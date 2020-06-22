Returning to May, he risked being held for six months or a $ 15 fine for refusing to download the app. Ghosh did Care: He had greater concerns about the future use of his data.
“I’m not sure how the government will use my data. If they want, they can monitor me forever by tracking the location on the app,” said Ghosh.
The Indian government asserts that most users’ personal and site data is ultimately deleted, but critics say India’s lack of data protection laws exposes millions of people to a potential privacy breach. They also fear that personal information could be sold by the government to private companies, or even used for surveillance outside of Covid-19’s concerns.
Millions of users
The Aarogya Setu app was developed by the National Center for Informatics, the Information and Communications Technology and e-Governance Authority of the Ministry of Electronics and Information Technology, in cooperation with voluntary technical experts from industry and the private academic community.
Unlike many contact tracking apps in many other countries, Aarogya Setu uses Bluetooth and GPS location data to monitor the movement of the app users and their proximity to other people.
Users are required to enter the name, phone number, age, gender, profession and countries they have visited in the past 30 days, as well as previous health conditions and self-assessment of any symptoms related to Covid-19.
A unique digital ID (DiD) is generated for each user, which is used for all future transactions related to the application. Through GPS, the app records the location of each user every 15 minutes.
When two registered users come within each other’s Bluetooth range, their apps automatically exchange DiDs and record the time and location. If a user test is positive for Covid-19, the information from their phone will be uploaded to the Indian government server and used to track contacts.
As of June 1, Aarogya Setu identified 200,000 vulnerable people and 3,500 hotspots for Covid-19, according to lead developer Lalitesh Katragadda, founder of Indihood, a private company that builds crowdsourcing platforms for residents, and a private industry volunteer who has worked with government agencies on the app .
“We have a 24% effectiveness rate, that is, 24% of all people who are estimated to have Covid-19 due to the application have proven positive,” said Katragada. This means that only one out of every 4 people advises the app to actually take a positive test.
Subhashis Banerjee, Professor of Computer Science and Engineering at the Indian Institute of Technology, New Delhi, said that the combination of Bluetooth and GPS will likely return a higher rate of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth technology overestimates risk in large open spaces, across walls and floors, that radio waves can penetrate but the virus cannot.
Government guarantees
The Indian government states that enough privacy and protection parameters have been built to ensure permanent deletion of application data.
“All contact and site tracking data on the phone is deleted in a 30-day cycle. The same data on the server is deleted after 45 days of upload unless the test is positive. In this case all the contact tracking and location information is deleted after Abhishek said Singh, MyGov CEO at India’s Ministry of Information Technology, 60 days after the announcement of recovery.
“There is no way to verify and verify whether a complete data destruction has occurred and whether there are third parties with whom the data is shared have also destroyed it,” said Aabar Gupta, lawyer and CEO of the IFF Forum.
In response to calls for more transparency, the Indian government opened the application source code on May 27 and announced a bug bonus program to motivate program experts to find security vulnerabilities in the application, to correct vulnerabilities, if any.
On June 1, MyGov Singh said that the government plans to issue a server code within a few weeks.
However, Katragadda said that even with the server code, access to information related to data sharing will be restricted.
He said, “It will never be possible to see exactly who is sharing the data because, therefore, we will have to open the source of the entire government.”
There are no data protection laws
The Personal Data Protection Bill imposes restrictions on how personal personal data is used, processed and stored. If passed, the bill would also create a new regulatory body – the Data Protection Authority (DPA) – to monitor compliance. Critics say the bill is flawed for a number of reasons, including that it allows the government to exempt its departments from legislation on the basis of national security.
Currently, however, there are few data safeguards in India.
“There is no legislative framework that means there is no formal level of accountability. Therefore, if there is any error in the data, there will be no penalty, there will be no guarantees,” Gupta said.
Kodali, a public interest technologist, said, “India has taken a strategy to sell citizens’ data, thereby making it a commodity by claiming ownership of the personal data of Indians, which is contrary to the fundamental right of Indians to privacy.”
Last year, the Modi government sold data on vehicle registration and driver licenses to citizens to 87 private companies for 65 rupees (about $ 8.7 million) without citizens’ approval. This led to a reaction with the opposition party questioning the government’s motives and the selling price in Parliament.
Katragada told CNN Business despite government assurances that all Aarogya Setu data will be deleted. Some information from the app will be transferred automatically to the National Health Stack (NHS). NHS is a cloud-based health record, currently under development, that will include citizens’ medical history, insurance coverage, and claims.
“Any remaining data from the Aarogya Setu app will be automatically transferred to the Health National Stack package within the approval structure, once the health comes into effect,” said Katrajada.
The remaining data means any data that is still on the government server while the NHS is active. This includes the website, health and personal data downloaded to the server, but it has not yet been deleted in the time frames set by the government, said Katrajada.
No date for the NHS release has been set, but IFF’s Gupta again fears that there is no legal framework for data protection.
“Although it has been repeatedly said that approval will be the basis for sharing information, it is important to note that in both the Aarogya Setu and NHS application, consent is obtained in architecture which is a technical framework and not a clear source of authority law.”
A ticket to move
Like other countries that have introduced contact tracking, India says the technology is necessary to prevent the virus from spreading. As of June 22, the country had confirmed more than 410,000 deaths and 13,254 deaths.
Citizens and activists also fear that the job will crawl out of the app, which means that the information obtained through the app can be linked to other services.
“We have seen in the past that technological interventions by this government like the Aadhar program, which was initially built to ensure that everyone has a digital identity, has become a pervasive system,” Gupta said.
“It was initially created for the purposes of obtaining government benefits and benefits, and was soon assigned to open bank accounts, take advantage of mobile phone numbers and start your business.”
However, in 2018 a journalist discovered a security breach that revealed personal details of citizens. The government introduced new security measures, but the scandal eroded confidence in its ability to maintain data integrity.
Before it eased the mandatory download system, India was the only democratic country that forced millions of citizens to download the app. The only two countries that impose a similar system are Turkey and China. Activists say this alone is cause for concern.
Vidushi Marda, a lawyer working in technology and public use, said the world’s largest democracy relies on playbooks in China – using national security or a public health crisis to build a digital model for data collection, supervision, and surveillance. On emerging technology and human rights.
“I would like to say that these types of complex technical infrastructures do not happen collectively in India, but there is a risk that they will be built through platforms like the National Health Stack,” said Gupta.
