COVID-19 – A Reckoning: Rethinking Surveillance in Times of Crisis

The crisis of COVID-19 has led to a global surge in surveillance activities. The World Health Organization, in its guideline for “Global Surveillance for human infection with coronavirus disease (COVID-19)” rolled out implementable steps for nations to track and trace coronavirus infections.¹ In order to figure out mechanisms for contact tracing and to prevent the infections from rising, governments all over the world are deploying digital technologies and tools.² From tracking mobile data, to configuring mobile apps for proximity detection, or using CCTV network footage (in some cases, equipped with facial recognition) and drones to enforce social isolation, there is mass surveillance in effect which has been perfectly normalised.³

The importance and need for surveillance cannot be negated or undermined. The safety and security of the citizens from the virus should indeed be the priority for governments. However, lack of a “sunset clause” to terminate the use of such technologies and the absence of appropriate safeguards to prevent abuse of power in data collection and processing can also not be overlooked. In India, the Central government and many state governments have taken drastic steps for contact tracing and disease surveillance. Many states had previously published a list of patients tested positive of the coronavirus.⁴ Some states and government offices have issued a mandate to download Aarogya Setu, Indian government’s contact tracing application for COVID-19, at workplaces.⁵ The Karnataka government asked for citizens to post geolocation tagged selfies in order to deter and restrict people’s movement.⁶ All these efforts towards surveillance result in massive privacy breaches and overlook the aspect of consent in data sharing.

“The real psychological truth is this: If you’ve got nothing to hide, you are nothing.”

Shoshana Zuboff, The Age of Surveillance Capitalism

Surveillance has been a widely used tool for law enforcement and national security. Its usage in a crisis heightens the risk of surveillance becoming the norm even after the pandemic passes. This article highlights the need to rethink models of surveillance and argues for the establishment of mechanisms of checks and balances to safeguard civil liberties and the universal human right to privacy. Any opaque intrusion mechanism, such as surveillance, without active steps of rollback is harmful for the long-term and therefore must be critiqued and carefully looked into.

Public or Private?

Digital technologies make modern surveillance mechanisms vastly different from traditional surveillance. While traditional surveillance was slow and human labour intensive, technology makes it easier to recognise and scale the effort with precision. The covert and overt, public and private techniques of surveillance lead to creation of power imbalances between the watcher and the one being watched.

A significant change that has come about with the age of surveillance is the difficulty of separating surveillance by governments from that by private and commercial entities. The two are often intertwined and use the same technology and techniques to surveil the users and citizens.⁷ In the US, Google and Apple have teamed up to leverage smartphones for contact tracing in order to reduce the spread of the virus.⁸ It is in this regard that we need to rethink our outdated model of enforcement and regulation of surveillance, where the resulting burden of safeguard falls on the one being surveilled. The solutions to the problem of surveillance can no longer only focus on either state or private corporations distinctly. Any possible solutions must thus take both into account to have common laws that govern them.

In India, 16 states are using drone surveillance to track public movement and to ensure crowd management.⁹ To enhance state capacity, public-private-partnerships are ensuring the adequate availability of such tools at disposal. A legal backing to deploy drones was very recently put in place. The portal, Government Authorisation for Relief Using Drones (GUARD), was set up to “fast-track conditional exemptions to govt agencies for COVID-19-related drone operations.” It can also be used by the government to authorise third-party drone service providers to operate drones on their behalf.¹⁰ Nonetheless, individuals are still at a risk of remote surveillance, without their consent or knowledge. There is also very little information about the drone operatives, and the processing of the data collected. Furthermore, the deployment of drones by law enforcement agencies does not serve the purpose of disease surveillance.¹¹ There is a danger of the data being retained for purposes entirely unrelated to the pandemic.

Is Only Privacy at Stake?

Surveillance is primarily undesired because of its serious ramifications on privacy. But should privacy violations bother us in a crisis? Yes, they must. It is important to safeguard citizens from crises or normal times alike. Right to privacy ensures individual security from potential threats and harms of disclosure. During a crisis, the laws can change but should speak the same language as in any normal situation. A reasonable expectation of privacy by individuals should be met with but there should never be an element of trade-off between privacy and security. India’s right to privacy is not absolute either and can be overridden by a cause that is “just, fair and reasonable.”¹² Any violation, however, must bear the test of legality, legitimate goal, proportionality and procedural guarantees.¹³ However, privacy is not the only concern that surveillance poses.

New technology-based surveillance tools are often employed with the assumption that algorithms and artificial intelligence (AI) are incapable of bias – an assumption that is fallacious. It has been demonstrated in several researches that advanced technologies can suffer from design flaws or employ existing social inputs that have the potential to disproportionately harm minorities.¹⁴ Use of facial recognition technology for surveillance can result in misidentification of individuals. The use of real-time identification systems is more prone to false positives and misidentification.

Surveillance also endangers anonymity and obscurity. While privacy involves hiding information, anonymity involves hiding what makes it personal. The ability to freely participate in activities such as protests, political events, and religious ceremonies without disruption or discouragement is fundamental to any democratic society. Unrestricted surveillance mechanisms and tools often overlook anonymity.

There is also a looming threat of “function creep.”¹⁵ It involves extension of usage of the technology, and the information retrieved by it, from its initial intended cause to a different one.

Use of facial recognition application by the Tamil Nadu police and use of thermal imaging cameras with face recognition capability by the Kerala government to track people during quarantines suffer from all these risks.¹⁶ While it’s stated that principles of security and privacy were considered before deployment, the reality appears to be otherwise.¹⁷ There appears to be a rush to develop mobile applications for surveillance and contact tracing. These applications often bypass concerns of privacy in their design. The mandate to download the Aarogya Setu application comes with a non-compliance risk of job termination, legal fines or even jail.¹⁸ The application itself has embedded surveillance mechanisms with multiple privacy and security risks and insufficient data disclosure policies.¹⁹ These contact tracing applications also undermine the case of “missing individuals” who don’t own a smartphone and there is an underlying factor of these measures not being effective.²⁰

Power and Trust

Linked closely to the issue of privacy is the notion of trust. As highlighted by Rachels, privacy is often held in an inverse relationship to trust such that the more trust exists between two people, the less need there is for privacy.²¹ While this notion of trust might not directly translate to models of surveillance, it highlights the necessity of consent of and choice for the individual. For governments to demand trust from its citizens, they need to ensure mechanisms of accountability and transparency. The fact that civil societies and individuals are resisting the mandate of downloading the contact tracing app can be attributed to their lack of trust in the government because of an absence of such procedures.

A rush to deploy new technologies for surveillance, as the world is witnessing during the coronavirus crisis, can cause unintended harm and result in overboard usage of the same. In order to alleviate concerns, one needs to be skeptical of the government’s intention. The intrusion, albeit normal in current times, can result in potential harm later. There is also very little clarity on disposal of the collected data post the pandemic. Though the absence of a working data protection legislation, in India, complicates the process of accountability, it does not give the government a free pass to adopt intrusive measures in the name of public health.

Power, too, is a recurring theme in surveillance analogies. The act of surveillance gives more power to the surveillant over the surveilled. Control over gathering and distribution of information leads to power imbalances, resulting in potential harm. The balance of power between individuals, or between individuals and groups such as employers or the state, is therefore an important consideration in assessing the dangers of many forms of surveillance.

Creating a System of Checks and Balances

Both surveillance mechanisms and surveillance technology have very few laws governing and regulating them. There are two that primarily enable surveillance in India. The Telegraph Act of 1885 deals with the interception of telephonic conversation and the Information Technology Act, 2000 (IT Act) deals with interception of any form of electronic communication. Any current measure of surveillance implemented during the pandemic is basing its root in the Epidemic Diseases Act, 1987. It gives the government discretionary powers to prevent the outbreak or spread of an epidemic. The terms and specifications of these acts during a crisis remain ambiguous.

Ambiguous rules and procedures, and absence of necessary limits often lead to more harm than good in terms of public safety and law enforcement. Policy debates are often centred around the tradeoff between ‘privacy vs security’ or ‘privacy vs civil liberty.’ This exclusionary choice is rarely necessary.²² It is possible to find ways to isolate the harms from the benefits of digital technologies and tools to establish reasonable checks and limits that preserve the latter while guarding the former. In order to realise the benefits, it is essential to create strong policies that eliminate the risks born from improper use and errors.

In order to ensure checks and balances, it is important to create systems of accountability and transparency. Protecting due process rights, preventing abuse, and curtailing the chilling effects of surveillance would require the government to disclose the purpose of surveillance and the reliability of the systems in question. It is important to maintain transparency for surveillance programs, not just to ensure public trust but to also protect the principles of checks and balances.

For any necessary policies for safeguarding security, there should be restrictions on the building of mass databases of personal information by the government, especially in times of crisis. In absence of safeguard policies, the government could regularly deploy intrusive measures of surveillance and data collection which can further be used to scan, tag and intrude in personal data of individuals for law enforcement. Creation of mass databases of these ‘metadata profiles’ would severely undermine privacy, and risk reducing public participation in sensitive activities.

There must be procedures to keep any collected information safe, to delete information once it’s no longer in use, and to ensure it isn’t used against citizens. There must also be procedures in place to withhold sharing of information with external agents. It is understandable that given a crisis, some temporary adjustment of our digital liberties may be necessary. However, it’s really important that those adjustments be only temporary. The law must clearly state that the consent of the data principal, the individual whose data is in question, is mandatory in the collection and processing of the data. Reciprocal accountability from the side of the government must be put in place that can be used to hold the state accountable for any wrongdoings.

Given such a narrative, one must always question the legitimacy of dissemination of personal information in question. Was such dissemination required or merely desirable? Did the state adopt the least restrictive measure possible? Did the state strike a fair balance between the public interest at stake and the individual’s right to informational privacy? Can the arrangement be rolled back once the crisis is dealt with? If the answer to all of these questions is positive, then intrusions and surveillance of such nature can be temporarily entertained. The least intrusive measure to ensure security must always be favoured over any form of tactical surveillance.

Any attempt to surveil must be backed by the following steps:

1. Prior judicial review
2. Transparent system design and enforcement steps
3. Data collection and retention norms
4. Clearly stating the need of data processing
5. Seeking of individual consent and notifying data subjects before and after the surveillance step

A systematic risk-based management approach is recommended to balance the concerns of national security and privacy on one hand and limited state capacity issues on the other before making a judgement call on whether surveillance is of need.²³

Conclusion

Data and privacy protection are indispensable to build trust and create the necessary conditions for social acceptability of any solution. Any mechanism thus used should empower the citizens rather than control, stigmatise or repress. The promise of technology must be balanced with the imperative to protect constitutional rights and values, including privacy and anonymity, free speech and association, equal protection, and government accountability and transparency.  Accordingly, any accountability mechanism for such a solution shouldn’t be an afterthought but must be carefully planned and designed from the start.

Works Cited

1. “Surveillance, Rapid Response Teams, and Case Investigation.” Accessed May 15, 2020. https://www.who.int/emergencies/diseases/novel-coronavirus-2019/technical-guidance/surveillance-and-case-definitions.
2. Washington, Andrew Roth Stephanie Kirchgaessner in, Daniel Boffey in Brussels, Oliver Holmes in Jerusalem, and Helen Davidson in Sydney. “Growth in Surveillance May Be Hard to Scale Back after Pandemic, Experts Say.” The Guardian, April 14, 2020, sec. World news. https://www.theguardian.com/world/2020/apr/14/growth-in-surveillance-may-be-hard-to-scale-back-after-coronavirus-pandemic-experts-say.
3. “Coronavirus: The Detectives Racing to Contain the Virus in Singapore – BBC News.” Accessed May 15, 2020. https://www.bbc.com/news/world-asia-51866102.
4. Bhardwaj, co-authored by Sanya Kumar, Shrutanjaya. “The Publication of COVID-19 Quarantine Lists Violates the Right to Privacy.” The Caravan. Accessed May 15, 2020. https://caravanmagazine.in/commentary/covid-19-pandemic-quarantine-lists-right-to-privacy.
5. The Indian Express. “Aarogya Setu App Now ‘Mandatory’ in All Workspaces: Govt,” May 2, 2020. https://indianexpress.com/article/india/aarogya-setu-app-now-mandatory-in-all-workspaces-govt-6389799/.
6. “COVID-19: Those in Home Quarantine in Karnataka Directed to Send Selfies Every Hour to Govt | Deccan Herald.” Accessed May 15, 2020. https://www.deccanherald.com/state/top-karnataka-stories/covid-19-those-in-home-quarantine-in-karnataka-directed-to-send-selfies-every-hour-to-govt-819550.html.
7. Richards, Neil M. “The dangers of surveillance.” Harv. L. Rev. 126 (2012): 1934.
8. Apple Newsroom. “Apple and Google Partner on COVID-19 Contact Tracing Technology.” Accessed May 15, 2020. https://www.apple.com/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/.
9. “Drone Surveillance COVID-19 – Google Docs.” Accessed May 15, 2020. https://docs.google.com/document/d/1RIjHpbFxHMO71IiowTdZfxWAYsSh8Vt72LJEGPotTKA/edit.
10. “Govt Agencies Can Now Legally Deploy Drones for COVID-19 Surveillance – MediaNama.” Accessed May 15, 2020. https://www.medianama.com/2020/05/223-govt-can-deploy-coronavirus-drone-surveillance/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+medianama+%28Medianama%3A+Digital+Media+In+India%29.
11. Article 14. “Surveillance Without Safeguards In The Pandemic,” April 30, 2020. https://www.article-14.com/post/pandemic-in-india-spurs-surveillance-without-safeguards.
12. “An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict.” Accessed May 15, 2020. https://blog.theleapjournal.org/2017/09/an-analysis-of-puttaswamy-supreme.html.
13. Ibid.
14. “Technology Is Biased Too. How Do We Fix It? | FiveThirtyEight.” Accessed May 15, 2020. https://fivethirtyeight.com/features/technology-is-biased-too-how-do-we-fix-it/.
15. Winner, L. (1977). Autonomous Technology: Technics-out-of-control as a Theme for Political Thought, The MIT Press.
16. MediaNama. “Tamil Nadu Police Using Facial Recognition App to Track People in Quarantine,” April 3, 2020. https://www.medianama.com/2020/04/223-face-recognition-tamil-nadu-quarantine-coronavirus/.
17. MediaNama. “COVID-19: Kerala Deploys Thermal Imaging Camera with ‘face Detection’ Capability,” May 6, 2020. https://www.medianama.com/2020/05/223-kerala-thermal-imaging-camera-face-detection/.
18. NDTV Gadgets 360. “Aarogya Setu Mandatory for Employees in India, People in Containment Zones.” Accessed May 15, 2020. https://gadgets.ndtv.com/apps/news/aarogya-setu-lockdown-government-guidelines-covid-19-employees-public-private-containment-zones-2222033.
19. Deccan Herald. “Aarogya Setu App Lacks Clear Legal Backing and Limits, Tends towards Surveillance,” May 9, 2020. https://www.deccanherald.com/specials/sunday-spotlight/aarogya-setu-app-lacks-clear-legal-backing-and-limits-tends-towards-surveillance-835692.html.
20. “The Covid-19 Tracking App Won’t Work – Bloomberg.” Accessed May 15, 2020. https://www.bloomberg.com/opinion/articles/2020-04-15/the-covid-19-tracking-app-won-t-work.
21. Rachels, J. (1975). “Why Privacy is Important”. Philosophy and Public Affairs 4.4: 323-333.
22. Curry, Michael R., and David Phillips. “Surveillance as social sorting: Privacy, risk, and automated discrimination.” Privacy and the phenetic urge: geodemographics and the changing spatiality of local practice. London: Routledge (2003).
23. Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman. “Use of personal data by intelligence and law enforcement agencies.” August 1, 2018. https://macrofinance.nipfp.org.in/PDF/BBPR2018-Use-of-personal-data.pdf