Horrible idea.
The only historical data location data govt. can access is cell tower based triangulation.(Assuming operators have it.)
Accuracy of cell tower location is anywhere from a few hundred metres to a few kms.
Many many times the distance the virus can infect you.
The only historical data location data govt. can access is cell tower based triangulation.(Assuming operators have it.)
Accuracy of cell tower location is anywhere from a few hundred metres to a few kms.
Many many times the distance the virus can infect you.
For real time tracking, the COVID-19 patients will need to be carrying their mobile phone with them at all times with a govt. spyware app installed on their phone.
Which is an even more horrible idea, because it's literally a beacon for rabid mobs to find you.
Which is an even more horrible idea, because it's literally a beacon for rabid mobs to find you.
The Corona Kavach app needs access to
- Location (Netowrk and GPS)
- Phone Status and identity.
- Bluetooth
- Full Network access.
but....
- Location (Netowrk and GPS)
- Phone Status and identity.
- Bluetooth
- Full Network access.
but....
The Corona Kavach app also wants access to your phone storage and all your personal photos/medias and files.
There is absolutely no justification for any govt. app needing this kind of access into a citizens personal data.
There is absolutely no justification for any govt. app needing this kind of access into a citizens personal data.
The Singapore Govt's trace together app too seems to be saying one thing but doing something else.
Their FAQ page says ...
"We do not collect data about your location"
tracetogether.gov.sg/common/privacy…
Their FAQ page says ...
"We do not collect data about your location"
tracetogether.gov.sg/common/privacy…
But their app requires access to Location , Media and phone storage.
play.google.com/store/apps/det…
play.google.com/store/apps/det…
This is the Govt. of India's Meity developed Corona Kavach app on the Play Store.
The developer email address listed is someone's personal Gmail address.
#DigitalIndia #FAIL
play.google.com/store/apps/det…
The developer email address listed is someone's personal Gmail address.
#DigitalIndia #FAIL
play.google.com/store/apps/det…
And in more #DIgitalIndia #FAIL
@GoI_MeitY has two different developer IDs on the play store and publishes apps on both of them.
"MeitY, Government of India"
and
"MeitY, Government Of India"
(Difference is "of" vs "Of" )
play.google.com/store/apps/dev…
play.google.com/store/apps/dev…
@GoI_MeitY has two different developer IDs on the play store and publishes apps on both of them.
"MeitY, Government of India"
and
"MeitY, Government Of India"
(Difference is "of" vs "Of" )
play.google.com/store/apps/dev…
play.google.com/store/apps/dev…
So Corona Kavach from "MeitY, Government Of India" (Not to be confused with "MeitY, Government of India") is now gone.
And in its place we have "Aarogya Setu" from "NIC eGov Mobile Apps"
And in its place we have "Aarogya Setu" from "NIC eGov Mobile Apps"
The good stuff.
App is no longer published from someone's Gmail account.
And uses an @ gov dot in email address.
App is no longer published from someone's Gmail account.
And uses an @ gov dot in email address.
App no longer seeks access to your Storage and Photos/Media/Files.
Very welcome change. Good job whoever built this at @NICMeity!
This is literally all the permissions the app requires.
Very welcome change. Good job whoever built this at @NICMeity!
This is literally all the permissions the app requires.
Unfortunately the app goes downhill from there.
Notice the "scalable architecture" claim?
Your phone cannot scale. So what does?
The sarkari servers tracking all who install the app?
HUGE violation of our fundamental right to privacy.
Notice the "scalable architecture" claim?
Your phone cannot scale. So what does?
The sarkari servers tracking all who install the app?
HUGE violation of our fundamental right to privacy.
Let's compare the Singapore's Trace Together and Govt. of India's Aarogya Kavach.
Privacy Policy.
SG govt. one is human readable.
tracetogether.gov.sg/common/privacy…
GoI one is in legalese.(And doesn't seem to be available in other languages.)
web.swaraksha.gov.in/ncv19/privacy/
Privacy Policy.
SG govt. one is human readable.
tracetogether.gov.sg/common/privacy…
GoI one is in legalese.(And doesn't seem to be available in other languages.)
web.swaraksha.gov.in/ncv19/privacy/
Such encryption. Much wow!
Encrypted in transit and at rest.
Encrypted before upload.
Stored in "secure encrypted server".
Data shared with other apps is "securely encrypted".
Encrypted in transit and at rest.
Encrypted before upload.
Stored in "secure encrypted server".
Data shared with other apps is "securely encrypted".
But in their terms of use, they don't take any liablity for...
- the accuracy of the apps claims of contact.
- or if the awesome encrypted everywhere data gets leaked.
- the accuracy of the apps claims of contact.
- or if the awesome encrypted everywhere data gets leaked.
Data collected on sign up by Aarogya Setu.
"(i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; (vi) countries visited in the last 30 days; and (vii) whether or not you are a smoker. "
Compare this with what SG Govt. is collecting for Trace Together.
"(i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; (vi) countries visited in the last 30 days; and (vii) whether or not you are a smoker. "
Compare this with what SG Govt. is collecting for Trace Together.
COVID-19 doesn't care about your name/profession or sex before infecting you.
So why does the Govt. of India need that information at all?
Also smoker vs non-smoker? What decison making is based on that information?
So why does the Govt. of India need that information at all?
Also smoker vs non-smoker? What decison making is based on that information?
This app is absolutely not "Privacy First".
It collects way too much unnecessary information.
User has no control over the use of collected data.
User has no option revoke consent or delete their data.
It collects way too much unnecessary information.
User has no control over the use of collected data.
User has no option revoke consent or delete their data.
Your personal information shared via the app can be stored in perpetuity by the Govt.
Govt. makes the laws. So they are under no obligation to delete your data, Not even if you ask.
How is this Privacy First @PrinSciAdvGoI ?
Govt. makes the laws. So they are under no obligation to delete your data, Not even if you ask.
How is this Privacy First @PrinSciAdvGoI ?
The "Use of Information" clause is confusing.
Someone will need to analyse the app to figure out exactly what data is sent to the Govt and how it is being anonymised.
But you are granting access to the Govt. of India as a whole, not just a specific ministry or department.
Someone will need to analyse the app to figure out exactly what data is sent to the Govt and how it is being anonymised.
But you are granting access to the Govt. of India as a whole, not just a specific ministry or department.
Your personal information doesn't even seem to be restricted to only Govt. use.
Anyone could be declared as "necessary and relevant persons"
Anyone could be declared as "necessary and relevant persons"
Despite lengthy clause 2(a) (above tweet) with broad exemptions on what they'll do with your data.
They want to be doubly sure that they really have rights to your data.
So here comes Clause 2(c), which self-references itself and grants yet another relaxation.
They want to be doubly sure that they really have rights to your data.
So here comes Clause 2(c), which self-references itself and grants yet another relaxation.
Remember the draft data protection bill grants central govt. exemptions from any obligations for "reasons such as national security or public order."
nytimes.com/2019/12/10/tec…
nytimes.com/2019/12/10/tec…
After all the exemptions for storing and processing personal data by "Government of India" and "other necessary and relevant persons as may be required"
They still put this meaningless statement at the end.
They still put this meaningless statement at the end.
The "Aarogya Setu TERMS OF SERVICE"
prohibits reverse engineering the application.
web.swaraksha.gov.in/ncv19/tnc/
(Their TOS URL takes a lang= parameter, and it defaulted to lang=en, I tried a few more languages but it always displayed the page in English.)
prohibits reverse engineering the application.
web.swaraksha.gov.in/ncv19/tnc/
(Their TOS URL takes a lang= parameter, and it defaulted to lang=en, I tried a few more languages but it always displayed the page in English.)
Well intentioned security researchers are barred from analysing the app because gormint sas "The App has been thoroughly and rigorously tested for security vulnerabilities"
Who are these anonymous "leading academic and industry experts"?
Who are these anonymous "leading academic and industry experts"?
Listen to the experts @PrinSciAdvGoI
Built trust in your app.
Share your experts' names and pedigree before asking over a billion people to trust your app.
Built trust in your app.
Share your experts' names and pedigree before asking over a billion people to trust your app.
This is how privacy respecting contact tracing apps should work.
