‘Black holes’: India’s virus apps raise privacy fears

CHENNAI: Harinder Kaur was not surprised when people slammed their doors in her face as she walked into neighborhoods in the northern state of Punjab armed with a smartphone and a long list of health and travel-related questions. The 28-year-old health worker had been told to go door-to-door in villages in Patiala district and help populate the state’s COVID-19 tracing app with “thousands of details” people were unwilling to share, from their digestive health to their mobile numbers.

“People were just hostile,” said Kaur, who is one of more than 1 million Accredited Social Health Activists, or ASHA workers, on the frontlines of India’s battle to contain the spread of the novel coronavirus. “We didn’t want to download the app, but our concerns were ignored,” Kaur said in a phone interview.

“There is so much information the app wants from every individual, including pictures. Many are just scared to give it now and threaten us if we persist.” Considered key tools in stemming the pandemic, the rollout of Punjab’s Corona Virus Alert (COVA) app and the dozens of tracing apps being used by different Indian states has been mired in concerns over privacy issues.

According to a new report released this month by Tandem Research, an independent research collective, there are at least 85 tech tools being used to support the public health response in India. At least half of them are mobile apps, say digital rights campaigners. Health workers and lawyers say they are worried about the lack of privacy policies in the apps, as well as the use of open-source software and unclear terms on issues like data retention and sharing.

The apps use Bluetooth and GPS on smartphones to evaluate a user’s risk of infection based on their location and their medical and travel history. Many of India’s state apps were launched even as the central government brought out its own coronavirus contact-tracing app Aarogya Setu, or “Health Bridge”, in early April, which has been downloaded by more than 152 million people, according to the National Informatics Centre. “While Aarogya Setu has faced significant scrutiny, not much is known about how the state apps work,” said Devdutta Mukhopadhyay, a lawyer with New Delhi-based digital rights group Internet Freedom Foundation.

“Many of them do not have a specific privacy policy and there is no transparency about how these apps collect, process, store or share personal data.” The National Informatics Centre, the organization within the Ministry of Electronics and Information Technology that has been collaborating with many state governments on the development of their apps, did not respond to repeated requests for comment. However, officials in the states of Punjab, Tamil Nadu and Himachal Pradesh told the Thomson Reuters Foundation that their apps had privacy policies in place and the data collected was secure.

Pandemic and privacy
In late February, Ravi Bhagat and his team were asked to develop an app that would work as an administrative and awareness tool to fight the pandemic. “We had a deadline of less than a week to come up with something,” said Bhagat, CEO of the Punjab government’s e-governance cell. “We studied the South Korea and China models, looked at our requirements, and had it up and running,” he added, noting that the app has been downloaded by more than 5 million people.

Down south in Tamil Nadu state, Azhagu Pandia Raja modified a game he had been creating into a coronavirus tracking app for the government within a week of being assigned the job in March. “It was a challenge for us because it was an emergency and a question of people’s health,” said Raja, a research fellow with the Chennai city government. In this race to get the technology up and running, personal data concerns were overlooked, say privacy rights advocates.

A report released in April by the non-profit Software Freedom Law Center has warned about the “excessive collection and processing, and unauthorized sharing of personal data, unbridled surveillance and tracing of people” by state apps. Looking at the apps’ policy documents, the researchers at the New Delhi-based organization found that many did not have terms of service accessible to users, limiting the governments’ liability in case of “misuse of the data collected”. Personal data rules under India’s information technology act mandate that all such apps have comprehensive privacy policies, said Prasanth Sugathan, the charity’s legal director.

“Privacy policies have to be very specific in apps like these, but many circumvented the law by being vague to just tick the box,” he said in emailed comments. “There are no consent clauses for contact tracing, storage of data (or) the role of private players involved – how can the data be deleted or rectified? These apps are like black holes.” – Reuters

‘