India's Vanishing Privacy - Part 1
May 5, 2020
While COVID-19 continues to create havoc throughout the world with no end in sight, India seems to be sailing smoothly towards an Orwellian State, making good use of the crises to satisfy the government’s agenda to have complete control over its citizens via their data.
As technology has advanced at a breakneck speed the Government of India, keeping up with the times, has adopted various tools, laws and techniques to increase its surveillance capabilities. Private companies too have realised the importance of data and are leaving no stone unturned to collect, dissect and analyse user data to their heart’s content. In these series of posts I’ll connect the dots that are the nails in the coffins of the concept of privacy for Indian citizens despite the Supreme Court declaring it a fundamental right. However, the details of these posts should not come as a surprise since the Government of India does not believe that the citizens have absolute right over their bodies.
Part 1: The Aarogya Setu App
Contact tracing is one of the most important tool in the arsenal of tools available to suppress the spread of COVID-19. Owing to its high R0 and ability to remain undetected for days, contact tracing is essential.
It took little while for tech companies and governments to start working on a solution to automate contact tracing using mobile phones. Google and Apple have made an alliance to bake the feature into their respective operating Systems. Consortiums, like DP-3T, have been set up and protocols like PEPP-PT have been established. There is still lots of back and forth and controversies surrounding the use of such intrusive tech to contact trace; as it should be.
As of now 10 countries seem to have contact tracing apps available for download. Aarogya Setu is India’s answer.
Unlike most other tech being used/proposed in other countries, I could not find any white paper which could highlight the exact technology behind the Aarogya Setu. The app is not open sourced and worse is that it is made under a private-public partnership (PPP) with MakeMyTrip (MMT) and National Informatics Centre (NIC). How did this come to happen is also not clear - I could not find any information on how they landed with the responsibility to develop the app. What is even more worrying is that the single largest shareholder in MMT is a Chinese company called CTrip with 49% stake in the company. A PPP is a risky proposition when it comes to security and privacy of the country and its people but good policies around such partnership can minimise the risk. Unfortunately, that too seems to be missing according to the Internet Freedom Foundation (IFF).
IFF has come up with a detailed report on the impact of the app on our privacy and the conclusion is not good. Here is their summary of the report but I recommend going through the whole post-
“In today’s speech announcing the extension of India’s national lockdown till 3rd May, 2020 the country’s Prime Minister requested citizens to download the Aarogya Setu application. Unfortunately, the application remains a privacy minefield and it does not adhere to principles of minimisation, strict purpose limitation, transparency and accountability. IFF’s Working Paper, analyses the application, highlights how it is inconsistent with the right to privacy, is conceivably a risk toward a permanent system of mass surveillance, and suggests clear recommendations to arrest these risks.”
If all this was not fear inducing there is more — the government has now made the app mandatory for every private and public employee in the country to have the app installed. The app is no longer an option for majority of the people in the country. It will be our companion for the foreseeable future. Further, there are also reports that the app may become an integral part of any mobile phone that’ll be sold in the country post lockdown. It’ll reportedly be pre-installed and setting it up will be part of the phone’s setup process.
At this point we should go back to IFF’s report which states “IFF’s Working Paper, analyses the application, highlights how it is inconsistent with the right to privacy, is conceivably a risk toward a permanent system of mass surveillance, and suggests clear recommendations to arrest these risks.” In less than a months time the prediction seems to be taking shape as reality.
What should have been done was engagement with academics, ethical philosophers, and various representatives of the people. What happened was an opaque partnership between a private company and the government with complete absence of any form of dialogue and the app being forced on the people.
Given the track record our governments through the years, it would be naive to believe that this app is temporary. Expect it to evolve, transform and gain more capabilities with time.
Various contact tracing approaches that have been made public:
IFF’s work wrt current situation:
(i) https://internetfreedom.in/45-organizations-and-105-prominent-individuals-push-back-against-the-coercion-of-aarogya-setu/ (ii) https://internetfreedom.in/workers-privacy-during-covid-19/ (iii) https://internetfreedom.in/legal-notice-to-becil-for-its-tender-to-procure-employee-tracking-smartwatches-and-a-mass-surveillance-system/ (iv) https://internetfreedom.in/a-comprehensive-look-at-covid-surveillance-and-privacy-in-india/