In a move that was as unlikely as the partnership between Jesse Pinkman and Walter White in Breaking Bad, rivals Apple and Google joined hands in April to develop an API that would help governments trace and stop the spread of COVID-19.
How does the API work?
The API or Application Programming Interface enables ‘contact tracing’ of the disease by allowing smartphones to log other nearby devices regularly. One thing to note here is that this API is technically a service, so it needs a supplementary app to work. “What we have built is not an app — rather, public health agencies will incorporate the API into their own apps that people install,” the companies said in a release.
However, all of this means very little for those living in India.
Why India can’t use the API
Although the feature has been available in India since the end of May, our contact tracing app, Aarogya Setu, has not linked up with this API and probably never will. The biggest reason is that Aarogya Setu does not meet many of the requirements that Google and Apple have explicitly laid out for apps built by governments and health agencies to protect user privacy.
For instance, the Aarogya Setu app collects user location data, which the Google-Apple API does not allow. And although Google and Apple’s API involves sharing some data with the concerned authorities, it’s done in the form of an anonymous key that resets every fifteen minutes, which again is not the case for India’s contact tracing app. Finally, the API’s use is opt-in, which means users are free to disclose information at their discretion.
This means that we will probably have to rely on Aarogya Setu for contact tracing instead of using an app based on the API that is now a core part of Android and iPhone software.
Are contact tracing apps enabling Big Brother?
As you probably know, many countries have also launched contact tracing apps in the absence of global standards. Governments around the world are strongly encouraging the use of this new tool, with some countries even making it mandatory.
However, these tools, which have several worrying privacy and data security risks, have yet to prove their actual effectiveness.
Take, for example, our very own Aarogya Setu app. This contact tracing app launched by the Indian government has been criticized for several data and privacy risks. The app first came under suspicion when opposition leader Rahul Gandhi raised data security concerns in an early May tweet. Following this, French ethical hacker Robert Baptiste raised the alarm, prompting the concerned departments to issue a statement.
Nevertheless, experts in India have voiced their concerns about government overreach and privacy issues related to the app. The Internet Freedom Foundation, a digital rights organization, called the app a privacy minefield.
One of the major concerns, when any government holds sensitive data on its citizens, is who will have access to all that private information, for what purpose, and for how long. It’s troubling when you think about the possibility of linking data from your phones to other things like health behaviors, consumer habits, genomic testing, credit card data, and more, as all of that data can be used to track citizens in a nefarious way. And with no standard guidelines and weak regulatory frameworks on data protection and privacy, the app leaves us peering into a fog of uncertainty.
What the Indian government should do when collecting this highly sensitive health data from its citizens is take into account their privacy concerns and ensure that the app meets the highest standards of transparency and safety. For a start, it should make the use of the app voluntary, limit the duration of data retention, avoid storing the data in a central server, and add a provision that allows users to delete their personal information after a certain number of days.
Although it is quite tricky to strike a balance between using technology to tackle a health crisis and safeguarding the privacy of the people who use it, these are pertinent challenges every government faces. The key here is finding a solution that maintains harmony between government monitoring and the civil rights of its people.