As covid-19 cases rise, states are scrambling to make public health apps. What about privacy?
The adoption of tech tools will only grow as the virus spreads. It is important to know what the apps can do, what they can’t, and where we are headed when it comes to individual privacy
NEW DELHI :
In mid-March, at least two government teams in different parts of the country started ideating on how they could use digital technology to fight the fast-spreading pandemic. They reviewed international examples. Consulted experts. Got collaborators.
One of those efforts morphed into the central government’s Aarogya Setu project. The other team’s idea turned into the Mahakavach app, which the Maharashtra government has started using to monitor home-quarantined individuals. While the stated objective of both these public health apps is to tackle covid-19, they arrived at radically different solutions, with different interpretations of privacy and consent. In the weeks ahead, those differences are going to increasingly matter.
Over the past three weeks, 11 of the 17 apps that Indian public authorities have launched to fight covid-19 have the same goal: quarantine tracking. Some governments are using traditional mass surveillance tools for the same goal. Delhi police, for instance, ordered quarantine monitoring using mobile phone tracking (which is often used in criminal investigations). Kerala and Pune have deployed drones. The list continues.
But none of these come close to the scale and ambition of the central government’s flagship app, Aarogya Setu. The app can alert users if they come in close contact with a covid-19 positive person, at least in theory.
Everyone is hoping that technology will serve as a catalyst and help curb the spread of the novel coronavirus. But these efforts have already begun to raise complicated questions about civil liberties and individual privacy.
Privacy should never take a backseat, said Ramesh Raskar, an associate professor at MIT Media Lab, who led the team that built Safe Paths, a privacy-preserving digital contact-tracing app. “It is not only an issue of an individual’s right. Any data breach can turn it into an issue of national security. If the details of the physical social graph of key individuals (say, nuclear scientists or air force pilots) get leaked, it can be misused,” he explained.
Most of the tools have been rapidly developed in the last three weeks and their adoption will only grow as the virus spreads further. It is important to know what the apps can do, what they can’t, and where we are headed.
Digital contact tracing
In the ideal scenario, every citizen should be tested to find out where the virus is residing, isolate all who test positive and ensure no further spread takes place. But mass testing at that scale is not feasible. Public health practitioners, hence, rely on filtering mechanisms to decide whom to test. That is why contact tracing is a critical part of disease control.
So far, India has largely relied on manual tracing. Officials talk to the diagnosed patients to trace their life events in preceding weeks to identify individuals to test. But the process has its limitations: it relies on human memory, takes time and requires trained human resources.
Enter the race for a digital contact tracing option over the past few weeks. If implemented well, it’s more accurate, fast and low-cost. That is the premise that led to the development of Aarogya Setu.
On 20 March, Singapore launched TraceTogether, its own Bluetooth-based digital tracing app. “That gave international validation to our idea,” said Arnab Kumar, Program Director, NITI Aayog and member of the Aarogya Setu team. With the go-ahead from the top, the team—which included private sector partners and over 50 engineers, designers and product managers—started coding.
Unlike TraceTogether, Aarogya Setu uses Global Positioning System (GPS) in addition to Bluetooth for contact tracing.
Here is why. Public health practitioners want the list of people who come in “close contact” with the infected patient. So while GPS can identify people, say, in the same building, Bluetooth signal strengths can tell more precisely who was closer to the infected patient (accurate to around 1-2 metres) and for how long. Bluetooth has its own limitations, though. It can’t identify geographical hotspots of disease transmission, which location data can do. The central government wanted both capabilities, which led to the current design.
The list of infected patients comes from testing labs—not self-reporting by patients.
“We built this in two weeks,” Kumar said. “We want this app to be the one-stop-shop for all covid related tech. Tomorrow, say, we have to integrate telemedicine, or schedule testing, or predict and find out where the disease could travel, this app could be developed to serve as the solution,” Kumar said. “In that sense, we have just seeded the first version of building a digital health stack for the country.”
Several organizations came forward to support the initiative. Apple generally takes a week to upload the app on the App Store. Aarogya Setu was approved in three hours. Google Play did it in an hour. The app is prominently promoted on Paytm’s app. Gaana sent notifications to its users. HDFC Bank sent text-message alerts. Schools wrote to kids. Ministers promoted it on Twitter. All with the same message: a request to install the app.
Within a week of its 2 April launch, the app has got over 20 million unique users. But questions about effectiveness and privacy were inevitable.
What percentage of the population, for example, needs to use the app for it to be effective? Estimates vary. A review of multiple studies puts the range at 40-70% of the population. It is difficult for India to reach that scale at a national level as India doesn’t have that level of smartphone penetration.
According to the India Internet 2019 report by IAMAI and Nielsen, 385 million Indians over the age of 12—around 36% of the population—have access to the internet. Smartphone usage is likely to be lower than that figure (there are no official numbers). Moreover, the access is not uniform. There is a wide disparity by geography (51% in urban areas can access the internet but only 27% in rural) and by state (69% in Delhi to 25% in Odisha).
That means, even if every Indian with access to a smartphone instals the app, and keeps their Bluetooth and GPS location on all the time, around two-thirds of Indians will still be left out.
“We are now actively thinking about how to extend the functionality to feature phones which don’t have in-built Bluetooth technology,” Kumar said. Feature phones can be tracked through location data captured through telephone towers, but it is not precise. It also leads into a vortex of privacy concerns.
“The lockdown has bought us some time to think of those solutions and we are figuring out what we can do,” Kumar said.
The practical challenges in ensuring mass adoption of a citizen-facing app are why the Maharashtra government took another route.
Amit Kothawade, who works with Maharashtra State Innovation Society—one of the six organizations that came together to build Mahakavach—said that they studied the apps built in Singapore and South Korea and realized that cultural factors won’t allow those models to succeed in India.
“In Singapore, when you ask people to isolate, they follow it. In India, they don’t,” he said, referring to the incidents where people were found to escape quarantines. “Indians would not be willing to support such initiatives or be open to do so voluntarily.”
People fleeing quarantine—for whatever reason—endangers other people around them and increases the risk of community transmission. That’s the argument governments are using to exert coercive power and engage in intrusive Big Brother-style surveillance.
The Maharashtra app’s design shows the state has minimal trust in its citizens. Every person under home quarantine is required to install the app to help the state administration monitor them effectively. The platform allows home-quarantined individuals to be restricted to a digitally-mapped area—a technique called geo-fencing. They are monitored through their phone’s location data and authorities are alerted in case the phone leaves the boundary. That in itself is not enough, the government believes. What if people leave the phone and roam around? That is why users are required to provide regular updates to authorities via selfie-attendance. Even that is not enough. What if they click and send old photos? So the app software uses facial recognition technologies to detect live images.
For tracing contacts of infected patients, Mahakavach extracts data from a user’s Google Maps Timeline, a feature that stores the entire location history of a user captured by Google’s services, such as on an Android smartphone—and serves as a constant reminder of ubiquitous corporate surveillance. “The user shares the information with consent to help the authorities in tracing contacts,” Kothawade explained.
A pilot of the app is running in Nasik district and the project team is hoping for a state-level scale up soon, Kothawade said.
While the material goal of both Aarogya Setu and Mahakavach is to fight the pandemic, their philosophies could not be more different. Mahakavach is built on a social contract where the state believes that citizens can’t be trusted, while the success of Aarogya Setu is fundamentally dependent on the citizens trusting the state, installing the app and sharing sensitive data. Which way will India go in the weeks ahead?
“Research done by our group and others shows that it is possible to consider privacy-first solutions and still provide nearly all the functionalities,” said Raskar, the MIT Media Lab professor who also served on the core advisory teams of Mahakavach and Aarogya Setu.
The data Aarogya Setu captures—location and the list of every person you came in contact with—is sensitive and a misuse or breach will severely hit individual privacy. Kumar from NITI Aayog says that privacy was central to the app’s design. Location and Bluetooth contact data is stored locally on the phone and uploaded to the central server only if the user comes in contact with a covid-19 patient or in an anonymized and aggregated format for disease monitoring. Data is purged from the phone after 30 days if the user doesn’t come in contact with an identified patient.
“How well the privacy protections will work depends on the competence and intentions of the team that’s running the app for the government,” said Peter Eckersley, an AI ethics and privacy researcher and convener of the “stop-covid.tech” group. One must recognize that apps are being launched in times of a public health emergency, he added. “If you delay the app’s launch by a few weeks, it might save fewer lives. But on the other side, if people don’t trust the app’s privacy protections, it won’t get the large installation rate that it’s going to need.”
One can expect more features as things evolve, NITI Aayog’s Kumar said. “The current version of the app is built keeping in mind what can happen in the next ten days,” he said. “If we go to a stage when it becomes important for us to collect more information, we have to take a call,” he added.
“There’s a lot that could be done in the weeks ahead to upgrade the privacy protections in the app,” Eckersley said. “Make it open-source; let users see the statistical queries being sent to their phones; add a cryptographic lock so that users exposed to covid-19 still get to approve the collection of their personal information,” he added. “Indian citizens should check and insist that those privacy upgrades are being made if the app is gaining widespread adoption.”
The apps are here to stay. How much they help or hinder the broader public health effort would become clear in a matter of just a few weeks.
Samarth Bansal is a freelance journalist based in Delhi. He writes about technology, politics and policy.