Check out Global Coices' special coverage on the global impact of COVID-19.
In recent weeks, surveillance in India has increased thanks to a new and untested technology at stake – all for the fight against COVID-19.
The Government is currently considering using “cameras integrated with Aadhaar”. If implemented, those cameras can take body temperatures and capture facial images and match them to those in the Aadhaar database, which would help authorities identify possible positive cases of COVID-19, according to a report by the Indian news channel the Outlook.
Use #Aadhaar data for #FacialRecognition with drones. Somebody send this to the supreme court and all the @Product_Nation apologists who said no surveillance can happen with Aadhaar. https://t.co/7xIz0JVG8R
– Srinivas Kodali (@digitaldutta) April 15, 2020
These cameras integrated with Aadhaar can be somewhat revolutionary in the fight against Covid-19.
The combination of Aadhaar and artificial intelligence can be a turning point in the fight against the coronavirus. But it also raises a question: Is people's privacy at risk?
Use Aadhaar data for facial recognition with drones. Someone send this to the Supreme Court and to all Product Nation think tank advocates who said surveillance cannot be done with Aadhaar.
Aadhaar is India's biometric digital identification program with over 1.25 billion individual enrollments and is probably also the largest data collection system in the world.
The report quotes a former official from the Unique Identification Authority of India (UIDAI) who claims that the use of personal data on file in the Aadhaar database could quickly identify positive cases of COVID-19. This will help authorities conduct immediate physical tests. UIDAI is a government entity that manages the Aadhaar program. That database, among many sets of personal data, includes home addresses, phone numbers, and details of family members that can be key to identification in this case.
Global Voices' Subhashish Panigrahi spoke with Mishi Choudhary, attorney and legal director of the Center for Free Software Legal Advice, and Srinivas Kodali, a leading technology and policy researcher, to discuss the use of surveillance technologies in the fight against COVID-19 in India.
Subhashish Panigrahi (SP): What is India doing regarding individual rights, considering everything at the time of the pandemic?
Mishi Choudhary (MC): While we cannot expect the same levels of privacy as in times of peace, we can expect that rules caution is not thrown to the wind and time-limited measures are put in place. Any data collected should be destroyed completely once the pandemic is over and should not be used for any commercial or another purpose unrelated to public health.
Mishi Choudhary (MC): While we cannot expect the same level of privacy as there is in peacetime, we can hope that the rules of prevention are not spoiled and that time-bound measures are put in place. All collected data should be destroyed once the pandemic has ended and must not be used for any commercial or other purpose that is not related to public health.
SP: From a legal point of view, what do you think about the Aarogya Setu application and this new application of cameras integrated with Aadhaar?
MC: The liability limitation clause of the Terms of Service limits the government's liability even if inaccurate information is given by the (Aarogya Setu) app or in case of failure to generate true positives. It is pertinent to note that this acquits the government’s liability in case of any harm caused due to incorrect information. Therefore the app’s policies render the app as nothing but another data grabbing exercise.
Moreover, the liability clause also exempts the government from liability in the event of “any unauthorized access to the (user’s) information or modification thereof” (emphasis supplied). This means that there is no liability for the government even if the personal information of users are leaked.
MC: The restrictive disclaimer of the Terms of Service limits the Government's responsibility even if the information provided by the application (Aarogya Setu) is erroneous or in case it does not generate true positives. It is pertinent to point out that this absolves the responsibility of the Government in case of any damage caused by incorrect information. Therefore, application policies make the application just another data capture exercise.
In addition, the liability clause also exempts the Government from liability in case of “any unauthorized access to (user) information or its modification” (emphasis ours). This means that it is also not the responsibility of the Government if user information is leaked.
Aarogya Setu is a mobile application launched by the Indian Government to track COVID-19 cases. Alerts users when they are within two meters of a person infected with coronavirus, as long as that person's infection status is updated in the application.
SP: What are the precautions that authorities can still take to ensure that the country fights against COVID-19 while still protecting the basic human rights of every citizen?
MC: Data Security can never be compromised. Just because we are all in a hurry does not grant anyone the right to exploit sensitive personal information of citizens for commercial or other benefits. All measures related to the public emergency response to COVID-19 should be temporary in nature and limited in scope and should not become permanent features of governance. There should be use and access restrictions of data. Large swaths of data in untrained hands including the Police is a recipe for disastrous situations.
MC: Data security can never be compromised. Just because we are all in a hurry does not give anyone the right to exploit citizens' sensitive personal information for commercial or other benefits. All measures related to the public emergency response to COVID-19 should be temporary and limited in scope and should not become a permanent feature of the Government. There should be restrictions on use and access to data. Large swaths of data in the wrong hands, even those of the Police, are a recipe for disastrous situations.
SP: Will it even be feasible to use integrated camera technology with Aadhaar in rural India and small towns while ensuring privacy and security?
Srinivas Kodali (SK): I think there is a lack of infrastructure to monitor people at this scale with cameras, drones or any other means. So this can never be implemented in due time. Even if such a thing was being worked on, it will be against the supreme court's judgment on Aadhaar. It can lead to further litigation and problems that the government or UIDAI will not choose to have.
Srinivas Kodali (SK): I think there is a lack of infrastructure to monitor people on this scale with cameras, drones or other means. So this can never be implemented in due time. Even if something like this was being worked out, it would run counter to the Supreme Court ruling on Aadhaar. It can lead to more litigation and problems that the Government or UIDAI will not choose to have.
SP: To what extent do these initiatives or applications like Aarogya Setu comply with the advice of the WHO? How likely is data leakage since most applications seem to be built in collaboration with “industry volunteers”?
SK: I haven't looked into the WHO advisory, but the other interesting question to ask is whether these apps comply to any standards at all. There is no framework to evaluate these systems. Any frameworks proposed by citizens will be rejected by the associated industry volunteers and the government. The possibility of lack of control over data for an individual exists because there are no rules to protect the individuals. Vague terms and conditions say that the government can share the data with anyone it deems fit.
SK: I didn't go through the WHO notice, but the other interesting question is whether those apps fully comply with all the standards. There is no framework for evaluating those systems. Any framework proposed by citizens will be rejected by volunteers from the partner sector and the Government. The possibility of lack of control over individual data exists because there are no rules that protect people. Inaccurate terms and conditions say that the Government can disseminate the data with anyone it deems appropriate.
As facial recognition is gaining popularity around the world as a technology for rapid recognition of potential positive coronavirus cases, India is willing to bet on using its existing infrastructure such as Aadhaar. However, there are many obstacles, including legal ones. Opinions are divided as to the use of Aadhaar data for COVID-19 surveillance and whether the Aadhaar Act of 2016, which provides guidance on the use of collected personal data, allows the Government to use the data for those purposes or not. Sanjay Hegde, a lawyer at the Supreme Court of India, suggests that these cameras can be used even if there is a privacy violation, but cautions that “it should not result in uncontrolled surveillance.” There are also technical challenges. An article published in 2018 by the Indian newspaper The Hindu explains how facial recognition can be a “bad factor” for identification, while disapproving of security issues.
Government authorities are rushing to adopt surveillance technologies like cameras integrated with Aadhaar or applications like Aarogya Setu or even the use of drones for surveillance, and there are private initiatives like location or thermal application, telemedicine, and frugal and rapid manufacturing of personal protective equipment (PPE). Only careful testing of the camera prototypes will indicate the efficacy and potential privacy risks of the combination of Aadhaar and temperature monitoring and facial recognition cameras to track potential COVID-19 patients.