The Indian government argues that most of the users’ personal and location data is ultimately deleted, but critics say India’s lack of data protection laws exposes millions of people to potential privacy violations. They also fear that personal information can be sold by the government to private companies and can even be used for surveillance beyond Covid-19 concerns.

Millions of users

The Aarogya Setu application was developed by the ICT and e-governance body affiliated to the Ministry of Electronics and Information Technologies, in cooperation with the private sector and academia volunteer technical experts.

Unlike many other countries’ communication tracking apps, Aarogya Setu uses Bluetooth and GPS location data to track the movement of app users and their proximity to other people.

Users are asked to make a self-assessment of their names, phone numbers, ages, genders, professions, and the countries they have visited in the past 30 days and previous health conditions and symptoms related to Covid-19.

A unique digital ID (DiD) is created for each user, used for all future application related transactions. Via GPS, the app records the location of each user every 15 minutes.

When two registered users enter each other’s Bluetooth range, their apps automatically switch DiDs and save time and place. If a user tests positive for Covid-19, the information is uploaded from their phone to the Indian government’s server and used for person tracking.

Aarogya Setu identified people at risk and 3,500 Covid-19 hotspots on June 200, according to Lalitesh Katragadda, founder of Indihood, a private company that builds mass-sourced platforms, and founder of Indihood, one of the private sector. . Volunteers working with government agencies in the app.

“We have a 24% effectiveness rate, so 24% of all people estimated to have Covid-19 because the app is positive,” said Katragadda. This means that only 1 out of about 4 people recommended by the app to take a test is actually positive.

Subhashis Bannerjee, a professor of computer science and engineering at the Indian Institute of Technology in New Delhi, said the combination of Bluetooth and GPS location will likely bring higher false positives and false negatives. For example, GPS is often unavailable or unreliable indoors, and Bluetooth exaggerates the risks in large open spaces, walls, and floors where radio waves can penetrate but the virus cannot.

State protections

The Indian government states that sufficient privacy and protection parameters have been created to ensure that the application data is permanently deleted.

“All contact tracking and location data on the phone will be deleted in a 30-day cycle. Unless you do the positive test, the same data on the server will be deleted 45 days after loading. In this case all contact tracking and location information will be deleted later 60 days after treatment,” MyGov at IT ministry of India said Its CEO is Abhishek Singh.

“There is no way to check and verify whether the data has been completely destroyed and whether third parties to whom the data has been shared have destroyed them,” said Apar Gupta, lawyer and general manager of the IFF. Said.

In response to the call for greater transparency, the government of India opened the application’s source code on May 27 and announced a bug reward program to encourage software professionals to find vulnerabilities in the application, fix rounds, if any.

Singh on MyGov said on June 1, the government plans to release the server code within a few weeks.

However, Katragadda said that even with the server code, access to information about data sharing will be restricted.

“It will never be possible to see who the data is shared with exactly, because we will have to make the whole government open source.” Said.

No data protection law

The Personal Data Protection Act imposes restrictions on how residents’ personal data are used, processed and stored. If the bill is passed, a new regulatory body – the Data Protection Authority (DPA) is also set up to monitor compliance. Critics say the bill is flawed for a number of reasons, including government exempt ministries from legislation on the basis of national security.

However, there is very little assurance for data in India right now.

“No legal framework means an official level of accountability. Therefore, if any data errors occur, there will be no penalties, no guarantees,” said Gupta. Said.

“India has made a strategy to sell citizen data and makes it a commodity, claiming that Indians have personal data that contravenes the privacy rights of Indians,” said public interest technologist Kodali. Said.

Last year, the Modi government sold citizen vehicle registration and driver’s license data to 87 private companies for 65 private rupees (about $ 8.7 million) without the consent of citizens. This created a reaction that questioned the opposition party and the government’s goals and the price of sales in parliament.

Despite the government’s assurances that all Aarogya Set data will be deleted, Katragadda told CNN Business Note that some information from the application will be automatically transferred to the National Health Stack (NHS). NHS is a cloud-based health record currently under development that will include citizens’ medical history, insurance coverage, and claims.

“Any data left over from the Aarogya Setu application will automatically switch to the National Health Stack within the consent architecture as soon as the health stack takes effect.” Said.

The remaining data means all the data still on the govt server when NHS is activated. Katragadda also includes location, health, and personal data that has been downloaded to the server, but has not been deleted in the time frames set by the government.

No date has been set for the release of the NHS, but IFF’s Gupta is concerned that there is no legal framework for protecting data.

“It is important to note that, in both the Aarogya Setu application and the NHS, architecture is approved as a technical framework, rather than an explicit legal resource, although it has been repeatedly stated that approval will be the basis for information sharing.”

Ticket to be moved

Like other countries that have launched a person tracking application, India says technology is crucial to stop the spread of the virus. As of June 22, the country confirmed more than 410,000 cases and 13,254 deaths.

Citizens and activists also mean that the app’s function fears of creep, that is, information obtained through the app may be linked to other services.

“In the past, we have seen that government interventions have become a common system, such as the Aadhar program, originally built to ensure that everyone has a digital identity.

“Originally built to access government benefits and subsidies, it soon became mandatory to open bank accounts, use mobile numbers and continue your business.”

However, in 2018, a journalist discovered a security breach that reveals citizens’ personal information. The government has introduced new security measures, but it has eroded trust that scandalous data can keep it safe.

Before easing the mandatory download sequence, India was the only democratic country that required millions of citizens to download the application. Other countries that have implemented similar orders Turkey and China. The campaigns say it is a source of concern alone.

“When it comes to technology and public use, the world’s largest democracy is working to create a digital model of data collection, surveillance and surveillance using China’s playbook – using national security or a public health crisis,” said a lawyer for the job, Vidushi Marda. developing technology and human rights.

“I can say that such complex technical architectures did not take place in a collective fashion in India, but there is a danger that they will be built through platforms such as the National Health Stack.” Said.