“A genuine leader is not a searcher for consensus but a molder of consensus”
Martin Luther King, Jr.
There is global consensus that the COVID-19 transmission chain can be interrupted with containment measures. Containment efforts require rapid identification and quarantine of potential carriers or “contacts” who may have contracted the virus through a confirmed patient. Manual tracing requires the patient to jog their memory, recollect, and identify all locations, times, duration and contacts. This process is arduous, ineffective, and inaccurate. This is where “contact tracing” through technology becomes critical. Regardless of whether countries have a codified data-protection and privacy law, most have either launched or are contemplating use of contact tracing applications. They are also keenly analysing various technology frameworks proposed by technology companies and academia for adaptation in COVID-19 tracing applications. While governments are fiercely urging people to use contact tracing technology as an essential tool to contain the virus, there is little or no discussion around its immense potential for invasive surveillance and dilution of users’ privacy.
This post aims to provide an overview of some of the existing tracing tools across the world, with a view to comparatively analysing the Indian government’s Aarogya Setu application, the privacy and data protection implications, and the way forward.
1. What is contact tracing? The World Health Organization (WHO) defines contact tracing as the identification and follow-up of persons who may have contracted a contagious disease from an infected person in order to help the contacts get relevant care and treatment. It comprises 3 basic steps:
- contact identification => identifying everyone who has come in contact with the infected subject;
- contact listing => inform every contact about their status, implications, actions that they must take, and guidelines for care; and
- contact follow-up => follow-up with all contacts to monitor symptoms.
Digital contact tracing tools currently collect and process important pieces of personal information like bluetooth transmission, geo-location, proximity between two devices, cellular ID, mobile data, battery usage, and health data. This information helps in monitoring a person’s movement and social distancing, identifying exposed cases, and implementing preventive care measures. The data transmission chain involves different stakeholders including users of the application, operating system providers (“OS”), network carriers providing internet connectivity, third-party servers that store information, and the government. Quite naturally, there are significant concerns around what, how and why data is being processed, and whether privacy is traded off only to the extent necessary for containment of COVID-19. In a way, there is a thin line between contact tracing and state surveillance.
2. Concerns around contact tracing technology: Privacy advocates have voiced their concerns, and these resonate with the common man. For instance, a joint statement was issued by 100 civil rights and digital policy organizations, emphasizing the need for governments to “respect” human rights while deploying digital surveillance technologies to fight the pandemic. Some of the key concerns are:
- contact tracing could form the basis for expanded and indefinite digital surveillance;
- governments could use disproportionate means for containment needs in complete disregard of fair processing principles, such as data minimization and limited data retention;
- there is lack of data processing transparency and accountability, which will diminish the chances of any future challenge to state action; for example, many countries claim that anonymous data is being processed, but there is no evidence to substantiate the same;
- there is increased possibility of “function creep” i.e., where information is collected for one purpose, but used otherwise, without any basis; for example, COVID-19 contact trace information although primarily collected for containment can end up being used for future commercial usage, profiling, or for intelligence and security purposes;
- network and data protection infrastructure may be absent or poor, making data sets susceptible to breach and resultant harm to users; and
- states may deny access to judicial remedies by users for breach and harm.
3. Comparative study of different countries: Nonetheless, governments are moving rapidly in developing and deploying contact tracing tools. Based on a comparative study, it appears that states have been using two key technologies – bluetooth signalling and geo-location tracking. Bluetooth signalling uses bluetooth signal transmission between devices for determining distance, time and duration of contact. This provides proximity tracing with a positive COVID-19 patient. This can be used to contain further spread by providing prevention guidelines to potential contacts. Geo-location tracking goes a step further. It tracks the actual movement of the user at certain time intervals. This helps proximity tracing, but also allows actual surveillance. It also appears that for data processing, countries are following either a centralized or decentralised data collection and storage strategy. The underlying technology and usage conditions for the contact tracing apps are fundamental blocks for analysing the privacy implications. The table below provides an overview of select government apps and technology frameworks, including India’s Aarogya Setu. We have not analysed China and South Korea as a lot has been written and discussed about them. While analysing, we have not factored state specific data protection and privacy laws. Rather, we rely on well accepted fair processing principles – fair and lawful processing, data minimisation, limited retention of data, processing for specific purposes, necessity, transparency and accountability. Based on these core tenets, we have colour coded each of the analysed contact tracing apps on a high, medium and low risk matrix.
|#|Application or framework|Country / region|Core technology|Data storage|How it works?|How is data and privacy protected?|Risk to privacy|
|---|---|---|---|---|---|---|---|
|(i)|HaMagen|Israel|Geo-location cross-referencing of user’s data with confirmed patient’s data|Decentralised storage and centralised tracing through government server|HaMagen uses geo-location data of contacts to cross-reference with that of a COVID-19 patient, and not just bluetooth signals. This is how it works:|HaMagen poses a higher risk to globally accepted privacy norms for the following reasons:| |
|(ii)|Aarogya Setu|India|Bluetooth signalling and geo-location data tracking|Decentralised storage and centralised tracing through government server|Aarogya Setu uses bluetooth signalling as well as geo-location data to identify COVID-19 positive or symptomatic cases, and contact trace. An overview of how it works is below:|Aarogya Setu stands out as an application that poses significant risk to a user’s privacy for the following reasons:| |
|(iii)|TraceTogether (TT)|Singapore|Bluetooth signalling model|Decentralised storage and centralised tracing through government server|This is how TT works:|Several features make TT less regressive of user privacy and more responsive to the core processing principles:| |
|(iv)|Apple-Google API and contact tracing framework|Proposed for world-wide use|Bluetooth signalling model|Decentralised storage and decentralised tracing through different applications using the framework and API|Apple and Google have announced the launch of a “comprehensive solution” that includes APIs and OS-level technology for contact tracing. In the first phase, APIs allowing inter-operability between different OSs and applications will be released by May 2020. While the details are yet to be released, it appears that the framework will use bluetooth signalling for tracing. Some of the key features released include:|It is premature to comment on how this technology framework will work and what the privacy implications will be. A lot will depend on how implementing apps work around consent and data access, but certain aspects available publicly create an impression that the risks will be medium to low:| |
|(v)|COVIDSafe|Australia|Bluetooth signalling model|Decentralised storage and centralised tracing through government server|Similar to TT, COVIDSafe uses bluetooth signalling and works in the following manner:|COVIDSafe was reportedly launched after a detailed privacy impact assessment. It follows a necessity-based approach and, similar to TT, adheres to well-known fair processing principles like data minimisation, limited retention, decentralised data storage, and encryption. Some additional privacy-centric checks are below:| |
|(vi)|PEPP-PT NTK proximity tracing system|Proposed for European Union|Bluetooth signalling model|Decentralised storage and centralised tracing through specific application related server|PEPP-PT NTK proximity tracing system is a framework curated for European Union countries factoring requirements under General Data Protection Regulations and EU Privacy Directive. PEPP-PT NTK operates on bluetooth signalling and will work in the following manner:|The proposed framework definitely tops our analysis as the least intrusive of one’s privacy, but a lot will depend on when this is actually adopted and put to use. Apart from the privacy protection features used in TT and COVIDSafe, the noteworthy feature that safeguards user’s privacy is that there will be minimal collection of data, mostly without personal identifiers. Further, tracing will happen through temporary IDs and the chances of identification and surveillance of any kind are almost negligible.| |
Based on the comparison above, it can be observed that the approach underlying contact tracing technology varies per jurisdiction. The common theme is that there is a need to use contact tracing technology for a public health emergency, and to that extent an individual’s privacy can be curtailed. However, the question remains – to what extent and at what cost? For contact tracing tools to work, it is important that a majority of a given demographic downloads and uses them. Approximately 75 million users have downloaded Aarogya Setu, and the Indian government is considering installing the application as a default app on new smartphones. From the user’s perspective, there is a dilemma. While many are using contact tracing applications as preventive tools, there is apprehension that the data will be misused in complete disregard of user’s privacy. In our view, the bluetooth signalling method combined with consent-based access facilitates containment measures. On the other hand, geo-location tools allow movement tracking, which adds to the existing trust deficit. When scrutinised on parameters of proportionality and necessity of the state’s containment measures, i.e., whether the deployed tools are proportionate to the containment purpose and absolutely essential, it appears that bluetooth signalling has better chances of withstanding the scrutiny. However, geo-location tracing may be ruled disproportionate as it permits ongoing surveillance. Even when these privacy arguments are kept at the periphery, it is important to acknowledge that the technology has limitations and one can never rely on the assessment findings and notifications prompted on these apps. These apps rely on time duration based on bluetooth signal or geo-location. For instance, many trigger notifications if bluetooth signals are transmitted for 15 minutes.
There is no scientific basis for relying on duration of exposure as a benchmark, and it is possible that someone contracts the infection within a few seconds of being around a confirmed or symptomatic person. Thus, there is a possibility of false notification and inaccurate identification of contacts and symptomatic cases. In any event, reliance on a tracing application’s symptom assessment is not foolproof. This raises a fundamental question on the efficiency of tracing tools, and whether the privacy-utility trade-off is proportionate.
4. Conclusion: What can governments do to encourage people to download tracing apps and contribute to containment efforts? One approach is to make it mandatory for the entire population, as has been done by China. But this approach, apart from breaching fundamental human rights, can strain the existing information technology infrastructure of developing countries like India. The possible course could be to bring in checks and balances. For India, it is even more crucial as informational privacy is a fundamental right and any government action that curtails or suspends the right must be as per the constitutional mandate. In the absence of a dedicated personal data protection law (which definitely is much needed now!), this is what the Indian government can do to garner popular consensus for use of Aarogya Setu:
- conduct privacy impact assessment between bluetooth signalling and geo-location methods to identify unique requirements for India’s containment strategy;
- revisit the liability disclaimer and remain accountable, transparent and subject to judicial scrutiny in future;
- minimize data retention period to 21 days for all kinds of data collected, unless there is scientific basis for longer retention;
- maintain data processing audit logs to substantiate the claims that government processing is for limited purpose and duration, and to rule out any scope for function creep;
- bring in user consent mechanism for access and transfer of data to government server or any third party; if consent is not feasible, access must be minimal and only to the extent of contact tracing;
- put in place a data sharing agreement and protocol that allows public to know more about how and why data is being transferred to a third-party including healthcare providers;
- undertake and ensure that the app and its data will be purged at the end of the pandemic; and
- not to forget – humans are the weakest link in any technology, and therefore awareness and training are of paramount importance.
 To learn more about HaMagen, access https://govextra.gov.il/ministry-of-health/hamagen-app/download-en/ (last accessed on April 29, 2020)
 Israel’s moves have been drastic and much debated. The government passed an emergency bill overnight allowing Shabak to conduct cellular monitoring surveillance on COVID-19 patients and it is suspected that HaMagen facilitates surveillance measures. For more information on Shabak’s monitoring of cellular data, access https://techcrunch.com/2020/03/18/israel-passes-emergency-law-to-use-mobile-data-for-covid-19-contact-tracing/ (last accessed on April 29, 2020)
 It also requires consent on location data for Android phones, although location data is not processed for contact tracing. The requirement stems from Google’s requirement to seek consent whenever bluetooth permission is obtained as bluetooth id can be combined with other information to determine location.
 To learn more about the proposed framework, access https://www.apple.com/in/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/ (last accessed on April 29, 2020)