COVID-19, data protection, and the consolidation of the Indian surveillance state

India’s contact tracing app, Aarogya Setu (meaning “bridge to health” in Sanskrit), was released on April 2. The app is similar in many ways to other contact tracing apps, but it looked mainly to the model of China: you input data about yourself including your name, age, and travel history; the app enables Bluetooth and GPS to monitor the people you come into contact with; and you are assigned a colour to tell you how at risk you are.

India has a relatively low number of COVID-19 cases per million inhabitants (currently ranked 147th out of 213 regions). However, it still ranks 10th globally for total cases and is the worst affected country in South Asia. Faced with the possibility of a devastating outbreak across the country, many Indians willingly downloaded Aarogya Setu. Following a call from Prime Minister Narendra Modi, 50 million downloaded the app in one day, making it the fastest downloaded app on record. The app currently has over 115 million downloads.

A man marked “safe” by Aarogya Setu. Credit: Prabhat Kumar Verma

Aarogya Setu has quickly become part of everyday life for many Indians. The app is already mandatory for all public and private sector office employees, government employees, and military. There is also talk of requiring a green code to take public transport and enter public spaces.

As with all contact tracing apps, it is likely to produce false negatives occasionally, which could have a disastrous effect on the many in the country who live from hand to mouth. Also, only 36% of people in India have access to the internet, and it is unclear how many of those are through smartphones.

Migrant workers walking back to their hometowns from Mumbai. Credit: Atul Loke

Another concern is data. Data collected by Aarogya Setu is sent to an external government-controlled server. If you are deemed high-risk, your location information is also sent. The app was built in just two weeks, and many questions remain unanswered. The crucial concern is that India still does not have data protection and privacy laws.

Data protection and privacy in India

India has long boasted one of the laxest data protection regimes among the world’s major economies. Data protection is currently governed by the Indian Penal Code, the Information Technology Act 2000, and the Information Technology Rules 2011.

Lax regulation has had positive and negative effects for India. The positive is that India has been a relatively easy market to operate and innovate in. The IT sector in India has an annual growth rate of 7.2% and is expected to reach a valuation of US$1 trillion by 2022. The negative is straightforward – Indians currently have weak data protections and privacy rights.

However, a 2017 Supreme Court ruling found that privacy is a fundamental right. Parliament subsequently set out to design the future trajectory of data protection and privacy in India. The Personal Data Protection (PDP) bill incorporates many elements of the European Union’s General Data Protection Regulation (GDPR), so much so that India feels it can receive adequacy status with the GDPR once the PDP has passed. The bill was expected to have passed by now but is still pending.

One of the core similarities with the GDPR is that companies must obtain explicit permission before collecting personal data. However, there are key differences. One is that the government is allowed to ask companies to provide anonymous user data to help formulate policies and “protect national interests.” Another is that all sensitive data (financials, health, sexual orientation, genetics, transgender status, caste, religion) and critical data (military or “national security” data) must be stored on servers in India. However, perhaps most important is that the PDP will not apply to any agency of the government.

Other requirements, such as new social media verification classifications, have been met with criticism. Some tech companies say that it could end up creating an Indian “splinternet” like China’s. Prashant Mali, president of Mumbai-based Cyber Law Consulting, describes GDPR as a “civil remedy to a civil harm.” In contrast, Mali points out the PDP entails criminal liabilities and potential prison time for company directors (GDPR enforces solely through fines).

A consequence of the PDP could be that it ends up being used by the government as a tool for surveillance. Justice B. N. Srikrishna, who led the committee that first drafted the PDP, said the revised bill now on the table is “dangerous” and could turn India into an “Orwellian State.” Indeed, both exempting the government and giving it the power to seize any data it deems of “national interest” provide the executive with an unusually high level of authority.

The new norm for India?

The cynicism towards the ruling Bharatiya Janata Party (BJP) is not uncommon. Modi has governed India in what critics describe as an increasingly authoritarian manner. Regarding technology, laws have passed allowing increased surveillance, and internet shutdowns have become frequent.

Author Arundhati Roy believes that before the pandemic, “if we were sleepwalking into the surveillance state, now we are panic-running into a super-surveillance state.” Fighting COVID-19 is a war of sorts, and during wars, we willingly give up some liberties to win. But will Aarogya Setu and the upcoming PDP cement a modern Indian surveillance state?

Aarogya Setu’s developers say the app was built with privacy as a “core principle,” but we only have their word to go on. French security researcher Baptiste Robert recently said in a blog post that he was able to modify the app to spoof his location and look anywhere in India for infected users.

Prime Minister Narendra Modi addressing the nation. Credit: Raminder Pal Singh

Last week the government responded to calls to make the app’s source code public, open-sourcing the app and introducing a bug bounty program to improve security. Although this will help patch issues like the one raised by Robert, it does not guarantee the lifespan of this data, nor does it come with any binding assurances that data will not be added to another database or become part of a bigger mechanism of public health surveillance.

Already, some Indian states have published the names, addresses, and dates of birth of everyone who has been abroad or who has been under quarantine. Red stickers have been put on the doors of people under quarantine in Delhi. This flaunting of private information has helped fuel stigma towards the virus, but for the moment, India is celebrating its response to COVID-19. Modi currently has one of the highest approval ratings in the world. Perhaps only after the pandemic will the world’s largest democracy wake up to its newly consolidated data-driven governance.
