Clik here to view.
Bengaluru -- A public website run by the Andhra Pradesh government, and hosted on Microsoft's Azure cloud computing service, tracks state-run ambulances in real time, allowing anyone with an internet connection to monitor the movement of these vehicles and obtain sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken — the HuffPost has found.
While the website doesn't publish the name of the patient, it reveals the pick-up point and the purpose of the visit — such as assault, pregnancy, heart attack, asthma, etc — sparking fresh concerns over the kind of citizen data collected by state governments, the security of this data, and the total absence of laws laying out how such data should be stored, with whom it can be shared, and if private companies can harvest and monetise this data. The much anticipated Justice BN Srikrishna Committee report is expected to form the basis of a data privacy law; the report is expected this week.
Apart from the inherent Handmaid's Tale style creepiness of monitoring the movements of pregnant women and victims of assault, broadcasting such data, privacy experts said, can cause citizens serious harm. The tracker also records information like if the ambulance's ignition switch is on, or off — revealing that such granular data gathering is now commonplace.
"Among the last things a person needing an ambulance wants is for their medical situation to be broadcast online without their consent," said Pam Dixon, founder and executive director of the World Privacy Forum. "Highly specific and sensitive health information should not be available about individuals online. This is especially so for information that is identifiable. It is not the government's role to disturb peoples' medical privacy."
The ambulance tracker is only the most recent of a long series of privacy breaches linked to Andhra Pradesh's ambitious People's Hub: a vast integrated database that merges citizen information across multiple government departments and presents the information as easy searchable dashboards.
Image may be NSFW.
Clik here to view.
Many of these dashboards — including the ambulance tracker — were initially available to the public. HuffPost has previously reported on how one public website allowed users to search and geo-locate homes on the basis of caste and religion, while another website broadcast the names, phone numbers and medical purchases — like generic Viagra and HIV medication — of anyone who buys medicines from the state's Anna Sanjivni stores.
Who is tracking all this tracking?
HuffPost sent a detailed questionnaire to the Chief Minister's Office Realtime Executive (CORE), the agency overseeing Andhra Pradesh's digital push, including the dashboard linked to the ambulance tracker.
Our calls were not answered; public access to the website was terminated after our email, but those with open sessions on the website — like this reporter — could continue to access the information.
Security researcher Srinivas Kodali, who first discovered this vulnerability, added the dashboard's use of Microsoft's Azure platform was a cause for concern.
Like most leading global tech companies - Microsoft is also investing heavily in artificial intelligence algorithms, which need vast stockpiles of data for effective machine learning. Microsoft did not respond so far to a HuffPost questionnaire asking if the company had the right to use data gathered in the course of its partnership with the Andhra Pradesh government, and we will update this article when it does.
"The risks are enormous," Kodali said. "This is the kind of data that could be used to identify people, and this is the kind of data that patients don't want anyone to have access to."
Dixon, from the World Privacy Foundation, recommends that the data should be taken offline immediately, until a "thorough review of the system and its access controls is completed."
Beyond this however, she urged that a policy of "never posting identifiable medical of demographic information needs to be put in place." Beyond that, Dixon also called for regular audits of any system, to make sure any unauthorised access can be logged and tracked.
Image may be NSFW.
Clik here to view.
A lack of foresight
"We have not made the public policy choices with foresight," said Apar Gupta, a Delhi-based lawyer and a co-founder of the Internet Freedom Foundation. "Government has the most power over an individual," he said, and added, "Privacy protections have to be applied with a particular focus to how the government gathers data, processes it, and discloses it."
"The question to ask is, what is the purpose of stockpiling, and monitoring, this data?" he said. "What can help right now is state level legislation on data privacy. For example, prior to central RTI act, state governments made RTI laws. The same could happen for privacy. The government with AP is quite competent to bring in a data protection law at the state level."
By doing this, even before there is a national law on data privacy, the individual states can help ensure that the various data collection programs that are going on are not misused, and such laws will also help to plug leaks through audits.
"A lot of the harms are emerging from the digitisation of government data, such as leaks and the perception of surveillance," said Gupta. "This happens because there is no legal restraint on government to conduct these activities."