For the sake of tracing the coronavirus spread in their areas, various state governments and local authorities in India are releasing personal details of individuals online. The data that the authorities are found to have released publicly include the name and addresses of those who are self-quarantined in their regions.
French security researcher Robert Baptiste, who goes by pseudonym Elliot Alderson or @fs0c131y on Twitter, spotted a dashboard of the Amdavad Municipal Corporation (AMC) in Gujarat’s capital Ahmedabad that included a map showing the location of COVID-19 positive patients. The dashboard even included the details of fatalities that took place due to the virus.
It was removed a few hours after he tweeted about it.
Baptiste also found a similar dashboard released by the state government in Madhya Pradesh earlier in the week that also got pulled soon after he reported it on Twitter. The researcher highlighted that the dashboard included the name of the quarantined people alongside their device ID and name, operating system version, app version code, GPS coordinates of their current location and their office. It was later found that the mobile app Sartak, which was released by the Madhya Pradesh government, was providing the data to the dashboard.
In an advisory posted last month, the Ministry of Health and Family Welfare warned citizens against disclosing identities of COVID-19 patients and those who are under quarantine. “Never spread names or identity of those affected or under quarantine or their locality on social media,” the advisory said.
Nevertheless, it appears that some state governments and local authorities in the country are yet to follow the direction given by the centre, and are actively releasing data of the public online.
Leaky data from the start
Several local bodies have revealed the list of COVID-19 patients. States such as Karnataka and Madhya Pradesh as well as cities including Ahmedabad, Rajkot, and Vadodara are some of the places where people’s data has been revealed on the Web so far.
Karnataka was amongst the first states in India to publish the lists of COVID-19 patients and people who self-quarantined in late March. The state government released the data on its website that included the names and addresses of the individuals staying indoors, according to media reports. Some people also posted the lists on social media through which the patients and quarantined individuals were able to notice the violation of their privacy.
Similar to Karnataka, the authorities in Rajkot have built a dashboard with a map that provides location details of COVID-19 positive people. It was spotted and reported by Baptiste on Wednesday, who was able to see the names and addresses of the patients alongside their location details. Gadgets 360 was also able to verify the existence of the map that is providing precise location of the patients.
However, other details about them were apparently pulled. An email sent to the Rajkot Municipal Corporation for clarity on the fix didn’t elicit response at the time of publishing this story.
In addition to Rajkot, Vadodara has a dedicated COVID-19 dashboard that highlights the name, addresse, age, and gender of active, recovered, and dead patients in the city.
Gadgets 360 reached out to the commissioner of the Vadodara Municipal Corporation (VMC) after seeing the dashboard live on its site for several hours but didn’t receive any response until filing the story online.
‘No useful purpose is served’
Experts have questioned the authorities for releasing private data of individuals just to favour tracking of the coronavirus outbreak. Technology lawyer and founder of legal advocacy firm Software Freedom Law Centre (SFLC.in) Mishi Choudhary said that the testing in the pandemic raises novel privacy issues because of the scale of the data collection, the non-traditional methods, and reasons for its collection, and the benefits and risks involved in sharing the data widely. “No useful purpose is served by releasing data about people to the general public,” she underlined.
Sidharth Deb, parliamentary and policy counsel at the New Delhi-based digital rights group Internet Freedom Foundation of India (IFF), told Gadgets 360 that the move by the authorities releasing individuals’ data publicly is a “blatant violation of people’s fundamental right to informational privacy” that can even lead to community level harms.
“These incidents are also emblematic of the issue with the public health response that there is no overarching data protection framework,” he said. “Additionally, we do not have meaningful sector specific laws as well which help preserve people’s anonymity when governments process people’s health data and related information when responding to the coronavirus.”
The IFF in late March wrote representations to the Ministry of Health and Family Welfare, Ministry of Housing and Urban Affairs, and the National Real Estate Development Council to raise privacy concerns in the times of the coronavirus outbreak in the country. The Union Minister for Health and Family Welfare Dr. Harsh Vardhan also acknowledged the representation in an email. However, local authorities and state governments are yet to address the outlined issues.
Internal data surfaced unintentionally
Alongside what has been released by municipalities and state governments, there are some instances in which the data of individuals surfaced on the Web through external sources. In late March, personal details of 19 people who were self-quarantined in Hyderabad after arriving from abroad were circulated on WhatsApp. The details included their names, phone numbers, and passport numbers that all were supposedly leaked from a government repository. However, the Greater Hyderabad Municipal Corporation zonal commissioner reportedly said they were not custodians of such information.
A similar case was seen in Pune where personal details including the names and medical history of COVID-19 patients in the city emerged on social media. Those details were reportedly part of the Google Maps link created by the Pune Smart City Development Corporation Limited (PSCDCL) for internal purposes.