In May, he was sentenced to six months in prison or a $ 15 fine for refusing to download the app. Ghosh didn’t care: He had major concerns about the future use of his data.
“I’m not sure how the government will use my data. If they want to, they can monitor me forever by monitoring location on the app,” Ghosh said.
The Indian government says most users’ personal data and location data are eventually deleted, but critics say India’s lack of data protection laws exposes millions of people to possible privacy breaches. It is also feared that personal data could be sold by the government to private companies or even used for surveillance beyond the concerns of Covid-19.
Millions of users
The Aarogya Setu application was developed by the National Informatics Center, an ICT and e-government organization at the Ministry of Electronics and Informatics, in collaboration with volunteer technical experts from the private industry and academics.
Unlike many other countries’ tracking applications, Aarogya Setu uses Bluetooth and GPS location data to monitor the movement and proximity of users of the application to other people.
Users are asked to enter their name, phone number, age, gender, occupation and countries they have visited in the last 30 days, as well as previous health conditions and self-assessment for any symptoms related to Covid-19.
A unique digital ID (DiD) is created for each user, which is used for all future transactions related to the application. Through GPS, the application records the location of each user every 15 minutes.
When two registered users come within Bluetooth, their applications automatically exchange DiDs and record the time and location. If one of the users is positive for Covid-19, the information is downloaded from their phone to the Indian government server and used to detect contacts.
As of June 1, Aarogya Setu had identified 200,000 people at risk and 3,500 hotspots Covid-19, according to lead developer Lalitesh Katragadda, founder of Indihood, a private company that builds population platforms and one of the private industry volunteer partners. with government services in implementation.
“We have a 24% efficiency rate, which means that 24% of all people who are estimated to have Covid-19 due to the application have tested positive,” Katragadda said. This means that only about 1 in 4 people advised by the app to actually take a test is positive.
Subhashis Bannerjee, a professor of computer science and engineering at the Institute of Technology in India, New Delhi, said the combination of Bluetooth and GPS would likely return a higher percentage of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth overestimates the dangers of large open spaces, walls, and floors that radio waves can penetrate, but the virus cannot.
The Indian government says several privacy and protection parameters have been created to ensure the permanent deletion of application data.
“All contact and location detection data on the phone is deleted within 30 days. The same data on the server is deleted 45 days after downloading, unless you have a positive test. In this case all contact and location tracking information is deleted after 60 days. the declaration of treatment, “said Abhishek Singh, CEO of MyGov at the Indian Ministry of Informatics.
“There is no way to check and verify whether the data has been completely destroyed and whether some third parties who share the data have also destroyed it,” said Apar Gupta, an IFF lawyer and chief executive officer.
In response to calls for more transparency, the Indian government opened the source code of the application on May 27 and announced a bug bounty program to motivate software experts to find security vulnerabilities in the application, to correct any losses, if any.
On June 1, MyGov’s Singh said the government planned to release the server code in a few weeks.
However, Katragadda said that even with the server password, access to information about data sharing would be limited.
“It will never be possible to see exactly who is sharing the data, because that’s why we have to open up the whole government,” he said.
There are no data protection laws
The Personal Data Protection bill imposes limits on the use, processing and storage of personal data of residents. If approved, the bill will also create a new regulatory body – the Data Protection Authority (DPA) – to monitor compliance. Critics say the bill is wrong for a number of reasons, including allowing the government to exclude its services from the law based on national security.
But at the moment, there are few guarantees for data in India.
“No legal framework means an official level of accountability. Therefore, if there is a data accident, there will be no punishment, no guarantees,” Gupta said.
“India has made a strategy to sell data to citizens and therefore makes it a commodity claiming ownership of Indian personal data, which goes against the fundamental right of Indians to privacy,” said Kodali, a public interest technician. .
Last year, the Modi government sold data on citizens’ registration and driver’s licenses to 87 private companies for 65 million rupees (about $ 8.7 million) without the consent of citizens. This provoked a reaction from the opposition party, which disputed the government’s motives and the sale price in parliament.
Despite government assurances that all Aarogya Setu data will be deleted, Katragadda told CNN Business that some information from the application will be automatically transferred to the National Health Stack (NHS). The NHS is a cloud-based, health-based health registry that will include citizens’ medical history, insurance coverage and claims.
“Any remaining data from the Aarogya Setu app will be automatically moved to the National Health Stack, according to the consensus architecture, once the health stack is in effect,” Katragadda said.
Remaining data means all data that is still on the government server at the time the NHS is activated. This includes location, health and personal data received on the server, but not yet deleted within the timeframe set by the government, Katraganda said.
No release date has been set for NHS, but IFF’s Gupta is again concerned that there is no legal framework for data protection.
“Although it has been repeatedly stated that consent will be the basis for the exchange of information, it is important to note that in both the Aarogya Setu application and the NHS, consent is part of the architecture that is a technical framework and not a clear source of legal authority.”
Ticket to travel
Like other countries that have introduced a contact detection application, India says the technology is vital to stopping the spread of the virus. As of June 22, the country had confirmed more than 410,000 cases and 13,254 deaths.
Citizens and activists also fear the operation of the application, which means that the information received through the application could be linked to other services.
“In the past, we’ve seen technological interventions by this government, such as the Aadhar program, which was originally created to ensure that everyone has a digital identity, became a pervasive system,” Gupta said.
“Originally created to gain access to government benefits and subsidies, it was soon commissioned to open bank accounts, use mobile phone numbers and for your business.”
However, in 2018 a journalist discovered a security breach that revealed the personal details of the citizens. The government has introduced new security measures, but the scandal has undermined confidence in its ability to keep data secure.
Prior to the easing of the mandatory receipt order, India was the only Democratic country to make the application mandatory for millions of citizens. The only other countries to impose a similar order were Turkey and China. Proponents of her case have been working to make the actual transcript of this statement available online.
“In terms of technology and public use, the world’s largest democracy draws from China’s book – using national security or a public health crisis to create a digital model of data collection, surveillance and surveillance,” said Vidushi Marda. a lawyer working on emerging technology and human rights.
“I would say that such complex technical architecture does not happen collectively in India, but there is a risk that they will be integrated through platforms like the National Health Stack,” Gupta said.