Analysis | Why collecting call records of COVID-19 patients an intrusion into privacy, and unnecessary

Analysis | Why collecting call records of COVID-19 patients is a major intrusion into privacy, and unnecessary
Representational image: Shutterstock

The developed world has found unacceptable even a minor flaw in the bluetooth-based privacy-guaranteed free contact-tracing software for COVID-19 patients jointly developed by tech giants Google and Apple.

In Google's Android operating system, unlike in Apple's iPhone, the software works only if the location device is switched on, opening the possibility that Google could track the location of the user. Germany, Denmark and Switzerland, which have used the Google-Apple code to develop virus alert apps, have been scandalised and have asked Google to quickly fix the flaw.

At a time when even the idea of a tech giant getting access to the location of a person in the name of pandemic control is considered both repugnant and unethical, Kerala government has asked its police to go ahead and find out not just the location but also ransack the deeply private space of its COVID positive citizens.

Forced entry

The police, in the name of contact tracing, have been asked to collect the Call Detail Record (CDR) of all the infected. Till now, only suspected criminals had found their private space so casually plundered.

A law-abiding Keralite was not even aware that some of her deeply private matters (who she called, messaged, the time and duration of her calls) were being snooped upon by the police. This was revealed only on August 12, when Chief Minister Pinarayi Vijayan said the collection of CDRs had been going on for "some months".

The CDR will include all data related to a phone call except the content: the phone number of the caller, the number of the receiver, the call duration, time of the call, tower location, the equipment type and call type (whether it was a call or SMS).

Fit to snoop on criminals, but COVID victims?

Analysis | Why collecting call records of COVID-19 patients is a major intrusion into privacy, and unnecessary
Representational image: Shutterstock

"It is no one's case that technology should not be used for efficient contact tracing. The problem with CDR is that the information it provides is too inadequate to trace contacts but allows the state, in the form of its police force, deep access into your personal space," a former DGP told Onmanorama.

The CDR is not a proximity-tracing tool, like the Google-Apple software that uses bluetooth radio signals to gauge the near accurate distance between the infected person and others who could have come into contact with her. 

(When smartphones using the Google-Apple code comes within a few feet of each other, they send signals called “identifier beacons” based on unique keys in each of these phones. The signals received are stored in the phones as random numbers. If one of the users is later declared COVID positive, other users who had received the signals from the infected person will be alerted. This does not require any information other than a random encrypted number that theoretically does not reveal, even to the tech giants, anything about the user. The charge now is the location of Android users will be available to Google.)

Forget measuring the closeness of contacts, the CDR-based method does not even provide the benefits of a symptom-tracking tool like the Arogya Setu app that informs users of COVID prevalence in their zone of activity.   

The CDR in comparison is a primitive but a time-tested law enforcement tool, which at the most can deduce whether two people had come within one tower location. But this is no indication that these two have come close enough for either one of them to transmit the virus.

CDR as 'Truth Pill'

However, police sources say the CDR could come in handy if people deliberately lied about their travel history or contacts, or have become too weak to communicate. "If they are not cooperative, we can tell them they have been to this and that place. And if they are too ill, we ourselves can find out the paths through which they had travelled during a specific time period," a top police source said.

This assumes that many in Kerala are inclined to lie and the CDR could then work as a sort of a wonder pill, a 'truth pill'.

This is an argument, in human terms, equivalent to a man high on self-importance but low on common sense. What the administration has ignored, or has refused to acknowledge, is that a CDR-dependent strategy would still require human confirmation to be effective.

If people talk over the phone, even if within the radius of one tower, it is evident that they are still far from each other. Or else they wouldn't have had to converse over their mobile phones.

And the distance between them could be 200 to 500 metres or, in rural areas, even five to six kilometres.

So whether these individuals who have been found talking to each other over phone have come very close, breaking the six-metre safe distance, is something that has to be confirmed by the individuals themselves.

And if they decide to lie or are unable to talk, the CDR would be as useful to the contact-tracer as a page full of mathematical equations in a Lemur monkey's hands.

Tower's eye view

The police argue that the CDR can pick up the travel route, and time of travel, of an infected person and promptly alert people who had been on the path. "But even for this to work, the infected person has to come clean on the mode of travel. It is the infected who has to give the most crucial input of whether she had moved in a two-wheeler or a car or an auto or a bus," a top IT professional who chose to remain anonymous said.

As for highly active individuals moving mostly within a specific location, especially the elderly, there is nothing to be gained from securing their tower locations. They would have been to 50 houses and met hundreds but their tower location, all the time, will be the same.

The persons themselves will have to testify where they had been and with whom they had come into contact during the incubation period of the virus.

The question now is, if the police have to eventually depend fully on the words of the infected, why not just ask the person instead of collecting private information that can lead the authorities nowhere close to the person's contacts.

Private info in police hands

"The problem is not that the CDR is not enough for contact tracing but that the process would leave highly personal information in the hands of the police. What some rogue elements within the force could do with it is anybody's guess," the IT professional said.

The IT Department, in a circular issued on May 18 on how to collect personal information, said all the data collected from the citizens for COVID-19 containment activities should be anonymised before it is shared with any third party, and should be destroyed after use.

"Here there is no third party. The information is used by the party that is collecting it, the police. Since they themselves are collecting it, it is not anonymised either. Also, the public are too experienced to trust the police to destroy the information after use. You cannot call them paranoid if some people suspect that the police would use this data to even blackmail them," the former DGP said.

No need for consent

According to top government sources, the government was well within its rights to collect CDR data. It has invoked Section 69 of IT Act, 2000.

This section allows governments to impose reasonable restrictions on the right to privacy to intercept, decrypt or monitor Internet traffic or electronic data whenever there is a threat to national security, national integrity, security of the state, and friendly relations with other countries, or in the interest of public order and decency.

It is also not necessary to get consent from the individuals. "Only sensitive personal information requires consent," a top government official said. "Call records are personal information but not sensitive personal information as defined under IT (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011," the official said.

The comments posted here/below/in the given space are not on behalf of Onmanorama. The person posting the comment will be in sole ownership of its responsibility. According to the central government's IT rules, obscene or offensive statement made against a person, religion, community or nation is a punishable offense, and legal action would be taken against people who indulge in such activities.