Weak privacy policies and lack of transparency put citizens' sensitive personal data at risk, say campaigners
By Anuradha Nagaraj
CHENNAI, India, Aug 26 (Thomson Reuters Foundation) - Harinder Kaur was not surprised when people slammed their doors in her face as she walked into neighbourhoods in the northern state of Punjab armed with a smartphone and a long list of health and travel-related questions.
The 28-year-old health worker had been told to go door-to-door in villages in Patiala district and help populate the state's COVID-19 tracing app with "thousands of details" people were unwilling to share, from their digestive health to their mobile numbers.
"People were just hostile," said Kaur, who is one of more than 1 million Accredited Social Health Activists, or ASHA workers, on the frontlines of India's battle to contain the spread of the novel coronavirus.
"We didn't want to download the app, but our concerns were ignored," Kaur said in a phone interview.
"There is so much information the app wants from every individual, including pictures. Many are just scared to give it now and threaten us if we persist."
Considered key tools in stemming the pandemic, the rollout of Punjab's Corona Virus Alert (COVA) app and the dozens of tracing apps being used by different Indian states has been mired in concerns over privacy issues.
According to a new report released this month by Tandem Research, an independent research collective, there are at least 85 tech tools being used to support the public health response in India.
At least half of them are mobile apps, say digital rights campaigners.
Health workers and lawyers say they are worried about the lack of privacy policies in the apps, as well as the use of open-source software and unclear terms on issues like data retention and sharing.
The apps use Bluetooth and GPS on smartphones to evaluate a user's risk of infection based on their location and their medical and travel history.
Many of India's state apps were launched even as the central government brought out its own coronavirus contact-tracing app Aarogya Setu, or "Health Bridge", in early April, which has been downloaded by more than 152 million people, according to the National Informatics Centre.
"While Aarogya Setu has faced significant scrutiny, not much is known about how the state apps work," said Devdutta Mukhopadhyay, a lawyer with New Delhi-based digital rights group Internet Freedom Foundation.
"Many of them do not have a specific privacy policy and there is no transparency about how these apps collect, process, store or share personal data."
The National Informatics Centre, the organisation within the Ministry of Electronics and Information Technology that has been collaborating with many state governments on the development of their apps, did not respond to repeated requests for comment.
However, officials in the states of Punjab, Tamil Nadu and Himachal Pradesh told the Thomson Reuters Foundation that their apps had privacy policies in place and the data collected was secure.
PANDEMIC AND PRIVACY
In late February, Ravi Bhagat and his team were asked to develop an app that would work as an administrative and awareness tool to fight the pandemic.
"We had a deadline of less than a week to come up with something," said Bhagat, CEO of the Punjab government's e-governance cell.
"We studied the South Korea and China models, looked at our requirements, and had it up and running," he added, noting that the app has been downloaded by more than 5 million people.
Down south in Tamil Nadu state, Azhagu Pandia Raja modified a game he had been creating into a coronavirus tracking app for the government within a week of being assigned the job in March.
"It was a challenge for us because it was an emergency and a question of people's health," said Raja, a research fellow with the Chennai city government.
In this race to get the technology up and running, personal data concerns were overlooked, say privacy rights advocates.
A report released in April by the non-profit Software Freedom Law Center has warned about the "excessive collection and processing, and unauthorised sharing of personal data, unbridled surveillance and tracing of people" by state apps.
Looking at the apps' policy documents, the researchers at the New Delhi-based organisation found that many did not have terms of service accessible to users, limiting the governments' liability in case of "misuse of the data collected".
Personal data rules under India's information technology act mandate that all such apps have comprehensive privacy policies, said Prasanth Sugathan, the charity's legal director.
"Privacy policies have to be very specific in apps like these, but many circumvented the law by being vague to just tick the box," he said in emailed comments.
"There are no consent clauses for contact tracing, storage of data (or) the role of private players involved - how can the data be deleted or rectified? These apps are like black holes."
'THE EXTRA MILE'
Both Bhagat and Raja said these worries were unfounded.
"We knew that privacy would be an issue and therefore went the extra mile to make sure the data was secure," Bhagat said.
He explained that Punjab's app holds the data on the users' phones, not on a central server - which could be more easily hacked or leaked - and that anyone with access to the data has to sign a non-disclosure agreement.
"The data will be kept till COVID is (gone) and then deleted," he added.
Officials also told the Thomson Reuters Foundation that the data being collected is very basic and as such does not need separate privacy clauses.
"We are collecting rudimentary information already available on other government portals," said Rajneesh, who goes by one name and heads Himachal Pradesh state's information technology department, which developed the app called Corona Mukt Himachal.
"These apps have been helpful in many ways - from tracking quarantine violators to updating elected representatives down to the village level about cases and aiding health workers."
PETITIONS FILED
In the northern Haryana state, about 20,000 ASHA workers have been on strike since early August, demanding the government provide them with smartphones to download coronavirus tracking apps and incentivise them for the data they collect.
Meanwhile, two petitions have been filed by employers and social activists in Kerala's high court against the central government's order making it mandatory for public and private sector employees returning to work to download the Aarogya Setu app.
Along with privacy concerns, the petitions, both of which have been tagged together and are scheduled for a hearing in September, also question the accuracy and efficiency of the app.
Kaur has been asking herself the same questions lately, as India crossed the 3 million coronavirus cases milestone over the weekend, making it the worst-affected country in Asia, and third behind Brazil and the United States globally.
"I am not sure if using the app helped bring down cases," Kaur said.
"Those who can afford to be safe at home are safe. Others have to step out for work. Besides, cases are increasing everywhere despite all this data being collected."
Related stories:
Privacy debate heats up over India contact tracing app
Under watch: Indian city workers protest digital surveillance
Coronavirus controls increase surveillance 'danger'
(Reporting by Anuradha Nagaraj @AnuraNagaraj; Editing by Jumana Farouky and Zoe Tabary. Please credit the Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers the lives of people around the world who struggle to live freely or fairly. Visit http://news.trust.org)
Our Standards: The Thomson Reuters Trust Principles.
