Aarogya Setu and patient tracking tools: A serious infringement of digital privacy

BECIL tender wants bidding companies to offer surveillance instruments that eye suspects, not just patients. We have no information on where this data is being stored, the period of storage, and whether the data will be deleted after the COVID-19 crisis passes.

Written by Vrinda Bhandari | Published: May 28, 2020 6:46:03 pm
Aarogya Setu is a contact-tracing app developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology. (File/Express photo: Sneha Saha)

The COVID-19 crisis has seen a gradual erosion of privacy through the proliferation of apps and measures undertaken by governments and companies. Some of these measures, such as the introduction and deployment of Aarogya Setu, have received a lot of attention, while others have slipped under the radar.

One such instance is the request for expression of interest floated by the Broadcast Engineering Consultants India Ltd. (BECIL) last month for the empanelment of an agency “for the supply of healthcare equipments”. As part of the scope of work, BECIL, which comes under the Information and Broadcasting Ministry, has provided a list of 22 items that have to be delivered by the bidders, including a sanitisation/disinfectant chamber, COVID-19 test kits, rescue team GPS location monitoring system, and N95 face masks. BECIL then issued a corrigendum and added a hand-held thermal imaging system, optical thermal fever sensing system, and a COVID-19 patient tracking tool, as part of the products to be delivered.

Through these innocuous additions, the building blocks of a perfect surveillance tool have been smuggled in. Consider the specifications of the “COVID-19 patient tracking tool”, presumably meant to be deployed to reduce health risks. The very first specification, however, is for the tool to be useful as an “intelligence investigation platform and tactical tool to detect, prevent and investigate threats to national security using CDR, IPDR, tower, mobile phone forensics data”.

The law enforcement aspect of this “patient tracking” tool is further made evident in other parts of the corrigendum, such as for its use as an “intelligence investigation platform and tactical tool to detect, prevent and investigate threats to national security…”; for location-based analysis to “geo-fence an area of interest” such as “airport, mosque, railway station” to identify “all the people” present there at the time of the event; to identify a “suspect’s behaviour”, including where they “order food from”, where they go for regular walks, where they “work during the day” and “sleep at night”. These are just some examples that illustrate the vast swathes of personal data being collected. For all practical purposes, therefore, the government will have intimate knowledge of our every movement and be able to monitor every aspect of our daily routine.

Interestingly, the specifications for this patient tracking tool use the terms “infected person” and “suspect” separately, further establishing its surveillance and national security imperative. Under the guise of supplying healthcare equipment during a national epidemic, the government (through BECIL) is using COVID-19 as an opportunity to shore up its surveillance infrastructure. This is concerning both for practical and philosophical reasons.

The practical concern stems from the fact that India still does not have a data protection law, and there are no established norms that regulate the collection, storage, and use of such data. The patient tracking tool is collecting far more data than required for the task of contact tracing. We have no information on where this data is being stored, the period of storage, and whether the data will be deleted after the COVID-19 crisis passes.

There is no restriction on the sharing of such personal data with law enforcement agencies, which will greatly enhance – and result in the likely misuse of – their surveillance capabilities. Despite the extraordinary amount of data being collected, we have no way of knowing the security measures being deployed to prevent a hack or an unauthorised data breach. The Aadhaar experience, and the multiple cases of leaks over the last couple of years, should make us wary about government claims of security of data. Finally, there is no accountability or oversight built into the system. Citizens have no way of knowing how their data will be processed, nor is there any data protection authority that can handle complaints about the misuse of data.

The philosophical concern stems from the fact that privacy is increasingly viewed as a “luxury” that has no place in times of a public health crisis. Such a view, however, simplifies the debate to a “privacy vs health” heuristic. Most academics or privacy activists are not opposed to the idea of contact tracing per se. Their fear, instead, is that exceptional measures taken during the COVID-19 crisis will be normalised; and that the surveillance architecture being built as a reaction to the pandemic will become a part of our bureaucratic infrastructure, justified on the ground that it will be necessary to “fight” the next pandemic. Mass surveillance may very well become the new norm in these exceptional times.

Over the years, technology has removed the traditional constraints of surveillance, namely limited police resources. Technology today has empowered law enforcement agencies with far greater ability to monitor the daily activities of a large number of people. Many people question the focus on state surveillance, particularly when we seemingly have no problems giving Google and Facebook all our personal data. “Surveillance capitalism” is undoubtedly a cause of concern. However, the power imbalance between citizens and the state, in terms of the concentration of powers in the hands of the state, its monopoly over the law and violence, and the possibilities of misuse, means that we should be even more concerned when the state tries to arrogate greater powers to itself. The BECIL expression of interest represents just that, and unless we sit up and take notice, we are unwittingly sacrificing our hard-fought civil liberties in the name of public health protection.

The writer is a Delhi-based lawyer specialising in digital rights and privacy