With the launch of its ‘Chikitsa Setu’ app, designed to “train” people to break the chain of spread of COVID-19, Uttar Pradesh joins a couple of dozen other states that have their own app in addition to the Centre’s Aarogya Setu, which also aims to track and control the spread of the virus.
Apart from Uttar Pradesh, several other states and municipalities have, over the past two months, developed their own COVID-19 contact tracing and home quarantine apps.
These apps have multiple privacy issues that violate data security parameters on several counts, according to experts. An analysis of at least 24 such states’ apps shows most of these have been developed by private companies that have unprecedented access to sensitive patient data with little liability in case of a breach.
“Most of these apps have been developed by private companies and they have access to all the data while the liability provisions in case of breach are very vaguely worded, sometimes even asking the user to completely waive the liability and accountability of the service provider in case of data breach or loss,” Salman Waris, founder & partner at TechLegis Advocates & Solicitors, said.
A contact tracing app developed by Chennai-based Bhishma Technology Services for the state of Tamil Nadu has been downloaded more than 100,000 times. The company was incorporated on September 23, 2016, and has at least four other firms registered at the same address, with overlapping directors, according to data available with the government.
“These apps, they collect data and have the right to use the same and monetize it. However, if there is a breach, the user cannot even sue for damages. And then there is this whole issue of bypassing the government’s ‘procurement rules’ and favoritism,” Waris said. A detailed questionnaire sent to the state government as well as the company did not elicit any response.
The permissions sought by most of these contact tracing apps and home quarantine portals are another security issue that needs attention, cyber-security experts said. “Excessive permissions are required by applications that undertake tracing and surveillance through capturing information from different internal broadcasts from components of the device. In some cases, apps which are only informative and intended to issue advisories have sought permissions for location, photos, storage and camera,” an SFLC spokesperson said.
For example, Telangana’s app ‘T-Covid-19’ developed by Quantela Inc, a US-based company, aims only to “provide citizens with preventive care information and other government advisories”.
“However, for an information and advisory serving app, it asks for several permissions which include monitoring components including ‘extra location provider commands’ which pertains to state of location,” legal cyber-security advisory group Software Freedom Law Centre said.
A similar COVID-19 dashboard, developed by the Madhya Pradesh Agency for Promotion of Information Technology, was taken down after Robert Baptiste, a French ethical hacker who used the pseudonym Elliot Alderson on Twitter, pointed out flaws and showed that it violated basic personal privacy laws.
The quarantine and information vending apps of Punjab and Kerala similarly seek more information than is necessary for these programs to function, experts said.
Punjab’s information vending app ‘Cova Punjab’ seeks to have full network access and even view network connections. The app even seeks to pair with Bluetooth devices in its vicinity without express approval of the device holder, which can be extremely problematic and invasive, a cyber-law expert said.
“The problem is that all the state apps are using Centre’s Aarogya Setu framework and foundation as the starting point. That will not be a correct approach,” Supreme Court lawyer and cyber-law expert Pavan Duggal told The Indian Express.
A detailed questionnaire sent to both Punjab and Kerala did not elicit any response.
Despite the issues around data security and privacy, most of the apps developed by the states have managed to fly under the radar as they have not gained much traction, experts said, adding that since most of these are voluntary in nature, there is no obligation to download them and no strict enforcement either.