Background: An ethical hacker, Elliot Alderson, reported a vulnerability in the AarogyaSetu COVID-19 tracing app that could lead to a violation of its users’ privacy. Installing this mobile app has been made mandatory by the Government of India for many of its citizens.
Why should we worry about privacy in a country like India?
After all, in India, we discuss salaries, marriages and the number of kids with people we meet on train journeys. I would be given odd looks if I asked that of my American acquaintances. As Indians, we give our addresses to grocers and office colleagues with equal ease. None of my American colleagues know where I live. In a small town in India, religion and caste are the first things the other person will try to guess when meeting for the first time. And if they can’t, they will ask us directly without hesitation, and we will tell them, again without much hesitation. In the US, I don’t even know whether to wish my colleagues Merry Christmas or Happy Hanukkah and I wouldn’t dare ask.
That means the concept of privacy is heavily influenced by culture.
So let’s look at privacy and its cousin secrecy, with which it is often confused, in the Indian context.
Privacy is what you have in mind when you close your room’s door when changing your clothes. Secrecy is what you do to your Internet banking password – you keep it secret. Privacy is something that you care about when you are texting your significant other/spouse – you want to keep your conversations private. Secrecy is what you would care about when discussing the next big startup idea or maybe something like a government secret.
Privacy is what comes into the picture with the details of the Prime Minister of India’s personal life and the reasons he made his life choices. Secrecy is what is required for the details of his confidential meetings with RAW and the Chief of Defense Staff – national security stuff.
Privacy is what I would worry about if I had a disease like HIV/AIDS or COVID-19 which people look down upon. Secrecy is what I would worry about for this website’s server’s password.
Privacy is what is being violated for the girls involved in the #BoysLockerRoom incident. Secrecy is what’s violated when WikiLeaks published all that stuff.
Do you notice a pattern here? Privacy is more related to a person whereas secrecy is mostly related to things.
What happens when they are violated?
When privacy is violated, there is always a loss of dignity involved. When secrecy is violated, there is a loss of something more tangible, more physical - money, potential investment or even national security.
What is dignity? ‘Izzat’ is the word that comes closest in Hindi. But even if the impact might not be as big as Bollywood movies (aka khaandan ki izzat) and honor killings, there is often a loss of face. And depending on what the private information was, it could result in a social boycott.
If someone took a picture of you changing clothes, it could result in embarrassment. But if they took a picture of that weird mole on your body and told your colleagues, you might get more angry than embarrassed.
And what happens when information about you being infected with COVID-19 gets out?
Well, for a start, people will start talking about you. Then, they might treat you like you are some kind of infectious animal to be avoided. We have seen this in recent pictures. Remember how all news channels talked about Tablighi Jamaat for so many days? I would worry if my friends and relatives would look down upon me because I have a disease.
Note that violation of privacy is actually illegal because the Supreme Court of India has defined ‘individual privacy’ as a guaranteed fundamental right, even in public spaces.
Well, then why does it matter more in India?
Because when secrecy is violated, the government, judiciary and police care more in India. If your stolen Internet banking password results in your money being stolen and the bank refuses to refund you, you can go to the banking ombudsman. If my server is hacked because my password is stolen, I can file a complaint with the cyber crime branch. If the government’s secrets are stolen, the thief will not only be all over the newspapers but also be jailed under the sedition act.
When privacy is violated in India, the concerns are lower. When activists showed how Aadhaar numbers were available as Google search results, the UIDAI told them it doesn’t matter. Forget UIDAI, can you file a complaint because someone shared embarrassing pictures of you in an office WhatsApp group? Let’s say you can. But would you? Imagine the conversation with a police officer. They have more tangible crimes to worry about, so intangible things like privacy and dignity get easily sidelined in India by police and judiciary.
What is the dignity that is afforded to people living on the streets? What is the dignity of migrant laborers who are made to sit outside the village and sprayed with disinfectant? Most of India doesn’t care about them as humans as much as they care about them not spreading this disease. But they are citizens of India. Like you and me. And because their dignity is already in danger, it matters more that we care more about privacy and not less in India.
This is, after all, the complete opposite of what would happen in a country like Canada or the USA, where not only the police and judiciary but also society in general is more vigilant about any violation of privacy. And being “first world” countries, the dignity allocated to citizens’ privacy is not only guaranteed but protected by strict laws and followed by swift actions.
So how is this privacy important in the context of COVID-19? Is someone’s dignity more important than people dying?
For example, you are using the app with the good intention of helping the country. Suppose you found that you tested positive for COVID-19 and then reported it in the app so as to help in contact tracing. You might be in a hospital for some days and get well and come back. But if someone was able to violate this private information, identify you and then spread the news about you being infected, what would happen? Social boycott.
Now say your friend, who lives in another city, was also found to be positive. And when he learns of the way society treated you, would he report positive on the app? Probably not. And this probability of one person not reporting can cost 406 lives!
And hence, because violation of the privacy of a patient with COVID-19 can result in a social boycott, people will avoid telling others and reporting on this app when they are infected. This will defeat the very purpose for which this app was introduced in the first place - aiding testing with tracing. And then, we will have a lot of false negatives.
We saw this in Punjab, Karnataka, Madhya Pradesh, Uttar Pradesh and in so many other incidents, when people avoided coming forward and disclosing that they had a recent travel history, and in most cases they were not even infected.
It has been relatively easy to trace travel history because India’s railways and airlines are heavily regulated by the government and the government can just search last month’s travel records. But how are we going to trace infections if people don’t trust the app and the government, when they are supposed to disclose voluntarily?
And this is why all of us, and the Government of India, should care more about privacy in a COVID-19 tracing mobile app in India.
Found this interesting? I did a bit of research with the amazing CHARISMA Lab on robots handling the nuances of social privacy. You can read our paper here.