Back in May, he risked a six-month prison sentence or a $ 15 fine for refusing to download the app. Ghosh is not concern: He had greater concerns about the future use of his data.
“I’m not sure how the government will use my data. If they want to, they can monitor me forever by tracking the location on the app,” Ghosh said.
The Indian government claims that most of the personal and location data of users was ultimately deleted, but critics say India’s lack of data protection laws exposes millions of people to potential privacy breaches. They also fear that the government could sell personal data to private companies or even use it for surveillance outside the Covid-19 concern.
Millions of users
The Aarogya Setu application was developed by the National Information Center, the IT and e-government body at the Ministry of Electronics and Information Technology, in collaboration with volunteer technical experts from private industry and academia.
Unlike many contact tracking applications in many other countries, Aarogya Setu uses Bluetooth and GPS location data to track the movement and proximity of other users.
Users are asked to enter their name, phone number, age, gender, occupation, and the countries they have visited in the last 30 days, as well as previous medical conditions and a self-assessment of any symptoms associated with Covid-19.
A unique digital ID (DiD) is generated for each user, which is used for all future transactions related to the application. Through the GPS application it records the location of each user every 15 minutes.
When two registered users are within Bluetooth range, their applications automatically exchange DiDs and record time and location. If one of the users tests positive for Covid-19, the information is transferred from their phone to an Indian government server and used to search for contacts.
As of June 1, the Aarogya Setu has identified 200,000 people at risk and 3,500 Covid-19 hotspots, according to lead developer Lalitesh Katragadda, founder of Indihood, a private company that builds platforms for the masses and one of the private industry volunteers who worked with government agencies. on the application.
“We have a 24 percent efficiency, or 24% of all people who are estimated to have Covid-19 because of the application have a positive test,” Katragadda said. This means that only about 1 in 4 people who are advised to get tested are actually tested positive.
Subhashis Bannerjee, a professor of computer science and engineering at the Indian Institute of Technology, New Delhi, said the combination of Bluetooth and GPS location is likely to return a higher rate of false positives and false negatives. For example, GPS is often inaccessible or unreliable indoors, and Bluetooth overestimates the risks in large open spaces, over walls and floors, into which radio waves can penetrate but the virus cannot.
The Government of India states that sufficient privacy and protection parameters have been built in to ensure the permanent deletion of application data.
“All contact search and location data on the phone is deleted in a 30-day cycle. The same server data is deleted 45 days after the transfer, unless you tested positive. In that case, all data search and location data is deleted after 60 days. after he was declared cured, ”said Abhishek Singh, executive director of MyGov at India’s IT ministry.
“There is no way to check and verify whether there has been complete destruction of the data and whether it has been destroyed by some third parties with whom the data is shared,” said Apar Gupta, IFF’s lawyer and CEO.
In response to calls for greater transparency, the Indian government opened the source code of the app on May 27 and announced a bunty program to encourage software experts to find security vulnerabilities in the app and correct bugs, if any.
On June 1, Singh of MyGov said the government planned to release the server in a few weeks.
However, Katragadda said even with the server code, access to data exchange information will be restricted.
“It will never be possible to see exactly who the data is being shared with, because we will have to open up the whole government for that,” he said.
There is no data protection law
The draft law on personal data protection imposes restrictions on the way in which personal data of residents are used, processed and stored. If passed, the bill would also establish a new regulatory body – the Data Protection Authority (DPA) – to monitor compliance with the law. Critics say the bill is wrong for several reasons, including allowing the government to exempt its departments from legislation based on national security.
But there is little protective data in India at the moment.
“No legislative framework means any official level of accountability. So if there is any inconsistency in the data, there will be no penalties, there will be no safeguards,” Gupta said.
“India has developed a strategy to sell citizen data and has thus become a commodity by seeking ownership of Indians’ personal data, which is against India’s fundamental right to privacy, ”said Kodali, a public interest technologist.
Last year, the Modi government sold registration and driver’s license data to 87 private companies for 65 rupee holes (approximately $ 8.7 million) without citizens ’consent. This sparked a conflict with the opposition party, which questioned the government’s motives and the sale price in parliament.
Despite government assurances that all Aarogya Set data will be deleted, Katragadda told CNN Business that some information from the application will be automatically transferred to the National Health Stack (NHS). The NHS is a cloud-based health registry, which is currently under development and will include medical medical history, insurance coverage and claims.
“All remaining data from the Aarogya Setu app will automatically be moved to the National Health Package within the consent architecture as soon as the health package takes effect,” Katragadda said.
Remaining data means all data that is still on the govt server at the time the NHS becomes active. That includes location, health and personal data downloaded to the server but not yet deleted within the timeframe set by the government, Katragadda said.
An NHS release date has not been set, but Gupta of the IFF again worries that there is no legal framework for data protection.
“Although it has been repeatedly stated that consent will be the basis for the exchange of information, it is important to note that in the Aarogya Setu and NHS application, consent is built into an architecture that is a technical framework rather than a clear source of legal authority.”
Ticket for movement
Like other countries that have introduced a contact tracking application, India says technology is vital to stopping the spread of the virus. As of June 22, the country has confirmed more than 410,000 cases and 13,254 deaths.
Citizens and activists are also afraid of crawling the app, which means that information obtained through the app can be linked to other services.
“In the past, we have seen that the technological interventions of this government, like the Aadhar program, which was initially built to ensure that everyone has a digital identity, have become a widespread system,” Gupta said.
“It was initially built for government grants and subsidies, and was soon given a mandate to open bank accounts, use mobile numbers and run your business.”
But in 2018, a journalist discovered a security breach in which citizens ’personal data was revealed. The government has introduced new security measures, but the scandal has eroded confidence in its ability to protect data.
Before easing its mandatory download order, India was the only democracy that made millions of citizens mandatory to download the app. The only other countries that imposed a similar order were Turkey and China. Campaigners say that’s the only cause for concern.
“When it comes to technology and public use, the world’s largest democracy draws from the Chinese book – the use of national security or the public health crisis to build a digital model of data collection, surveillance and surveillance,” said Vidushi Marda, a lawyer working on emerging technology and human rights.
“I would say that these types of complex technical architectures do not happen collectively in India, but there is a danger that they will be built through platforms like the National Health Framework,” Gupta said.