Tracked during COVID, India’s citizens gave away personal data
By Anurag Mehra, Indian Institute of Technology
Like long COVID, the side effects of India’s rush to track its citizens could linger longer than anyone bargained for.
Already conditioned to handing over their private information to officials, India’s citizens were quick to adopt apps designed to surveil them during the pandemic.
Aarogya Setu, an app to track the infection status of individuals, and CoWin, an app to book appointments and record vaccination status, would appear benign. But privacy and data security laws are woefully absent in India. There have already been many breaches.
India prioritises community rights over individual rights. A general fear of officialdom means many citizens part with private information subserviently and uncritically. Pandemic-induced anxiety only enhanced this behaviour. The right to privacy was disparaged, seen as undermining national security.
A bill to protect personal data is still pending in India’s Parliament, leaving no fundamental right to privacy. Despite some scattered protection provisions in other Indian law, data seekers of any kind — apps, websites or application forms — can freely extract, store, share or even sell personal data.
The Aarogya Setu app essentially carries out contract tracing using Bluetooth to capture the location of an individual and those in proximity. The captured data is stored on the owner’s device as well as central servers, and while anonymised, its single layer encryption provides little security.
Singapore uses a dynamic digital ID and multiple encryption layers to deliver greater security. Location tracing — recording absolute location (latitude and longitude) — is not needed for proximity or contact tracing, yet it was bundled into the Aarogya Setu app.
Data open to misuse
The government can now monitor the actual movement of people and even identify them, a situation made worse by the use of central data storage. Combining the data of different individuals, it could prepare social graphs or map interactions — who met whom, where, and how frequently.
While no instances of security breaches (except that reported by a cyber-security firm, and contested by the Union government) or social graphs have been reported, these factors provide scope for surveillance by hackers as well as official agencies. There has already been scope creep, the app deployed as a travel or entry pass (there have been many flip-flops on this), and some users even asked to donate to the PM-Cares fund.
Privacy issues are rife.. While the government asserts that the extracted data will not be shared with third parties, there are back doors. For example “to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19”. These persons could be anyone the government decides.
The terms & conditions of use absolve the government of all liability, including even for “accuracy of the information provided by the App or the Services as to whether the persons you have come in contact with have in fact been infected”. The near-mandatory nature of the app does not leave the user with much choice and amounts to coercion.
Various Indian states, as well as some cities, developed their own apps for tracking COVID-19 patients. Most of these have carelessly drafted privacy policies, and seek excessive permissions.
Quarantine Watch, an app from the south Indian state of Karnataka, made people post selfies at fixed times to show they were quarantined at home. Another app, Cobuddy, from Tamil Nadu, used GPS location and facial images for tracking. There was also an attempt to rope in mobile phone service operators to provide user locations. It is not clear where and to what extent this has been implemented. The information collected by these apps has often been shared with health agencies, municipal corporations and the police.
There have already been innumerable violations of privacy. The names and addresses of people who broke quarantine were published by the Karnataka government. A cyber security researcher showed that the Madhya Pradesh government’s Covid-dashboard could be accessed and information about quarantined people — with names, location and device details — gathered. Such leaks can stigmatise and endanger people.
Despite the breaches, there is no sign the government will adopt a personal privacy law, or even formulate an interim one.
What needs to be done
Guidelines are already in place for the Indian government to follow. The European General Data Protection Regulation (EGDPR), for example, mandates that personal data be extracted lawfully and in a fair and transparent manner for a specified purpose. The data collected should be minimal; stored data should be accurate and clean; data storage should be for a limited period and should be deleted subsequently; the data collector should be responsible for its integrity and confidentiality; and, the authority that “owns” the data should be held accountable to ensure adherence to these principles.
The formulation of data protection policies should be an intrinsic obligation under emergency legislations like the Disaster Management Act (2005). India, well down the path of “digitising everything,” needs comprehensive data protection legislation encoding a fundamental right to privacy.
Even more important is the need to educate people on the sensitive nature of personal data. The pandemic has highlighted a culture of obsequiousness. It’s time that shifted to one that thoughtfully demands a robust right to privacy.
Originally published under Creative Commons by 360info™.
Professor Anurag Mehra teaches engineering and policy at IIT Bombay. His policy focus is the interface between technology, culture, and politics. Professor Anurag declared no conflict of interest in relation to this article.