The word privacy basically means “freedom from unauthorized intrusion”; when a person feels something to be private, it means there are sensitivities involved, and that constitutes privacy. As a society, we often get confused when on one side there are people fighting tooth and nail with the government over privacy and on the other side we see people posting an avalanche of personal information, including pictures and personal data, on social media platforms. The simple explanation is that they are either too comfortable doing so, with or without knowledge of privacy and technologies, or do not see this as an intrusion into their private space. Some are also equally selective in their interpretation of privacy depending on the face of the person or organisation where such data is posted. It is this selectivity that has led to the outrage over the Aarogya Setu app introduced by the government to arrest the spread of Covid-19.
Culturally, the West and East have always differed on many things, since most of the Eastern civilizations were far evolved in ancient times and were based on the concept of “collectivism”, where the individual was part of society and co-existence, teamwork, unity, mutual care and a human relations approach were key attributes. Most of the Western models were built on “individualism”, where everything depended on the person, and uniqueness and self-related issues were considered paramount. Both models have their pros and cons and, like everything, a balance is necessary in the modern world. The same holds for privacy, because in times of crisis and disaster, saving human life far outweighs everything else.
The concept of privacy is perceived to be of Western cultural origin, since many Asian societies never had privacy defined and practised like the West, which placed more emphasis on individualism. In ancient civilizations like India, China and many other Asian countries, privacy always existed in some form, but its extent and interpretation differed widely from the way the West looked at it. People believed in the concept of their life being an open book and had a behavioural tendency to interfere in everything by asking all the questions that a Westerner may frown upon and consider a great breach of privacy. In our villages and towns, everyone knew everyone and privacy was limited to certain sensitive personal issues only. This was culturally different, but it also led to collectivism and people helping each other as a society, while in our cities today people do not even know the names or faces of their neighbours.
In the modern world, where everything seems to be moving into the digital online mode, more and more of people’s personal data has come online. Privacy and data protection are spoken of quite commonly, although many do not even understand how they actually translate on the ground, since everyone is in a tearing hurry to consume the fruit and does not bother about where it came from. With an increasing number of people following the Western concept of individualism and privacy, people are slowly becoming aware of the concept of privacy, and privacy warriors are looking at everything with distrust and through the prism of individualism.
Enough has been written on data protection and privacy laws in India by many learned experts, hence I will just summarise things as they stand today without elaborating on these regulations, to avoid duplication. Many countries have come up with “data protection” and privacy regulations and India too is dabbling in the same. Privacy is currently covered through the Information Technology Act, 2000 along with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. In 2017, the right to privacy was held to be a part of our fundamental rights by the Supreme Court in the K.S. Puttaswamy v. Union of India case, which was premised on the principle that “Privacy is the ultimate expression of the sanctity of the individual”. Subsequently, an expert committee headed by Justice Srikrishna was constituted and a report was submitted to the government, after which the Personal Data Protection Bill, 2019 (PDP Bill) was introduced in Parliament and sent to a Joint Parliamentary Committee (JPC). Considering the sensitivity of health care data, the government also proposed the Digital Information Security in Healthcare Act (“DISHA”) in 2018, which aims to establish a health information exchange and to regulate health data and personal information.
In times of peace in a pre-Covid-19 world, it seemed both important and fashionable for many to talk of privacy. It was also a strange paradox that the privacy warriors seemed to trust industry platforms more than governments, although right from birth through all their movements in life, everything depended on government-issued documents and data. Faith in private platforms often fell when such platforms collaborated with governments.
Such positioning and narrative often led to confusion and people began to consider privacy as fashionable, while industry continued its journey to figure out whether the business interests it represents would be covered by regulations or not.
From a layman’s point of view, when one looks at any phone, tablet, laptop or other communication device, there is a bundle of apps working on top of the hardware, all of them free. People not only love them for the ease they bring into their lives but also give them access to many things when they click on “I agree”; that is why many things may come free, and why permissions for access may already have been granted.
Right from your microphone, camera, contacts, pictures and apps, many devices today may be listening, collecting and analysing information to enhance their offering to their customers, thanks to the access already granted, due to which the term privacy may have already shrunk.
Even a few hardware devices have started dabbling with the software layers on the pretext of enhancing the performance of their devices through constant updates. Sometimes these enable them to control their devices and the apps in them, which, imaginatively, may sound murky, but this does not seem to be of concern to many.
It is equally intriguing to see the enthusiasm with which folks on social media took part in a post of unknown origin that made people openly post their pictures with #MeAt20 and #20years recently, or “10 years ago” posts. If one were to build a facial recognition algorithm that depended on age-related characteristics and progression, such focused campaigns help create a free data mine for the facial recognition, artificial intelligence (AI) and analytics tools of companies and surveillance agencies. The biggest driver of the rush to post things on social media is often the image people seek to maintain online to sustain their self-worth; most people think it’s “cool” to post personal stuff, while many are driven by their current psychological state of mind.
Technology companies are often blamed for monetising people’s data, while governments have been blamed for collecting data for surveillance in the name of security, and when a technology company is seen to collaborate with the government it becomes worse. Most people end up sharing everything from their birthdays to their wedding days in a feedback form at a restaurant, and take product surveys where they share all their detailed interests, without being concerned or scared that these could be used to target them, since much of their personal data is used for authorisation in different places. Personally identifiable information that includes your name, address, email, mobile number, date of birth and other information relating to your family members, employment and education can provide attackers with enough information to conduct identity theft and potentially compromise online accounts that rely on security questions being answered correctly. Even advertisers may serve themselves from this readymade platter.
The world is innovating and moving ahead quickly and, in the process, becoming increasingly difficult for governments to administer. So what do governments do to safeguard national security or figure out whom to reach out to, when and how? Simple: they depend on a surveillance backbone which combines intelligence and information. Since it is common for adversaries to resort to attacks that may be physical, financial or cyber and may involve human lives, it becomes critical for governments to acquire information that depends on human intelligence (HUMINT), signals intelligence (SIGINT), imagery intelligence (IMINT), measurement and signatures intelligence (MASINT) and open-source intelligence (OSINT). A combination of all of these leads to the creation of a surveillance system that becomes an essential part of any government.
Almost all governments around the world have implemented mass surveillance programs that have been in place since the 1960s and have evolved over time to encompass modern-day communication mediums. The list of such surveillance programs is endless and names have changed over time, starting from ECHELON, INDECT, SIS, Golden Shield, IJOP, Carnivore, Project6, MUSCULAR, MYSTIC, ROOM641A, X-Keyscore, ONYX, BULLRUN, NDNAD, SORM, FRENCHELON, MTI, PRISM and so on (I would request readers to search online). In democracies, mass surveillance was resorted to by many countries citing the need to counter terrorism, reduce crime, promote national security and prevent social unrest, while dictatorships and autocratic regimes were blamed for using it to violate privacy and civil and political freedom.
In the course of time, countries globally have moved beyond the basic objective of security alone, as surveillance not only helped boost their economies through the advance intel gathered but also helped them further their quests towards global dominance in business and trade. It leaves a bitter scenario where countries which do not have these in place may be left out of the global security and business race altogether. Hence privacy warriors and interests that constantly pull them down end up benefiting competing countries in the process. The onus, therefore, is equally on regulators to bring in acceptable regulations that have well built-in mechanisms for addressing privacy concerns while balancing national needs.
There is nothing wrong with governments engaging in surveillance so long as the intent is to protect their country and their citizens while civil freedom continues to exist. As terrorism tries to push its agenda of reducing the freedom enjoyed by citizens, governments are forced to protect their citizens by cutting down people’s freedom to ensure security. The freedom to move is curtailed through the multiple security checks people need to undergo these days, and the same is now translating into the digital world, where surveillance has become a necessity at times to ensure safety. When a crime occurs today, including a financial crime or a cybercrime, people expect miracles from law enforcement agencies to catch the culprits, which is possible only when some form of surveillance exists; else we will continue to have devastated victims of fraud hoping for a miracle. In most cases of financial cyber fraud on Indian citizens, governments do not even get access to data, as most companies are incorporated outside, existing legal frameworks are long and arduous, and traceability of data is not forthcoming from many platforms.
With all such work happening around data, Covid-19 made its appearance and has put governments, people and privacy warriors in a spot. No one can deny the fact that in times like these, raising privacy concerns and stalling governments from using information for saving lives is morally indefensible. During a pandemic when so many lives are at stake, surveillance, tracking and isolation have been the way many countries have effectively managed to control the spread and prevent deaths. Before the pandemic, people were raising alarms on how surveillance is harmful, and now people expect governments to enhance surveillance to save lives; hence privacy laws need to respond situationally as well, for when the veil can be taken off.
As countries and companies focus on tracking and tracing to fight the pandemic, privacy can be considered a casualty, but it depends on people whether they still place privacy over life. Fortunately, technologies are evolving today where mass surveillance is possible through contact-tracing systems that notify potentially exposed users without handing over personal data.
Facial recognition based surveillance has been widely deployed in China and, according to various estimates, the facial recognition cameras deployed in China currently number around 630mn. These have now been deployed with colour coding models to track people and guide them appropriately in their day-to-day activities and containment zone restrictions for Covid-19. Hong Kong mandates the use of an electronic wristband, accompanied by a smartphone app, in an effort to enforce self-quarantine measures. Other countries such as Singapore and South Korea have all deployed contact tracing as a means to track.
During a pandemic, surveillance, tracking and isolation are but a natural necessity, unless people, including the government, find some other divine or extra-terrestrial means of getting information and have superhero eyes for scanning who is infected and who is not.
The government of India launched its own contact tracing app called Aarogya Setu. Interestingly this app was not built by the government but was evolved through a collaborative process where volunteers from industry, academia and government built it. Many industry experts, volunteers, engineers from companies like MakeMyTrip etc. were involved in the collective creation of this app.
The app uses GPS and Bluetooth to alert a user if they have come in contact with a COVID-19 positive patient. The Aarogya Setu app tracks the movement of the user through their smartphone and reports on the proximity to other users that have also downloaded the app. The app uses the permission to access a smartphone’s GPS/Bluetooth to generate a status report about the phone’s user and its proximity to other users. States like Kerala and Karnataka have their own versions used for different purposes. While the Kerala app aims to track the location of individuals who are being told to self-quarantine for 14 days, the Karnataka one expects the quarantined individual to take a “selfie” every hour, giving a real-time status report. A few states have also used a combination of geofencing and facial recognition for quarantined individuals.
The app, which has been developed by the government in collaboration with the private sector, seems to have taken care of the basic necessities that may raise privacy concerns. The app disassociates itself from the user in the initial stages: all personally identifiable information is securely uploaded onto a server, which issues a DiD (Device ID number) that is unique and randomly generated. This DiD becomes the basic identifier for all further interactions. When a user comes in contact with another, this DiD is sent to the other device, but not the name and phone number. Aspects such as the probability of infection are calculated by uploading this DiD to the server along with one’s contact history. Only when one gets tested does the DiD get reconnected to the personal information. The data retention policies are stringent and any data is wiped out after 30 days, if stored in a central database after 45 days and for those tested positive after 60 days. The app policy further reads that the data of users will not be shared with any third-party apps; however, the data may be retrieved for necessary medical and administrative intervention. The stored data is anonymised and is used to generate necessary visualisations.
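The DiD flow described above can be made concrete with a small model. This is an added illustration, not Aarogya Setu's code: the `Registry` and `Phone` classes and their methods are hypothetical, the sample users are constructed, and the three retention windows follow one reading of the policy sentence (30 days on the phone, 45 days on the central database, 60 days for users who tested positive).

```python
import secrets
from datetime import datetime, timedelta

# Retention windows, as this example reads the policy sentence above (assumption)
RETAIN_DEVICE = timedelta(days=30)    # contact log kept on the phone
RETAIN_SERVER = timedelta(days=45)    # contact data uploaded to the central database
RETAIN_POSITIVE = timedelta(days=60)  # uploads from users who tested positive

class Registry:
    """Hypothetical central server: stores PII once, hands back a random DiD."""
    def __init__(self):
        self._pii = {}         # DiD -> (name, phone); the only place the link exists
        self.positive = set()  # DiDs re-linked to a person after a positive test
        self.uploads = []      # (uploader DiD, seen DiD, timestamp)

    def register(self, name, phone):
        did = secrets.token_hex(16)  # random, so it reveals nothing about name/phone
        self._pii[did] = (name, phone)
        return did

    def upload(self, did, contacts):
        self.uploads += [(did, seen, ts) for seen, ts in contacts]

    def report_positive(self, did):
        # The one path that reconnects a DiD to personal information
        self.positive.add(did)
        return self._pii[did]

    def exposed(self, did):
        """DiDs that shared a logged contact with `did`; still no names."""
        pairs = {(u, s) for u, s, _ in self.uploads}
        return {s for u, s in pairs if u == did} | {u for u, s in pairs if s == did}

    def purge(self, now):
        def keep(uploader, ts):
            limit = RETAIN_POSITIVE if uploader in self.positive else RETAIN_SERVER
            return now - ts <= limit
        self.uploads = [u for u in self.uploads if keep(u[0], u[2])]

class Phone:
    def __init__(self, did):
        self.did = did
        self.contacts = []  # (other DiD, timestamp) only

    def meet(self, other, when):
        # Bluetooth exchange: each side records the other's DiD, nothing else
        self.contacts.append((other.did, when))
        other.contacts.append((self.did, when))

    def purge(self, now):
        self.contacts = [c for c in self.contacts if now - c[1] <= RETAIN_DEVICE]

if __name__ == "__main__":
    srv, t0 = Registry(), datetime(2020, 5, 1)  # constructed sample data
    a = Phone(srv.register("Constructed A", "0000000001"))
    b = Phone(srv.register("Constructed B", "0000000002"))
    a.meet(b, t0)
    srv.upload(a.did, a.contacts)
    print(srv.report_positive(a.did), srv.exposed(a.did) == {b.did})
```

Because the server keeps the DiD-to-person map, the privacy of the scheme rests on who can call the re-linking path and on the purge actually running.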
Aarogya Setu’s USP is that it can act as an early warning system if you have come in touch with, or have been in close proximity to, someone who has tested positive for COVID-19. When we step out for pharmacies and groceries, we might come in touch with someone who is not aware of being positive. The app is then helpful in tracking such instances, as Bluetooth pinging and location monitoring help to arrive at this result. Collective information helps to drill down to the district level. The app will be most useful in contact tracing, and when the lockdown is lifted partially or entirely, this will be even more impactful. The data is being used by the government only with the express purpose of medical interventions. The app can be deleted at will and once Covid-19 ends the app would be deleted. The fundamental purpose is to save lives. While the app is simple and has been hugely popular, it continues to be treated with cynicism by privacy warriors.
While pandemics like Covid-19 are disruptive, governments need to consciously focus their abilities to control them effectively. Contact tracing has been recognized as one of the ways of improving situational awareness to manage this crisis. The Aarogya Setu app, like all contact tracing technologies, is people dependent and needs to be more participative to deliver the results aimed for. The more people participate, the more effective it will be, and vice versa; hence it is shortly being extended to feature phones as well, apart from smartphones.
I personally support and respect privacy, but we live in a real world and a democratic nation and elect a government. We expect the government to protect us and keep the nation safe, whether from frauds, attacks, disasters or pandemics, which it cannot do without the power of traceability. Putting ourselves in the seat of government is the best way to figure out what works and what does not in administering such a country. Hence it is common sense that in such cases surveillance is a necessary tool to complement safety efforts. A nation of 1.3bn with a dense population like ours is an administrative nightmare. It cannot be safeguarded unless those entrusted with its running get to know “who exists where, when required”; else we will have chaos. Hence, while data protection is important, no law can be perfect in this emerging area, where technology evolution will always be ahead of regulation and the human mind will continue to use and misuse. Regulators and technologists will need to continue to evolve to figure out that unique way which will meet each side’s security and privacy requirements satisfactorily, if not completely. Till then it is important for each side to respect the other’s views and limitations in this journey of privacy and work in a collective manner for the nation, besides safeguarding privacy where necessary. Government, industry and privacy warriors need to join hands to ensure a policy that makes information requests legitimate, with necessary access to metadata frameworks and with triggers to access data well defined under law, and find solutions instead of firing cynicisms.