Why many Indian citizens believe that their government is trying to sell their data through a coronavirus application


Back in May, he risked a six-month prison sentence or a $15 fine for refusing to download the app. Ghosh was not concerned: he had greater concerns about the future use of his data.

“I’m not sure how the government will use my data. If they want to, they can monitor me forever by tracking the location on the app,” Ghosh said.

The Indian government claims that most of the personal and location data of users was ultimately deleted, but critics say India’s lack of data protection laws exposes millions of people to potential privacy breaches. They also fear that the government could sell personal data to private companies or even use it for surveillance beyond Covid-19 concerns.

Millions of users

The Aarogya Setu application was developed by the National Informatics Centre, the IT and e-government body at the Ministry of Electronics and Information Technology, in collaboration with volunteer technical experts from private industry and academia.

By the beginning of June, it had been downloaded more than 120 million times.

Unlike many contact tracing applications in other countries, Aarogya Setu uses both Bluetooth and GPS location data to track users' movements and their proximity to other users.

Users are asked to enter their name, phone number, age, gender, occupation, and the countries they have visited in the last 30 days, as well as previous medical conditions and a self-assessment of any symptoms associated with Covid-19.

A unique digital ID (DiD) is generated for each user, which is used for all future transactions related to the application. Using GPS, the application records the location of each user every 15 minutes.

When two registered users are within Bluetooth range, their applications automatically exchange DiDs and record time and location. If one of the users tests positive for Covid-19, the information is transferred from their phone to an Indian government server and used to search for contacts.

In an analysis of 25 applications, the Massachusetts Institute of Technology (MIT) gave Aarogya Setu just two out of five stars, mainly because it collects far more data than it needs. By comparison, Singapore’s TraceTogether app earned five stars and uses only Bluetooth.

As of June 1, Aarogya Setu has identified 200,000 people at risk and 3,500 Covid-19 hotspots, according to lead developer Lalitesh Katragadda, founder of Indihood, a private company that builds platforms for the masses, and one of the private industry volunteers who worked with government agencies on the application.

“We have a 24 percent efficiency, or 24% of all people who are estimated to have Covid-19 because of the application have a positive test,” Katragadda said. This means that only about 1 in 4 people who are advised to get tested actually test positive.

Subhashis Bannerjee, a professor of computer science and engineering at the Indian Institute of Technology, New Delhi, said the combination of Bluetooth and GPS location is likely to return a higher rate of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth overestimates the risk in large open spaces and across walls and floors, which radio waves can penetrate but the virus cannot.

“There seems to be a leap of faith from GPS collocation and the proximity of Bluetooth radios to assess the results of the risk of transmitting the infection,” he wrote in a report for the Internet Freedom Foundation (IFF), a non-governmental organization advocating for digital rights, which has filed a legal challenge against a mandatory download order in the High Court in Kerala.

Government safeguards

The Government of India states that sufficient privacy and protection parameters have been built in to ensure the permanent deletion of application data.


“All contact search and location data on the phone is deleted in a 30-day cycle. The same server data is deleted 45 days after the transfer, unless you tested positive. In that case, all data search and location data is deleted 60 days after he was declared cured,” said Abhishek Singh, executive director of MyGov at India’s IT ministry.

However, the Aarogya Setu protocol for data access and knowledge sharing states that de-identified (anonymous) data may be shared with any government ministry or institution, provided Covid-19 is resolved. All received data should be permanently deleted after 180 days, the protocol said. But privacy campaigners say there is no way to know if that happened.

“There is no way to check and verify whether there has been complete destruction of the data and whether it has been destroyed by some third parties with whom the data is shared,” said Apar Gupta, IFF’s lawyer and CEO.

In response to calls for greater transparency, the Indian government opened the source code of the app on May 27 and announced a bounty program to encourage software experts to find security vulnerabilities in the app and correct bugs, if any.

“This is a step in the right direction, but to know the full picture of who has access to the data, we also need a server code,” said Robert Baptiste, an ethical hacker who goes by the pseudonym Elliot Alderson and discovered security flaws in the application shortly after its launch. Open-source server code would allow professionals to see what citizen data is stored on the state server and how the data is shared.

On June 1, Singh of MyGov said the government planned to release the server code in a few weeks.

However, Katragadda said even with the server code, access to data exchange information will be restricted.

“It will never be possible to see exactly who the data is being shared with, because we will have to open up the whole government for that,” he said.


There is no data protection law

One of the main concerns of activists is that India does not have a data protection law, although a bill is currently being reviewed by a joint select committee and could be passed later this year.

The draft law on personal data protection imposes restrictions on the way in which personal data of residents are used, processed and stored. If passed, the bill would also establish a new regulatory body – the Data Protection Authority (DPA) – to monitor compliance with the law. Critics say the bill is wrong for several reasons, including allowing the government to exempt its departments from legislation based on national security.

But there is little data protection in India at the moment.

“No legislative framework means any official level of accountability. So if there is any inconsistency in the data, there will be no penalties, there will be no safeguards,” Gupta said.

There is also a financial incentive for the government to share information. The National Economic Survey of India 2018-19 openly states that the Indian government will cash in on citizens’ data and sell it to private companies in order to generate revenue.

“India has developed a strategy to sell citizen data and has thus become a commodity by seeking ownership of Indians’ personal data, which is against India’s fundamental right to privacy,” said Kodali, a public interest technologist.


Last year, the Modi government sold registration and driver’s license data to 87 private companies for 65 crore rupees (approximately $8.7 million) without citizens’ consent. This sparked a conflict with the opposition party, which questioned the government’s motives and the sale price in parliament.

Despite government assurances that all Aarogya Setu data will be deleted, Katragadda told CNN Business that some information from the application will be automatically transferred to the National Health Stack (NHS). The NHS is a cloud-based health registry, which is currently under development and will include medical history, insurance coverage and claims.

“All remaining data from the Aarogya Setu app will automatically be moved to the National Health Stack within the consent architecture as soon as the health stack takes effect,” Katragadda said.

Remaining data means all data that is still on the government server at the time the NHS becomes active. That includes location, health and personal data uploaded to the server but not yet deleted within the timeframe set by the government, Katragadda said.

An NHS release date has not been set, but Gupta of the IFF again worries that there is no legal framework for data protection.

“Although it has been repeatedly stated that consent will be the basis for the exchange of information, it is important to note that in the Aarogya Setu and NHS application, consent is built into an architecture that is a technical framework rather than a clear source of legal authority.”


Ticket for movement

Like other countries that have introduced a contact tracing application, India says technology is vital to stopping the spread of the virus. As of June 22, the country has confirmed more than 410,000 cases and 13,254 deaths.

Air passengers are encouraged to download the app before flying, rail passengers need it to travel by train, and some workers have been told they need it to do their jobs.

But digital rights activists say the app carries more risk than it is worth, especially in a country where fewer than 35% of people have cell phones that can support it.

Citizens and activists are also afraid of function creep, meaning that information obtained through the app could be linked to other services.

“In the past, we have seen that the technological interventions of this government, like the Aadhaar program, which was initially built to ensure that everyone has a digital identity, have become a widespread system,” Gupta said.

“It was initially built for government grants and subsidies, and was soon given a mandate to open bank accounts, use mobile numbers and run your business.”

Gupta mentions Aadhaar, a biometric database introduced in 2009, initially as a voluntary program to prevent fee fraud. It now holds the fingerprints and iris scans of more than a billion Indians. Beneficiaries receive a 12-digit identity number that is used to access social benefits and other government services.

But in 2018, a journalist discovered a security breach in which citizens’ personal data was revealed. The government has introduced new security measures, but the scandal has eroded confidence in its ability to protect data.

Before easing its mandatory download order, India was the only democracy that made it mandatory for millions of citizens to download the app. The only other countries that imposed a similar order were Turkey and China. Campaigners say that alone is cause for concern.

“When it comes to technology and public use, the world’s largest democracy draws from the Chinese book – the use of national security or the public health crisis to build a digital model of data collection, surveillance and surveillance,” said Vidushi Marda, a lawyer working on emerging technology and human rights.

The Chinese Covid-19 app, which was originally designed to find contacts during a pandemic, is now being built into the social credit system in some places, where the app is used to track exercise, alcohol intake and smoking, as well as sleep hours.

“I would say that these types of complex technical architectures do not happen collectively in India, but there is a danger that they will be built through platforms like the National Health Stack,” Gupta said.
