Aditi Mozika

Manish Soni

June 12th, 2020

Privacy in a Pandemic: A Comparison between the Contact Tracing Applications of India and the United Kingdom

1 comment | 32 shares

Estimated reading time: 10 minutes

Aditi Mozika

Manish Soni

June 12th, 2020

Privacy in a Pandemic: A Comparison between the Contact Tracing Applications of India and the United Kingdom

1 comment | 32 shares

Estimated reading time: 10 minutes

The use of technology serves as one of the most effective tools in combating a pandemic owing to its accessibility and pervasiveness. Several governments have launched smart-phone based applications to trace coronavirus-infected and susceptible persons with a view to containing the spread of the disease. The use of this technology has yielded positive results in several countries, including China, South Korea, Taiwan, and Singapore. However, although these measures deserve recognition for their role in monitoring the pandemic, they pose a grave threat to the right to privacy. This is because most of these applications store users’ data in central servers, making them susceptible to governmental abuse.

The Right to Privacy

The right to privacy is recognised as a fundamental human right under Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights and in many other international and regional treaties. To keep these rights relevant in the internet age the UN expanded the mandate of article 12 to ensure digital privacy via United Nations General Assembly resolution 68/167 which compels states to ‘respect and protect the right to privacy, including in the context of digital communication’ by ‘review[ing] their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection’.

In the United Kingdom, human rights are protected under the Human Rights Act, 1988. The Act upholds the European Convention on Human Rights which, under Article 8, gives recognition to the right to respect of private and family life. In India, the Supreme Court in Justice K. S. Puttaswamy (Retd.) v. Union of India has recognised the right to privacy as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution.

The Technology

Contact tracing is a measure that enables the tracing of persons who are confirmed or suspected to have been infected by Covid-19, thereby reducing the transmission of the outbreak. Both India and the UK have deployed contract tracing applications to assist their governments in monitoring public health. In India, a GPS and Bluetooth technology-based application called Aarogya Setu was launched in April and has been in the news for various privacy concerns. The UK’s NHS Covid-19 App, although still in the testing phase, has also garnered criticism for similar reasons.

Transparency

An important distinction between the two applications is the transparency that the two governments have shown. Although the Indian Government has a policy on the adoption of open source software, Aarogya Setu’s code has not been disclosed. On the other hand, the NHS application is open sourced. Making the source code available enhances transparency and also improves security by enabling the software community to examine the code and fix vulnerabilities, if any.

The users of Aarogya Setu also cannot give informed consent while registering for the application as its ‘Terms of Use’ is accessible only after registration is completed. Furthermore, the government has made the use of the application mandatory for several classes of people. In fact, in some parts of India, non-installation of the application has been made a punishable offence, whereas it has been indicated that the use of the NHS application will be completely voluntary.

Privacy

Both countries use static ID to anonymise the data collected. Concerns have been raised that because there is only a single layer of protection in these systems, they are more vulnerable to de-anonymisation. The Privacy Policy of Aarogya Setu is silent on this aspect of data processing, and in the UK, it has been reported that ministers will be given powers to de-anonymise the data. By contrast, Singapore’s TraceTogether application uses dynamic ID which, by adding an additional layer of security, works as a more protective technology.

The nature of the data collected by the two applications also differs. Unlike the NHS application which only asks for the first half of a user’s post code, the phone model and information relating to Bluetooth usage, Aarogya Setu collects users’ sensitive personal data such as name, age, travel and medical history, profession and location, all of which is recorded on a central cloud server. Additionally, the information collected by the government from Aarogya Setu “may be shared with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.” Such a vague articulation of the terms of use defeats the objective of purpose limitation and grants unlimited discretion to the government to share their citizens’ personal information. The Indian government may also revise the terms (and has done so) without bringing their actions to the notice of users. The use of the term ‘may’ grants unlimited discretion with regards to usage and sharing of data to the application developer and violates the General Data Protection Regulation. Besides, the limited liability clause of the Terms of Service of Aarogya Setu absolves the Indian government of all liability in case of any harm caused due to inaccurate generation or leakage of information. Similar concerns have been raised with regard to the vague and unclear purpose of the NHS application as it allows retention of data beyond the pandemic for research purposes, potentially allowing such data to be shared with private parties and other government agencies.

Both countries store the collected data on a central server. The main risk that a centralised system poses is that by collecting data relating to proximity it enables assimilation of the data to identify sub-groups and social circles. The system developed by Apple and Google, on the other hand, is decentralized and has the data stored on individual devices. It is notable that the UK has also indicated its inclination to shift to a decentralised mechanism of storing data, by adopting this software.

The Approach

The UK government is introducing the NHS Application in a phased manner by testing it in the Isle of Wight before launching it across the country. There have been reports of bugs, multiple notifications and other technical glitches in the application. Further, only forty percent of population of the island has downloaded it. It has been widely speculated that the government will abandon this version of the application and adopt a decentralised model post the trial. This is contrary to India’s approach, where Aarogya Setu was launched across the country without any trial or any adequate data protection mechanism in place. A cautious approach like the one adopted by the UK would have been more preferable for India as well, considering the large population of the country and the lack of any data protection regime. We have already seen instances of hacking of the application, which have exposed the weakness of the application’s security and risked the data of 90 million Indians.

Legal Frameworks

The UK Parliament passed the Data Protection Act in 2018, which complements the European Union’s General Data Protection Regulations and updates the Data Protection Act of 1998. The Act provides for the processing of personal data and establishes the office of the Information Commissioner to promote transparency by public offices and data privacy for individuals.

This is in direct contrast with the obsolete data protection framework in India. Though the Indian Supreme Court has recognised the right to privacy as a fundamental right, there is no robust data protection infrastructure in India. On the directions of the Supreme Court, the government appointed the Justice Srikrishna Committee which pointed out loopholes in the legal framework governing the data protection in India and recommended the enactment of a new data protection law. However, the Indian Parliament is yet to pass the Personal Data Protection Bill of 2019 and in the absence of such a law, crucial data of citizens remains unprotected and vulnerable to misuse. The currently applicable Information and Technology Act, 2000 and the rules framed under it are inadequate to protect sensitive personal data of users.

Furthermore, as data from Aarogya Setu can be used to restrict the fundamental rights of citizens and their access to basic amenities, it becomes a constitutional requirement under Articles 19 and 21 of the Indian Constitution to have a procedure established by law in this regard. However, no such law has been passed to govern the application. Similarly, in the UK, the Joint Committee on Human Rights has recommended that governmental assurances on the protection of privacy must be placed and that a law governing the application must be passed. It has also suggested putting in place an independent oversight mechanism.

Conclusion

Contact tracing applications serve as a desirable and promising tool for the protection of public health. However, governments must gain the trust of their citizens in order for the system to work efficiently. Citizens must be assured that their personal data will not be stored or used beyond the pandemic in line with international human rights law.  Governments must address their concerns by taking proper steps such as enacting primary legislation to govern the application, placing an independent oversight mechanism to ensure transparency, improving the efficacy of the application, and following the principles of data protection such as data minimization and data anonymity.

About the author

Aditi Mozika

Aditi is a fourth year student at Gujarat National Law University, Gandhinagar

Manish Soni

Manish is a fifth year student at Gujarat National Law University, Gandhinagar.

Posted In: Coronavirus | Health | Law | Technology

1 Comments