Madhya Pradesh app to track patients leaks personal data, taken offline
The database contained the names of people who are meant to be quarantined, information about the type of phone they used and their last known location – at times as accurate as within 5 metres – and was available for download on an mp.gov.in website.
Updated: May 11, 2020 06:40 IST
A digital tool used by the Madhya Pradesh government to track people who are meant to be quarantined was found to have exposed the personal details, including real-time location, of thousands of individuals before it was pulled down on Sunday after a French computer programmer tweeted about it.
The database contained the names of people who are meant to be quarantined, information about the type of phone they used and their last known location – at times as accurate as within 5 metres – and was available for download on an mp.gov.in website. Before it was pulled down on Sunday evening, it contained the names of at least 5,400 people.
“There is some information on the portal which should not have been there. Hence, we are going to remove the dashboard and working on a new access strategy under which only authorised persons will be given access to information to the data,” said Nand Kumaram, the chief executive officer (CEO) of Madhya Pradesh Agency for Promotion of Information Technology (MAP-IT), a state government agency that developed the system from where the data was leaked.
MAP-IT is part of the Madhya Pradesh government’s department of science and technology and uses a mobile phone application called Sarthak that needs to be installed by people who need to be under home quarantine since they may have or are confirmed to have the coronavirus disease (Covid-19).
“Sarthak App is to help us in Covid management. The information stored in the App is confidential and is not meant for making it public. However, we are trying to verify if names being made public on the portal are real ones or as stored in the app,” Kumaram added.
Privacy and health experts said the leak, exposed by the French man who goes by the nom de guerre of Elliot Alderson in a tweet on Sunday afternoon, was a major breach. “If you store data in such a risky manner, where it could immediately lead to the identification of an individual, you have to security measures to make sure no one can access it. They didn’t do that here and the Madhya Pradesh government is now legally responsible if there is a breach of such people’s privacy,” said Raman Jit Singh Chima, Asia policy director and senior international counsel at Access Now.
The Union government had in an advisory on April 8 said that those affected by Covid-19 or under quarantine should not be identified.
“It can’t be allowed this way. Making public name of any quarantined person without his consent is violation of his rights. The information is for analysis and follow-up, not to stigmatise people and create terror among them about Covid,” said Bhopal-based public health expert Amulya Nidhi. “There should be a detailed inquiry into this as to who allowed this and whether consent of quarantined people was taken for making public his name. Action should be taken against officials responsible,” he added.
Principal secretary, Health, Faiz Ahmad Kidwai said: “Sarthak app is to help the department to monitor quarantined people. I will look into it if something like this has happened.”
(With inputs from Binayak Dasgupta)