Weaponizing Data Tracking to Derail Covid-19 Spread V/s Data Privacy

Worldwide, the common approach to tackle the pandemic has been limiting citizen contact and detailed contact tracing of infected patients. Countries are now moving from traditional contact tracing methods to technology driven contact tracing.

Singapore, for instance, uses TraceTogether to track people who may have come in contact with Covid-19 positive persons. TraceTogether has enabled the Singaporean authorities to prepare a database of Covid-19 patients, on a no-name basis, along with details of places they visited, where they worked etc. The detailed database helps generate alerts to users on whether they may have come into contact with someone who is Covid-19 positive so that the users can get themselves tested as soon as possible.

India too has launched a contact tracing application – Aarogya Setu. Aarogya Setu translated into English means the path to wellness. Much like TraceTogether, Aaroya Setu will utilize the user’s basic information, location and bluetooth data to determine if a user has been in close contact with a person who has been detected positive for Covid-19 and notify the user.

Generally, contact tracing mobile applications use GPS/location data/ bluetooth data to trace instances of contact between mobile users. The application stores unique identifiers for each mobile that comes close to a user’s mobile. If a mobile user is diagnosed with Covid-19 then the application alerts all the other mobile users who may have come into contact with the Covid-19 positive user. Contact tracing applications reduce the margin for human error as people may not always correctly recall details of places visited, date of visit etc. Another benefit that applications have over traditional contact tracing is speedier data collection, data analysis and information dissemination.

However, contact tracing, especially technology-based contact tracing is reliant on collection, storage and processing of personal data through online systems which may involve storage of data on cloud servers. Some concerns have been voiced over collection, use and transmission of through applications for tracking community transmission. In particular, the Internet Freedom Foundation has criticized the Aarogya Setu on grounds of inadequate measures for protection of data collected through the application.

In India, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 provide that companies are required to provide a privacy policy which details the type of information collected and the purpose of collection of the information. However, the Indian data protection law does not adequately address the criteria or standards to be followed by the Indian Government for contact tracing applications. Globally accepted standards for data privacy are that personal data should be collected only to the extent it is necessary for the purpose and for the duration essential for the purpose.

The basic information collected by Aarogya Setu is (i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days. The application will also store the location data at the time of registration and at every fifteen-minute intervals. When two users who have downloaded Aarogya Setu come in contact then the unique identification will be exchanged and in stored on the phone. If a user tests positive of Covid-19, then the information stored by Aarogya Setu will be uploaded to the Government’s server. Further, if a user is identified as at risk for contracting Covid-19 based on self-assessment then also the information from the Aarogya Setu will be uploaded on the Government Server.

Earlier, the privacy policy of Aarogya Setu specified that the information uploaded by the user may be used for complying with a legal requirement. The generic purpose specified in the application was heavily criticized as a potential means of mass surveillance. Consequently, the Government has revised the privacy policy. Now, the privacy policy has been revised to limit the use of the information for specific measures to deal with Covid-19. The data collected through Aarogya Setu can be used for generating anonymized statistical reports, calculating and probability of a user being infected with Covid-19. Further, the Government has also clarified the time period till which the information collected from the users will be stored on the Government server. The modifications introduced by the Government is a welcome change. As the efficacy of the application increases with the number of users boosting user confidence through adequate privacy protection measures is key for success of Aarogya Setu.

A potential privacy concern is that Aarogya Setu  does not clearly specify which Government department will be responsible of processing and handling the data. The term Government of India used in the application is broad enough to cover various departments and ministries. Given the sensitivity of the personal data which is proposed to be collected through Aarogya Setu, the Government of India will have to place security systems in place to ensure that there is no leakage or threat to the personal data at the time of handling and processing. Any security breach due to inadequate data security systems and measures in place will only reduce the confidence of the masses in Aarogya Setu

What is critical is that India has not released any guidelines for data protection for contact tracing through traditional methods or technology driven methods. Aarogya Setu is not the only contact tracing application available in India. State Governments have also released applications which collect personal data. Karnataka for instance has released Quarantine Watch for self-reporting and tracking of persons who have been placed in quarantine in Karnataka. Recently, Google and Apple have also launched on initiative to develop a cross platform contact tracing application. The collaborative tracing application is being developed keeping in mind user’s privacy concerns over mass surveillance. Some of the features which will build in stronger privacy protection  are that tracing will be done only through Bluetooth and not location data, the user’s identifiers will be regularly rotated and matching will be done on a phone to phone basis and not on a central server (MIT Technology Review available here). Google and Apple will work directly with the Governmental authorities and will close the application on a geographical basis once the pandemic has passed.

Data protection in the time of pandemic involves protecting a citizen’s privacy, liberty and health as opposed one coming at the cost of the other. As of now, more than 60 million people have downloaded Aarogya Setu. The application will be critical for the Indian Government for contact tracing and minimizing spread of Covid-19. However, with multiple contact tracing and surveillance applications and no clear guidelines on data protection for contact tracing, India may be facing a very difficult situation if such data is not protected in a well-coordinated and harmonized manner.