Gone are the days of landline phones and analog communication. In an increasingly digitized world, we now have applications to serve our purpose. However, looking at recent events, it begs to question- what is the line between Service and Surveillance?
The Coronavirus outbreak has given rise to many indigenous ways to prevent the spread of the disease. One of these is the government prescribed Aarogya Setu application, a contact tracing application meant to identify people with COVID-19. The application introduced in April this year soon became a necessity for people to download and in many cases, a forced criteria to enter public places like malls and supermarkets.
A recent blog post by Shadow Map, a digital risk management firm said that the firm had found the log-in credentials used by the developers of the app in plain view on a government website. The firm believes it could have been an accident by the developer. However, this information in the wrong hands, such as that of hackers would mean a breach of security and access to an entire database of people’s personal information including their location, contact and health data.
Over its short period of operation, Aarogya Setu app has been criticized by privacy experts and cyber security analysts for collecting excessive amounts of data and being an easy source of public information to malicious parties including state-backed hackers. Furthermore, authorities are allowed to upload user information to any government owned and operated server. Regarding the same, the Software Freedom Law Centre, a collective of lawyers, technology experts and students, said “it is problematic as it means the government can share the data with 'practically anyone it wants'".
In rebuttal, the government said that these claims were “malicious, nefarious and unsustained”, assuring users that no data had been compromised due to the alleged vulnerabilities. Reading into the statement, one can easily deduce that the government agrees to the vulnerability of user information. Further, Abhishek Singh, the CEO of MyGov agency said, “We assure users no data was compromised and we will look into this incident in entirety and take action as per the law.”
While the Aarogya Setu application collects information that users choose to enter, another recent event further supports evidence of collection of information in the name of public health and welfare, without consent. Reports suggest that the Kerala Police have been collecting Call Detail Records (CDRs) of COVID-19 patients in the state. This, as explained by Kerala Police Chief Loknath Behra in a circular, is being done to prepare a patient route map using the data. Chief Minister of Kerala Pinarayi Vijayan justified the act saying, “We have experimented this in the worst–affected areas like Kasaragod earlier. Strict instructions were given to the police not to misuse these details.”
However, the opposition was not very happy with the decision with leader Ramesh Chennithala saying, “The government has violated the Supreme Court directive that collection of CDRs will be permitted only in serious criminal cases. It is planning to convert Kerala into a surveillance state. It is a violation of rights.” We must add that there has been no legal method to obtain these CDRs with some service providers declining to provide the requested data.
While the above cases in question aim at serving the noble purpose of public welfare and healthcare, one cannot rule out the possibility of illegal acquirement and misuse of private information.