Coronavirus: Surge in health surveillance apps in India, concern among privacy advocates

India has seen an increase in surveillance to contain the spread of the coronavirus.
India has seen an increase in surveillance to contain the spread of the coronavirus.PHOTO: AFP

BANGALORE - When 59-year-old Jayalakshmi returned from the United States to Kochi, in the southern state of Kerala, on March 19, health officials at the airport asked her to quarantine herself at home for 14 days. They also asked her to download an app called MaaS360, which would track her location.

"My husband went to his mother's house, and I had the whole house to myself, but the app seemed to alert the police if so much as I left my bedroom to go to the kitchen. They would call me to ask if I had violated quarantine," said Ms Jayalakshmi.

Like many other countries, India has seen an increase in surveillance to contain the spread of the coronavirus.

The police earlier checked quarantine compliance by making home visits and phone calls. But as resources are stretched, they are trying to ensure compliance with remote location tracking or "geofencing".

Both the federal and state governments are increasingly using mobile phone applications, broadly of two kinds: quarantine enforcement and contact tracing.

In many states, those under quarantine are now required to download mobile apps that transmit information about their location to the authorities. Those found violating their quarantine could face imprisonment and fines.

The southern state of Kerala was one of the first states to adopt this approach, using applications that tracked users' locations using data from mobile cell towers and GPS co-ordinates. A senior policeman said that after some internal concerns were raised about "the privacy of patient data" in IBM's MaaS360, which Ms Jayalakshmi used, the Kerala police's Cyberdome, a group of volunteer programmers and engineers, developed their own Geofence app.

"If someone leaves their house with their phone, the police control room is alerted. We have registered over 40 cases against people for violating their quarantine," said Mr Manoj Abraham, the Additional Director of Police in Kerala.

But another senior policeman, who spoke on condition of anonymity , said the app was not fool-proof because it tracked the phone, not the person.

The neighbouring state of Karnataka is more exacting. Their "Quarantine Watch" app requires a person under quarantine to click a selfie every hour from 7am to 9pm. The authorities then verify the location and time the photograph was taken. Violators face the threat of being placed in government mass quarantine.

In some districts in Tamil Nadu state, the police rely on a geofencing and facial recognition app called "CoBuddy" that asks quarantined people at random times during the day to identify themselves using their faces. This way, the police say, people cannot evade tracking by leaving their phones at home.

 
 
 

The Indian government is reported to be testing a geofencing application of its own which triggers e-mails and SMS alerts to the authorities if a quarantined person strays from home.

Officials have also begun to use technology for contact tracing. Until now, they relied on interviews to identify people who had been in touch with someone infected with Covid-19, the disease caused by the coronavirus.

On April 2, the Indian central government launched the "AarogyaSetu" ("health bridge") smartphone app, inspired by Singapore's TraceTogether app. Both apps use Bluetooth technology to identify people who have been in close proximity with each other.

TraceTogether's code is now open source and developers can find out more about its source code, the BlueTrace protocol, on tech.gov.sg.

AarogyaSetu asks for the user's mobile number and location data (via GPS and Bluetooth access permission).

It also has a self-assessment tool. The user is asked to answer some questions, and if he or she shows symptoms of Covid-19, the data is sent to the health ministry, which uses the recorded contact history to notify people who have been in touch with them.

The Ministry of Electronics and IT said that AarogyaSetu's design is "privacy-first" and its use was voluntary.

Mr Rahul Matthan, who consulted with the government on privacy features of AarogyaSetu, wrote in The Mint that the app assigns each phone a device ID, which "disassociates you from your personal data early on".

"It is only when your risk of infection is so high that the government needs to tell you to get tested that the (ID) is reconnected to your personal information," said Mr Matthan.

The location and contact history stays on the device, but if infected, the person's data is sent to the cloud. The data on the app and the cloud, he said, is deleted every 30 days.

Ms Rohini Lakshane, a technologist and public policy researcher, however, said, "The public claims about AarogyaSetu's privacy features are not verifiable because the source code is not open and the privacy policy is quite non-committal."

India does not yet have a data protection law, despite the Supreme Court recognising privacy as a fundamental right in 2017. Ms Lakshane said that this leaves Indians without legal recourse in the case of any leaks or misuse of personal data.

 
 
 

Karnataka and Telangana states recently made public the names, addresses and contact details of everyone under quarantine.

People's Health Movement, a group working for equitable health access in India, said several people on the list complained of harassment, public shaming, and in some cases, eviction.

The group wrote to the Indian health minister that such a "breach of confidentiality" would "drive the disease underground" and deter people from reporting their illnesses.