On 8 April 2020, less than a month after the World Health Organization (WHO) announced that the SARS-CoV-2 outbreak was a pandemic, Mareile Kaufmann posted a PRIO blog entitled “Corona Apps – Where Are We Headed?” on the use of digital tools in the “war against corona”, asking what the emerging “digital collective action” really entails. Her post focused on a corona tracking app commissioned by the Norwegian Institute of Public Health, but she also noted how Chinese authorities were using the Alipay payment system and Alipay Health Code to track Chinese citizens who were required to stay in quarantine. “What needs extra attention here is the ways in which the surveillance of movement conducted in one context is used for other purposes over time,” she wrote. Eighteen months further into the pandemic, it is time to revisit corona apps, which have now been launched in many different parts of the world, with a variety of outcomes. We can only scratch the surface and take stock in a post such as this, which is why we summarize the key developments in Norway, India and China to represent a wide range of countries that have adopted Covid-19 tracking apps.
Norway
The Norwegian corona app “Smittestopp” was launched on 16 April 2020. The app was designed for contact tracing and notification of Covid-19 infection in Norway, as well as the collection of anonymous and aggregate data to assess the effect of infection control measures and monitor the spread of Covid-19. In order to do so, the app collected large amounts of personal data about users, including the geolocation of movements and information about users’ contact with each other. The Norwegian Data Protection Authority voiced its concern that users did not have the option to choose whether they would like to share personal data for just one or several of the app’s purposes. In June 2020, the Norwegian Parliament decided that different types of data collection had to be separated in the next version of the app. The Norwegian Institute of Public Health subsequently stopped the collection of personal data and erased the collected data. On 7 July 2020, the Norwegian Data Protection Authority imposed a temporary ban on the “Smittestopp” app, invoking the European Data Protection Board’s Statement on the processing of personal data in the context of the COVID-19 outbreak and its emphasis on the principle of proportionality: “The least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved. Invasive measures, such as the ‘tracking’ of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, it should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).”
The Norwegian Data Protection Authority found that the Norwegian Institute of Public Health had failed to document the benefit of the app or establish the necessity of using location data from GPS in contact tracing, which led them to conclude that it is “in conflict with the principle of data minimization”. This conclusion was based on assessments of the technical solutions chosen for the app, and the low level of adoption – only 14% of the population aged 16 or above installed the app.
A new “Smittestopp” app was launched in December 2020, based on the Google and Apple Exposure Notification (GAEN) framework. The new app had been downloaded more than 1 million times by the end of March 2021, while more than 3,000 COVID-19 cases had been registered due to the app, according to key data compiled by the Norwegian Institute of Public Health. On 15 February 2021, an upgrade of this app was linked to the European Federation Gateway Service, which facilitates exchange of data between corona tracking apps in Denmark, Germany, Ireland, Spain, Latvia, Poland, Cyprus, Croatia, Austria, Finland, the Netherlands and Belgium. According to an announcement by the Norwegian Institute of Public Health:
“All countries are joint data controllers for the data that is exchanged.”
The pan-EU and EEA initiative adheres to the European Commission’s Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection (2020/C 124 I/01).
India
The corona app commissioned by the Indian government’s Ministry of Electronics and Information Technology is called “Aarogya Setu”. The app was launched on 1 April 2020 and was immediately made mandatory for public and private sector workers. Concerns were soon raised about the security of the app, and whether it was a tool for mass surveillance.
On 1 May 2020, 45 Indian organizations petitioned India’s Home Ministry against the mandatory use of the app, raising concerns that in the absence of a legislative guarantee containing a sunset clause, sensitive personal data might be misused for profiling and mass surveillance even after the Covid-19 pandemic was over. In response, the Ministry of Electronics and Information Technology released the app’s Data Access and Knowledge Sharing Protocol, which is the document that defines how sensitive personal data should be handled during Covid-19 monitoring.
Demands for more transparency on the app’s design and source code continued. As noted by the Internet Freedom Foundation (IFF), there were massive delays in the effective release of the Aarogya Setu source code, and once released, the code did not match the actual app, and the server-side code was missing. On 19 May 2020, India’s Home Ministry made an apparent change of stance regarding the mandatory use of the “Aarogya Setu” app. However, as pointed out in a June 2020 report by the Centre for Internet and Society, the use of the app remained de facto mandatory. Reaching 127 million downloads, “Aarogya Setu” became the world’s most downloaded Covid-19 app in mid-July 2020.
As Indian legal scholars have pointed out, the risks of privacy breaches and misuse of sensitive health data remain the chief concerns associated with the “Aarogya Setu” app. Moreover, the app is based principally on user disclosure of information, and the accuracy is thus highly questionable. In addition to the “Aarogya Setu” app, numerous Indian states and private entities have launched their own Covid-19 apps. A review of 17 state government apps shows that 3 apps have no privacy policy. In addition, all 17 apps provide for permissions to access data that go beyond the scope of the app’s intended purpose. None of the apps provide any information on how long they will be maintained, and only one makes specific reference to the security measures employed to keep the data secure, including anonymization of data.
In February 2021, India integrated the Aarogya Setu app with the Indian government’s newly created CoWin vaccination registration platform. A review by the Internet Freedom Foundation from March 2021 raises an important point: “Aarogya Setu is likely going to become a permanent part of our health data landscape. With its integration with the CoWIN platform, we are going to witness the further consolidation of personal information datasets that can be used for passive surveillance and may lead to large scale exclusion”.
China
As early as 16 February 2020, Alipay announced that “The national health code is here!” The health code is a feature of a corona app developed by the Alibaba Group enterprise DingTalk and piloted in the province of Zhejiang in eastern China by the Electronic Government Affairs Office of the General Office of the State Council. DingTalk’s health code app is a part of the national integrated government service platform’s response to the need for epidemic prevention and control. It is serviced by Alipay and hosted on the Alibaba Cloud. According to Alipay, the goal of the pilot project was to “accelerate the development of a unified national epidemic prevention and control health code based on the national integrated government service platform”. The system was launched on 11 February 2020 in Hangzhou City, Zhejiang Province, and rolled out in other provinces in the following weeks.
The DingTalk app features a three-color dynamic management system that uses green, red and yellow signals to give citizens Covid-19 alerts. In the DingTalk enterprise resumption app, workers who can see the green code on their mobile device are allowed to resume work, while those who have the red code on their app must stay at home, and those who have the yellow code are required to follow other health regulations, hopefully leading to conversion to a green code when conditions are met. According to Zhejiang Online, the DingTalk app reached 10 million downloads on the first day. The newspaper further reported that: “On the one hand, it can ensure that people in densely populated public areas meet the requirements of public health and safety; on the other hand, if an epidemic emerges, companies can quickly warn of possible exposure to the source of infection. Relevant personnel can carry out emergency measures”. As explained by a representative of Alipay:
“The company can monitor the health of their employees in real time, and authorities can assess the company’s risk of resuming work. This method allows healthy employees to go back to work early and lets those who are at risk of infection stay at home.”
DingTalk, the company that operates the corona app, has also developed digital learning solutions for schools during the pandemic. In January 2020, when China postponed the start of the new school semester, DingTalk launched an Online Classroom initiative offering free distance learning tools such as livestreaming and online testing and grading features. According to DingTalk CEO Chen Hang, DingTalk is currently the market leader in China among enterprise chat apps: “The app offers its users secure one-on-one and group chats, as well as audio and video conferencing, data storage and integration with clients’ internal email systems. It also offers smart hardware for the workplace, such as face-recognition attendance devices”.
DingTalk’s Data Protection Office is based in Hangzhou, Zhejiang, but the company has a privacy policy that is available online, in English. DingTalk has customers on several continents. The privacy policy thus has addenda for EEA residents, Japan, California and Australia. Corona apps may be going global in more than one sense.
This brief overview of the rise of tracking apps in Norway, India and China documents that e-governance in the health sector easily expands into various parts of societal life. While this is particularly true for a situation in which the crisis, too, affects most aspects of societal life, information about aspects of life as basic as movement and social contact is rarely collected for one purpose only. Even if its use is originally restricted to pandemic control and security governance, information tends to live several lives as it can be dis- and re-aggregated for various purposes. Or as our colleagues have noted:
Digital data are not subject to function creep, but their function is to creep.
We recognize that digital data has swiftly become critical to handling the Covid-19 pandemic. While it is easy to be seduced by the many opportunities e-governance offers, a critical, in-depth exploration of such data practices is key to enabling sustainable and careful solutions. The necessity of creating meaningful frameworks for regulating the duration, scope, retention and purpose limitation of data collection in the wake of the pandemic has become not only apparent, but urgent.