Date: 2020-06-22

In May, he risked a six-month prison sentence or a $15 fine for refusing to download the app. Ghosh didn't care: he had greater concerns about the future use of his data.

"I'm not sure how the government will use my data. If they want, they can keep an eye on me forever through location tracking in the app," Ghosh said.

The Indian government contends that most user location and personal data is ultimately removed, but critics say India's lack of data protection laws exposes millions of people to possible privacy breaches. They also fear that the government may sell personal information to private companies, or even use it for surveillance beyond Covid-19 concerns.

Millions of users

The Aarogya Setu application was developed by the National Center for Informatics, an ICT and electronic government agency under the Ministry of Electronics and Information Technology, in collaboration with volunteer technical experts from private industry and academia.

At the beginning of June, more than 120 million times

Unlike contact tracking apps in many other countries, Aarogya Setu uses Bluetooth and GPS location data to monitor the movement of app users and proximity to other people.

Users are asked to enter their name, phone number, age, sex, profession and the countries they have visited in the last 30 days, as well as previous health conditions and a self-assessment on any symptoms related to Covid-19.

A unique Digital ID (DiD) is generated for each user and is used for all future application-related transactions. Through GPS, the application records the location of each user every 15 minutes.

When two registered users are within Bluetooth range of each other, their applications automatically exchange DiDs and record the time and location. If one of the users tests positive for Covid-19, the information is uploaded from their phone to the Indian government server and used for contact tracking.

In an analysis of 25 applications, the Massachusetts Institute of Technology (MIT) gave Aarogya Setu only two out of five stars, largely because it collects far more data than it needs. For comparison, Singapore's TraceTogether app earned 5 stars and uses only Bluetooth.

As of June 1, Aarogya Setu had identified 200,000 people at risk and 3,500 Covid-19 hotspots, according to lead developer Lalitesh Katragadda, the founder of Indihood, a private company that builds population-scale crowdsourcing platforms, and one of the private-industry volunteers who worked with government agencies on the app.

"We have a 24% efficacy rate, that is, 24% of all people estimated to have Covid-19 because of the application have tested positive," said Katragadda. This means that only about 1 in 4 people recommended by the application to take a test actually test positive.

Subhashis Bannerjee, professor of computer science and engineering at the Indian Institute of Technology in New Delhi, said the combination of Bluetooth and GPS location would likely yield a higher rate of false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth overestimates the risks in large open spaces, through walls and floors, that radio waves can penetrate but the virus cannot.

"There appears to be a leap of faith from GPS placement and Bluetooth radio proximity to estimate a risk score for transmission of infections," he wrote in a report for the Internet Freedom Foundation (IFF), a nongovernmental organization that advocates for digital rights and has filed a lawsuit against the mandatory download order at the Kerala High Court.

Government safeguards

The Indian government claims that sufficient privacy and protection parameters have been incorporated to ensure the permanent deletion of application data.

"All location and contact tracking data on the phone is deleted in a continuous 30-day cycle. The same data on the server is deleted 45 days after upload, unless the test is positive. In that case, all location and contact tracking information is removed 60 days after being declared cured," said Abhishek Singh, CEO of MyGov in India's IT ministry.

However, the Aarogya Setu Data Access and Knowledge Sharing Protocol states that anonymized data may be shared with any government ministry or institution, as long as it is for the purpose of addressing Covid-19. Any information received must be permanently deleted after 180 days, according to the protocol. But privacy activists say there is no way to know if that happened.

"There is no way to verify whether the complete destruction of the data has occurred and whether any third parties with whom the data has been shared have also destroyed it," said Apar Gupta, IFF's attorney and chief executive officer.

In response to calls for greater transparency, the Indian government opened the application's source code on May 27 and announced a bug bounty program to incentivize software experts to find security vulnerabilities in the application so that any flaws can be rectified.

"This is a step in the right direction, but to get the full picture of who has access to the data, we also need the server code," said Robert Baptiste, an ethical hacker who uses the alias Elliot Alderson and who exposed security flaws in the app shortly after launch. An open server code would allow experts to see what citizen data is stored on the government server and how it is shared.

On June 1, Singh of MyGov said the government planned to release the server code in a few weeks.

However, Katragadda said that even with the server code, access to information about data exchange would be restricted.

"It will never be possible to see exactly with whom the data is shared because for that we will have to open the source code of the entire government," he said.

There are no data protection laws

One of the activists' main concerns is that India does not have a data protection law, although a joint selection committee is reviewing a bill and it could be passed later this year.

The personal data protection bill imposes limits on how residents' personal data is used, processed and stored. If passed, the bill would also establish a new regulatory body, the Data Protection Authority (DPA), to monitor compliance. Critics say the bill is flawed for several reasons, including allowing the government to exempt its departments from legislation based on national security.

But right now, there are few guarantees for data in India.

"No legislative framework means that there is no official level of accountability. Therefore, if any data setback occurs, there will be no penalty, there will be no safeguards," said Gupta.

There is also a financial incentive for the government to share information. The 2018-19 National Economic Survey of India openly states that the Indian government will monetize citizens' data and sell it to private companies to generate income.

"India has put in place a strategy to sell citizen data and therefore makes it a commodity by claiming ownership of Indians' personal data, which goes against the Indians' fundamental right to privacy," said Kodali, the public interest technologist.

Last year, the Modi government sold citizens' vehicle registration and driver's license data to 87 private companies for Rs 65 crore (approximately $8.7 million) without the consent of citizens. This caused a backlash, with the opposition party questioning the government's motives and the sale price in parliament.

Despite government assurances that all Aarogya Setu data will be removed, Katragadda told CNN Business that certain information in the application will automatically be transferred to the National Health Stack (NHS). The NHS is a cloud-based health registry, currently under development, that will include citizens' medical history, insurance coverage, and claims.

"Any residual data from the Aarogya Setu application will automatically move to the National Health Stack within the consent architecture as soon as the health stack comes into effect," said Katragadda.

Residual data refers to data that is still on the government server at the time the NHS is activated. That includes location, health, and personal data that has been uploaded to the server but has not yet been removed by government-established deadlines, Katragadda said.

No date has been set for the release of the NHS, but IFF's Gupta is concerned, once again, that there is no legal framework to protect data.

"Although it is repeatedly stated that consent will be the basis of information exchange, it is important to note that in both the Aarogya Setu application and the NHS, consent is embedded in the architecture, which is a technical framework rather than a clear source of legal authority."

Ticket to move

Like other countries that have introduced a contact tracking app, India says the technology is vital in stopping the virus from spreading. As of June 22, the country had confirmed more than 410,000 cases and 13,254 deaths.

Air passengers are advised to download the app before flights, rail passengers need it to travel by train, and some workers have been told they need it to do their job.

But digital rights activists say the app carries more risk than it's worth, especially in a country where less than 35% of people have cell phones capable of supporting it.

Citizens and activists also fear a creep in the app's function, meaning that information obtained through the app could be linked to other services.

"In the past, we have seen that this government's technological interventions, such as the Aadhaar program, which was initially created to ensure everyone has a digital identity, became a widespread system," said Gupta.

"Initially built for the purpose of accessing government benefits and subsidies, it was soon ordered to open bank accounts, use mobile numbers, and go about business."

Gupta refers to Aadhaar, a biometric database introduced in 2009, initially as a voluntary program to prevent benefit fraud. Now, it contains the fingerprints and iris scans of over a billion Indians. Users receive a 12-digit identity number that is used to access social assistance payments and other government-controlled services.

However, in 2018 a journalist discovered a security breach that revealed citizens' personal data. The government introduced new security measures, but the scandal eroded confidence in its ability to keep data secure.

Before softening its mandatory download order, India was the only democratic country that forced millions of citizens to download the app. The only other countries that imposed a similar order were Turkey and China. Activists say that alone is cause for concern.

"When it comes to technology and public use, the world's largest democracy relies on China's playbook, using national security or a public health crisis to build a digital model of data collection, monitoring and surveillance," said Vidushi Marda, a lawyer working on emerging technology and human rights.

Initially designed to track contacts during the pandemic, China's Covid-19 app is now being incorporated into a social credit system in some places, where the app is used to track a person's exercise, alcohol and tobacco consumption, and hours of sleep.

"I would say that these kinds of complex technical architectures are not happening collectively in India, but there is a danger that they will be built through platforms like the National Health Stack," said Gupta.