Bengaluru -- A public website run by the Andhra Pradesh government tracks the exact location of state-run ambulances in real time, allowing anyone on the Internet to monitor the movement of these vehicles and obtain sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken — the HuffPost has found.
While the website doesn't publish the name of the patient, it reveals the pick-up point and the purpose of the visit — such as assault, pregnancy, heart attack, asthma, and so on — sparking fresh concerns over the kind of citizen data collected by state governments, the security of this data, and the total absence of laws laying out how such data should be stored, with whom it can be shared, and whether private companies can harvest and monetise this data. The much-anticipated Justice BN Srikrishna Committee report is expected to form the basis of a data privacy law; the report is expected to be submitted soon.
Apart from the inherent Handmaid's Tale-style creepiness of monitoring the movements of pregnant women and victims of assault, broadcasting such data, privacy experts said, can cause citizens serious harm. The tracker also records information such as whether the ambulance's ignition switch is on or off, revealing that such granular data gathering is now commonplace.
"Among the last things a person needing an ambulance wants is for their medical situation to be broadcast online without their consent," said Pam Dixon, founder and executive director of the World Privacy Forum. "Highly specific and sensitive health information should not be available about individuals online. This is especially so for information that is identifiable. It is not the government's role to disturb people's medical privacy."
The ambulance tracker is only the most recent of a long series of privacy breaches linked to Andhra Pradesh's ambitious People's Hub: a vast integrated database that merges citizen information across multiple government departments and presents the information as easily searchable dashboards.
Many of these dashboards — including the ambulance tracker — were initially available to the public. HuffPost has previously reported on how one public website allowed users to search and geo-locate homes on the basis of caste and religion, while another website broadcast the names, phone numbers and medical purchases — like generic Viagra and HIV medication — of anyone who buys medicines from the state's Anna Sanjivni stores.
Who is tracking all this tracking?
HuffPost sent a detailed questionnaire to the Chief Minister's Office Realtime Executive (CORE), the agency overseeing Andhra Pradesh's digital push, including the dashboard linked to the ambulance tracker.
Our calls were not answered; public access to the website was terminated after our email, but those with open sessions on the website — like this reporter — could continue to access the information.
Security researcher Srinivas Kodali, who first discovered this vulnerability, added that the dashboard's use of Microsoft's Azure platform was a cause for concern.
"The risks are enormous," Kodali said. "This is the kind of data that could be used to identify people, and this is the kind of data that patients don't want anyone to have access to."
In a mailed response, Microsoft stated that it does not have anything to do with the design or deployment of the service, and all data belongs to the customer using Azure, not Microsoft. It wrote: "Our customers own all data relating to solutions and processes they run on our platforms. We build our services from the ground up with strong security and encryption built in to safeguard customers' data and provide industry-verified conformity with global standards."
"In this particular instance, we would like to clarify that Microsoft has not played a role in the design or deployment of the solution," Microsoft added.
Dixon, from the World Privacy Forum, recommends that the data should be taken offline immediately, until a "thorough review of the system and its access controls is completed."
Beyond this, however, she urged that a policy of "never posting identifiable medical or demographic information needs to be put in place." Dixon also called for regular audits of any system, to make sure any unauthorised access can be logged and tracked.
A lack of foresight
"We have not made the public policy choices with foresight," said Apar Gupta, a Delhi-based lawyer and a co-founder of the Internet Freedom Foundation. "Government has the most power over an individual," he said, and added, "Privacy protections have to be applied with a particular focus to how the government gathers data, processes it, and discloses it."
"The question to ask is, what is the purpose of stockpiling, and monitoring, this data?" he said. "What may help right now may even be state level legislation on data privacy. For example, prior to central RTI act, state governments made RTI laws. The same could happen for privacy. The government with AP is quite competent to bring in a data protection law at the state level."
By doing this, even before there is a national law on data privacy, the individual states can help ensure that the various data collection programs that are going on are not misused, and such laws will also help to plug leaks through audits.
"A lot of the harms are emerging from the digitisation of government data, such as leaks and the perception of surveillance," said Gupta. "This happens because there is no legal restraint on government to conduct these activities."
Editor's note: This article has been updated to reflect the statement sent by Microsoft to HuffPost India after the article was first published.