The events following the global spread of COVID-19 have put governments on high alert. This has prompted a variety of initiatives to combat the virus, as well as its effects on society. Amidst this public health crisis, both State and society seem to have made providing treatment and controlling the pandemic their primary concern.
Taking inspiration from governments around the world, in its fight against COVID-19 India has recognised tracing and isolation through mobile applications, drones, and wearable tech as essential tools. Yet, as the State deploys these tools, it is crucial to remember that post the Puttaswamy judgment, the right to privacy has been explicitly upheld as a fundamental right, inherent to the right to life under Article 21 of the Constitution. Thus it is inalienable, even in times of crisis. The law still leaves scope for certain restrictions on these rights; however, these restrictions must necessarily be backed by legislation that maintains the safeguards of proportionality and necessity.
Democracies in age of #Covid19 shall only accept measures that respect ethical & legal essence of #privacy & #dataprotection.
– Purpose limitation
– Data minimisation
– Data protection by design
principles to ensure return to previous condition @W_Wiewiorowski #WNF20 pic.twitter.com/vpziHvdQKg
— EDPS (@EU_EDPS) June 4, 2020
Yet, in spite of these rulings, many of the technological interventions undertaken by the Indian government have raised alarms on data protection and privacy. For example, Apar Gupta of the Internet Freedom Foundation, a digital rights advocacy group, has called the Aarogya Setu app a “privacy minefield,” adding that “it does not adhere to principles of minimization, strict purpose limitation, transparency, and accountability.”
Is this level of caution and critique required? It is true that to get us through the catastrophe, the government will have to resort to certain extreme measures. To that end, it is also valid to balance the need to efficiently trace the spread of the virus against encroaching on a person’s privacy. As has often been pointed out by scholars, what we must remember then is that “when faced with crises, governments — acting for all the right reasons — are invariably prone to overreach.”
The degree of protection of our data and privacy rights depends on the powers of the data controller, and how they wield them. For example, when this controller is a well-integrated private tech giant, one with incredible resources and systematic access to people’s data, it is better placed to significantly affect a person’s rights–for better or for worse. Against a seemingly all-powerful State though, one that should protect and yet can also suspend our rights, even that giant is dwarfed.
The All-Powerful State
It is not unreasonable to wonder why one must be critical of a government working towards the greater good of society, when we already surrender so much of our personal information to private tech giants like Google or Facebook. However, it is crucial to also remember that in multiple ways, the government is placed differently from a private entity in terms of how directly it can affect our rights as citizens. As a result, the State’s actions could easily have grave impacts on citizens’ autonomy in the long-term.
Firstly, there is an inherent legitimacy attached to all government initiatives, that is rarely afforded to any private entity. If this is the case, then these initiatives must be accompanied by a greater commitment towards transparency and accountability.
For example, when the government broadcasted a list of people who tested positive for COVID-19, the information was taken at face value by the masses, despite its ineffective testing mechanisms that risk declaring false positives or negatives. This is further seen in the release of the Aarogya Setu app for contact tracing. With a chart-topping 75 million downloads achieved (much sooner than other successful private apps), the App’s government legitimacy overshadowed its subsequently acknowledged privacy risks. There is an evident ‘function creep’ in Aarogya Setu’s flawed purpose limitation, given that an application that came about primarily for contact tracing, now threatens to be used for lockdown enforcement. Therefore, the same standards of accountability that the government enforces on private tech companies, which have been waylaid in this case, need to be demanded for such interventions to be considered citizen-friendly.
Breaking – 100 Million plus downloads for Aarogya Setu App making it one of the world’s most widely used Apps for Contact Tracing in the fight against COVID-19 pic.twitter.com/1C7YHjBW1l
— Prasar Bharati News Services (@PBNS_India) May 13, 2020
Secondly, to avail the services of a private company, even one that could potentially put one’s privacy at risk, is largely a voluntary decision made by a user. On the other hand, citizens’ engagement with an app released by the government for their ‘welfare’ is often made mandatory, in effect. The consequences of withdrawing from either of these scenarios are highly varied.
In the case of a private tech company, a user would lose out on the valuable convenience that its services provide. In stark contrast, not downloading the Aarogya Setu app, which was slowly made mandatory for certain activities, could lead to both criminal and social consequences. Owing to intense criticism, in this case, the guidelines around the enforced use of the app were very recently shifted away from mandatory usage, to a ‘best effort basis’. Yet, a detail that slips through here is that the app continues to be compulsory for all government or public sector employees, as well as for all persons looking to travel via local or intercity public transport. This effectively strips all citizens of their right to choose to use Aarogya Setu or not, which puts their privacy at huge risk in the long-term.
This is not an instance of isolated government practice, though. Even the Aadhaar scheme, which had initially come about as an entirely voluntary one, is now a requirement to be eligible for subsidised ration, even during the COVID-19 pandemic. At the very least, this made it mandatory in effect, again raising larger concerns on how user data would be stored and used.
Today, a joint representation was sent to the Prime Minister’s Office endorsed by 45 organisations and 104 individuals against the mandatory use of the Aarogya Setu App. 1/4 https://t.co/7y9ZdPkmXl
— Internet Freedom Foundation (IFF) (@internetfreedom) May 2, 2020
Thirdly, it is important to recognise that data collection by the government and by the private sector cannot be compared. The government’s collection and analysis of people’s data, often undertaken for policies with far-reaching consequences for all citizens, is incomparable to a private company’s collection of data, considering the latter’s motives primarily relate to providing better services for a select target audience.
The risks of forming policies on the basis of digitally collected data can be exemplified by the National Health Stack program developed by the NITI Aayog to facilitate the collection of comprehensive healthcare data digitally. This data is aimed at assisting in policymaking and detecting insurance frauds, amongst other uses. However, concerns were quick to surface regarding its methods of digital data collection. These included an inability to address inequalities arising from the exclusion of underprivileged farmers and women that did not have access to the digital infrastructure required for the program’s execution, as well as an overall misplaced allocation of government funds to the private health sector, instead of investments in primary healthcare. We must also remember that inequalities in access to smartphones, or the Internet, continue to be a harsh reality for our country even today.
So, using the current data collected through healthcare surveillance to design policies to contain COVID-19 could once again result in systemic discrimination. The application is limited in its usability to a smartphone that necessarily has access to a 3G/4G network connection. Fund allotments and aid to affected populations, that may be difficult to account for in a digitally-driven data collection process, could stand hampered as a result.
The requirement of having Aarogya Setu as a condition for travel by Railways will cause massive exclusion to large sections of our fellow Indians. Technology deployments should be inclusive and account for implementing by design. A failure to do so is unconstitutional.
— Internet Freedom Foundation (IFF) (@internetfreedom) May 12, 2020
Fourthly, through devices like the recently introduced patient and personnel tracking tool, the government can considerably dictate daily lives. As noted by the Internet Freedom Foundation, the tender for these wearable devices calls for extremely invasive surveillance functionalities, and provides little justification for their use. Citing a broad objective of ‘detecting threats to national security’, the tools are set to be used to track one’s location histories, food habits, and sleep schedules, and will also monitor movements through facial recognition and GPS. This is a classic example of “under the skin” surveillance, as discussed by the author Yuval Noah Harari, wherein the government creeps in to monitor not just your interaction with the external world around you, but the internal mechanisms of your physical being as well.
In China, local governments have adopted ‘health code’ web pages that give users a red, yellow, or green status, on the basis of self-reported personal health questionnaires and inaccurate location trackers. The assigned statuses went on to affect a person’s ability to access public transport and highways. There have been reports of how a similar approach may be adopted in India using Aarogya Setu, through an electronic travel pass available in a new version of the app. Issuing these passes on similar parameters becomes concerning considering the ample scope of false positives being recorded. Remember, a private body cannot have such an effect on an individual’s mobility.
The dataset of “select protesters” was put to use for the first time to keep “miscreants who could raise slogans or banners” out of the Prime Minister’s rally last Sunday. #surveillance #CAA_NRC_Protest https://t.co/9BC3wRegY3
— Rohini Mohan (@rohini_mohan) December 30, 2019
So, by essentially making it mandatory to download Aarogya Setu, the government can impose criminal penalties for non-compliance. Additionally, it can also monitor the data collected through the application and take specific actions against individuals. For instance, in Noida, suspected infected individuals were subjected to home quarantine or isolation on the basis of their location history in various containment zones collected through GPS data. A more alarming instance, that could be extended to the pandemic too, was the use of facial recognition technology to identify and detain protestors in Delhi and Uttar Pradesh during the anti-CAA protests. Through such surveillance and profiling, without a sound legal backing, there is often the risk of the country descending into a surveillance state that threatens to squash all dissent.
The Way Out
We are in the midst of a global crisis, and it remains that the government is the most suitably placed to ensure a smooth sailing recovery from it. As noted by Alok Prasanna Kumar of the Vidhi Centre for Legal Policy, pandemic management “is not a binary of privacy vs. health, but on a spectrum of what measures can a state take without losing the trust of people”.
Short-term emergency policies tend to stick around and define new normals. In order to ensure that our new world is designed only for the better, conversations on technological surveillance demand strong public participation and a receptive government. We must build a robust transparency and accountability mechanism around all emergency measures, rooted in concrete legislation, to build not only trust but faith in the country’s democratic systems in the long-term.