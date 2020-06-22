Returning to May, he risked being held for six months or a $ 15 fine for refusing to download the app. Ghosh did Care: He had greater concerns about the future use of his data.

“I’m not sure how the government will use my data. If they want, they can monitor me forever by tracking the location on the app,” said Ghosh.

The Indian government asserts that most users’ personal and site data is ultimately deleted, but critics say India’s lack of data protection laws exposes millions of people to a potential privacy breach. They also fear that personal information could be sold by the government to private companies, or even used for surveillance outside of Covid-19’s concerns.

Millions of users

The Aarogya Setu app was developed by the National Center for Informatics, the Information and Communications Technology and e-Governance Authority of the Ministry of Electronics and Information Technology, in cooperation with voluntary technical experts from industry and the private academic community.

At the beginning of June, it was downloaded more than 120 million times

Unlike many contact tracking apps in many other countries, Aarogya Setu uses Bluetooth and GPS location data to monitor the movement of the app users and their proximity to other people.

Users are required to enter the name, phone number, age, gender, profession and countries they have visited in the past 30 days, as well as previous health conditions and self-assessment of any symptoms related to Covid-19.

A unique digital ID (DiD) is generated for each user, which is used for all future transactions related to the application. Through GPS, the app records the location of each user every 15 minutes.

When two registered users come within each other’s Bluetooth range, their apps automatically exchange DiDs and record the time and location. If a user test is positive for Covid-19, the information from their phone will be uploaded to the Indian government server and used to track contacts.

As of June 1, Aarogya Setu identified 200,000 vulnerable people and 3,500 hotspots for Covid-19, according to lead developer Lalitesh Katragadda, founder of Indihood, a private company that builds crowdsourcing platforms for residents, and a private industry volunteer who has worked with government agencies on the app .

“We have a 24% effectiveness rate, that is, 24% of all people who are estimated to have Covid-19 due to the application have proven positive,” said Katragada. This means that only one out of every 4 people advises the app to actually take a positive test.

Subhashis Banerjee, Professor of Computer Science and Engineering at the Indian Institute of Technology, New Delhi, said that the combination of Bluetooth and GPS will likely return a higher rate of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth technology overestimates risk in large open spaces, across walls and floors, that radio waves can penetrate but the virus cannot.

“There appears to be a jump in confidence from GPS and the proximity of Bluetooth radio to estimate the degree of transmission risk” Written in a report Of the Internet Freedom Foundation (IFF), a digital rights advocacy NGO, that has faced legal objection against the mandatory download order at the Kerala State Supreme Court.

Government guarantees

The Indian government states that enough privacy and protection parameters have been built to ensure permanent deletion of application data.

“All contact and site tracking data on the phone is deleted in a 30-day cycle. The same data on the server is deleted after 45 days of upload unless the test is positive. In this case all the contact tracking and location information is deleted after Abhishek said Singh, MyGov CEO at India’s Ministry of Information Technology, 60 days after the announcement of recovery.

However, the Aarogya Setu protocol for data access and knowledge sharing It states that anonymous (anonymous) data can be shared with any government ministry or institution, as long as it is for the purpose of processing Covid-19. The protocol says that any data received should be permanently deleted after 180 days. But privacy advocates say there is no way to know if this has happened.

“There is no way to verify and verify whether a complete data destruction has occurred and whether there are third parties with whom the data is shared have also destroyed it,” said Aabar Gupta, lawyer and CEO of the IFF Forum.

In response to calls for more transparency, the Indian government opened the application source code on May 27 and announced a bug bonus program to motivate program experts to find security vulnerabilities in the application, to correct vulnerabilities, if any.

From “This is a step in the right direction, but to find the complete picture of who has access to data, we also need the server code,” said Robert Baptiste, the ethical intruder who goes by the nickname.From Elliot Alderson And it revealed security flaws in the application shortly after its launch. The open server icon will enable the experts to know the citizen data stored in the government server and how to share the data.

On June 1, MyGov Singh said that the government plans to issue a server code within a few weeks.

However, Katragadda said that even with the server code, access to information related to data sharing will be restricted.

He said, “It will never be possible to see exactly who is sharing the data because, therefore, we will have to open the source of the entire government.”

There are no data protection laws

One of the main concerns that activists have is that India does not have a data protection law, although a bill is currently being reviewed by a selected joint committee and Can pass Later this year.

The Personal Data Protection Bill imposes restrictions on how personal personal data is used, processed and stored. If passed, the bill would also create a new regulatory body – the Data Protection Authority (DPA) – to monitor compliance. Critics say the bill is flawed for a number of reasons, including that it allows the government to exempt its departments from legislation on the basis of national security.

Currently, however, there are few data safeguards in India.

“There is no legislative framework that means there is no formal level of accountability. Therefore, if there is any error in the data, there will be no penalty, there will be no guarantees,” Gupta said.

There is also a financial incentive for the government to share information. The National Economic Survey of India 2018-19 It expressly states that the Indian government will convert citizens’ data and sell it to private companies to generate revenue.

Kodali, a public interest technologist, said, “India has taken a strategy to sell citizens’ data, thereby making it a commodity by claiming ownership of the personal data of Indians, which is contrary to the fundamental right of Indians to privacy.”

Last year, the Modi government sold data on vehicle registration and driver licenses to citizens to 87 private companies for 65 rupees (about $ 8.7 million) without citizens’ approval. This led to a reaction with the opposition party questioning the government’s motives and the selling price in Parliament.

Katragada told CNN Business despite government assurances that all Aarogya Setu data will be deleted. Some information from the app will be transferred automatically to the National Health Stack (NHS). NHS is a cloud-based health record, currently under development, that will include citizens’ medical history, insurance coverage, and claims.

“Any remaining data from the Aarogya Setu app will be automatically transferred to the Health National Stack package within the approval structure, once the health comes into effect,” said Katrajada.

The remaining data means any data that is still on the government server while the NHS is active. This includes the website, health and personal data downloaded to the server, but it has not yet been deleted in the time frames set by the government, said Katrajada.

No date for the NHS release has been set, but IFF’s Gupta again fears that there is no legal framework for data protection.

“Although it has been repeatedly said that approval will be the basis for sharing information, it is important to note that in both the Aarogya Setu and NHS application, consent is obtained in architecture which is a technical framework and not a clear source of authority law.”

A ticket to move

Like other countries that have introduced contact tracking, India says the technology is necessary to prevent the virus from spreading. As of June 22, the country had confirmed more than 410,000 deaths and 13,254 deaths.

Air travelers are encouraged to download the app before flights, and railway passengers need to travel by train, and Some workers They were told that they needed to do their job.

But digital rights activists say the app carries more risks than it deserves, especially in a country where it is Less than 35% People have mobile phones that can support them.

Citizens and activists also fear that the job will crawl out of the app, which means that the information obtained through the app can be linked to other services.

“We have seen in the past that technological interventions by this government like the Aadhar program, which was initially built to ensure that everyone has a digital identity, has become a pervasive system,” Gupta said.

“It was initially created for the purposes of obtaining government benefits and benefits, and was soon assigned to open bank accounts, take advantage of mobile phone numbers and start your business.”

Gupta refers to Aadhaar’s biometric database Filed in 2009 , Initially as a voluntary program to prevent benefit fraud. Now, it contains fingerprints and iris scans for over a billion Indians. Users receive a 12-digit identification number that is used to access government-controlled welfare payments and services.

However, in 2018 a journalist discovered a security breach that revealed personal details of citizens. The government introduced new security measures, but the scandal eroded confidence in its ability to maintain data integrity.

Before it eased the mandatory download system, India was the only democratic country that forced millions of citizens to download the app. The only two countries that impose a similar system are Turkey and China. Activists say this alone is cause for concern.

Vidushi Marda, a lawyer working in technology and public use, said the world’s largest democracy relies on playbooks in China – using national security or a public health crisis to build a digital model for data collection, supervision, and surveillance. On emerging technology and human rights.

Chinese app Covid-19 , Initially designed to track communication during an epidemic, is now being integrated into a social credit system in some places, where the app is used to track individual exercise, alcohol consumption, smoking, and sleep hours.

“I would like to say that these types of complex technical infrastructures do not happen collectively in India, but there is a risk that they will be built through platforms like the National Health Stack,” said Gupta.