Data Privacy Issues during COVID-19 (key points from the article “ Invisible Enemy” by Akshit Sangomla for Down To Earth Magazine)

From releasing the names and addresses of COVID-19 patients in the public domain, to using mobile apps that force people to share personal information, the Centre and state governments are blatantly undermining privacy and human dignity during the health crisis. Governments are in fact exploiting an archaic legislation that was enacted even before the invention of the television to carry out mobile surveillance and use artificial intelligence for facial recognition in the current crisis. The Epidemic Diseases Act, 1897, which has remained largely unchanged in the past 123 years, authorizes governments to curtail people’s autonomy, privacy and liberty without even clearly defining the situations under which it can be implemented, observes P S Rakesh, a health consultant, in a 2016 paper published in the Indian Journal of Medical Ethics . The Act, which is silent on ethical and human rights issues, also shields officials from “any suit or other legal proceedings”. The 1897 Act, along with the National Disaster Management Act, 2005, lays the legal foundations for the bold steps the country is taking to fight COVID-19.

The Centre’s much publicised Aarogya Setu mobile application, for example, has a host of privacy concerns including ambiguity over how it will use/share the data. Similarly, state governments are releasing apps and websites without privacy safeguards and they are being used to collect huge amounts of sensitive medical and personal information. The Tamil Nadu Quarantine Monitoring App, through which the state police is monitoring the location of quarantined people, has been released without privacy policy or terms of use. Location data is highly revealing and tracking apps without safeguards can record information that is not necessarily relevant for the fight against Coronavirus and place a country’s entire population under monitoring and surveillance, warns a report by Access Now, a non profit that fights for human rights.

“The wave of surveillance we’re seeing is truly unprecedented, even surpassing how governments across the world responded to 9/11. The laws, powers, and technologies being deployed around the world pose a grave and long-term threat to human freedom,” warns Edin Omanovic, Advocacy Director of Privacy International, which, along with 100 other civil societies, has started a global petition asking governments to ensure that invasive measures introduced during COVID-19 also respect human rights. He adds that while the extraordinary crisis requires extraordinary measures, “it also demands extraordinary protections”.

Countries are going out of the way to carry out surveillance and amass data even though past experiences suggest they seldom help. “The assumption that open and interoperable data will lead to better health response is untested, as is the assumption that mobile network data records measurably improve health system response efforts,” writes Sean Martin McDonald in a research paper that explores the role of data during the Ebola outbreak in west Africa in 2014.

“A pandemic is no excuse to collect extensive and unnecessary data. Access to health data shall be limited to those who need information to conduct treatment, research, and otherwise address the crisis. The information should be stored securely, in a separate database,” says the Access Now report. It adds that most data should be erased after the crisis is over. On the issue of surveillance, the report recommends “detailed in-person contact tracing” rather than use of mobile devices to safeguard privacy and improve accuracy. In case of geo-location tracking, data should be anonymised. The report also calls for strict safeguards against misuse of data by private companies. “When creating applications to respond to a public health crisis, private companies should not be able to monetise data derived from the use of their products. Additionally, there should be clear limitations on secondary uses or further processing of data.”

Most state government apps in India are developed by private companies and many of them are without a privacy policy. The biggest threat, however, is the sheer scale of privacy invasion that COVID-19 can trigger. Several countries have arbitrarily altered laws to gain coercive powers that will continue even after the health crisis is over. The episode might not only normalise the deployment of mass surveillance tools in countries that have so far rejected them, but also lead to the transition from “over the skin” to “under the skin” surveillance, warns author Yuval Noah Harari in an article published in the Financial Times . “Hitherto, when your finger touched the screen of your smartphone and clicked on a link, the government wanted to know what exactly your finger was clicking on. But with coronavirus, the focus of interest shifts. Now the government wants to know the temperature of your finger and the blood-pressure under its skin.”