COVID-19 SPECIAL

Coping with Covid-19: Surge in surveillance apps in India raises concerns over privacy

As the coronavirus cuts a swathe through Asia, The Straits Times bureaus report on how governments, hospitals and the man in the street are rising to the battle. In the last of a multi-part series, India Bureau Chief Nirmala Ganapathy reports on how local communities are helping the poorest and most vulnerable, while India Correspondent Debarshi Dasgupta looks at a city that has become a model in controlling the spread of the virus, and India Correspondent Rohini Mohan examines concerns over surveillance apps.

An advertisement for the Aarogya Setu contact tracing app launched by the Indian central government on April 2. PHOTO: AAROGYA SETU/TWITTER
An advertisement for the Aarogya Setu contact tracing app launched by the Indian central government on April 2. PHOTO: AAROGYA SETU/TWITTER

When 59-year-old Jayalakshmi returned from America to Kochi, in the southern Indian state of Kerala, on March 19, health officials at the airport asked her to quarantine herself at home for 14 days.

They also asked her to download an app, called MaaS360, which would track her location.

"My husband went to his mother's house, and I had the whole house to myself, but the app seemed to alert the police if I so much as left my bedroom to go to the kitchen. They would call me to ask if I had violated quarantine," said Ms Jayalakshmi, who goes by one name.

Like many other countries, India has seen a rise in surveillance to contain the spread of the coronavirus.

The police had earlier checked quarantine compliance by making home visits and phone calls. But with their resources stretched, they are trying to ensure compliance by using remote location tracking or geo-fencing.

Both the federal and state governments are increasingly using mobile phone applications, broadly of two kinds: quarantine enforcement and contact tracing.

In many states, those under quarantine are now required to download mobile apps that transmit information about their location to the authorities. Those found violating their quarantine could face imprisonment and fines.

Kerala was one of the first states to adopt this approach, using apps that tracked users' locations via data from mobile cell towers and GPS coordinates.

A senior policeman said that after some internal concerns were raised about "the privacy of patient data" in IBM's MaaS360, which was sed by Ms Jayalakshmi, the Kerala police's cyberdome, a group of volunteer programmers and engineers, decided to develop their own geo-fence app.

Mr Manoj Abraham, the additional director of police in Kerala, said: "If someone leaves their house with their phone, the police control room is alerted. We have registered over 40 cases against people for violating their quarantine."

But another senior policeman, who spoke on condition of anonymity, said the app was not foolproof because it tracked the phone, not the person.

The neighbouring state of Karnataka is more exacting, however. Its Quarantine Watch app requires a person under quarantine to click a selfie every hour from 7am to 9pm.

The authorities then verify the location and time that the photograph was taken. Violators face the threat of being placed in government mass quarantine.

In some districts in Tamil Nadu, the police rely on a geo-fencing and facial recognition app, called CoBuddy, that asks quarantined people at random times during the day to identify themselves using their faces.

This way, the police say, people cannot evade tracking by leaving their phones at home.

The Indian government is reported to be testing a geo-fencing app of its own which triggers e-mails and SMS alerts to the authorities if a quarantined person strays from home.

Officials have also begun to use technology for contact tracing.

Until now, they had relied on interviews to identify people who had been in touch with someone infected with Covid-19, the disease caused by the coronavirus.

On April 2, the central government launched the Aarogya Setu (health bridge) mobile app, inspired by Singapore's TraceTogether app. Both apps use Bluetooth technology to identify people who have been in close proximity with one other.

TraceTogether's code is now open source and developers can find out more about its source code, the BlueTrace protocol, on tech.gov.sg.

Aarogya Setu asks for the user's mobile number and location data via GPS and Bluetooth. It also has a self-assessment tool.

The user is asked to answer some questions, and if he shows symptoms of Covid-19, the data is sent to the health ministry which then uses the contact history to notify people who have been in touch with him.

 
 

The Ministry of Electronics and IT has said that Aarogya Setu's design is "privacy first" and its use is voluntary.

Mr Rahul Matthan, who consulted with the government on privacy features of Aarogya Setu, wrote in The Mint that the app assigns each phone a device ID, which "disassociates you from your personal data early on".

"It is only when your risk of infection is so high that the government needs to tell you to get tested that the (ID) is reconnected to your personal information," he said.

The location and contact history stay on the device, but if infected, the person's data is sent to the cloud. The data on the app and the cloud is deleted every 30 days, Mr Matthan said.

Ms Rohini Lakshane, a technologist and public policy researcher, said: "The public claims about Aarogya Setu's privacy features are not verifiable because the source code is not open and the privacy policy is quite non-committal."

India does not yet have a data protection law, despite the Supreme Court recognising privacy as a fundamental right in 2017.

Ms Lakshane said that this leaves Indians without legal recourse in the event of any leaks or misuse of personal data.

Karnataka and Telangana recently made public the names, addresses and contact details of everyone under quarantine.

People's Health Movement, a group working for equitable health access in India, said several people on the list have complained of harassment, public shaming and, in some cases, eviction.

The group has written to the Indian health minister to say that such a "breach of confidentiality" would "drive the disease underground" and deter people from reporting their illnesses.

SEE HOME

A version of this article appeared in the print edition of The Straits Times on April 11, 2020, with the headline 'Surge in surveillance apps raises concerns over privacy'. Subscribe