Rise of tracing apps highlights threats to civil liberties
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
In the early days of the Covid-19 pandemic, authorities in India used everything from door-to-door surveys to indelible ink hand-stamps to track people suspected of being infected.
In April 2020, however, New Delhi launched a more high-tech solution: Aarogya Setu, a Bluetooth-based tracing app that harvests mobile phone records to identify users’ possible exposure to coronavirus.
Meaning “bridge to health” in Sanskrit, Aarogya Setu is one of the world’s most widely used contact-tracing apps, downloaded hundreds of millions of times. For many Indians, it remains a feature of everyday life, mandatory for everything from entering airports to visiting some malls.
Those in government say it has played an important role in India’s Covid-19 response. But critics — particularly civil society and privacy advocates — counter that the app has done little to bolster the response while harvesting vast quantities of Indians’ health and personal data.
India spends about 1 per cent of gross domestic product on public healthcare, compared with 10 per cent in the UK. Technological solutions, such as Aarogya Setu, have therefore been lauded by their by proponents as a way of supplementing the country’s neglected public health infrastructure.
India — a country of 1.4bn people — has officially recorded 35m Covid-19 infections and 500,000 deaths, though experts believe the true figures are higher, with a brutal wave in 2021 overwhelming both testing capacity and hospitals across the country.
But whether tools such as Aarogya Setu have mitigated the damage is hotly contested.
Using GPS data and Bluetooth to determine whether users have been in contact with a person known or suspected to be infected with Covid-19, Aarogya Setu alerts at-risk users and feeds information to authorities. Amitabh Kant, head of the government’s policy think-tank NITI Aayog, last year hailed Aarogya Setu as India’s “curing machine” and “a key tool in our fight against Covid-19”.
Senior government officials say that, while some invasion of privacy may be necessary in a health emergency, the app has robust protections. “Transparency, privacy, and security have been the core design principles of the app since its inception,” Kant said.
Aarogya Setu was developed in conjunction with private-sector tech executives, and the government has made some of its code open source to allow scrutiny of its inner workings.
However, critics say the app sets a dangerous precedent, labelling it as an example of how authorities and companies have rushed to harvest sensitive personal data without valid safeguards, under the umbrella of supposedly combating Covid-19. Also, it is not fully open source, critics note, with only an outdated version of the user-side code available and not the server code that controls the app.
Apar Gupta, executive director of the Internet Freedom Foundation, a New Delhi-based privacy advocacy group, says there is little evidence that Aarogya Setu has aided the battle against Covid-19. The app has repeatedly failed to detect infected nearby persons and has carried the risk of false negatives and positives, according to the IFF’s research into its effectiveness.
As Covid-19 surged in the months after Aarogya Setu was rolled out, the app alone was insufficient to stop the disease spreading, the IFF noted. Its analysts attribute this to a lack of on-the-ground follow-up from health workers.
In 2020, Aarogya Setu had been heavily promoted in authorities’ Covid-19 messaging. But, by 2021, it had been sidelined, and critics interpreted this as an indication of the app’s limited efficacy.
Rather than help counter Covid-19, Gupta suggests that Aarogya Setu has served to enhance the government’s surveillance powers by allowing it to collect enormous quantities of personal and location data on Indian citizens. Authorities show no signs of wanting to relinquish those powers, Gupta adds.
“Extraordinary powers used in times of war, famine or health emergencies have been utilised in the time of Covid,” he says. “What is worrying, is that the restrictions on civil liberties are continuing for an indefinite period.” Aarogya Setu effectively remains mandatory for many activities, even though, according to Gupta, “there is no stated evidence for [its] effectiveness”.
Udbhav Tiwari, a public policy adviser at non-profit internet group Mozilla, says the biggest concern about apps such as Aarogya Setu is the lack of checks and balances on what the Indian government can do with health data, despite a ruling by the Supreme Court in 2017 that Indians held a fundamental right to privacy.
India does not have an overarching law governing the use of data — such as the EU’s General Data Protection Regulation — but a personal data protection bill is waiting to be passed through parliament. Although the draft legislation contains controls on how companies can use sensitive data, it effectively allows government authorities to exempt themselves from curbs on broad grounds such as maintaining public order.
“The case for why [invasive technologies are] justified in a public health emergency can be made, but the framework around the laws and regulations and what can or cannot be done, like a lot of things with privacy in India, is almost non-existent,” Tiwari says. “There is no real law that tells you [what] you can and cannot [do] with the data.”
India’s struggle with contact-tracing apps contrasts with other countries in Asia. In China, for example, authorities have used heavy-handed technological surveillance to control citizens’ movement, without the pretence of respecting civil liberties.
Singapore’s contact-tracing efforts, which include TraceTogether, a Bluetooth-based app, have been praised for their efficacy. Privacy advocates, however, have highlighted concerns about how authorities — including law enforcement agencies — have been able to access data that citizens were promised were collected solely for public-health purposes.
Tiwari says the main difference between India and other Asian countries that have used contact tracing more effectively — such as Taiwan and Japan — is in-person follow-up by health workers to test and monitor patients flagged by the technology.
With some exceptions, most Indian states have lacked teams of trained health workers needed to deploy a comparable on-the-ground response, meaning the app on its own has had limited effectiveness.
When it comes to restricting the spread of Covid-19, Tiwari says that comparatively low-tech solutions, such as the requirement to show a negative PCR test when boarding a flight, have proved the most effective.
But technology has been deployed in India’s Covid-19 response in other ways, too. Qure.ai, a Mumbai-based start-up that uses artificial intelligence to analyse CAT scans and X-rays, adapted its products to detect and measure Covid-linked pneumonia lung infections.
During last year’s wave of Covid-19 in India, when hospital beds were full and resources stretched, Qure.ai also developed chatbots to monitor infected patients quarantining at home. These technologies were used by Indian health authorities, including those in Mumbai, and in other countries such as the UK and Italy.
Prashant Warier, Qure.ai co-founder, praises the Indian authorities, saying they were enthusiastic about bringing tech into their coronavirus response. “We could see how they were eager to adopt new technologies to combat the disease,” he says.
Reshma Suresh, Qure.ai’s head of business operations, acknowledges, however, that India’s privacy “framework is evolving”, adding that awareness and transparency need to improve. “If you go to the US, most patients are aware of how and where their data is used,” she says. “In India, it would be more difficult.”