complex technical architecture does not happen collectively in India, but there is a risk that they will be integrated through platforms like the National Health Stack,” Gupta said.
