Earlier this month, the Karnataka government came up with the idea of digitally surveilling home-quarantined people.
They were asked to send a selfie every hour between 7 am and 10 pm. This was to be used to verify their location, with help from the metadata in the image.
Privacy activists say the instruction imposed a sleep schedule — not everyone keeps those hours.
And it was odd and impractical to expect people, many with influenza-like symptoms, to send a selfie every hour. Verifiability and accuracy of the data were also in question.
The selfies were to be uploaded through an app called Quarantine Watch, developed by the Karnataka government. Oddly, the app does not specify a privacy policy.
Quarantine Watch has been bombed with one-star reviews from users, especially those asked to send hourly selfies even past their 14-day quarantine period. Many who wanted to comply found it difficult to upload their pictures.
The government’s monitoring idea failed, but concerns are being expressed about other apps it promotes to control the pandemic.
Aarogya Setu privacy
The privacy policy of Aarogya Setu, endorsed by Prime Minister Modi, says the location data is collected on your mobile device every 15 minutes.
It asks for device location, name, phone number, age, sex, profession, travel history, and whether or not you are a smoker. There is also the continuous collection of location data through GPS and Bluetooth.
Activists say there is no clear indication of which ministries will have access to this data. The ministry of health seemingly plays a limited role, they observe.
The information is uploaded to a server along with a unique digital ID only if the user tests positive for the virus, or self-declared symptoms suggest Covid-19 infection, or if the result of self-assessment is ‘yellow’ or ‘orange’. Data is encrypted and purged every 30 days from your device, and every 45 days from the server for those who don’t test positive, and 60 days after an affected individual is cured.
While the information is purged, it doesn’t state when the collection of information will stop. A clause states that the personal information may be retained for as long as your account remains in existence and for a period thereafter required under a law that is in force at that time.
The vagueness of this clause raises concerns regarding a lack of a clear timeline of information retention.
Tracing contacts
A working paper by the Internet Freedom Foundation says many ‘contact tracing’ technologies have the potential to be used as tools of mass surveillance. It also notes that there is no scheme to audit the government’s practices and ensure deletion of personal data. The lack of a sunset clause, i.e a date on which the surveillance will end, is also called in question.
“The biggest problem has always been the lack of a legal framework. In such a system you’ll have arbitrary actions that are taken and this is what is happening,” explains Apar Gupta, executive director of the Internet Freedom Foundation, an advocacy NGO based in Delhi.
Address disclosure
Apart from this, various state governments have released contact-tracing apps that bring up similar privacy concerns. Karnataka’s Corona Watch, only available on Play Store, has been flagged as a privacy violator.
It allows the public to view the location of home-quarantined persons, report violators of quarantine rules, and trace the movement of persons affected by the virus in their vicinity.
Mira Swaminath, policy officer at The Centre for Internet and Society, Bengaluru, says that the privacy policy of these apps should contain a ‘withdrawal of consent’ clause.
“The problem with the clause is that the process to withdraw consent is usually tedious in nature and so people don’t really easily opt for it,” she explains.
Metrolife reached out to S Suresh Kumar, minister in-charge of Covid-19 response for Karnataka, but he did not respond to calls or messages.
Deccan Herald is on WhatsApp Channels| Join now for Breaking News & Editor's Picks