Skip to main content

Aarogya Setu row: RTI responses reveal Indian government fails to deploy privacy measures to protect user data

Since its launch back on April 2, Aarogya Setu, India’s contact tracing app for COVID-19 has been marred in controversy over its data collecting methods. There have been several concerns raised in the past over the kind of access the government has over citizen’s data collected by the app.

As India’s Data Protection Bill is still being analysed by a government committee, there’s no law to safeguard that data. However, shortly after launching the Aarogya Setu app for Android and iOS smartphones, the Ministry of Electronics and Information Technology (MEITY) issued the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020 on May 11. These are essentially set of rules and security measures that the app must follow to safeguard user’s data from potential misuse.

RTI responses reveal government’s lacklustre approach to Aarogya Setu data

Now, as per an exclusive report by Saurav Das, an independent journalist and activist, the Indian government has failed to deploy the said security protocols leaving over 160 million users data exposed to potential risk. In the report, Saurav states that the National Informatics Centre (NIC) has failed to keep a track of access to Aarogya Setu data which means that it doesn’t know the exact entities who have accessed the data till now. The NIC responded to the RTI by giving names of the government departments instead of the names of the entities who have accessed the data. “Ministry of Health & Family Welfare, ICMR, State  Governments (i.e., State Health Secretary at the state level and District Magistrate at the district level),” the response read.

Breaking story. RTI responses by NIC reveal there is no list of data recipients, no audit and no anonymisation of data taking place. #AarogyaSetuApp protocol ignored by its own makers- the Govt of India. A huge privacy risk! My Exclusive for @TheQuint. Shoutout to @VakashaS ! https://t.co/776ixoeNnI

— Saurav Das (@OfficialSauravD) October 30, 2020

Furthermore, MEITY and NIC have no information whether the entities with whom the data has been shared have implemented “reasonable security practices and procedures” as mentioned in the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020. Interestingly, the protocol does not define “reasonable security practices” in detail. 

Additionally, the Protocol also warrants an expert committee to be set up by the government for developing hard anonymisation methods so that the user’s private details remain anonymous for anyone accessing the Aarogya Setu data. This rule was made so that the user’s data cannot be backtracked to individuals while being accessed by Indian universities, research institutions and entities. As per the guidelines, only after the hard anonymisation of user’s data can it be shared with the said entities. Surprisingly, in its response to Saurav’s RTI appeal, the NIC has confirmed that the set up of the “expert committee” is still in progress and has “refused to answer if any data has been shared with universities/research organisations so far.” To reiterate, the Aarogya Setu app was launched back on April 2 and it has been over six months since the committee is being set up to hard anonymise the Aarogya Setu data. 

Another interesting reply that’s been put to light by Saurav’s RTI query is that the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020 specifically mentions that the sharing of Aarogya Setu data is “subject to audit and review of their [entity] data usage by the Central Government”. However, the response by NIC states that this is “not applicable” as the data is shared with government entities. 

An audit or review of the Aarogya Setu data is important so that the entities with access to user’s data don’t misuse it, explains Srinivas Kodali, an independent researcher. 

If there is a ever a serious independent audit of #AarogyaSetu. The skeletons will be unearthed. All the data was long shared without any anonymisation to third parties as just database dumps.

— Srinivas Kodali (@digitaldutta) October 30, 2020

This comes after the Central Information Commission (CIC) hollered up MEITY, NIC and other concerned departments for obstructing sharing of information and offering an “evasive reply” over an RTI application filed by Saurav earlier. In it, the CIC has sought an explanation from the NIC on how there is no data available on the creation of Aarogya Setu, especially when it is hosted on a government server.

According to the Aarogya Setu website that is maintained by MyGov and MEITY, over 162,500,000 million people have downloaded the app across Android, iOS and KaiOS platforms. As to the question of who has access to the personal data of these users, the government seems to have no record which makes the requirement of privacy laws in India all the more important now.

 

from Latest Technology News https://ift.tt/3jHeqSy
Labels:

Comments

Post a Comment

Popular posts from this blog

YouTube Music Season Recap 2022: How to View the Spring Recap

YouTube is a jump ahead of Spotify with its Season Rewind playlist feature. Well, besides playlists, the service offers you a list of your most played artists, songs, albums, etc in the previous season. It will be a recurring thing and is poised to come out every season. Meanwhile, its biggest competitor Spotify’s Wrapped is a bop every time it lands but is limited to annual appearance. There in lies one big difference between the two approaches. Let’s see what else you could expect out of the new YouTube Music feature. YouTube Season Recap: How it works Source: u/DecentSizedTurd (Reddit) Like the YouTube Recap 2021, this one too would share personalized listening stats. YouTube calls this “an exploration of your top artists, songs, albums and playlists over the last season”. To view it, you just need to go to music.youtube.com/recap or the landing page on the YouTube Music app for Android and iOS. Right now, only some users have got the spring Youtube Music playlist. But the...
Post a Comment
Read more