Data Privacy In Times Of COVID-19

Andrea Gratiolo a village doctor in northern Italy during the bubonic plague went on a quest to disprove an allegation on a woman that she had carried the plague to Desenzano, the village where the doctor practised. Gratiolo started his investigation by mapping out people with whom the woman had come in contact with on her way to the village. He in his plague treatise wrote that if the woman indeed was the carrier of the disease then she should have spread it to the people she came with on a tightly packed ship and also to her family with whom she spent the night. But the fact that no one who came in contact with her was ever infected shows that she wasn’t the source of the plague. This incident in 1576 was one of the earliest known forms of contact tracing that we practice today. Since that time contact tracing has proved to be a very effective tool in fighting disease outbreaks from smallpox in the 60s to recurring malarial outbreaks in many African countries in 00s and most recently during coronavirus pandemic.

In the case of the current pandemic many governments in the absence of any cure or vaccine for coronavirus have fallen back on testing and tracing to control the virus. The question here is have these attempts to use technology to limit the spread really helped? If we look at countries like Taiwan, China and South Korea who were earliest adopters of technology we can say that while the tracing technology had not been able to completely control outbreak but it did surely help in reducing the time it took to map an infected person’s contacts and in some cases to even enforce quarantines. So earlier successes of contact tracing in these countries encouraged other countries to come up with their own form of systems to use user data to track infected people. But unfortunately, these earlier successful systems have not been successful in most of the countries. The reason for this is many, for example, Taiwan, China and South Korea have traditionally enjoyed very high penetration of smartphone usage in their population and they have much advanced technological infrastructure than rest of the world. In China and even South Korea data from CCTVs and facial recognition were used to trace the infected, something like this is almost impossible to imagine in western countries without a strong outrage and numerous legal challenges. Taiwan on other hand asked for voluntary participation in a flexible database from its citizen to create a collaboration of government and citizens which eventually came up with online and offline tools to fight the virus, this again has proved too difficult to replicate because not many governments enjoy such a level of trust among the general public that they voluntary share their data and also because of the dysfunctional and bureaucratic nature of governments in most democracies who don’t understand technology as well.

So in effect after 6 months since the first case of coronavirus was detected what we have now is a patchwork of contact tracing apps using different technologies without any solid legal backing in many cases and in some cases without even a privacy policy and they haven’t even been successful in considerably reducing virus spread in most places. The huge worry that we now have in regards to data privacy is how we are balancing the urgent need to use whatever tools we have to control the pandemic and how we come out of this with all the hard-earned data privacy rights and societal safeguards against data misuse by governments and corporates, still intact.

In India Aarogya Setu app which has been downloaded more than 100 million times was launched for contact tracing. The app uses GPS and Bluetooth data to alert people about any potential contact. The government also made it mandatory for people who live in containment zones and for employees in government and private sector. The problem here is that the app has many flaws, according to MIT researchers, for example, the app collects location data, Bluetooth data and demographic data which is more invasive than most other contact tracing apps and even the governments act to make it mandatory in many cases makes India the first democratic country to do so. There have also been proposals to make it mandatory for passengers once metro starts and also in case of other public services. What it will basically do is exclude a large number of Indians from accessing public facilities because they do not have a smartphone and in a poor country like India that is way too many people. If the app shows that a person has been in contact then just to go back to work or to use public facilities people might start gaming the system by switching off Bluetooth and GPS or using someone else’s phone when they want to use a public service that mandates a clear from the app. This practice will make the app even more unreliable. Indian government’s record on data protection is already sketchy with many data breaches in Aadhar database which have resulted in people’s sensitive information becoming public. There is also a worry that the pandemic era surveillance data might be used even after pandemic is over to monitor citizens, this is especially a possibility in countries with weak democratic institutions and low awareness of data privacy.

The solution here is to strike a right balance between transparency, decentralised tracking and strong legal backing to make the contact tracing apps not only more useful and reliable but the data collected safe as well. With every country and in some cases provincial governments coming up with their own contact tracing app it has become impossible to reliably evaluate how many of them work and how many have just been launched to make people think that government is doing something in this crisis. The best way to tackle this problem is to make these apps using a common API framework, recently apple and google launched one such system which works without using location data and people can decide to opt-in. While this system is still not full proof it does provide a much reliable system than most other tracking apps and makes sure that personally identifiable data is not collected for misuse. Another possibility is what the UK government did with its contact tracing app where the government decided to make the app open source to increase the level of public trust on the application.

When it comes to legal backing, in the scramble to make tracing easy for health workers many countries which did not had any laws or guidelines on mass collection of health data passed executive orders, ordinances or used archaic laws which were not created for 21st-century technology-driven world to legally collect such data. What all these laws had in common was lack of any form of transparency or judicial oversight, which makes it highly likely for pandemic era tracking data to be kept and used beyond the pandemic. The only solution to this problem is what EU did- they made it necessary for any data collected by these apps to follow the GDPR laws while the guidelines took a lot of time to come but what it did was provide a strong legal backing for the collected data and made sure that there were reasonable restrictions to how these were collected and used which is much more than many other democratic countries have done till now.

The last and perhaps most important thing one must ensure is that the data, apps and laws created for contact tracing are not stretched beyond what it is meant for. Notifying the user before giving information and automatic deletion of data from database after a specific time can be solution to some of the issues. The contact tracing has provided a measure to control the pandemic up to a certain extent, at the same time the danger of leaking of private data remains a threat. A proper balance is to be made between the two such that private data help in unstable conditions and protect the privacy of people in certain conditions. Many privacy organisations have warned that if it is not ensured that these abilities are dismantled once their usage is no longer necessary then governments might stretch the use of such mass surveillance tools in case of anti-government protests, or to monitor political opponents.

Finally, one must realise that tech solutionism is not the silver bullet to this pandemic. In many cases, it might do more long-term harm than any considerable good.