The COVID 19 pandemic has led to a situation wherein Governments across the world have devised digital solutions including tracking apps, which have unbridled access to a person’s sensitive personal data. Countries with a lack of data protection and privacy laws give an upper hand to the Governments to mandate apps bypassing the ethical principles of privacy and data collection. India has devised an ad-hoc technology-based solution without a clear understanding of the harm it may cause. This article will critically analyze the various mass surveillance solutions used in the face of the pandemic while weighing them against human rights and privacy concerns.
With the Covid-19 pandemic raging on in India, marking over 78 lakh confirmed cases and 1.2 lakh deaths, digital solutions aimed at collecting crucial data to supplement the public health machinery and to execute policies with regards to restrictions, quarantining, and testing are necessary. However, said data collection, done for public health security, cannot afford to ignore constitutionally-guaranteed rights. The global trend has shown that previous epidemics have made several governments across the world sensitive to data privacy concerns while implementing digital solutions to tackle a pandemic.
For example, in South Korea, after the deadly MERS (Middle East Respiratory Syndrome) outbreak in 2015, the law in place to govern the prevention and control of disease outbreaks was amended to accommodate the newly employed digital data collection strategies by the South Korean government. The amended law was conscious of privacy concerns of the subjects and set limits on the government to curb prolonged and arbitrary misuse of the collected data. Each person whose data was to be collected had to be notified of the same. Also, the data needs to be destroyed after it has been processed.
A statement from the Canadian government in March 2020, delimiting how the data collected during the pandemic will be used legally, creates an atmosphere of public trust ensuring that future policies with regards to information gathering are transparent and challengeable.
The government of India, by the looks of it, has not factored in privacy concerns while devising digital solutions to counter the pandemic. India’s approach lacks vision and in-depth analysis to completely understand the implications of said solutions. Historical evidence has shown that a rights-conscious approach is possible in scenarios such as this, despite the fact the government might take some leeway in using the personal data in the interest of public health.
The government of India, especially Prime Minister Narendra Modi, has vehemently promoted the Aarogya Setu app, made to aid the public health system to better deal with the pandemic. Aarogya Setu is a contact-tracing app that uses the user’s location history to trace possible contact with persons who have tested positive. The app does this using GPS and Bluetooth to determine proximity with an infected person. The health status of a user is determined by the information they provide to the app.
Of the several digital surveillance technologies, Aarogya Setu is a major one that the central and state governments have purposefully pushed to fuel the Covid-19 response. Several other data surveillance apps use a combination of features such as GPS, facial recognition, and thermal scanning to create “social graphs” of a person and determine possible carriers. The release of the app was followed by a Data Access and Knowledge Sharing Protocol, released by the Ministry of Electronics and Information Technology. This statement provided for a fixed time period exceeding which collected data will be destroyed.
However, it also provided that the app will not only be used for the purpose of contact-tracing, but the data gathered from the same will be used by government agencies to identify new hotspots and devise new policies with regards to the pandemic. The plan released by the government failed to inform upon the practices followed by the government while collecting and using said data. Whether privacy safeguards, such as anonymization and pseudonymization will be applied to the data collected before it’s put to use is not clarified.
This is technically problematic whilst having some obvious privacy loopholes, as such apps have some inherent limitations preventing them from being an efficient source for data collection and policy support. First, their success is hugely dependent upon the data provided to it by a user. Self-reporting by the user is required to mark a user as infected, which in turn requires large scale testing, which is non-existent in India. Moreover, the app has a method to self-diagnose, results appearing from which would be unreliable.
Only a fourth of the Indian population owns a phone, considerably affecting the effectiveness of the app. In situations where one would come in proximity of an infected person albeit, separated by a wall or a car, the app would be left wanting inaccuracy. A Mumbai woman was sent to a quarantine facility on the basis of an alert from Aarogya Setu despite not having symptoms. The woman told The Quint that little to no clarity on the basis of the decision was provided to her.
Structural Issues For Digital Solutions
Policy-based on the technology in India is driven mainly by security concerns. This predisposition rubs off in the public health sector, resulting in technological policies swayed by policing concerns rather than medical ones. This dilemma is rooted in the Epidemic Diseases Act, 1897, as it gives immense discretion to the executive to prevent the spread of diseases. Originally enacted by the British colonial administration to contain the spread of the plague, the act has immortalized the bitter memories of colonial rule by giving extraordinary powers to the executive under a situation of emergency, under the garb of security concerns.
The reliance placed on colonial legislation to organize an effort to curb a pandemic has resulted in an approach completely ignoring privacy and other civil rights considerations. The act changes the stance of the administration from taking a public health approach to a security-based approach placing undue reliance on policing to tackle a pandemic. An approach disconnected from the modern conception of prioritizing civil rights concerns and data privacy issues while framing technology-based policies would only result in governments ignoring these concerns.
This structure has also manifested in the government’s top-down approach while tackling the pandemic. The center plans all policies and releases all the important guidelines to be followed by states who are often overwhelmed owing to the lack of economic and infrastructural resources. Verisk Maplecroft, a British data analysis firm, has predicted Asia holds a high risk of degradation of human rights, importantly the right to privacy and freedom of opinion following the prevalence of mass surveillance measures to tackle Covid-19.
The study revealed that the newfound powers by the South Asian governments with a questionable history of civil rights, will be difficult to relinquish, leading to long-term detriments to civil rights and privacy concerns. Such trends are already being observed in Cambodia, the Philippines, India, Pakistan, and Myanmar, where civil and political rights have taken a downturn. Surveillance has become rampant and journalists are seen being arrested on the charge of spreading ‘fake news’ pertaining to the virus, which usually is news inconsistent with the data provided by the government.
The World Health Organization (WHO), released a report in 2015 analyzing India’s compliance with WHO’s International Health Regulations, the only global regulations on public health that are binding on India. The report observed that India’s approach to tackling a pandemic would fail to mobilize all its wings and resources in an efficient manner. Since policy-making is done at the centre and its implementation is solely the discretion of states, coordination between the centre and the states is left desirable.
The report also clarified that India lacks a strong Standard Operating Procedure (SOP) to dictate the steps taken and the responsibilities ascribed once a pandemic is at large. Five years on, no structural or operational changes have been made to limit the discrepancies pointed out by this report.
Lauren Kirchner, while writing for ProPublica, revealed that there is little to no evidence on the effectiveness of mass surveillance. He pointed out that mass surveillance programs usually fail to deliver the objective they are promised to deliver and are only successful in establishing infrastructure and legislation supporting the indiscriminate collection of personal and sensitive data. After 9/11 in 2001, the Bush administration ran a mass surveillance program through the FBI called Stellar Wind to identify terrorists and potentially confidential information.
Its findings revealed that only 1.2% of the data collected by the FBI was relevant for the purpose. Between 2004 and 2006, none of the leads was relevant. This example strengthens the notion that governments never relinquish an opportunity to conduct mass surveillance programs under the garb of security concerns. Since technology-based legislation in India and other South Asian nations lends itself primarily to security concerns, the objective sought to be achieved from such initiatives remains in contrast with the needs of the public health sector.
Moreover, since legislation in this country lacks provisions to demand transparency and accountability of digital solutions, the indiscriminate and prolonged use of such technologies to surveil subjects would go on even after the need for the same has extinguished.
The government has also made use of hired drones to surveil areas determined as hotspots by the Aarogya Setu app. The government has also confessed to using such drones in North-East Delhi during the Anti-CAA protests and Legislative Assembly Elections in 2020 to maintain ‘law and orders’. Since there are no guidelines and a standard operating procedure dictating the usage of drones for law and order purposes, the government gets a free-hand in determining the extent to which these might be used.
This arbitrariness is compounded by the fact that said drones are hired, making it impossible to hold the entities supplying said drones accountable on the basis of the tenders they have agreed to. The normalization of surveillance and identification facilitates biased surveillance of certain groups based upon the political whim of the ruling party. For example, in the ongoing pandemic, there was an unwarranted and disproportionate focus on surveilling the members of the Tablighi Jamaat, who held a conference in Delhi.
The members were accused of deliberately flouting lockdown rules and intentionally spreading the disease. This resulted in not only discriminate profiling, surveillance motivated by political whim, but also biased reporting by media houses to divert the attention from the poor testing capabilities of the government.
The Lack of Regulation and Overreliance on Technology
Digital solutions can undoubtedly help the public health apparatus to function better by providing it with necessary data, however, over-reliance on technology can never be the solution and it may never replace on-ground efforts to curb the spread of the pandemic. An example could be seen in West Africa, where global positioning systems (GPS), data from call records and cell phone site locations were pioneered as groundbreaking tools to counter the spread of Ebola.
However, over-reliance on the data provided by cell phones by the research proved ineffective as cell phone penetration was limited in the region, leading to skewed and unreliable data. Undoubtedly, Aarogya Setu has faced similar issues, and over-reliance on the data provided by it to formulate policies will only do more harm than good. Digital solutions should only be used to supplement on-ground efforts to curb the pandemic and not to replace them.
The automated system based on algorithms used by Aarogya Setu hosts issues such as non-transparency and arbitrariness resulting in discrimination. Since the government takes decisions based on the findings of the app, which might affect people’s rights, regulations to limit the power of the government to act upon said findings and standards to be followed while taking such actions should be the norm.
Europe has a General Data Protection Regulation and the United States has an Algorithmic Accountability Bill to put in place standards and procedures in case the government wants to use automated and algorithmic data to make policy decisions affecting the rights of the people.
A Rights-Conscious Approach Is the Way Forward
The Personal Data Protection Bill, 2019 pushed for a comprehensive legal framework to push for privacy rights in India. This proposed legislation deals with the collection, storage, and usage of data, also providing for some exceptions in case of public health or medical emergencies. Digital technology for disease-surveillance isn’t a new discussion in India. The National Center for Disease Control has been looking into new solutions since 2007 and the Integrated Health Information Platform was established in 2018.
However, the Covid-19 response of the government of India seems to have ignored these previous discussions which gave priority to privacy concerns. The approach has been to implement a nation-wide contact tracing technology with little to no transparency, accountability, and assurances on how collected data will be used, protected and anonymized.
This approach has limited the procedural requirements for the collusion of public and private entities to devise surveillance technologies. As a result, our sensitive information is not safe from the public as well as numerous other private entities. This call to maximize digital solutions at all costs separates itself from long-term and prudent concerns reflected in the previous discussions on disease-surveillance.
Current disease-surveillance measures have not seemed to have factored in the concerns for data privacy in its plans. Moreover, such solutions are marred by other deficiencies such as minimal cell phone penetration, unreliable data, and facilitation of discriminatory surveillance measures among other things. Our personal information such as whereabouts, medical history photographs, etc. is being shared with impunity among various departments of the government as well as private entities, reflecting the need to devise a procedural and ethical framework to control the invasive spread of such information.
The Supreme Court affirmed the right to privacy to be a fundamental right in 2017. There was an emphasis to be laid down on informational self-determination, which signifies an individual’s right to determine how information personal to them is collected, stored, and used. An extraordinary situation such as this pandemic understandably demands some exceptions to the rule to facilitate greater powers of data collection, however, such decisions should never be divorced from privacy and civil rights concerns. Globally, history is shown that a rights-conscious approach to tackle a pandemic is possible as well as desirable to prevent future detriments to rights.
The Supreme Court is considered the bulwark of justice and the supreme protector of the fundamental rights of citizens. In this light, the Court cannot be allowed to rise above the very idea of justice it seeks to protect. The conception of rule of law dictates that the law is supreme and no individual or institution is immune from what it dictates.
However, the functioning of the Court, especially with regards to contempt laws, proves otherwise. The Court is allowed to take a rather hypocritical stance in terms of dictating what constitutes free speech and what constitutes scandalizing the majesty of the law. This conception is allowed to stand since the Supreme Court is seen as the cradle of justice, meaning it coincides with the very meaning of justice. The Supreme Court should be treated on par with all other government institutions with regards to its standing before law and the ideals of justice.
It cannot be allowed to supersede its authority on the back of it being the very meaning of justice. In other words, the Supreme Court should not be allowed to redefine the meaning of freedom of speech if it considers valid criticism as a slight to the very idea of justice. The idea of justice and the Supreme Court cannot be allowed to coincide. The Supreme Court is an institution engaged in the protection of justice and not justice itself. Hence, in the name of preserving the majesty of law, the Court shouldn’t take liberty in reinterpreting the fundamental rights guaranteed to the citizens of this nation.