This article was published on June 7, 2020 in the Economic Times ET Health: https://bit.ly/3gZDFzf
In the absence of a veritable vaccine for coronavirus, countries around the globe have turned to contact tracing technology to limit the spread of the contagion, help health bodies track individual and subsequent community exposure, and relax lockdown restrictions. There is a deluge of contact tracing mobile apps: in the last two months, around 45 such apps have been launched worldwide in over 25 countries, emphasizing the critical significance of digital contact tracing. Albeit proven to be an effective tool, these apps are engulfed by ample disputes and controversies over violations of privacy guidelines and data protection laws, inviting severe rebuke from activists, privacy advocates and cybersecurity experts.
Mechanism of action
The contact tracing apps require constant access to location history through GPS. The user has to input information such as name, mobile number, age, gender, profession, travel history etc. Bluetooth range serves as a proximity sensor and helps to alert a user to possible contact with another user who is infected. Around 70% of these apps globally work on the centralized model, which effectively means that the location details and the anonymized data collected by the app are channeled into a centrally run database rather than being stored locally on the user’s phone (the latter is known as the decentralized model). This database is most likely controlled by the country’s government or the local health regulatory body, raising serious questions about transparency and the cybersecurity-hygiene principles adopted to stop misuse of this data for any unintended purpose.
Aarogya Setu: Benefits and the Controversy
On April 2nd, India’s official tracing app, Aarogya Setu, was launched with aplomb. Between then and May 29th it recorded 120 million downloads, making it the most downloaded contact tracing app in the world (and the seventh most downloaded app worldwide in April, overtaking Netflix). Available in 12 languages, the app has helped to predict 3000 virus hotspots at a sub-post office level, traced over 500,000 people and alerted over 140,000 Indians of possible infections.
The data that the Aarogya Setu app collects is divided into four categories (demographic, self-assessment, contact and location) and is stored and managed on the government servers. Data is deleted from the government server after a maximum of 60 days, and the information stored on the phone after 30 days. Recently, MIT downgraded the rating of the app (1 star out of 5), citing as the reason that the app does not follow the principle of ‘data minimization’, implying that it collects far more data points from the user than are actually required for contact tracing.
Privacy advocates and cybersecurity experts have raised serious questions about the legal framework and the standard operating procedure around the Aarogya Setu app. It has been alleged that this app breaches the privacy of citizens, as the government can use the app and the data to monitor and control individuals. A popular French ethical hacker flagged security vulnerabilities in the app and apparently leaked on Twitter some information collected from the app. Many experts have also stated that data of millions of Indians, collected through the Aarogya Setu app, could land up in ‘adversarial hands’, resulting in a national security challenge.
Taking a cue from Australia, Israel, Singapore and the UK, the Indian government recently made the app open-source, which opens it to developers, researchers, coders and hackers to find flaws and loopholes in the app. An award of INR 100,000 can be earned by submitting any bug in the app that will help the government to improve it. However, the open-source code of the app only shows how the app interacts with the user, disclosing nothing about what is happening on the server side. This again poses numerous data privacy and security concerns.
What countries are doing
China was amongst the first few countries to launch these apps systematically for its population, and this played a pivotal role in arresting the spread and lifting regional lockdowns in the country. Despite questions being raised about the efficacy of these apps, countries such as Hong Kong, Taiwan and Korea have successfully used mobile app technology to keep a strict eye on the people in quarantine, thereby limiting the outbreak. In Australia and Singapore, users can request that their data stored on government servers be deleted.
The implications of these data security concerns are widespread. A security flaw in Qatar’s coronavirus contact tracing app risked the sensitive personal data of more than one million people before it was fixed. In Poland, the official contact tracing app is at the heart of a debate on privacy and surveillance in which numerous opportunities for abuse have been cited. A number of Gulf countries (Saudi Arabia, UAE, Bahrain) have made the use of the app mandatory, issuing warnings of jail terms for violators, which has led to severe backlash from regulators and activists. The US has no contact tracing plan yet for its citizens, but many of the states have announced their own, in the form of apps working on Bluetooth technology or by simply sending survey questionnaires via text or email to gather information from people to track the infection.
However, amidst the privacy issues encircling the contact tracing apps, many countries are taking appropriate measures. Europe follows one of the sternest privacy regulations in the world. Switzerland has launched the world’s first contact tracing app built on the API platform developed jointly by Google and Apple, which follows a decentralized approach. The UK is also conducting trials to develop a second app based on this Apple-Google API (the UK’s first app is based on the centralized model). Germany, Italy, Austria and Ireland are also contemplating building apps using the Apple-Google API.
Trade-off between public health and individual’s privacy
Mounting apprehensions related to such apps should act as a warning to governments which, in hope of surgical digital precision, are gushing out poorly designed contact tracing apps without a robust supporting legal framework. Citizens and activists within many countries have raised concerns that governments can use this public health crisis for uncalled-for surveillance and violate their fundamental rights. Recent research by experts at Johns Hopkins University suggests that privacy should not outweigh public health goals and other values.
Conversely, this situation can be looked at through a different lens. The world is combating an unprecedented crisis, and these challenging times call for some degree of trade-off between regulations and measures to mitigate the health, economic and humanitarian challenges brought about by the coronavirus pandemic. Over-emphasis on privacy will impact the ability to gather information which is essential for effective contact tracing. Governments, tech organizations and regulatory bodies should collaborate to instil transparency and increase people's trust in the efficacy of the app. Publicly releasing the source code of the contact-tracing apps, as done by India, the UK and other countries, is a first step in that direction. This could go a long way in setting standards for using data to tackle a health crisis.