On January 13 this year, subscribers of English newspapers in India woke up to full-page advertisements from WhatsApp on the front pages. Earlier in the week, WhatsApp had announced an upcoming change to its privacy policy , which led to growing concerns around privacy among many users, and who started switching over to other messaging services such as Signal and Telegram. This led WhatsApp to issue the advertisements, which committed to protecting the privacy of its users. This unprecedented move by the Facebook-owned company indicates that Indian consumers are becoming more aware and concerned about data protection and privacy — a trend that has become stronger in the recent past.
Platforms and COVID-19
The issue of privacy is crucial for government technology platforms and services as governments typically have a monopoly in providing public services, unlike the private sector. Hence, “porting out” or “digital migration”, as seen in the case of WhatsApp, is not an option. What is needed instead, is an examination of government technological platforms to create better awareness. We saw this in action in the case of Aadhaar (the Government of India’s biometric digital identity platform) and Aarogya Setu (the Government of India’s contact tracing application during the novel coronavirus pandemic).
Since the announcement of the first lockdown on March 24, 2020, at least 35 mobile apps that specifically address COVID-19 were developed by 25 States and Union Territories of India. Of these, 27 mobile apps provide general information on COVID-19 and seven allow tracking of nearby COVID-19 cases. Of all the mobile apps, 15 have a quarantine tracking feature and at least four of these require prior registration with the State Health Department.
An assessment of the 35 mobile applications revealed that 17 mobile apps provide information on COVID-19 hospitals while only three apps provide information on isolation beds. Some of the mobile apps also facilitated the home delivery of essential items, such as groceries and medicines, while seven allowed users to apply for mobility passes.
Still a case of digital exclusion
The development of COVID-19 mobile apps was well-received and perceived as a strong proactive initiative, especially by sections of the population that were digitally empowered. However, as of October, 2020, more than 40% of mobile phone subscribers in India lack access to Internet services. This includes those with feature phones that have no Internet and when added to those with no mobile phone at all, India’s digitally excluded could be more than 50%. Hence, while the creation of mobile applications makes information readily available to those with the technology to access it, it does not solve the problem for individuals and communities that remain excluded digitally.
Also read | What are the concerns around the Aarogya Setu app?
No consistency, privacy issues
The data above implies that the mobile applications developed have not benefited from the standardisation of information and a coordinated development approach. The analysis shows that the various mobile apps on COVID-19 operated by the different State governments lack consistency in terms of the features, functionalities, and frequency of information updates they offer. As information was being updated manually in many of the mobile applications, the data in the mobile application was different from the actual data, leading to multiple sources of truth. Hence, the governments should continue to set up functional helplines, auto-diallers, SMS text messages, and other channels to ensure that the digitally restricted have access to the same information as the digitally empowered — especially during crises such as the pandemic.
Coming back to privacy, most of these State mobile apps also differ significantly on the data privacy they provide, depending on the information or permissions they request from the user. We observed that 31 of the 35 mobile apps request access to location services, nine mobile apps request access to device ID and call information, five mobile apps request access to Bluetooth settings,15 mobile apps request access to the camera, three mobile apps request access to contact information, and three mobile apps even request access to the user accounts on the device.
Comment | Privacy concerns during a pandemic
It seems that these data requests may not meet the two commonly accepted principles of data privacy — necessity (is the data necessary for the mobile application to achieve its goal?) and proportionality (is the collection of data proportionate to the extent to which an individual’s right to privacy is being infringed?). The mobile applications developed could have proactively followed established principles of privacy by design, such as minimal data collection and end-to-end data security. The redundant features of numerous mobile apps of States on COVID-19, duplication of efforts, non-uniformity in data-privacy, and confusion among the end user point toward a larger need for an open, interoperable, application programming interface (API)-based microservices architecture that can integrate (or host) the State digital applications with the central government’s application.
Possible solutions
The adoption of an API-based microservices architecture and federated database structure with an appropriate governance framework could address these issues. It would allow, for instance, Aarogya Setu to integrate with the myriad of State mobile apps to offer both its standard services, that is, contact tracing and real-time information on cases as well as State-specific customised services or sub-applications such as information on hospital beds and grocery shops, among others.
Many countries in Europe have considered moving from an information flow that is centralised to a decentralised information flow for contact-tracing applications. This was largely driven by concerns regarding privacy, as centralised databases can have a higher risk of data leaks and security breaches. Besides, a decentralised information flow, owing to information residing in many individual systems and not in a centralised system, increases the cost while reducing the reward of effecting a successful breach.
Also read | Govt releases backend code of Aarogya Setu to enhance transparency
Several mobile apps of the State governments employ a centralised approach. Hence, in the future, design considerations of these mobile apps should evaluate the need for a centralised approach and ascertain whether the same goals can be achieved through a decentralised information flow.
Given the presence of structured audits that continuously put the spotlight on Government of India-backed technologies, extending the same level of scrutiny to technology platforms developed by the States brings the opportunity of improved public services overall, and the public confidence needed to encourage wider adoption.
Carsten Maple is a Turing Fellow and Professor of Cyber Systems Engineering in WMG at the University of Warwick, U.K. Venkat Goli leads the Centre for Responsible Technologies at MSC (formerly MicroSave Consulting). The article was produced as a part of the India Pandemic Technology Review Project
