Indian Defence Review

The advent of COVID-19 has witnessed host of contact tracing apps worldwide. These are essential to monitor spread of COVID-19 but at the same time questions of privacy have arisen, more because of data going astray by design or default which can be misused. India introduced the Aarogya Setu aap for contact tracing including warning a user of an infected person in close proximity. It has been made compulsory for employees in public sector and private concerns in India.

Concurrently, Pakistan’s ISI has developed a ‘malicious application ‘ArogyaSetu.apk” which was reportedly shared through Whatsapp from Britain. The difference between ‘Aarogya’ in the original and ‘Arogya’ in the malicious is small, to fool users. If the malicious software is installed on a device, it can extract sensitive information and send it to the originator without knowledge of the owner.  ISI has been constantly targeting our armed forces personnel and their families for garnering information and spreading misinformation and fake news. 

China has made extensive use of artificial intelligence in combating COVID-19.  China used a smart-phone app with colour-coded health rating system to track millions of people daily. It assigns three colors to people — green, yellow and red on the basis of their travel and medical histories.

Citizens had to log into the app. Whether a person should be quarantined or allowed in public spaces was decided based on the color code. Only people having green color code were allowed in office and public places. Dashboards using Big Data have been deployed to continuously monitor the virus. Face recognition and infrared temperature detection techniques have been installed in leading cities.

Thousands of facial recognition-powered CCTV cameras have also been installed at almost every quarantine centre since there is no law to regulate use of surveillance cameras. Media reports of April 28 indicate cameras are being fixed outside homes of those under quarantine in cities across China since February.

Concerns have been raised in Australia over data storage for the Coronavirus tracking app being done by Amazon. This app is not mandatory but the Australian government has asked the public to download it. According to government officials, the uploaded contact information will be stored in Australia in secure servers and protected by additional laws to restrict access to only health professionals.

However, Labour members have asked government to explain why the data would be stored on servers hosted by a foreign company, saying, “On the face of it, the inexplicable decision to award the storage contract to a US company (overlooking Australian companies already security cleared for just such a role) could mean that personal information of Australian app users could be accessed by US law enforcement agencies. If this is not addressed, it is likely to be a serious impediment to building public confidence in the app.” It is perhaps due to privacy concerns and fear of data theft that about 10 lakh citizens of Singapore, which has a 97.5 percent literacy rate, had downloaded the TraceTogether app in April this year.

According to Lawrence Wong, Singapore’s National Development Minister, “In order for TraceTogether to be effective, we need something like three-quarters – if not everyone – of the population to have it. Then we can really use that as an effective contact-tracing tool.” However, only 1.1 million of the 3.2 million citizens have downloaded the app. Similarly, due to privacy concerns, the use by Israel’s police of mobile-phone location data to enforce quarantine has now been halted.

Lawyers for WhatsApp’s parent company alleged in documents filed on April 24, 2020, that NSO Group, the Israeli software surveillance firm accused of spying on over a thousand WhatsApp users, has used US-based servers to launch its attacks. The NSO Group used a server run by Los Angeles-based hosting provider QuadraNet more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.

In addition, the NSO Group used a remote server hosted by Amazon to target WhatsApp users. The latter should be read in conjunction concerns in Australia over data storage of their virus tracking app by Amazon. The Aarogya Setu is in exactly the same position with the server outsourced to Amazon Web Services (AWS).

So those vouching for absolute security of Aarogya Setu either have little idea about data security or are covering up. Fact remains Aarogya Setu user data is available to US official agencies and Amazon could sell it to NSO Group or elsewhere – even to China directly or through intermediary if the price is right. 

Reality of user data of Zoom being available to China emerged recently concurrent to data of 500,000 hacked accounts put on sale on the dark web. There was a message to not use Zoom but it continues to be used in government and public including in education and courses due to its easy operability. ‘Saynamste’ has been developed as Indian equivalent of Zoom but there are no official orders to stop using Zoom altogether.   Multiple Chinese apps are raking in millions from India. ‘Tiktok’ alone earns about $1 million daily for China though ‘Mitron’ has been developed as its Indian equivalent. 40% shares in PayTM are Chinese.

Five years back, Super Micro’s motherboards being used pan-America was found with a Chinese microchip inserted for spying. As of date, China has invested $4 billion in 30 Indian startups and will naturally have lien on their products by way of data sharing.  Government needs to keep a tab on this.

Money spent by Facebook and Amazon for “lobbying” in the first quarter of 2020 were highest in big tech firms according to US government; Facebook spent $5.3 million (up 19% from previous quarter) and Amazon spent $4.3 million (up 3% from previous quarter. No elaboration is required that ‘lobbying’ includes ‘bribing their way through’. China aims to own global data because it provides the ultimate handle in information warfare to manoeuvre countries, regions and their future.

It is not that we do not have professionally competent cybersecurity professionals and advisors with the government but the decision is with bureaucrats and politicians who may overlook professional advice and are prone to lobbying. For corporates, their religion is money – nothing else. That is why Bill Gates is batting for going soft on China on the Wuhan Virus. Ironically, corporates have clout with policy makers since they fund elections.

The primacy of data demands its handling should be completely indigenous – negating any scope whatsoever of foreign interference. Government needs to bring legislation for this. To this end, Facebook buying 9% stake in Jio Platform is fraught with risks as can be deduced from the above, notwithstanding the percentage of stakes. Policy makers are often carried away because of advanced technology, little realizing it is better to operate on lesser indigenous technology than to share data by default or design based on lackadaisical attitude that it does not matter.

Unfortunately, little is happening in developing own operating systems and software applications.  With reference to data, our aim must be complete indigenization, nothing else.