By Ayan Gupta and Rudraksh Lakra
When the very existence of a State is threatened, it is the tendency of governments to take hold of excessive powers. While done in the name of enabling themselves to adequately respond to the threat, these excesses often continue long after the threat is gone.
The COVID-19 pandemic has brought the entire world to a standstill. India’s response involves employing wide-spread surveillance systems to monitor and tackle the crisis, with questionable regulations to back them. The introduction of these systems exposes an underlying lack of State concern for the privacy of its citizens. The Government is laying down the architecture of surveillance, which may like we’ve seen in the past; continue long after the original threat has been eradicated.
In 1896, the Bubonic Plague struck the merchant city of Bombay and very soon spread across India, leaving the British Raj overwhelmed. In response, the Government assumed excessive authority without any safeguards by introducing the Epidemic Diseases Act. The result was a rushed and tyrannical piece of legislation that gave State officials unfettered power, such as dragging people on roads to get the hospital on little to no suspicion. It also absolved the State of any responsibility for acts purporting to be done under the Act.
Measures formulated in the context of addressing such emergencies often outlive the crises, becoming normalized in the process. The ‘Bombay Plague’ set a precedent that justified impulsive policing and brutal State force to tackle epidemics. The law, over a century after its conception, is back in force, providing far-reaching powers to the Government and implicitly sanctioning the often violent excesses of the Indian Police. Hidden behind the gloomy reports of police brutality, is the renewed legitimization of these practices in the name of fighting the coronavirus. Yet, this is not all that is being legitimized.
In response to the pandemic, governments across India have been surveilling citizens by employing apps like Aarogya Setu. The use of these apps is typically coupled with AI-enabled Facial Recognition technologies, for ostensibly innocuous purposes. The supposed trade-off of the right to privacy in favour of dealing with an unprecedented crisis is seen as transient. But this sacrosanct right is fragile and often, easily and silently taken away. The possibility of mass surveillance outlasting the virus, and being the new normal, is increasingly becoming a glaring reality in India.
History, and arguably, the present, paints a picture of what this new normal will look like. Besides the Epidemics Disease Act, take for example a more recent reaction after the attacks by militants on September 26, 2008. As the nation stood shell-shocked by the chilling tragedy, India realized that it needed to be more vigilant. Consequently, the government introduced surveillance and intelligence sharing systems like the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & System (CCTNS). NATGRID was launched to integrate various databases across departments and CCTNS was meant to allow more efficient policing using e-Governance strategies. It enabled multiple police forces and departments to communicate and share useful data. However, these systems were not accompanied by any regulations, statutory or otherwise, governing their dynamics. As a result, they were expanded steadily into extensive mass surveillance systems, and are now a part of the new normal.
The lack of proper regulation allows Governments to collect intrusive data. This data then can be used for law enforcement, enabling governments to normalize oppressive and draconian measures that are violative of a citizens’ fundamental rights. In line with the historical trend, the Indian state has further augmented its architecture of surveillance as part of its COVID-19 response, giving rise to legitimate concerns about the privacy and safety of minorities.
In the midst of a crisis no one foresaw, the Centre and State governments have resorted to serious intrusive measures for health surveillance. From collecting data and tracking citizens through apps, to using facial recognition technology via drones and CCTV, governments have taken up powers that blatantly infringe upon the right to privacy of the populace at large. Authorities have even turned citizens themselves into spies, asking them to report those whom they suspect of carrying the virus.
The Centre’s contact-tracing app, Aarogya Setu, collects personal data of its users in the form of demographic and precise location data. The demographic data is stored on the central government servers and the locational data is stored on the user’s phone, and deleted after 180 days in ordinary circumstances. Demographic Data included detailed information about individuals, i.e., their name, phone number, age, sex, profession, travel history. Additionally, Aarogya Setu collects both Bluetooth proximity data and the precise GPS longitude and latitude intercepts, to record locational data. This is unlike the model apps, Singapore’s TraceTogether and MIT’s PrivateKit which strike a balance between individual liberty and the State’s needs This feature allows the Government to accurately pinpoint the location of a user. Experts have suggested that the data collected by the app is backed by weak security protocols and can easily be de-anonymized revealing every small and private detail of an individual.
The unique User-ID generated by the Aarogya Setu App is static and is not changed regularly. In comparison, the TraceTogether’s device unique User-ID is changed every 15 minutes. Which the experts say make it vulnerable to cyber-security intrusions which may lead to sniffer attacks which refer to cybersecurity intrusions to intercept the unencrypted data traffic or data with weak encryption on a network data. The centralised storage of the demographic data under static IDs makes it doubly serviceable for an attacker to have all the information collected by the app in one place under codes that never change.
Further, there have been concerns raised that the data collected by the app can be seeded with other government databases without the citizens ever knowing of it, allowing for the potential profiling and tracking of citizens.
The recent developments around the app, indicate that the Aarogya Setu technology and database will be used post the lockdown, this raises mission-creep concerns that the scope of the app, will be expanded well beyond its original scope the and makes the situation more worrisome. In fact, going far beyond what the government called “voluntary” (quite like Aadhaar), in many cases it is being made mandatory. For instance, Government officials are being mandated to install the app and have it dictate and track their daily movements. Similarly, with the imminent expansion of Aarogya Setu as an e-pass for entry to board public transport vehicles, the supposedly content-driven app becomes an imposition by the government, chipping away at the autonomy of citizens.
The government’s surveillance mechanisms have been augmented by the installation of facial recognition equipped CCTV and drones in several states’ bodies as part of the COVID-19 response. The very presence of these mechanisms can act as a panopticon that creates a chilling effect; individuals at the risk of being surveilled remotely, without their knowledge or consent. The absence of information about who operates these drones and cameras, how the footage is stored and most importantly, the lack of an adequate standard operating procedure governing the lawful usage of these intrusive technologies paves the way for such data being retained in perpetuity for purposes entirely unrelated to disease surveillance.
This worrying addition to the government’s mass surveillance capabilities can be actively used to suppress dissent and opposition, as was seen when the Delhi Police used CCTVs equipped with facial-recognition technology during the anti-CAA protests. The police used these capabilities to identify and imprison the protestors, actively suppressing dissent. To make the contention that coercive state action only becomes stronger with surveillance, one need not look beyond the Indian state’s treatment of the Kashmiri territory. (IPA Service)
Courtesy: The Leaflet