[WSMDiscuss] KOVID-19: 'Aarogya Setu': Hoaxical "Promise" and Unnerving "Threat": Three Excellent Analytical Comments

[Sukla Sen]

[*Why and how the "promise" of 'Aarogya Setu' is a hoax while the "threat"
is unnerving?*

In Singapore with *one-fifth of the population having downloaded the
contact-tracing app* - that, as per the editorial note, at sl. no. II.
below, from a very prestigious international journal, *translates into 4%
probability that when (any) two strangers encounter each other, both would
be having a device with the app installed*.
In India, the proportion of downloading, as of now, is approximately
one-third of that (i.e. one-fifth); one in fifteen having downloaded.
So, *the "probability" would be somewhere next to zero!???*

*Even if the current figure of downloading - i.e. close to 100 million, is
trebled, the probability rating rises to (a huge) 4%!!!*
*And, at what cost to privacy???*

<<Singapore’s TraceTogether app, which now has more than one million users.
Although this amounts to roughly one-fifth of Singapore’s population, it
still means that in any encounter between two randomly chosen people, there
is only a 4% chance that both will have the app. This points to one of the
deepest flaws in digital contract-tracing plans anywhere: the fact that
only a fraction of any population is likely to have the app at all. And
such efforts will miss out anyone who, for any reason, doesn’t have a
smartphone. TraceTogether’s developers have warned in a white paper that
the app is intended to help human contact-tracers — not to replace them.>>

(Excerpted from sl. no. II. below.)

<<Close to nine crore Indians have obediently downloaded the app. There are
a few vital problems, however: it is not voluntary, there are inadequate
data protections built in and the government can use it to trace all your
movements, and not just near Covid-19 patients. And to make matters worse,
the famous French “ethical hacker” who goes by the pseudonym Elliot
Alderson tweeted Tuesday that the app is not safe: he had identified a
security flaw that he would reveal to the government. (Alderson did so 45
minutes later; let’s hope the authorities deploy an effective fix.)

The app, which asks for a user’s age, address, travel history, smoking
history, symptoms and location, calculates the risk of contact with an
infected person on the basis of Bluetooth proximity. It continuously checks
if other people who have downloaded the app are in your proximity, tells
the user how many people have tested positive in the vicinity and how many
in range have flagged themselves unwell.
...
There are obvious flaws in any such app, many flagged by the independent
journal Nature, which points out that “there is scant published evidence on
how effective these apps will be”. Questions abound about accuracy, risks
of hacking, and Bluetooth-related security breaches. It omits those
possibly afflicted persons who don’t have a smartphone, of course, which
excludes people of economically weaker communities. It also risks being
misled by some self-declarations, by confusion if a family member borrows
your phone, or the opposite problem — going the other way and overwhelming
the public health system with false alarms. And, says Nature, one of the
deepest flaws in digital contract-tracing apps anywhere is “the fact that
only a fraction of any population is likely to have the app at all”.>>

(Excerpted from sl. no. I. below.)

<<India, however, has a long-standing public policy (pdf document) in place
that publicly created technology, and in particular, information technology
software, will be openly and publicly shared. Unfortunately, for no
justifiable reason, the Indian government-sponsored app, Aarogya Setu, is
not ‘open’. Examination of the code is forbidden, according to the user
agreement displayed on the Apple and Google app stores (from where the app
can be downloaded), and is accompanied by a threat of prosecution.

All claims about the protection afforded by the app, to either user devices
from malign remote influences, or to the data that should only be used to
inform the user about her risks, have to be taken purely on faith, that the
officials who make such claims are well-informed and have rigorously
audited the tool. Which is, incidentally, two tools, one placed on the app
and the other at some (hopefully; this is also taken on faith – the link
summarises succeeding security analyses of the ongoing versions of the app
and its setup, which cannot identify the actual server or its location)
government-owned server.

And all of this supposed sophistication is walled off from other countries
who, perhaps more desperately than India, need to and want to safeguard
their people.>>

(Excerpted from sl. no. III. below.)

The one at sl. no. I below offers a rather comprehensive overview of the AS.
The one at sl. no. II is a survey and critical evaluation of the
contact-tracing apps being resorted to globally, doesn't touch India, in
particular.
And the one at sl. no. III. below also offers an overall critical
evaluation of the AS, especially focussed on the technical aspects of how
it works.

To repeat, in very brief, the app is meant to be like (much more than) an
RFD tag attached to the phone, monitoring its location and gathering info
as regards which such other devices cross its path - 24×7, without any,
whatever, regulatory mechanism and safeguards in place.
One has, also, to per force share many private details with the central
"monitoring authority".
It's absolutely opaque how it uses all the data gathered.
In return only for some *fictional security* vis-a-vis the dreaded
disease.]

I/III.
https://theprint.in/opinion/shashi-tharoor-aarogya-setu-fits-right-in-with-modi-state-control/416242/?fbclid=IwAR3puftsrLdEYNcXpj9quVNFptWAW4hY35YWlXpcxpjMUJHCczryDqwZFKI

Shashi Tharoor: Aarogya Setu fits right in with Modi govt’s push for
greater state control
The Aarogya Setu app became the Modi government’s weapon of choice
overnight to fight Covid-19. But it can very well outlive the crisis.

SHASHI THAROOR

7 May, 2020 2:40 pm IST

Prime Minister Narendra Modi, Finance Minister Nirmala Sitharaman and
Commerce Minister Piyush Goyal at a meeting to boost investment Thursday |
Photo: ANI
Representational photo | Prime Minister Narendra Modi, Finance Minister
Nirmala Sitharaman and Commerce Minister Piyush Goyal at a meeting to boost
investment

Thursday | Photo: ANI

The announcements have come thick and fast. On 14 April, Prime Minister
Narendra Modi urged citizens to download the Aarogya Setu app, a tracing
app that lets you know if you have been in proximity with anyone who is
Covid-19-positive. Last week, on 29 April, the government issued a circular
stating that it would be compulsory for all government employees to do so.
On Wednesday, India’s 48.34 lakh government employees were instructed to
download the mobile app “immediately” and commute to their offices only
when it showed “safe” status. And on Friday, the Modi government suddenly
decreed that the app was now mandatory for all employees, public or
private. On what basis it could issue such an instruction to non-government
employees was far from clear.

Others started leaping on the bandwagon. Local authorities have been
instructed that all residents in a containment zone are obliged to download
the app. Many Residents’ Welfare Associations have started imposing the
same requirement. Noida went one step further and ordered that anyone in
that city caught without the app would be liable to arrest and a fine. The
Ministry of Human Resource Development has told schools that students’
parents should download the app. Zomato, Swiggy and Urban Company announced
that their employees have to download the app. As evacuations of Indian
nationals from foreign countries began Thursday, passengers were told that
they would have to download the Aarogya Setu app upon arrival.

This little app, using GPS location services, cell-tower proximity, and
Bluetooth, has become, overnight, the government’s weapon of choice for
combating the Covid-19 pandemic.

Also read: Govt ‘thanks’ French ethical hacker who flagged Aarogya Setu,
but dismisses security concern

Rigged with risks
Close to nine crore Indians have obediently downloaded the app. There are a
few vital problems, however: it is not voluntary, there are inadequate data
protections built in and the government can use it to trace all your
movements, and not just near Covid-19 patients. And to make matters worse,
the famous French “ethical hacker” who goes by the pseudonym Elliot
Alderson tweeted Tuesday that the app is not safe: he had identified a
security flaw that he would reveal to the government. (Alderson did so 45
minutes later; let’s hope the authorities deploy an effective fix.)

The app, which asks for a user’s age, address, travel history, smoking
history, symptoms and location, calculates the risk of contact with an
infected person on the basis of Bluetooth proximity. It continuously checks
if other people who have downloaded the app are in your proximity, tells
the user how many people have tested positive in the vicinity and how many
in range have flagged themselves unwell.

There are no global standards for such apps, but China, Hong Kong,
Singapore, and several European countries have deployed comparable apps for
coronavirus contact tracing. Unlike India, however, using them is entirely
voluntary in most countries. Aarogya Setu is not just obligatory but far
more invasive, using Bluetooth, GPS and cellphone tower information in
tandem and relaying data to an external server. There are few explicit
safeguards. There’s also the great danger that the app will be seen as a
“magic bullet” when it is no substitute for a comprehensive testing
strategy, which India is yet to implement.

There are obvious flaws in any such app, many flagged by the independent
journal Nature, which points out that “there is scant published evidence on
how effective these apps will be”. Questions abound about accuracy, risks
of hacking, and Bluetooth-related security breaches. It omits those
possibly afflicted persons who don’t have a smartphone, of course, which
excludes people of economically weaker communities. It also risks being
misled by some self-declarations, by confusion if a family member borrows
your phone, or the opposite problem — going the other way and overwhelming
the public health system with false alarms. And, says Nature, one of the
deepest flaws in digital contract-tracing apps anywhere is “the fact that
only a fraction of any population is likely to have the app at all”.

Also read: I downloaded Aarogya Setu app — the twist in season finale of
Black Mirror lockdown

A surveillance tool
The democratic solution to that problem is to develop public trust in the
app, rooted in transparency, but India hopes to overcome the challenge by
obliging everyone to use its app. Indications are that all future
smartphones in the country will have Aarogya Setu pre-installed. You may
soon not be able to leave home to use the Delhi Metro or get on public
transport without showing you have the app. Combined with existing
government databases, the app will have a synoptic view of its users’
movements and activities. This is why the biggest concerns relate to
privacy and the risk of enhanced – and conceivably permanent – surveillance
of Indian citizens.

We still don’t have a data protection law in the country, though I
personally (and many others) have repeatedly called for one in Parliament.
The government has denied the Parliamentary Standing Committee on
Information Technology, which I chair, the opportunity to review a law that
falls squarely within its mandate, by sending it instead to a select
committee chaired by an MP of the ruling party. Our country has no
meaningful anti-surveillance laws – intrusive interceptions are still
conducted under the 1885 Telegraph Act – and many have expressed the fear
that the war against coronavirus is being used as a pretext to erode the
privacy of Indian citizens and keep tabs on their freedom of movement.

“The coronavirus is a gift to authoritarian states including India,” author
Arundhati Roy told The Guardian. “Pre-corona, if we were sleepwalking into
the surveillance state, now we are panic-running into a super-surveillance
state.”

The web watchdog NGO, the Internet Freedom Foundation, has cautioned that
the app could create a permanent surveillance architecture, and that –
since the government has a blanket liability limitation in its service
agreements and privacy policies — citizens cannot hold the government
accountable or seek judicial remedy. Aarogya Setu’s user agreement states
that the data can be used in the future for purposes other than epidemic
control and shared with government agencies. The algorithm and source code
used by the app are neither transparent nor auditable; there is little
transparency around how the data will be handled, what will be the nodal
department empowered to share the data with other agencies, which
government departments will have access to the Aarogya Setu database, and
how effective the promised “data anonymisation” will be. It is well
established that it is not difficult to identify individuals from
anonymised data sets.

Also read: Aarogya Setu download rate is faster than Facebook. Can it keep
India ahead of Covid curve?

A warning
At a time when the Narendra Modi government has seized powers to enforce
the ongoing lockdown, charged journalists, arrested student protesters,
banned gatherings and severely restricted the functioning of courts,
denying bail to many, there are genuine concerns that the Aarogya Setu app
will play into an unfolding narrative of greater government control.

Failure to install the Aarogya Setu app is punishable under Section 188 of
the IPC (disobedience of an order by a public servant) and Section 51 of
the Disaster Management Act (disobedience of an order by an official
relating to a disaster). There have been no prosecutions yet. But we have
been warned.

The author is a Member of Parliament for Thiruvananthapuram and former MoS
for External Affairs and HRD. He served the UN as an administrator and
peacekeeper for three decades. He studied History at St. Stephen’s College,
Delhi University and International Relations at Tufts University. Tharoor
has authored 19 books, both fiction and non-fiction. Follow him on Twitter
@ShashiTharoor. Views are personal.

II/III.
https://www.nature.com/articles/d41586-020-01264-1?WT.ec_id=NATURE-20200430&utm_source=nature_etoc&utm_medium=email&utm_campaign=20200430&sap-outbound-id=DC5D6DF9E46F47E370B4B407CB3B672F9BB9555A&fbclid=IwAR0fS02JZ_f7-SGOar7iK9vsPeN_Y5mq6DS8UkNBwAByubaI4BL9pb847eY

EDITORIAL
29 APRIL 2020

Show evidence that apps for COVID-19 contact-tracing are secure and
effective
Governments see coronavirus apps as key to releasing lockdowns. In exchange
for people’s health data, they must promise to work together to develop the
highest standards of safety and efficacy.

 PDF version
A man on an escalator looks down at people standing in squares marked on
the floor as part of social distancing measures.
In Singapore more than one million users have downloaded a contact-tracing
app. But in any random encounter between two people, there is only a 4%
chance that both will have the app.Credit: How Hwee
Young/EPA-EFE/Shutterstock

In the toolkit of strategies to stop the spread of SARS-CoV-2, more
countries are reaching for smartphone apps. When phones with such an app
are close together, they exchange information — in some cases creating a
log of who a phone’s owner has been near. These ‘contacts’ will be alerted
if they have been close to an infected person. Such apps can complement a
country’s overall COVID-19 control strategies — including testing, contact
tracing, isolation and social distancing — but they cannot serve as a
replacement for them, or the thousands of contact-tracing teams they
require.

Like any health-care intervention, coronavirus apps need to conform to the
highest standards of safety and efficacy. And yet, despite the pandemic’s
global nature, countries are developing apps independently, and there are
no global standards — which is rightly raising concerns.

Some countries are already starting to use phones to record data, including
names, addresses, gender, age, location, disease symptoms and COVID-19 test
results. For example, users of Australia’s COVIDSafe app, launched last
weekend, will be contacted by health officials if an app user they have had
close contact with tests positive for COVID-19. Germany’s app, which is
still in development, will also use actual test results. Australia is
storing data centrally, but, after much debate, and expressions of concern
from researchers, Germany’s app will store coronavirus data on individuals’
phones. And Egypt’s app, launched earlier this month, uses a phone’s
location services to alert users if they have been near anyone with
COVID-19.

The United Kingdom’s contact-tracing app is to be launched soon and will
require users to describe their symptoms; it is not yet clear whether it
will also link to test results. Data will be stored centrally and users
will allow the health authorities to alert the person’s contacts.


Time to discuss consent in digital-data studies
Use of all of these apps is voluntary, as it should be. In most cases, the
apps are being developed by governments working with technology companies
and researchers. But, considering that citizens are being asked to give up
their personal data, there has been little national public consultation.
Another cause for concern is the fact that there is scant published
evidence on how effective these apps will be at either identifying infected
people who have not been tested or, if widely used, stopping the spread of
the disease. Governments are excitedly pointing out the benefits, but are
saying less about the risks.

Key questions need answers
One serious concern is accuracy. Apps that link to official validated tests
are obviously more likely to give accurate results. An alert based on
self-diagnosis that turns out to be wrong — a false positive — could, of
course, be corrected. But if incorrect information has been sent to a large
group of contacts, it will have caused unnecessary alarm, and could have
wrongly sent people into isolation for weeks.

An equally important concern is privacy. As we have pointed out before, it
is becoming easier to identify individuals from anonymized data sets.
Researchers have shown that it is possible to re-identify individuals even
when anonymized and aggregated data sets are incomplete1.

Researchers are also raising concerns about the decision some countries
have taken to store data centrally. Earlier this month, nearly 300
researchers signed an open letter reminding governments that data stored in
many different places — such as individual phones — are more secure, and
that data stored in one place are more susceptible to hacking.


Why the World Bank ex-chief is on a mission to end coronavirus transmission
And then there’s the communications technology itself. Most apps share
information using Bluetooth, a radio-frequency technology that allows
devices to exchange information at close range. This is convenient, because
most smartphones have it. But it has a history of security breaches that
have been much-reported and studied. Smartphone users are usually advised
to turn off Bluetooth when it is not needed, and especially when in close
proximity to other phone users. But to work, COVID-19 apps need users to
keep Bluetooth running — particularly when they are in public places.

COVID-19 apps have, to some extent, been inspired by the experiences of
South Korea and Singapore — where electronic surveillance methods have
helped to control infections. South Korea, in particular, is regarded as a
model because it avoided severe lockdowns. Some 3 months after the outbreak
spread to the country, only a handful of new cases are being reported daily
and 244 deaths have been recorded in total.

But the foundation for South Korea’s COVID-19 response is a comprehensive
testing strategy, backed by a nationwide network of contact-tracers who
interview infected people and trace their contacts. The strategy includes
the use of phone alerts, but not the Bluetooth apps being developed
elsewhere. More importantly, it is based on a degree of surveillance that
people in many other countries will find hard to accept.

When a person tests positive for COVID-19, a text alert is sent to everyone
living nearby. This alert typically includes a link to a detailed log of
the infected person’s movements — in some cases to the nearest minute.
These movements are reconstructed from public data, such as closed-circuit
television cameras. But the South Korean government is also permitted to
access confidential records, such as credit-card transactions. The data are
then stored centrally by government agencies. At the same time, people’s
movements are anonymized and published online.

Much attention has also been paid to Singapore’s TraceTogether app, which
now has more than one million users. Although this amounts to roughly
one-fifth of Singapore’s population, it still means that in any encounter
between two randomly chosen people, there is only a 4% chance that both
will have the app. This points to one of the deepest flaws in digital
contract-tracing plans anywhere: the fact that only a fraction of any
population is likely to have the app at all. And such efforts will miss out
anyone who, for any reason, doesn’t have a smartphone. TraceTogether’s
developers have warned in a white paper that the app is intended to help
human contact-tracers — not to replace them.

Researchers and policymakers have worked hard over many decades to ensure
that medicines, vaccines and health-care products conform to agreed
standards of safety and efficacy. These often need to be global standards.
COVID-19 smartphone apps are a health-care intervention, too, and will
potentially affect hundreds of millions of lives. But they are being rolled
out without pilot studies or risk assessments being published.

It’s not that digital contact tracing shouldn’t be done, but it should not
be a substitute for human contact-tracing teams; nor should it be seen as a
replacement for necessary COVID-19 testing.

Speed is, of course, of the essence — but so is due diligence and due
process. This includes public dialogue; more involvement from researchers,
including those who study ethics, law and public engagement; and a
cast-iron commitment from governments that the information being harvested
is secure and will only ever be used for the reasons it is being requested.

III.
https://theleaflet.in/unhealthy-bridge/?fbclid=IwAR1HA-HXAIRgT-tqYS18D0f_eWACoMYxhMIryjJ6uBO4Dires2DStjDXsVg

Unhealthy bridge
Disastrous management

Vickram Crishna|

May 6,2020

The Arogya Setu App may soon become compulsory for all of us. It is illegal
to compel users of the smartphone to download the App, how useful is it in
“contact tracing “ and to what extent will the data collected violate our
fundamental right to privacy? These are some of the issues the author
addresses here.


ON May 1, 2020, the Union Home Secretary issued an Order (40-3/2020-DM-I(A)
dt 01.05.2020) asserting that in his capacity as Chairperson NEC, new
guidelines are in effect under the provisions of sec 6(2)1 of the National
Disaster Management Act 2005. The clause merely affirms that the National
Disaster Management Authority, which acts through the National Executive
Committee, is to lay down policies on disaster management.

The guidelines expressly declare, in two separate clauses, that persons in
employment who must attend work at a designated workplace (both in
government service and in the private sector) (Annexure 1 clause 15) and
persons residing in what are called ‘containment zones’ (clause 3-iii.)
must install an app called “Aarogya Setu” or “Arogya Setu” on their phones.

However, the NDMA itself states clearly, clause 72 “overriding effect” that
it supersedes other rules and laws in effect. It does not state that it
overrides the Constitution of India, and there’s an excellent reason for
this.

The Act envisaged the development of a rapid response management system, to
deal with natural disasters and the like, where a national effort would be
needed to cope with a situation that might overwhelm the resources of one
or more states. The Covid-19 crisis is potentially a little different, in
that it hardly respects mere political borders that are frequently
traversed in the normal course, a healthcare crisis whose primary spread is
through ordinary people. But it is not now, and if the situation is
professionally managed, perhaps it will never be an Emergency, that calls
for the suspension of all civil rights.



Unconstituted Authority


The authority of the Union Home Secretary, in any capacity, much less the
provisions of the National Disaster Management Act, 2005, to order people
residing in India to mandatorily allow the government to breach their
personal privacy, is highly doubtful.

What makes it far more objectionable, though, is that there is hardly any
credible reason to believe that this app, or any other app that leverages
the technologies presently built into the modern smartphone, can help a
weak, close to non-existent healthcare infrastructure, to actually deal
professionally and competently with a pandemic that might cross all
boundaries.



Tech Talk


To understand why this is so, one needs to focus on the capabilities, and
then widen one’s scope to see how they might fit into a larger framework.

Firstly, most models of smartphones incorporate several multi-band radios,
mostly capable of two way communications. We are familiar with the phone
application, of course, because it is a phone, and allows people to speak
to one another across great distances, aided by existing communication
networks. But it is also ‘smart’, it has some inbuilt computing capability,
and it uses digital processors to accomplish that. And some of the radios
are digital radios, made to fit in well with non-voice applications, all of
which means that the device can exchange non-verbal communications with
other phones, and also with other computers.

Two of these technologies are Bluetooth and GPS location tools. The first
of these, Bluetooth, is a weak signalling arrangement that allows
non-verbal signalling over short distances, about 10 metres, in fact. It is
used most often to connect the phone’s audio to speakers or amplifiers, and
is quite versatile that way. The other device needs to be digital, of
course, as that is how it is designed to work.

Which means it also connects to other phones. Some people use it to send
photos and other media conveniently between a pair of phones. It isn’t
really quick for this, though, as not just the distance, but the data
throughput is also limited.

The real problem with it is that it was developed to connect easily with
other devices, and sometimes that can boomerang, as other devices within
range can sometimes connect without permission. This is especially so when
the Bluetooth settings invite contacts to connect that way, which is good
if you want your speakers to hook seamlessly with your phone, not so good
if your neighbour downloads your phonebook and anything else, or uploads a
virus/malware that locks up your phone memory and effectively bricks the
phone (the expression dates back to the time when the shape of mobile
phones resembled that of bricks – a phone that didn’t work was basically no
different from a brick).

GPS (global positioning system) location is a different issue, of course.
Just like old GPS devices, the phone is capable of identifying signals from
3 or more satellites orbiting the planet, and can calculate its position on
earth by comparing the signal strengths of each of those connections. This
sounds a bit vague, and unfortunately, it doesn’t get any sharper by
recalling the wonderful assistance provided by a roadmap service. The
reason that works so well is that the phone is preloaded with roadmaps, and
if the phone is moving along, the assumption that it is moving along a road
is really quite reasonable. It doesn’t work at all well when surrounded by
tall buildings and the roads are not a given, and this is not due to any
fundamental failure in the GPS systems. Rather, phones are not, in fact,
dedicated GPS devices, and provide at best a reasonable approximation that
works for most people most of the time.



Contacts trac(k)ing: the genesis


Contact tracing is a specialised field of epidemiology, the study of how
disease spreads. Rapidly spreading infectious diseases are a special case,
fortunately, or else most of the modern world could not have come to be.
Looking at the clear skies, breathing the fresh air, and listening to
birdsong are some hints that, perhaps, Prime Minister Jacinda Arden of New
Zealand is on the ball when she suggests that economic growth isn’t the key
to a successful national strategy for the post-Covid-19 world.

Still, here we are, in the midst of the pandemic, not past it, and this is
a rapidly spreading infectious disease, spread by humans in proximity to
each other. That is the normal state for most modern work and travel, so
dealing with it is a need. The most basic thing about such contagion is
that the spread is based on a mathematical truth called exponential growth.
One person can expose several others, and some of them will get infected. A
few of the infected people will not show any symptoms, but will still be a
risk to others. Many medical researchers believe that recovered victims are
no longer infectious (are immune), but the jury is out on this. Simply
because we do not have the jury system in courts in India does not mean it
doesn’t have a place in the real world. Unchecked, the numbers rapidly spin
out of control, and this is why most countries around the world have locked
down, at tremendous cost and with immense hardship inflicted on many,
almost exclusively the poorest.



The science behind the need


Knowing that it spreads exponentially does not, alas, simply translate into
hard numbers on how many people will be infected, will fall ill, or how
many will die. Only reliably conducted record-keeping can be the basis for
such forecasting, and India does not actually have such a system in place,
either for noting the cause of death, or indeed, for deaths themselves.

But, to understand how to continually assess the state of the disaster as
time goes by, we have this really fine analysis by Nicky Case et al, which
includes dynamic models that administrators and policymakers can use, both
for the national estimates and within much smaller localities, to help
manage the local situation with the least possible dismal immediate and
future consequences.

Some of the numbers that plug into the models (the screens are provided
with sliders, to make using numbers easier) come from contact tracing;
others come from hospitals/health centres and, sadly, from death records.

As can well be appreciated, if people are constantly coming into contact
with others, the spread of disease can be bewildering. However, diligently
keeping track of infected people who move around can take away some of the
mystery. Since the disease might take up to 14 days (this is an educated
guess from global records kept in other countries) to manifest itself, it
isn’t anybody’s fault. And since some people may never show symptoms, but
still be risky, really, fault isn’t the problem here.

But finding fault is something that police systems are unfortunately prone
to do. In fact, the official police force is often publicly tracked in
terms of cases solved, meaning, criminals caught, rather than cases closed,
meaning resolving whether a crime took place at all. Which is still within
the realm of police forces: it is unfortunate when the court of public
opinion starts dealing with healthcare on the same basis, and it is against
the tenets of our Constitution for administrators to start treating
infection vectors (ie people or things that carry infections to others) as
criminals.



Contact tracing: the science


Once the hysteria over the unknown is removed, contact tracing turns out to
be a tedious and often thankless job, trying to find out just who infected
how many others, and then asking those others who else they might have
infected, and so on. And what makes it worse is that eye-witness memory is
hugely unreliable, and gets more unreliable as time goes by. A fortnight is
a long time to remember each journey, each market, each office and exactly
what time of day. It takes expert questioning by trained persons to find
out accurately what a person remembers.

Naturally, technologists leap into this void, and are ready with rosy
promises about the devices carried by many people. They are already being
used by marketing agencies to fine-tune commercial offers (in response to
Unilever founder Lord Leverhulme’s famous doubt about advertising: being
unaware of which half of the company’s advertising delivered actual sales,
and which was money down the drain), evidenced by the billion-dollar
valuations of such businesses as Apple and Google, that many people believe
are technology companies.

In fact, Apple and Google themselves, supposedly fierce competitors in the
smartphone space, have come together to propose standards to be built into
phone operating systems, very often updated for free by users, that will
ease the job of jogging people’s memories about who and when they might
have met particular other people.



The privacy question


Which brings up the elephant in the Covid-19 room: how do you identify only
the people who are risky, and people at risk, without annoying anyone else,
and without stepping on everyone’s (digital) toes?

As ‘everyone’ knows, there are countries where this isn’t actually a
question, and there are countries where the question is brushed under the
table while people are fed stories of dire emergencies. In India, since
privacy is a Constitutional guarantee and not a legal inconvenience that
might be set aside for a while under the Disaster Management Act, it is an
important question, despite what the Union Home Secretary has done.

It turns out that, indeed, it is feasible to uphold public trust in the
intentions and actions of the government and to use smartphones to add some
simplicity and time-saving to the job of contact tracing, without trashing
privacy forever, and this is explained in this clever little cartoon
drawing, also the work of Nicky Case, as it happens.







The case for being open


There is one thing that is fairly clear about this pandemic: it is a global
problem. In fact, that is one of the reasons that we have organisations
like the World Health Organisation (WHO), so that diseases that can
potentially affect all humans can be addressed with solutions that are
created by anybody.

That is why it is important that Apple and Google are working together
openly, to set a standard that will be applicable to smartphones made by
anybody, and used by anybody. It also explains why the Government of
Singapore openly published the code for their own sponsored smartphone app,
TraceTogether, which has been of some use in helping their Health
Department save some time and effort in contact tracing.

It may not have helped much, as not everyone is using the app, and the job
of contact tracing is so difficult. The people who are using it find that
they are (ie their phones are) reporting too many contacts wrongly, which
can add to the work of contact tracers, rather than cutting it down. As a
result, only a fifth of the users have actually had their data used as the
basis for actual contact tracing, and only a fifth of the nation-state have
even become users.

Australia also has an open-code smartphone app, COVIDSafe, and faces
similar problems with slow uptake, as well as wrong leads. But the app,
like the Apple/Google alliance, does not expose users to unwarranted
privacy risks, and several parts of the country are now gaining confidence
for a return to some normalcy, thanks to an overall package of effective
measures (some parts are not, however, which illustrates the complexity of
the health crisis).

The thing is, nobody has actually tried to implement a contact tracing app
before. Smartphones are a new thing, and global infections are fortunately
rare, so this is understandable. But when something is new, it doesn’t
often (actually, almost never) work out of the box. It takes many tries,
lots of public feedback, and the will to improve, to get it right.

Not everyone can afford to do that. But not everyone faces the risk of
having over a billion people in their country fall ill. In fact, that risk
is only faced by two nations in the world today, China and India. The
Chinese government has not had, however, in its 80 years of existence as

a free republic (after the Japanese occupation) had to care much about its
people’s Constitutional freedoms, though, which is a rather different
situation from India.



Open technology for a world that works together


India, however, has a long-standing public policy (pdf document) in place
that publicly created technology, and in particular, information technology
software, will be openly and publicly shared. Unfortunately, for no
justifiable reason, the Indian government-sponsored app, Aarogya Setu, is
not ‘open’. Examination of the code is forbidden, according to the user
agreement displayed on the Apple and Google app stores (from where the app
can be downloaded), and is accompanied by a threat of prosecution.

All claims about the protection afforded by the app, to either user devices
from malign remote influences, or to the data that should only be used to
inform the user about her risks, have to be taken purely on faith, that the
officials who make such claims are well-informed and have rigorously
audited the tool. Which is, incidentally, two tools, one placed on the app
and the other at some (hopefully; this is also taken on faith – the link
summarises succeeding security analyses of the ongoing versions of the app
and its setup, which cannot identify the actual server or its location)
government-owned server.

And all of this supposed sophistication is walled off from other countries
who, perhaps more desperately than India, need to and want to safeguard
their people.



Open world, closed eyes


This is a sad regression to a world of divisiveness by design, to a thought
process that trumpets close-minded thinking, and to a belief that the
government can do no wrong.

It is precisely because of the dangers of such unthinking belief that our
democratic free republic was created with four independent pillars
guaranteed in place, the executive, the legislature, the judiciary and a
free media (‘press’, but that term is too limiting). No single pillar can
stand without being open to question by any and all of the others. Only
with all four pulling against each other, and not supinely giving way to a
supreme executive, can India have a stable system that serves the interest
of the people, for whom it exists.

And therefore, most importantly, vox populi, the voice of the people, is
the fifth pillar, the one that isn’t institutionalised, that brings in
letters questioning actions (under an Act that was originally, before the
recent dilution, meant to ensure that answer would be forthcoming). And
that, until this became unsafe in the wake of the pandemic, brought
housewives to the barricades, calling for justice in the teeth of violent
and divisive forces reminiscent of 1930s Germany.



[Vickram Crishna is a trained engineer and manager, the author’s case
against Union of India and Others, against the operation of the
state-operated technology-based national identification scheme, also
resulted in a definitive judgment affirming the fundamental right to
personal privacy]

-- 
Peace Is Doable




-- 
Peace Is Doable
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openspaceforum.net/pipermail/wsm-discuss/attachments/20200510/659bc291/attachment.htm>