From India to Cyprus, understanding the global debate over virus contact tracing apps

India has been debating "privacy concerns" over the state's Aarogya Setu application

aarogya setu rep Representational image | Twitter handle of Aarogya Setu

In Britain, the state-funded National Health Service (NHS) announced that it was initiating the process with a trial of its new contact tracing app in the Isle of Wight region. The country is contemplating phasing out the lockdown administered due to the COVID-19 pandemic.  .

Council and healthcare workers will be the first to try the app, which alerts users to get tested if they come in contact with someone with COVID-19 symptoms. The rest of the island will be able to download the app from Thursday and if the trial is successful, it could be available UK-wide within weeks.

Concerns have been raised over privacy, though ministers say the app has been designed with all safety provisions. "By downloading the app, you are protecting your own health, you are protecting the health of your loved ones and the health of your community. Where the Isle of Wight goes, Britain follows," said UK Health Secretary Matt Hancock.

Even while India has been debating "privacy concerns" over the state's Aarogya Setu application, countries across the world have been taking to developing similar technologies. Debates over the use of such technology are prevalent in US and Europe, while countries like South Korea, Hong Kong and Singapore were the first to leverage it. 

In the debate, cultural differences do come into play. Intrusive digital tools employed by Asian governments that successfully contained their virus outbreaks won't withstand scrutiny in Europe. Residents of the EU cherish their privacy rights so compulsory apps, like South Korea's, which alerts authorities if users leave their home, or location tracking wristbands, like those used by Hong Kong, won't fly.

Moreover, the use of monitoring technology has historical scars in the continent's psyche, evoking memories of massive surveillance by totalitarian authorities. The European Union has, in recent years, led the way globally to protect people's digital privacy, introducing strict laws for tech companies and websites that collect personal information. 

Who are currently working on developing such applications?

In Australia, more than 3 million people have downloaded such an app touted by the prime minister, who compared it to the ease of applying sunscreen and said "more app downloads would bring about a more liberated economy and society". Utah became the first US state to embrace a similar approach, one developed by a social media startup previously focused on helping young people hang out with nearby friends. Both these apps record a digital trail of the strangers an individual encountered. Utah's goes even further, using a device's location to help track which restaurants or stores a user has visited.

The government of Cyprus is encouraging the voluntary use of a locally developed cellphone application designed to locate people who may have come into contact with someone carrying the coronavirus. That information gets stored in the mobile phone's log file and would be available for users who test positive for the virus to share with public health authorities. The authorities would then use the data to trace anyone who who may have been in close proximity to the infected person.

A competing approach under development by tech giants Apple and Google limits the information collected and anonymises what it pulls in so that such personalized tracking isn't possible. Apple and Google have pushed for public health agencies to adopt their privacy-oriented model, offering an app-building interface they say will work smoothly on billions of phones when the software rolls out sometime in May.

Germany and a growing number of European countries have aligned with that approach, while others, such as France and the UK, have argued for more government access to app data. 

Most coronavirus-tracking apps rely on Bluetooth to locate other phones nearby that are running the same app. The Bluetooth apps keep a temporary record of the signals they encounter. If one person using the app is later confirmed to have COVID-19, public health authorities can use that stored data to identify and notify other people who may have been exposed.

Apple and Google say that apps built to their specifications will work across most iPhones and Android devices, eliminating compatibility problems. They have also forbidden governments to make their apps compulsory and are building in privacy protections to keep stored data out of government and corporate hands and ease concerns about surveillance. For instance, these apps rely on encrypted peer to peer signals sent from phone to phone; these aren't stored in government databases and are designed to conceal individual identities and connections.

Public-health officials aren't even in the loop; these apps would notify users directly of their possible exposure and urge them to get tested.

Debate in India

In India, the debate revolves around the use of Central government's 'Aarogya Setu' application, which was recently made mandatory for a large section of the country's workforce. This resulted in opposition Congress leader Rahul Gandhi dubbing it a "sophisticated surveillance system". He raised "serious data security and privacy concerns" related to the application, which was launched in April. "The Aarogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight—raising serious data security and privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent," Gandhi wrote on Twitter.

Aarogya Setu continuously collects data on the location of the user and cross-references it with the Central government database to understand whether the user has come into contact with an infected person.

The issue grew in scope after French cybersecurity expert going by pseudonym Elliot Alderson alleged that there were security flaws in the application, and the privacy of 90 million Indians were at stake.

However, the Centre has denied all the allegations, assuring the application is safe for use. Speaking to Hindustan Times, CEO of MyGov India, the company that developed the app assured that the app only takes basic data. "As we’ve specified in the privacy policy of the app, all personal data is collected only once, and that is encrypted and then a device ID is created and subsequent to that all interactions happens only with the device ID," he said.

Debate in Europe

The battle in Europe has centred around competing systems for Bluetooth apps. One German-led project, Pan-European Privacy-Preserving Proximity Tracing, or PEPP-PT, which received early backing from 130 researchers, involves data uploaded to a central server.

However, some academics have grown concerned about the project's risks and threw their support behind a competing Swiss-led project, Decentralized Privacy-Preserving Proximity Tracing, or DP3T.

Privacy advocates support a decentralised system because anonymous data is kept only on devices. Some governments are backing the centralized model because it could provide more data to aid decisionmaking, but nearly 600 scientists from more than two dozen countries have signed an open letter warning this could, via mission creep, result in systems which would allow unprecedented surveillance of society at large. 

The EU's executive Commission warned that a fragmented approach to tracing apps hurt the fight against the virus and called for coordination as it unveiled a digital toolbox for member countries to build their apps with.

-Inputs from agencies