India’s Covid-19 contact tracing app has been downloaded 100 million times, according to the Ministry of Information Technology, despite fears about privacy.
The app, Aarogya Setu, which means “bridge to health” in Sanskrit, was launched just six weeks ago.
India has made it mandatory for government and private sector employees to download it.
But users and experts in India and around the world say the app raises big data security concerns.
How does it work?
Using Bluetooth data and location of a phone, Aarogya Setu informs users if they have been around a person with Covid-19 by scanning a database of known cases of infection.
The data is then shared with the government.
“If you have known someone in the past two weeks who tested positive, the app calculates your risk of infection based on how recent it was and how close it is, and recommends action,” Abhishek Singh, CEO of MyGov at India’s IT ministry, which built the app, told the BBC.
Although your name and number will not be made public, the application collects this information, as well as your gender, travel history and whether you are a smoker.
Is it mandatory to download the application?
Prime Minister Narendra Modi has tweeted in support of the app, urging everyone to download it, and it has been made mandatory for citizens living in containment areas and for all government and private sector employees.
Noida, a suburb of the capital Delhi, has made it mandatory for all residents to have the application, saying they can be jailed for six months for not complying.
New food delivery companies like Zomato and Swiggy have also made it mandatory for all staff.
But the government directive is being questioned by some.
In an interview with The Indian Express newspaper, former Supreme Court judge BN Srikrishna said the attempt to get people to use the app was “completely illegal”.
“Under what law does it order? Until now it is not backed by any law,” he told the newspaper.
MIT Technology Review’s Covid Tracing Tracker lists 25 contact tracing apps from countries around the world, and there are also questions about some of them.
Critics say apps like China’s Health Code system, which records a user’s spending history to prevent them from breaking quarantine, are invasive.
“Forcing people to install an app is not a success story. It just means that the crackdown works,” says French ethical hacker Robert Baptiste, who goes by the name of Elliot Alderson.
What are the main concerns about India’s implementation?
Aarogya Setu stores location data and requires constant access to the phone’s Bluetooth, which experts say makes it invasive from a security and privacy point of view.
In Singapore, for example, the data from the TraceTogether app can only be accessed by its health ministry. It assures citizens that the data will be used strictly for disease control and will not be shared with law enforcement agencies to enforce lockdowns and quarantine.
“Aarogya Setu retains the flexibility to do exactly that, or to ensure compliance with legal orders, etc.,” says the Internet Freedom Foundation, a group advocating for digital rights and freedoms in Delhi.
However, app creators insist that at no time does it reveal a user’s identity.
“Your data will not be used for any other purpose. No third party has access to it,” Singh of MyGov said.
The big problem with the app is that it tracks location, which has been deemed unnecessary globally, says Nikhil Pahwa, editor of the Internet watchdog Medianama.
“Any app that tracks who you’ve been in contact with and their location at all times is a clear violation of privacy.”
He is also concerned about the Bluetooth function in the app.
“If I am on the third floor and you are on the fourth floor, it will show that we have met, even if we are on different floors, since Bluetooth travels through the walls. This shows ‘false positives’ or incorrect data.”
What are the privacy concerns?
The application allows authorities to upload the collected information to a government-owned and operated “server” which will “provide people with the necessary medical and administrative interventions related to Covid-19”.
The Software Freedom Law Center, a consortium of lawyers, technology experts, and students, says it’s problematic because it means the government can share the data with “virtually anyone you want.”
MyGov says “the app has been created with privacy as a fundamental principle” and the processing of contact tracing and risk assessment is done “anonymously.”
Mr. Singh says that when a user signs up, the app assigns them a unique “anonymous” device ID. All interactions with the government server from the user’s device are done only through this ID and no personal information is exchanged after registration.
But experts have raised doubts about the government’s claim.
Alderson has said that there are flaws in the app that make it possible to find out who is sick anywhere in India.
“Basically, I was able to see if someone was sick in the PMO [prime minister’s office] or the Indian Parliament. I could see if someone was sick in a specific house if they wanted to,” he wrote on his blog.
Aarogya Setu denied any privacy violation in a statement.
But India has “a terrible history” of privacy protection, says Pahwa, referring to Aadhaar, the world’s largest and most controversial biometric-based identity database.
Critics have repeatedly warned that the scheme puts personal information at risk and have criticized government efforts to mandatorily link it to bank accounts and mobile phone numbers.
“This government has argued that privacy is not a fundamental right in court,” said Pahwa. “We cannot trust that.”
The Indian Supreme Court ruled in 2018 that Aadhaar’s controversial scheme was constitutional and did not violate the right to privacy.
And the question of transparency?
Unlike the UK’s Covid-19 tracing app, Aarogya Setu is not open source, meaning it cannot be audited for security flaws by coders and independent researchers.
A senior IT ministry official told a newspaper that the government had not released the Aarogya Setu source code because “it feared that many would point out flaws and overburden staff supervising the application’s development.”
Singh said that “all applications are ultimately made open source and the same is true of Aarogya Setu as well.”
Can you beat the system?
To register, users have to give their name, gender, travel history, phone number, and location.
“People can fill out the form incorrectly and the government cannot verify it, so the effectiveness of the data is questionable,” Pahwa told the BBC.
According to a Buzzfeed report, an Indian software engineer had hacked the app to bypass the sign-up page, and even stopped the app from collecting data via GPS and Bluetooth.
The report also mentioned a comment on Reddit that suggests a phone wallpaper as a simple way to avoid downloading the app.
“Privacy conscious people are likely to do this. Those who don’t want to be forced to hand over their data to the government will search and find solutions. It could be through the use of a modified app or a screenshot, people will find ways,” Mr. Pahwa says.
But Mr. Singh argues that “if you stay home and don’t meet anyone, it doesn’t matter if they have the app, if they deleted it or if they turned off the Bluetooth or if they lied in the self-assessment.”