Digital privacy


To curb the spread of the Coronavirus, Governments all over the world have resorted to actions that have potentially infringed upon the rights of individuals. In India, Aarogya Setu has sparked a debate on privacy.

“Big Brother is Watching You” just got a whole lot really, according to some privacy experts, when the Government of India rolled out ‘Aarogya Setu’, an application that aims to inform the people of their risk of contracting the Coronavirus and educate them on the best practices and medical advisories pertaining to the COVID-19 Pandemic.

However, the app has not exactly gone down well with certain people who argue that the system by which the app uses contact tracing and shares details with the government essentially makes it a ‘surveillance system’. Congress politician Rahul Gandhi too tweeted in this regard, and his theory was ‘proved’ by French ethical hacker, Elliot Anderson. Through this article, I am going to analyse whether or not these claims hold weight, and whether the application is truly worth it.

The first concern would be that downloading the app gives the Indian Government access to your location and personal data at all times. However, that is untrue. Firstly, the application replaces all your data with a Device Identification Number on sign-up, and this DiD becomes the basis of all future interactions. It is this DiD that is used to interact with other phones when they come in range with each other and calculate your health risk and communicate it to the server. It is only when the risk of infection to a person is too high that the personal information is reconciled with the DiD to alert the individual.

The Privacy Policy for the application, along with its Data Access protocol, explicitly states the purposes for which the data can be used and limits the possibility for misuse. One major concern remains in the fact that the data is shared not only with the Health Ministry but with any related ministry at the central or state level that is involved in addressing the pandemic, but a case could be made against the same looking at the various actors involved in the COVID response. Another concern comes from the fact that DiDs that do not change can lead to privacy issues, but the Government is currently addressing this by creating a dynamic ID that generates multiple times and offers more security.

Hacker Elliott Anderson tweeted about certain ‘risks’ which included data of the users being at risk and local files being accessed. However, various people proficient with coding have come out to deny these claims, arguing that Elliott ran basic scripts to access the data stored on his own device and portrayed it as a security issue when it isn’t. Adding to it, the creators of the app themselves chose to engage with the hacker and clarified their response to his claims. It has been by and large proved that these claims held no weight at all and should be disregarded. An important point to be noted is that this is the same person who claimed that he hacked TRAI Chairman RS Sharma’s information based on his Aadhar Number. However, it was later found that the information he ‘hacked’ was available in the public domain already and could be easily found through search engines. As Michael Scott would say “Fool me once, strike one. But fool me twice, strike three.”

More importantly, the rules and privacy policy clearly specify the duration for which the data can be stored. The application deletes all personal data 30 days from collection, and the servers purge the information after 45-60 days, depending on whether or not a particular person tested positive for the virus. This contact and location data can in any case not be retained beyond 180 days and the demographic data is deleted within six months, provided the pandemic does not extend beyond that period. Thus, the possibility of the government retaining or sharing this data for other purposes does not exist.

Contact Tracing is a difficult, labour intensive process and often leaves out people in the way it’s been conventionally done. For example, a person goes to the market to buy vegetables and meets someone they do not know who later turns out to be positive for the virus. At that point in time, it becomes almost impossible for health officials to trace who was at xyz vegetable vendor at 11:00 hours on a day. This is where the app steps in, even if the person doesn’t know the person who contracted the virus, they will be notified of the risk and be asked to take steps accordingly, thus making the contact-tracing process not only less difficult but also more comprehensive.

A case is made that apps like these cannot be put to use by people who don’t have smartphones. It’s important to note that the app isn’t a replacement for contact tracing, it is an assistance mechanism. A lack of accessibility by the entire population cannot count as an argument for the ones who can access it to not be asked to install it and use it. Even if one person can self-isolate and reduce the spread of the virus due to the app, it means tens or hundreds of others who they would have come in contact with are saved. Every single life saved is a major victory for the application. In fact, until now, the app has been used to notify 1.4 lakh people of potential exposure to the virus and asked them to take necessary precautions. Even if one percent of those, i.e., 1400 people test positive for the virus later but had taken precautions to contain its spread thanks to the notifications issued, it’s a win not only for the app but for the country.

It is a moral obligation of every citizen to try and ensure that we try and reduce the spread of the virus as much as possible and take whatever steps necessary. Aarogya Setu, with its benefits, is a huge step, and all of us who can download it should make sure that we do.

Of course, the government needs to do better in two regards. Firstly, the government must implement Aarogya Setu only through law. If an action threatens to hinder a fundamental right (such as the Right to Privacy here), it needs to be implemented through legislation that limits potential government misuse. While in the status quo, it is understandable why the app is being pushed so strongly, there are better ways to do it, especially in the absence of a Data Protection law in the country.

Secondly, app security is a major issue. Thus, the app should be made open source so that developers can check it for bugs and potential security issues, and thus make it safer and easier to use for everyone.

The Aarogya Setu app is not perfect, but there can be no denying that it can be of huge help in the fight against COVID-19. The government has actually taken measures to ensure that user privacy is respected to the extent possible, which is a welcome change from its actions from the past. Given how crucial it is, it is imperative that we download the application as a measure to not only safeguard our own health but that of others around us too.

Featured Image Credit: Flipboard

Khush Vardhan Dembla

[email protected]


The recent Cambridge Analytica scandal has brought the issue of privacy in a digital age close to our screens again. The article traces how such revelations point towards an increasingly dangerous world where our privacy is highly compromised.
Recently, Facebook has been in choppy waters with its stocks dipping and a “delete Facebook” campaign doing the rounds. Allegations by whistleblower Christopher Wiley showed how the US based data mining firm Cambridge Analytica harvested data from over 50 million American users of Facebook for “psychological profiling” during the Trump campaign. According to Wiley, he met Steve Bannon, former White House chief strategist, who orchestrated a deal between the firm and hedge-fund billionaire Robert Mercer that led to Wiley and his team engaging in what he calls “full-service propaganda”. By partnering with a Cambridge professor, Aleksandr Krogan who built an app called “thisisyourdigitallife”, the firm gained access to information on millions of Facebook users as well as their friends, unbeknownst to both Facebook and the users. However, this story is not new. Facebook had been informed of Cambridge Analytica back in 2015 and although it had demanded the data on users to be deleted, no follow-up measures had been taken after that. In a recent CNN interview, Zuckerberg apologised saying “We have a basic responsibility to protect people’s data and if we can’t do that then we don’t deserve the opportunity to serve people.”

Even though some experts believe that the amount of people that the data was taken from could be overstated, it is nevertheless evident that there are some crucial aspects to such a story which makes it noteworthy. Firstly, it is evident that regardless of the reliability of Wiley’s claim we now inhabit an increasingly frightening world where even our private communications can be easily monitored. This is not a hyperbole as was seen back in 2013. Former NSA contractor and whistleblower Edward Snowden leaked millions of documents of the intelligence agency National Security Agency (NSA) of the US and its programs like PRISM, Upstream etc. that again collects bulk information from people both within the US and outside the US through their cell phones, emails, texts, and social media. Large companies like Google, Yahoo, Facebook, and Apple Inc. were also seen to be complicit in allowing the US government access to their servers. In an interview, Snowden called these companies the “surveillance sheriffs” of the NSA.
Secondly, the kind of information we have access to through our social media often determines our political views, our ideas and our actions, and when there are vested interests in spreading such information, the narrative gets coloured by propaganda.

In an interview with the Guardian, Wiley notes how Cambridge Analytica had a bunch of developers working to create content that would be receptive to the target population. He calls it “an unethical experiment where you’re playing with the psychology of an entire nation…in the context of a democratic process.” The firm, according to a report by The Quartz, also collaborated with various political parties during elections in India through its operation centres. The firm has its offices in ten Indian cities including Ahmedababd, Cuttack, Guwahati, Hyderabad, Indore, Kolkata, Patna, and Pune. While it is not unusual for political parties to partner with tech firms to “better understand the political environment”, when there is deliberate, reckless tampering with the private data of citizens to do this, there is a great possibility of the crumbling down of a shared sense of understanding, as Wiley observes.

Thirdly, we need to understand that our privacy is tenuous and free will might just be an illusion. Our social media profiles, when connected to the other countless apps we use, creates certain digital profiles which could provide key aspects of our identity, our personalities to anyone who might have access to them. In such a case, we need to hold our representatives and the authorities in charge responsible for the protection of our already diminishing privacy. The recent controversy regarding the Aadhaar card in India saw many experts casting doubt on the reliability of the biometrics used as well as the implementation of the scheme itself.
Lastly, our digital privacy determines our physical privacy. Cyber crimes over the years are testament to this fact. In such a case, there is a crucial need for an informed public debate on the responsibility that comes with allowing access to governmental and private agencies our information. There is also a greater responsibility on the part of us as citizens to have a healthy dose of scepticism (as Wiley says) while coming across any information in the media. The more doubtful we are, the more likely are we to make informed decisions.


Feature Image Credits: Time

Sara Sohail
[email protected]