Governments around the world are working hard to convince their populations to download the various Covid-19 infection tracing apps. As well as potentially helping to stymie the spread of the virus, the app download numbers serve another purpose: they could be read to indicate how much trust there is in government. With the apps containing potentially sensitive personal data about millions of people, it comes as little surprise that there is growing concern over privacy and how this data will be used, post-pandemic.
In Australia, the COVIDSafe app has been downloaded, according to the most recent figures, almost six million times. That number, while large, falls far short of the government’s desired 40% of the population. It’s an indication that, for all of the recent opinion polls showing high approval ratings for Prime Minister Scott Morrison, there still isn’t much public faith in the government to ring-fence the data.
Conversely, in India, the tracing app Aarogya Setu (“bridge to health”) has been downloaded more than 100 million times and was the seventh most downloaded app worldwide in April (less than TikTok, but more than Netflix). Even in a country of 450 million smartphones, it is significant. Authorities are also releasing a version of the app that works on the next 100 million mobile phones that are internet-enabled. The figures underscore Modi’s ongoing popularity and the public trust in his governance.
— Aarogya Setu (@SetuAarogya) May 12, 2020
Still, there has been significant disquiet over the app’s features, which critics say undermines Indians’ privacy. The great fear is that the Indian government is using the pandemic and the app as cover for scaling up its moves towards becoming a surveillance state. The government announced it was mandatory for all state employees to download it. It has been made compulsory in a number of other settings, including throughout Noida, a satellite city to New Delhi, and for rural migrant workers travelling by train. No other democracy has made it mandatory for citizens to download the app.
Aarogya Setu, like most contact tracing apps, relies on Bluetooth. But it also uses GPS tracking, meaning that that each user’s location is tracked multiple times each day. Critics say this is unnecessary and excessive, and they fear that the app could be used to create permanent government databases with sensitive personal information about Indian citizens.
One of the voices is French ethical hacker Robert Baptiste, going by the moniker Elliott Alderson, who points out that the internal database is easily accessible, meaning anyone can see who is sick anywhere in India. He has called on the government to make the source code public, so independent researchers can fully understand the technology.
Separately, an analysis of the app conducted by French cybersecurity consultancy Defensive Lab Agency found that it has the probable capacity to access other features on the smartphone on which it is installed, such as the microphone, contacts and system settings.
And a comparative review published by MIT Technology Review gave the app two out of five stars, losing points for lacking transparency and not being voluntary. (COVIDSafe rated four out of five stars, with concerns around its lack of transparency.)
To its credit, the Indian government appears to be listening, issuing a rare Twitter rebuttal of Alderson’s claims, yet on Sunday backtracking on the mandatory download conditions, instead strongly urging employees and employers to take it up. While its moves towards a surveillance state have been well-documented, it appears the government has realised that now is perhaps not the best moment to try to exploit the public mood, even though fearful populations are generally happy to cede ground on privacy and liberty in favour of safety.
There is genuine cause for concern, given that India’s moves towards building a surveillance infrastructure did not begin with Aarogya Setu.
While another chief complaint, that of India’s lack of data privacy legislation is also being addressed with a bill awaiting approval in parliament, there is genuine cause for concern, given that India’s moves towards building a surveillance infrastructure did not begin with Aarogya Setu.
Five years ago, the Aadhar number was introduced, a program which gave each citizen a unique 12-digit number that the government said would streamline bureaucracy and ultimately help poor people access welfare. But the Supreme Court in 2018 placed strict limits on the use of the program, in response to growing public concerns over privacy and whether the data was being used correctly.
More recently, the Modi government has been finalising a database tracking “every aspect of the lives of each of India’s 1.2 billion residents”. According to a report in Huffington Post India in March, the so-called National Social Registry would track every time someone moved cities, changed jobs, bought property or even lost a family member. While authorities have claimed that the NSR would “ensure greater administrative convenience by converging resources and efforts”, deep concerns about privacy abound. Opponents say the data collated could be used to target specific communities, and even individuals. And yes, the database (or integrated set of databases) would be based on the Aadhar number, drawing a line between the two.
With this in mind, now is a good time for Indians to remain vigilant: after all, India’s legacy of using emergencies to invoke special powers does have a dark past.