Overcorrection at the cost of privacy during coronavirus is problematic

This article was first published in Deccan Chronicle. Views are personal.

There are three pillars of crisis management, according to NYU professor Scott Galloway. First, the top guy/girl takes responsibility. Second, acknowledge the issue. Third, overcorrect. When you read it out loud, it seems reasonably straightforward, but it is a process that should not be taken for granted.

It has taken governments and leaders around the world multiple attempts to take responsibility and acknowledge the issue. Finally, the time has come to overcorrect. Six months from now, when things are back to relatively normal, measures taken now may look drastic, but that is the point.

However, it is not going to be easy to overcorrect. Even governments have to follow social distancing and may already have limited capacity to deal with a pandemic of this size. Given the pervasive nature of modern technology, it is no wonder that government administrations around the world are going to try and use digital methods to aid their efforts.

China has been ahead of the curve on this. The government has begun using the Alipay app to assign citizens QR codes based on their risk of exposure, in order to regulate citizen movement. A green QR code means that you are free to move around. A yellow code means a one-week quarantine, while a red QR code means a two-week quarantine. In Tamil Nadu, the Police is now using facial recognition to track people in quarantine. At a larger scale, the Union Government of India is using the Aarogya Setu app to help connect Indian citizens to health services.

To most people, it might not make sense to talk about privacy in such times. And on one level, they would be right. It is hard to overstate the seriousness of the situation and dealing with the pandemic comes first. In such emergencies, concerns about privacy come second. Moreover, as a fundamental right in India, privacy exists with reasonable restrictions. Erosions of privacy must be necessary, legal, and proportional. Instead of being suspended, this standard should be upheld. Because as the Union Government (and the larger international community) use facial recognition, or apps such as the one deployed in China, it is crucial to keep in mind that such techniques have the potential to set a new normal by resetting our expectations on personal privacy.

Rahul Matthan has an excellent analysis backed by observations regarding this. Before 26/11, hotels in India would let you drive to the entrance and hand over your keys to the valet. Post the Mumbai attacks, vehicles are mandatorily screened, as are people and the contents of their baggage. As a practice, it seemed important and urgent at the time, and has now become routine.

More than a decade later, doing so has become the expectation, and it is probably for the best. However, that was 2008, and the difference between now and then is that the liberties yielded today will be a lot more invasive than just vehicle checking at hotels.

For instance, in the case of CoBuddy (the app being used in Tamil Nadu to track people), the app has constant access to the phone’s GPS and continuously checks the location of the phone. The app automatically sends an alert to the Police as soon as the person moves out of the geofence. The Police also sends users prompts 2-3 times a day to verify their faces.

Not all data is created equal. While both facial data and location data are personal and sensitive, the former tends to be more invasive. This is because facial information is permanent and cannot be easily changed. While constant access to people’s location can help determine where they live and their movement patterns, it is easier to change where you go compared to how you look.

The Aarogya Setu app, while admittedly better than the (now discontinued) Corona Cavach when it comes to privacy, still collects your name, phone number, age, sex, profession, countries visited in the last 30 days and whether or not you are a smoker (apart from constant access to your location). Compare this with the Singapore government’s app, Trace Together, which only stores your mobile number and a randomly generated ID. Not only are we being subjected to invasive apps, but lists of infected people with their names and addresses have been made publicly available without their consent.

Given the nature of the crisis and the tech response we have seen, it is evident that two things are happening here. Firstly, there is little regard for data minimization. Governments in India and across the world are collecting more data and accessing more data points to get a better sense of people’s movements during the crisis. Once your name, age and facial data are shared with the government, they are unlikely to change. Instead, once this crisis is over, the data can be used for purposes it wasn’t collected for.

Secondly, violations of personal privacy are becoming the norm and not the exception. It is now somehow okay to post lists of infected people on WhatsApp groups and to provide facial data to the police 2-3 times a day. Much like the vehicle checks at hotels post the 26/11 attacks, our expectations of privacy are being reset. Only this time, it is being done at scale.

It is fair to say that we live in unprecedented times. But that does not mean that the necessity and proportionality standards for eroding personal privacy should be suspended. If anything, they should instead be upheld. Because the liberties we give up today may end up becoming the norm tomorrow.