Update (April 22 10:23 am): The academics have released a new website — https://www.esat.kuleuven.be/cosic/sites/contact-tracing-joint-statement — to allow more researchers to sign up. At the time of updating the story, 177 more people had signed the statement, bringing the total to 480.

Contact tracing apps that allow “reconstructing invasive information about the population should be rejected without further discussion”, 303 scientists and researchers from across the world said in a joint statement. Arguing that such apps could “result in systems which would allow unprecedented surveillance of society at large”, they warned that the effectiveness of contact tracing apps is “controversial” and these apps can be “repurposed to enable unwarranted discrimination and surveillance” in the absence of privacy safeguards. Five academics from India, including Prof. Manoj Prabhakaran who wrote Internet Freedom Foundation’s submission in the WhatsApp traceability case, have also signed the statement.

The researchers have recommended four interoperable, open source, privacy-preserving decentralised methods: DP-3T (Decentralised Privacy-Preserving Proximity Tracing), TCN Coalition, PACT (Private Automated Contact Tracing) (MIT), and PACT (University of Washington).

Since the Government of India has released its own contact tracing app, Aarogya Setu, it is important to assess the effectiveness of digital contact tracing and its effect on privacy. The joint statement proposes four principles that contact tracing apps must adopt:

  1. Purpose limitation: Limit the use of such apps to “support public health measures for the containment of COVID-19”. The app “must not be capable of collecting, processing, or transmitting any more data than what is necessary to achieve this purpose”. Aarogya Setu is guilty of mission creep as it now allows users to make UPI payments to PM CARES Fund, retain copies of movement e-passes, and in future will have a registered directory of Suraksha Stores, that is, kirana stores that will be sanitised by consumer goods companies and the Indian government.
  2. Transparency and data minimisation: Protocols, their implementation, and provision of sub-components provided by companies must be available for public analysis. How, where, and for how long data is processed and stored must be documented “unambiguously” and data collected should be minimal. With Aarogya Setu, there is a lack of clarity about data deletion and account de-registration.
  3. Always choose the most privacy-preserving option, or else provide sunset provisions: When it is not possible to opt for the most privacy-preserving option, it must be clearly justified with sunset provisions. Aarogya Setu’s privacy policy has no sunset provisions.
  4. Such apps must be voluntary and must require explicit consent of the user. The design should allow users to switch the app off and delete all data when the current crisis is over. Even though Prime Minister Narendra Modi and the Ministry of Home Affairs (in its lockdown guidelines) only suggested the use of the app, Prasar Bharati and Central Armed Police Forces have already made it mandatory for their personnel to download the app. Even though the app requires the user’s consent, researchers have noted that the app turns on Bluetooth access before users agree to the app’s Terms of Use, rendering consent useless.



Problems with contact tracing apps

  • GPS location not accurate enough, undermines privacy: Unlike Bluetooth-based solutions, GPS-based contact tracing apps lack “sufficient accuracy” and carry privacy risks as the GPS data is sent to a centralised location.
  • Mission creep into surveillance infrastructure: The signatories acknowledge that while some Bluetooth-based proposals respect individuals’ right to privacy, others enable government/private surveillance through “mission creep”.
  • Creation of social graph threatens privacy: Systems that allow states to access and process “social graphs” of who someone has physically met over a period of time should be “rejected without further discussion”.



Ways to improve contact tracing apps

  • Decentralisation is the way forward: “[H]ighly decentralized systems have no distinct entity that can learn anything about the social graph. In such systems, matching between users who have the disease and those who do not is performed on the non-infected users’ phones as anonymously as possible, whilst information about non-infected users is not revealed at all.” In a resolution passed on April 17, the European Parliament also said that generated data must not be stored in centralised databases.
  • Apple-Google contact tracing infrastructure is a good move that does not collect private information on users. It is supported by “teams building the privacy protective schemes” “as it simplifies — and thus speeds up — the ability to develop such apps”. However, the letter decried attempts to pressurise the companies to open up their systems so that they can capture more data.
  • Privacy-preserving design that is subject to public scrutiny is essential, rather than an expectation that the apps will be managed by a “trustworthy” party.
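
A simplified sketch of the decentralised matching described in the first point above, added here as an illustration; it is not code from the joint statement or from DP-3T, TCN or PACT. The HMAC-based derivation, the 96 epochs per day and the names `Phone`, `ephemeral_ids` and `simulate` are assumptions made for the example.

```python
import hashlib
import hmac
import os

EPOCHS_PER_DAY = 96  # assumption: one ephemeral ID per 15-minute window


def ephemeral_ids(day_key: bytes) -> list[bytes]:
    """Derive the day's broadcast identifiers from a secret per-day key."""
    return [
        hmac.new(day_key, b"ephid" + epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
        for epoch in range(EPOCHS_PER_DAY)
    ]


class Phone:
    def __init__(self) -> None:
        self.day_key = os.urandom(32)   # stays on the phone unless its owner is diagnosed
        self.heard: set[bytes] = set()  # IDs observed over Bluetooth, stored locally only

    def broadcast(self, epoch: int) -> bytes:
        return ephemeral_ids(self.day_key)[epoch]

    def exposure_count(self, published_keys: list[bytes]) -> int:
        """Match locally: re-derive IDs from published keys, compare with own log."""
        return sum(
            len(self.heard.intersection(ephemeral_ids(key))) for key in published_keys
        )


def simulate() -> dict[str, int]:
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounters: Bob is near Alice for three epochs; Carol never is.
    for epoch in (10, 11, 12):
        bob.heard.add(alice.broadcast(epoch))
    carol.heard.add(bob.broadcast(40))
    # Alice is diagnosed and consents to upload her day key. The server's
    # entire knowledge is this list: no contacts, no identities, no locations.
    server_published = [alice.day_key]
    return {
        "bob": bob.exposure_count(server_published),
        "carol": carol.exposure_count(server_published),
        "server_items": len(server_published),
    }


if __name__ == "__main__":
    print(simulate())
```

The server only ever relays the diagnosed user's key; who met whom is computed, and stays, on each non-infected user's phone.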




***Update (April 22 10:23 am): Updated with details of website. Originally published on April 21 at 5:52 pm.