Emergencies change the rules. All over the world, people have willingly given up the freedom to see friends or family to obey strict lockdown or quarantine orders. They do this because they judge the reasons behind these new regulations to be valid; they believe these measures can stop the spread of the coronavirus. The same applies to Covid-19 tech. Millions have consented to have their phone’s location tracked via SMS surveys or smartphone apps – sacrificing a sense of privacy because they trust their government when it says that citizens’ data can help reduce the number of infections.
But how can people who agreed to trade certain freedoms to stay safe be sure the terms of the deal don’t change? In countries like Australia, the promise that coronavirus tech will only be used for one purpose is enshrined in law. But those safeguards don’t exist everywhere. In some places, there is mounting evidence that coronavirus tech is already morphing into something more permanent. In others, there is little to protect citizens from that possibility.
The Correspondent asked three journalists from India, Tunisia and Peru to send a “postcard” from their home country, reporting on the growing sense that the terms underpinning coronavirus technology are not set in stone.
In India, courts are already making the download of the Aarogya Setu app part of defendants’ bail conditions – suggesting the technology is already being used to track more than just the coronavirus.
Tunisia’s experiments with Covid-19 robots and apps give some people flashbacks to former president Ben Ali’s surveillance state. But how can Tunisians make sure this “good” kind of surveillance does not turn into the “bad” kind, from which the country wrestled free during the Arab Spring?
And in Peru, the government’s track record of data breaches or corruption inspires little trust, even as the state asks citizens en-masse to share their phone’s location data via a national SMS “survey”.
In India’s courts, the country’s contact-tracing app hints at an ulterior motive
By Annie Philip, an independent journalist based in New Delhi, India who has worked for several years in digital and print mediums. Her areas of interest include development, international affairs, renewable energy and culture.
New Delhi, India – When lawyer Pulkit Jain, appealed for a client’s temporary bail in May, he told me he was surprised to receive an unusual response from the court. Yes, his client could have bail, but on one condition: he must download the Indian government’s Covid-19 contact-tracing app, the Aarogya Setu. After being initially puzzled, Jain told me this request has become quite common in India’s justice system. However, these cases indicate an expansion in the app’s scope that go beyond just reducing the spread of Covid-19, which was stated as the app’s original aim by the government.
Although rules on how data will be collected, processed and shared – introduced in May – do include a sunset clause, the app itself does not. That means it’s possible the Aarogya Setu could outlive the rules that govern it, raising questions about how data collected by the app after the rules have lapsed can be safeguarded and sparking fears it could be repurposed. “The sunset clause for Aarogya Setu is an administrative promise,” says Raman Jit Singh Chima, Asia Pacific policy director at digital rights group Access Now. “Unlike other democracies, the Indian government has refused to make its Covid app be accountable to and limited by a law passed by parliament.”
The Aarogya Setu app arrives in the midst of the “digital India” campaign, prime minister Narendra Modi’s drive to create online infrastructure and improve internet connectivity. Against this backdrop, digital rights activists worry the app could lay the foundation for a more permanent system, such as an electronic national health database. In April, a government official said Aarogya Setu may function as the “initial building block” for India’s Health Stack – the digital infrastructure which is currently being developed to act as a single source of health data for the country – although when the prime minister announced the launch of a national health ID in August, Aarogya Setu was not mentioned.
Are the fears over Aarogya Setu’s future unwarranted? I don’t think so. The app arrives at a moment when an investigation by HuffPost India has found the government is creating a searchable database that can track every aspect of citizens’ lives, including their religion, caste, income, property, education, marital status, employment, disability and family-tree.
That system would build on the national identity card database that already exists, called the Aadhaar system. Launched a decade ago, today it is almost impossible to make do without the Aadhaar card. The 12-digit unique number assigned to card holders in India is required in many different areas of our lives: from income tax returns to accessing government welfare. In some places, it is even needed in exchange for Covid-19 tests and medicines.
Tarangini Sriraman, author of the book In Pursuit of Proof: A History of Identification Documents in India, sees Aadhaar as an ecosystem that necessitates many interconnected databases in order to authenticate a person’s identity. “In this sense, Aadhaar has shown the way for other ill-conceived tech applications like Aarogya Setu,” she told me.
It is this context that makes many people suspicious that the Aarogya Setu app could outlive the pandemic. That possibility means the need for a robust Personal Data Protection law – which the parliament is presently working on – cannot be overstated.
Covid-19 creates flashbacks to Tunisia’s surveillance state
By Layli Foroudi, a freelance journalist based in Tunis. She writes for the Times, Thomson Reuters Foundation and the Financial Times among others.
Tunis, Tunisia – When Tunisia went into lockdown earlier this year, I didn’t receive a pop up notification on my phone or see a press release to inform me that my movements were being monitored by the government via my sim card. It was revealed months later on 14 June during a TV interview with the then prime minister, Elyes Fakhfakh. “Our operation room works 24/24, it’s run by a total of 87 experts. We’re following everything,” said Fakhfakh, assuring that his operation room found that 85% of Tunisians were following the rules at the peak of the virus.
The president of the Data Protection Commission, Chawki Gaddes, said that there was no problem with privacy since the data provided by the phone operators was anonymised but Nizar Kerkeni, president of the Association for Free Digital Culture and a lecturer at Tunisia’s University of Monastir, reads it as “the leftover of the police state”.
“[The government thinks] we did this before and we can do it, so we do it now without asking the questions, without the respect of personal data. These are bad reflexes that come back,” he told me, adding that this may have been facilitated by old routes of direct communication between telecoms companies and the government of former president Zine El Abidine Ben Ali, a corrupt dictator who was in power for 23 years and tortured political dissidents.
Before the fall of Ben Ali’s regime in 2011, Tunisia was under constant surveillance, both online and off. Neighbourhood committees were charged with monitoring and reporting back on all political, economic and cultural happenings. The Tunis region, for example, counted 353 neighbourhood committees in 2004, composed of 3,656 members. Meanwhile, on the internet, the police snooped on emails and private messages on Facebook and Twitter. A “keylogger” technology was used to secretly record a keyboard’s activity and Turkish and Russian digital mercenaries were employed to hack opposition and dissident websites, according to the final report published by the Truth and Dignity Commission, which is in charge of Tunisia’s transitional justice process.
Despite this recent history, the public reaction to increased surveillance has ranged from amusement to indifference to endorsement. When robots were deployed to patrol the streets, people shared videos of their strange robot encounters – treating it as a novelty, a toy, not a privacy threat.
Sat in a cafe within sight of the ministry of interior on Habib Bourguiba, an avenue lined with evergreen jacaranda trees, insurance worker Sihem Hlel tells me that she is not concerned about her data, or about the eyes and ears of the ministry across the road. She hasn’t downloaded the virus tracing app E7mi, launched in May, but she says she may do soon since Tunisia seems to be entering a second wave of the pandemic.
“I didn’t think about [privacy] – the past is finished, we are in a new stage,” said the 27-year-old. When I speak to her, Hlel is unemployed and smoking a cigarette. She is one of the many Tunisians that lost her job due to the pandemic so on the forefront of her mind is how the country’s economy can’t bear another lockdown – not how the E7mi app is missing both a sunset clause determining when it will be removed from phones and an indication of whether and when all user data will be deleted once the app is no longer necessary. “All applications have advantages and inconveniences, like Facebook,” she says. “But we are obliged to facilitate the health of our country.”
Surveillance is less and less tangible than before the revolution, but the justifications haven’t changed much, according to Kerkeni, who is sceptical about the utility of the app. “If the police state of Ben Ali monitored us, it was for our own good. [Now] they say it is for our good, it is to stop us from getting the virus.”
When asked whether tracing applications are necessary to fight the virus, Gaddes, of the Data Protection Commission, which authorised E7mi, said “absolutely”. Would he download it himself? No.
Requesting personal data in a flock of misery: the Peruvian case
By Jacqueline Fowks, a stringer for El País newspaper in Peru, writer, and research fellow at the Chair European Culture and Literature of the University of Groningen. She is professor of journalism at the Pontificia Universidad Catolica del Peru.
Lima, Peru – Brazil has the worst Covid-19 figures in South America, followed by Peru, a country of 32 million people, where nearly 47,000 have already died as a result of the virus. After 104 days of lockdown, a measure that has severely mashed the economy, the government launched its national Covid-19 survey in June, describing it as important to “track the behaviour of the corona”, and asked the citizens to help by letting the state track their location using the GPS that comes in the smart phones. Agree? Yes, I don’t want to die and everyone must pool together for the greater good. In April, a national survey found that people were more scared of hunger than the disease. But that changed in May when a poll showed 60% were now more frightened by the virus, even though thousands could barely afford to eat.
The invitation to answer the survey was sent via text message to every mobile user in the country – around 40 million people. I received the SMS on 29 June. At first, I’d felt uncomfortable about sharing my data with a state agency, but since we are in a pandemic, I decided it was my civic duty. Before answering the survey questions, I had to consent to my mobile number, approximate location and questionnaire answers being processed for an analysis. The message also told me I had only 30 seconds to answer each question which wasn’t long to decide if I wanted to share my location. Other questions asked if I had a headache or a fever, or felt short of breath. Over the next two months, I received 13 more messages, asking me to answer the questionnaire. Nobody explained it was necessary to respond more than once, so I didn’t.
The government here does not have a strong record when it comes to managing Peruvians’ personal data. In March, as the country’s strict lockdown forced many people to stay home from work, the state decided to pay subsidies to millions of families with no savings. But the database containing details of the scheme’s applicants – mostly people living in poverty and older people –was hacked by around 500 intruders who used the information there to claim the money at least 1,300 people were entitled to. The state agency responsible for the subventions website preferred to deny the incident ever happened.
Peru is a country with low institutional standards, a large amount of corruption – in both the state and the private sector – and a very tiny, tiny data literacy, even though there are two state desks related to personal data: the Digital Government secretariat and the General Office of Personal Data Protection.
The Digital Government speaker told the state news agency that all the health data collected from the survey has been anonymised and that the information about location will feed the virus heat maps and will also feed another app called “Peru en tus manos” (“Peru in your hands”) that tracks the virus. But some experts say that there is no evidence that the app is being useful and the government is not willing to be transparent. Peru has a law of personal data, passed in 2011, that establishes fines for infractions. Yet, in times of economic crisis and pandemics, who would care if this data is used for other matters?