A few days back, Google and Apple, the owners of the Android and iOS systems and considered business rivals, came together in a surprise joint collaboration arrangement.
The collaboration appeared to be an attempt to regulate the use of Contact Tracing apps, but it has long-term implications for the way the World Governance system functions.
If the UN does not wake up, we will have a new nation state that will be under the control of Alphabet and Apple (A&A) Incorporated. Facebook-WhatsApp has already created its own nation state with its own currency Libra. If A&A opts for a currency of its own, they will disrupt the current global system more than what the North Korean-China combined regime can do together.
Soon we may have a constitutional crisis of Companies incorporated under the laws of a sovereign State trying to create their own constitutional islands. This idea was effectively used by Swami Nityananda who has purchased an island and declared it as a Nation “Kailaasa” with his own Governance system.
Naavi
Alphabet and Apple create a separate legal zone for Mobizens
According to this report in Economic Times
“Apple Inc and Alphabet Inc (Google) would ban the use of location tracking in apps that use a new contact tracing system the two are building to slow the spread of the novel coronavirus”.
The Companies plan to allow “only” public health authorities to use the technology. At the same time they also said that they would prevent the Governments from using the system to compile data on citizens and that was the primary goal of this joint exercise.
Though this appears to directly reflect on the Aarogya Setu app in India and its intended operations, on which a team of “Highly Concerned Privacy Activists” are working to prevent the Government of India from misusing the App for public surveillance, the issue is more universal. Several states in the USA, as well as other countries including the UK, have started using mobiles as an instrument for locating an individual and thereby tracing movements that could lead to tracing the contacts of people with others who may have infections. If a person is detected as having been infected, it is considered useful to know his movements in the last few weeks and the persons with whom he came into contact, so that the potential risks can be identified and acted upon to reduce the spread of Covid-19.
The new system prevents the use of GPS location data for tracing and requires contact tracing apps to use Bluetooth for tracing, in a manner that Apple and Google dictate, which is considered less reliable.
Google and Apple also said that they will allow only one app per country to use the new contact tracing system. They will allow different States in the US to use the system independently, but in other countries they may or may not allow the regions to use the system independently of the federal Government.
By these moves, Google and Apple are projecting themselves as the saviours of the Privacy of people across the globe and dictating terms to the sovereign Governments. They have thereby thrown a challenge to the global Governance system and are creating a “Nation State” governed by the users of the Android-iOS driven mobiles.
In this new suggested order, the Android-iOS mobile holders are “Mobizens” of the Android & Alphabet (A&A) state and the responsibility for protecting the fundamental right of privacy in this nation lies primarily with the A&A.
A&A opt out of protection under Section 79 of ITA 2000/8
Under the current laws prevailing in India, the activities of any organization dealing with “Electronic Documents” are regulated by several measures. The sale of mobiles is regulated by business license, and a mobile is a system of hardware, the OS, the default OEM apps and the apps downloaded and installed by the owner of the device.
Alphabet and Apple control their own App Stores and are considered responsible for ensuring that only malware-free apps are allowed to be listed there, a responsibility they have not been successful in meeting.
Under ITA 2000/8, the mobile is a computer and the OS and apps are accessories. Owners of these accessories are “Intermediaries” with their own responsibilities. Under Section 79 of the Act, Intermediaries are liable for any contravention committed by a user unless “Due Diligence” is exercised and the intermediary is not in complicity. For an entity to use this safe harbor clause, it is necessary that they fulfill the definition of an “Intermediary” and the conditions for availing the protection under Section 79.
The definition of Intermediaries under Section 2(w) of ITA 2000/8 is
“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.
Under Section 79 (2)
Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link hosted by him.
But the above provision would be applicable (besides due diligence and lack of complicity) only if
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; or
(b) the intermediary does not-
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
By virtue of the above provision, the moment Alphabet and Apple take on the responsibility of how the GPS system or Bluetooth system works in their system, they lose their status as an “Intermediary”.
Hence CERT-In should issue a notice to both companies, Alphabet and Apple, asking whether they are opting out of the Section 79 protection, if any, available to them under Indian law.
A&A are Data Fiduciaries/Data Controllers
Now looking at the forthcoming data protection act that is envisaged in India, any data handler who determines the purpose and means by which the personal data will be processed will be considered as the “Data Fiduciary”. Elsewhere the entity may be called “Data Controller”.
The data fiduciary/data controller does not have an independent legal power to determine how the personal data may be handled. Either the data principal/subject should provide a consent, so that the personal data is processed as per the choice of the data principal/subject, or the law should have provided certain exemptions and derogations.
While the Governments may use the powers of exemptions because they have a duty for public safety and health, it is not clear on what legal grounds the A&A state can claim immunity for not giving the owner of the system a choice to give permissions for the use of his personal data.
Indian law has a provision by which Alphabet Inc or Apple Inc may register themselves as “Consent Managers” who will also be a data fiduciary and have the authority to determine how consents can be given on their behalf for the personal data to other third party data fiduciaries including the Governments. GDPR and other laws may not have similar provisions.
Since the DPA in India under PDPA is not yet in place, it may not be possible to check the intention of the companies under the provisions of PDPA.
However, a notice can be issued under ITA 2000 itself about whether Apple and Alphabet would like to register themselves under Section 67C as one of the “Digi Locker” service providers. Avoiding an available legal provision to get the permission of the lawful authority is a clear violation of the law of the land and cannot be attributed to ignorance.
A&A should come under the Scrutiny of Competition Commission
Looking from another angle, if Alphabet and Apple have a monopoly over 99% of the use of “Mobiles” and the activities of “Mobizens”, then all their activities, including the current joint venture, should be examined for compliance with the Competition law.
Today A&A is taking the excuse that they want to be the sole distributors of GPS access because they want to protect privacy. Tomorrow they will make it the instrument of making money and be the sole suppliers of GPS data for all application owners. This is a dangerous monopoly situation.
The Competition Commission should therefore issue a notice to both the companies to explain their stand.
Elliot Anderson should provide guidance for a public cause
I also need to add here that there is one most concerned French citizen who goes by the pseudo identity of Elliot Anderson and writes “Aarogya Setu: The story of a failure”.
This person may very well be a direct contact of some Indian politician and could even be a person sitting in Delhi since he is the first to react on Indian developments even before other Indian security professionals can get a scent of something happening here.
It is to be appreciated that he identified some bugs in Aarogya Setu and gave a notice to the Government to “respond …or else….”. He has explained his analysis of the app after decompiling the source code. Probably what he has pointed out is correct.
But many of the technical experts consider that the bugs pointed out are not significant weaknesses that can compromise the data which is lying inside the user’s device itself in an encrypted state. If accessed it will be hacking of individual device owners, whose privacy Mr Elliot Anderson is so concerned about. (P.S: This is based on the Government’s announcement that the personal data is not transferred to a data server and is stored within the device).
According to an expert
“For apps of this scale that handle sensitive data, sophisticated code hardening and app security tools like DexGuard or Arxan need to be used. These tools modify the app at build time to add code and also have features like root detection and Frida detection built in”.
The Copyright Issue
However we need to reflect,
If I just call myself an “Ethical hacker”, does that give me the license to overlook Indian Copyright Act or DMCA or any French Copyright Act?
…to the extent of de-compiling the source code and publishing it?
If I am good enough to find the flaws should I not give a reasonable time to the app developer to make corrections? Or even better
Should I not myself suggest to the App developer what corrections can be made?…particularly when we are talking of a non-commercial public safety app of a sovereign Government fighting the pandemic?
Declaring an App as a Protected System
Had the Government declared that the App is a “Protected System”, even an attempt to unauthorizedly access the source code would have qualified for an imprisonment of 7 years. It is good for these so-called ethical hackers that the Government did not remember Section 70 of ITA 2000 and how it could have been used to protect against such motivated hackers.
The Government, which acknowledged the report of Mr Elliot and made some corrections which it thought were necessary, should have thrown back a challenge to Mr Elliot to suggest how the code should be modified to prevent the bug he points out. Then we could have found out if Mr Elliot was willing to help in the public cause or only trying to strengthen the hands of the Indian opposition and our own indigenous Privacy activists who, along with their friendly media, keep criticizing all Government moves without suggesting any alternatives and call themselves “Internet Azadi Brigade”.
If the Government does declare Aarogya Setu as a “protected system” now, it will of course face the charge of “Shooting the messenger”, and hence they may not have the courage to do it.
Need for better articulation
If however the privacy policy provides some warranties such as storing of data within the device, deletion after a specified time etc and declares the purpose, then the only issue that remains for criticizing the app is the “Mandate that it has to be installed by all workers returning to work”.
The Government could have articulated its measure by stating that “Lock down continues in public interest but relaxations are provided only for those who have installed the App”. This would have appeared like a favour rather than saying “All can return to work but they have to install the App” which looks like a punishment.
Naavi
(Comments invited)
Brilliantly articulated.
Very insightful article. Insights to ponder for individuals and for government as well. It's a wake-up call. Now is the time to limit the influence/monopoly of A&A before they carve out a zone for mobizens and start governing the same, without any consideration of any laws of sovereign states.