Profile picture
, 19 tweets, 9 min read
My Authors
Read all threads
Mega thread on #AarogyaSetu 👇

1/n The Indian government has made Aarogya Setu contact tracing app mandatory for all employees (public & private) +for people living in Containment Zones. Failure to download it might violate MHA guidelines
medianama.com/2020/05/223-co… +
2/n Even if you aren't in a situation where #AarogyaSetu is mandatory, govt has authorised state govts/local authorities to make guidelines more restrictive. CISF is already mulling making the app mandatory for passengers at airports and metro stations.
medianama.com/2020/04/223-ci…
3/n Even before the government mandated the use of #AarogyaSetu, Prasar Bharti, Central Armed Police Forces, Zomato and Urban Company directed employees/contract workers to download the app.
medianama.com/2020/04/223-zo…
4/n There around 500 mn mobile internet users, 400+ mn smartphones. The moment #AarogyaSetu crossed 75+ mn downloads, we knew that they wouldn't want to give up an opportunity to have such a large captive user base, collect data on them, and potentially build a social graph.
5/n #AarogyaSetu, launched quietly on April 2, uses Bluetooth to track if a user came into contact with another user. It uses location to track where all a user has been. It is therefore an app that violates privacy because of all the data it collects. medianama.com/2020/04/223-aa…
6/n the effectiveness of #AarogyaSetu is questionable:it relies on self certification to indicate health status. That can be faked.
It relies on bluetooth to figure out contact, but 2 people on diff floors of an apartment building can be shown as being in contact via bluetooth
7/n As per #AarogyaSetu terms of use, the govt cannot be held liable for the app’s accuracy. Thus no accountability. Personally identifiable info collected is stored centrally on govt servers.

It's not clear who is liable for data leaks or theft. medianama.com/2020/04/223-aa…
8/n #AarogyaSetu uses a static ID to anonymise your device ID, which has raised significant privacy concerns in the cybersecurity world. Apple-Google’s proposed contact tracing API for instance, will offer a dynamic ID that’ll change every 15 minutes. medianama.com/2020/04/223-ap…
9/n It's also not clear what kind of anonymisation protocols are being used here. We don't know if the data collected by the government is truly anonymous.

The government hasn't open sourced the app, so it cannot be tested by independent security researchers.
10/n #AarogyaSetu provides no option to de-register/delete your account. Doesn’t allow users to log out. “Uninstalling doesn’t necessarily lead to de-registration,” Prof. Bhaskaran Raman from IIT Bombay said during @medianama discussion on Aarogya Setu.  medianama.com/2020/04/223-na…
11/n It's possible that #AarogyaSetu isn't very effective on iPhones. French govt has urged Apple to ease restrictions that don’t allow apps to send packets of data over Bluetooth while running in background. Not clear how Aarogya Setu works around this.  medianama.com/2020/04/223-fr…
12/n #AarogyaSetu has already witnessed a vulnerability that released users’ precise location data to Google after the self-assessment process. medianama.com/2020/04/223-aa…
13/n one of our major concerns with #AarogyaSetu is that of scope creep. It plans to offer telemedicine video consultations + personalisation in terms of data collection. It might also function as the “initial building block for India Health Stack”. medianama.com/2020/04/223-aa…
14/n Scope creep (adding more services) creates allows data to be linked together for profiling, the expansion of purpose and potentially data access, and greater privacy risks for individuals. It then doesn't just remain a contact tracing app.
15/n we have compiled a list of recommendations for improving #AarogyaSetu from a privacy perspective here
medianama.com/2020/04/223-na…
16/n We also compiled a list of issues with the #AarogyaSetu app from a privacy perspective here medianama.com/2020/04/223-na…
17/n it's important to note that #aarogyasetu doesn’t have a sunset clause. An app that tracks your location and who you're in contact with violates your privacy, and even in these times, should have a limited life-span.
18/n It's this worrying that the Indian govt has mandated it for the entire working population of India AND plans to use the app for next 1-2 years, according to Information and Broadcasting Minister Prakash Javadekar.
This needs judicial intervention.
We, as a media publication that believes in safeguarding basic human rights, have also also endorsed @internetfreedom's joint representation to the government against making the use of Aarogya Setu mandatory for workers. You can read more about it here: internetfreedom.in/45-organizatio…
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with MediaNama.com

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#aarogyasetu

More from @medianama see all

Profile picture
MediaNama.com
@medianama
Long thread (from @nixxin )
Yesterday, I was on a business news channel, ET Now to discuss the Indian govts regulation of social media platforms. The govt held a meeting with platforms to push for takedown of fake news/misinfo. They're particularly unhappy with Twitters delays.
One of the panelists, Vinit Goenka, made three suggestions:
1. There needs to be a KYC mechanism for users of social media. Just like banks have
2. Servers need to be kept in India (he makes this demand on every panel) Social media platforms need to pay taxes in India
3. Social Media co's need to be held accountable for user content. Just like TV channels are platforms and are held accountable what is said on TV or newspapers for what is published.

Before I address his points, a few things.
Read 17 tweets
Profile picture
MediaNama.com
@medianama
"What could be critical personal data that would require mandatory localisation? It'd most probably be in relation to national security. But wouldn't the govt already have it?" #NAMA #PDPBill2019
"It's important that we have explicit consent, but there are so many situations where we can't give explicit consent. Like my RFID number plates being read at a traffic jam." #NAMA #PDPBill2019
"What explicit consent from a user would mean is have a pretty picture showing how data flows across the world, and you click yes or no." #NAMA #PDPBill2019
Read 5 tweets
Profile picture
MediaNama.com
@medianama
#PrivacyBill Companies may have to get their privacy-by-design policies certified by the Data Protection Authority.
Right to be Forgotten under India's #PrivacyBill? A data principal can appeal Right to be Forgotten orders to an Appellate Tribunal, if he/she is unsatisfied with the Adjudicating Officer's review of the RTBF order. In the 2018 draft bill, the review process ended with the AO.
There's now going to be a "Consent Manager" thanks to #PrivacyBill.

Users can use the consent manager to give or withdraw consent to the data fiduciary (app/site). Consent manager is defined as
Read 34 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!