While much has been written about the violation of privacy, the authors here argue that these surveillance mechanisms survive well beyond their stated timelines and come with no exit policy in place.


WHEN the very existence of a State is threatened, it is the tendency of governments to take hold of excessive powers.  While done in the name of enabling themselves to adequately respond to the threat, these excesses often continue long after the threat is gone.

The COVID-19 pandemic has brought the entire world to a standstill. India’s response involves employing wide-spread surveillance systems to monitor and tackle the crisis, with questionable regulations to back them. The introduction of these systems exposes an underlying lack of State concern for the privacy of its citizens. The Government is laying down the architecture of surveillance, which may like we’ve seen in the past; continue long after the original threat has been eradicated.

In 1896, the Bubonic Plague struck the merchant city of Bombay and very soon spread across India, leaving the British Raj overwhelmed. In response, the Government assumed excessive authority without any safeguards by introducing the Epidemic Diseases Act. The result was a rushed and tyrannical piece of legislation that gave State officials unfettered power, such as dragging people on roads to get the hospital on little to no suspicion. It also absolved the State of any responsibility for acts purporting to be done under the Act.

Measures formulated in the context of addressing such emergencies often outlive the crises, becoming normalized in the process. The ‘Bombay Plague’ set a precedent that justified impulsive policing and brutal State force to tackle epidemics. The law, over a century after its conception, is back in force, providing far-reaching powers to the Government and implicitly sanctioning the often violent excesses of the Indian Police. Hidden behind the gloomy reports of police brutality, is the renewed legitimization of these practices in the name of fighting the coronavirus. Yet, this is not all that is being legitimized.

In response to the pandemic, governments across India have been surveilling citizens by employing apps like Aarogya Setu. The use of these apps is typically coupled with AI-enabled Facial Recognition technologies, for ostensibly innocuous purposes. The supposed trade-off of the right to privacy in favour of dealing with an unprecedented crisis is seen as transient. But this sacrosanct right is fragile and often, easily and silently taken away. The possibility of mass surveillance outlasting the virus, and being the new normal, is increasingly becoming a glaring reality in India.


The new normal


History, and arguably, the present, paints a picture of what this new normal will look like. Besides the Epidemics Disease Act, take for example a more recent reaction after the attacks by militants on September 26, 2008. As the nation stood shell-shocked by the chilling tragedy, India realized that it needed to be more vigilant. Consequently, the government introduced surveillance and intelligence sharing systems like the National Intelligence Grid (NATGRID) and the Crime and Criminal Tracking Network & System (CCTNS). NATGRID was launched to integrate various databases across departments and CCTNS was meant to allow more efficient policing using e-Governance strategies. It enabled multiple police forces and departments to communicate and share useful data. However, these systems were not accompanied by any regulations, statutory or otherwise, governing their dynamics. As a result, they were expanded steadily into extensive mass surveillance systems, and are now a part of the new normal.

The lack of proper regulation allows Governments to collect intrusive data. This data then can be used for law enforcement, enabling governments to normalize oppressive and draconian measures that are violative of a citizens’ fundamental rights. In line with the historical trend, the Indian state has further augmented its architecture of surveillance as part of its COVID-19 response, giving rise to legitimate concerns about the privacy and safety of minorities.


The architecture of surveillance


In the midst of a crisis no one foresaw, the Centre and State governments have resorted to serious intrusive measures for health surveillance. From collecting data and tracking citizens through apps, to using facial recognition technology via drones and CCTV, governments have taken up powers that blatantly infringe upon the right to privacy of the populace at large. Authorities have even turned citizens themselves into spies, asking them to report those whom they suspect of carrying the virus.

The Centre’s contact-tracing app, Aarogya Setu, collects personal data of its users in the form of demographic and precise location data. The demographic data is stored on the central government servers and the locational data is stored on the user’s phone, and deleted after 180 days in ordinary circumstances.  Demographic Data included detailed information about individuals, i.e., their name, phone number, age, sex, profession, travel history. Additionally, Aarogya Setu collects both Bluetooth proximity data and the precise GPS longitude and latitude intercepts, to record locational data. This is unlike the model apps, Singapore’s TraceTogether and MIT’s PrivateKit which strike a balance between individual liberty and the State’s needs This feature allows the Government to accurately pinpoint the location of a user. Experts have suggested that the data collected by the app is backed by weak security protocols and can easily be de-anonymized revealing every small and private detail of an individual.

The unique User-ID generated by the Aarogya Setu App is static and is not changed regularly. In comparison, the TraceTogether’s device unique User-ID is changed every 15 minutes. Which the experts say make it vulnerable to cyber-security intrusions which may lead to sniffer attacks which refer to cybersecurity intrusions to intercept the unencrypted data traffic or data with weak encryption on a network data. The centralised storage of the demographic data under static IDs makes it doubly serviceable for an attacker to have all the information collected by the app in one place under codes that never change.

Further, there have been concerns raised that the data collected by the app can be seeded with other government databases without the citizens ever knowing of it, allowing for the potential profiling and tracking of citizens.

The recent developments around the app, indicate that the Aarogya Setu technology and database will be used post the lockdown, this raises mission-creep concerns that the scope of the app, will be expanded well beyond its original scope the and makes the situation more worrisome. In fact, going far beyond what the government called “voluntary” (quite like Aadhaar), in many cases it is being made mandatory. For instance, Government officials are being mandated to install the app and have it dictate and track their daily movements. Similarly, with the imminent expansion of Aarogya Setu as an e-pass for entry to board public transport vehicles, the supposedly content-driven app becomes an imposition by the government, chipping away at the autonomy of citizens.

The government’s surveillance mechanisms have been augmented by the installation of facial recognition equipped CCTV and drones in several states’ bodies as part of the COVID-19 response. The very presence of these mechanisms can act as a panopticon that creates a chilling effect; individuals at the risk of being surveilled remotely, without their knowledge or consent. The absence of information about who operates these drones and cameras, how the footage is stored and most importantly, the lack of an adequate standard operating procedure governing the lawful usage of these intrusive technologies paves the way for such data being retained in perpetuity for purposes entirely unrelated to disease surveillance.

This worrying addition to the government’s mass surveillance capabilities can be actively used to suppress dissent and opposition, as was seen when the Delhi Police used CCTVs equipped with facial-recognition technology during the anti-CAA protests. The police used these capabilities to identify and imprison the protestors, actively suppressing dissent. To make the contention that coercive state action only becomes stronger with surveillance, one need not look beyond the Indian state’s treatment of the Kashmiri territory.


A not so distant reality of oppression


In Kashmir, the red zones are a little different from the rest of the country. They have been sealed off at many places by creating permanent barricades to demarcate areas, which will likely not be removed after the crisis. These permanent barricades are a physical manifestation of the structure of surveillance – one that makes it easier for authorities to closely monitor individuals, within a confined space and hence allows for greater control over the populace.

Drones are another tool occupying the repository of the authorities to monitor, surveil, and enforce the lockdown and social distancing guidelines.. These drones have been used in the past, pre-emptively against civilians the police feel may take part in protests, subsequently placing them in detention. While coming under a thin veil of ensuring enforcement of the lockdown, the data collected through drones or CCTV with their new capabilities can very well be used to target and track civilians.

Also as part of its COVID-19 response, local authorities in Srinagar have taken it upon themselves to monitor every movement of the citizens whom they call ‘delinquents’ under the allegation of violating lockdown. Harvesting extensive personal data from ATM transactions to ticket information and, all routed through active 24×7 surveillance centers, the administration takes pride in being able to track a civilian in a mere half an hour.

, With no backing by legal or statutory safeguards, the potential for misuse even beyond what is already happening becomes a very probable reality.

The impact of this surveillance, Kashmir’s experience shows, goes beyond the concerns of misuse and security of this data. Kashmir has always been politically unstable in one way or another, and the surveillance capabilities of the state have only worsened its situation recently. The rest of India is on-line for something similar if not something so extreme.  Data surveillance measures are being introduced at a time when the socio-economic and socio-political fabric of the nation is fragmented. These technologies have the potential to exacerbate discrimination and state-sponsored violence against marginalized groups.

The exceptional, yet, permanent measures we take in this crisis strike at the heart of this reality. Despite the end of India’s colonial past, the parallels with the stifling of dissent during the Bombay Plague, could not be more evident.  Yet, to demand radical changes in its approach from a regime that is unwilling to respect rights, will not be easy. The way that we perceive a crisis requires a fundamental shift. In the name of crisis, acquisition of power cannot take place while shrouded under a veil of transient, bona fide steps.



[Ayan Gupta is a first-year student at National Law University Delhi and Rudraksh Lakra is a second-year student at Jindal Global Law School]

Note: This is an opinion piece, and the views expressed are the authors’ own.


The Leaflet