As COVID-19 has spread across Pakistan, questions have been raised about how the Government will tackle the spread of the virus. Across the globe we have seen different approaches to this, varying from comparatively relaxed to extremely stringent.

A popular global approach to health surveillance has been contact tracing^[1], followed by surveillance and testing. Contact tracing is an old public health technique which tracks an infected person by tracing the places they visited and the people they met. In order to stem the spread of the virus, all those who came into contact with the infected person are then tracked down, informed of their contact and told to self isolate, or are immediately tested for the virus. This process goes on with each new case and is supposed to help ‘map’ the virus as it spreads. In some countries, mobile applications have been launched to track the virus and help people see ‘where’ the virus is.

These apps act as a way for governments to warn the public about cases nearby, and also allow people to report themselves as patients, so as to keep the cycle of contact tracing going. While such extensive mapping may be helpful for tracking the disease on the macro level, these apps present on the flip-side, major privacy concerns.

Take for example this detailed account of South Korea’s Patient #10422:

Before being diagnosed, patient #10422 visited the Hanaro supermarket in Yangjae township on March 23 from 11:32 p.m. to 12:30 a.m. The patient was accompanied by their spouse, both wearing masks and using their own car for transportation. On March 27, the pair visited the Yangjae flower market from 4:52 p.m. to 5:18 p.m., again wearing masks. They then had dinner at the Brooklyn The Burger Joint at Shinsegae Centum Mall from 6:42 p.m. to 7:10 p.m. This detailed record can be found, publicly available, on many government websites, and is a testament to the extensive contact tracing carried out by Korean authorities.^[2]

The minutiae of this account goes to show the extent to which data is being collected and observed.

In many instances, the state response has been immediate and comprehensive which hints at the presence of such tech and mechanisms being in place before the pandemic swept the globe, as is apparent from Pakistani PM Imran Khan’s statement: "It (system for tracking and tracing) was originally used against terrorism, but now it is has come in useful against

^[1]https://www.brookings.edu/techstream/how-surveillance-technology-powered-south-koreas-covid-19-response/

^[2]https://www.brookings.edu/techstream/how-surveillance-technology-powered-south-koreas-covid-19-response/

coronavirus."^[1]  This necessitates the inclusion of a detailed data protection and destruction policy to accompany the launch of such apps which mandate the destruction of the data once the health-related utility is over.

At home, our concerns begin from the knowledge that the government of Pakistan is implementing a policy of mapping that involves tracking citizens and their movements. Internationally, there has been debate about the efficacy of contact tracing, however, at the same time, some countries have seen success with this policy. In the context of Pakistan, unfortunately, these measures are accompanied by a lack of trust between the State and citizens. Multiple instances^[2] of citizens' data being leaked from one of the biggest national biometric databases in the world, i.e. the Nadra database, has created a faith deficit. Instances of CNIC and family registration certificates (FRC) information being sold online for as low as $1-2 a piece due to a data leak at a provincial level and possibly national level cement this belief.

The “COVID-19 Gov PK” app, released by the National Information Technology Board (NITB) and the Ministry of National Health Services, has been available for use since early April and has been downloaded with an unsurprising frequency given the alarm among the masses, with a rough estimate of more than 500,000 installations at the time of writing.

The very limited privacy policy (found below) states that it is ‘adhering to social, moral, ethical values, and privacy’ while providing no details of the same and referring to no framework under whose jurisdiction these values are defined and the same goes for the element of privacy.

Given that the app seeks permission for geolocation data of the device it is being used on, and personal medical and geographical data of the user, the policy included within the app is not sufficient or clear on exactly how this data is being processed and who has access to it.

^[1]https://www.aljazeera.com/news/2020/04/pakistan-intelligence-services-track-coronavirus-cases-200424073528205.html

^[2]https://digitalrightsfoundation.pk/drf-condemns-yet-another-breach-of-nadra-database-and-demands-strong-data-protection-legislation/

A rapid evidence review published by the Ada Lovelace Institute in the UK sets out, amongst other measures, the proposal for the formation ‘of a new Group of Advisors on Technology in Emergencies (GATE) to oversee the development and testing of any proposed digital tracing application.’^[1]

We at DRF submit the same and ask that a GATE advisory be created to oversee the development, rollout and implementation of fair and citizen rights-protective technologies to combat the pandemic in Pakistan and that a proviso be extended from the outset as to the limitations, especially in terms of time-frame, be allotted and notified with every new tech measure the governments, both Federal and provincial, take to combat the pandemic.

As more and more of offline life has moved online, the increased activity has subsequently led to more complaints of online harassment and crimes. In light of this, there is no reference to heightened concerns regarding the ‘security’ of the app and the personal data being saved. In a White Paper, titled ‘Decentralized Privacy-Preserving Proximity Tracking’ (D3PT), experts in the field highlighted that centralised databases made about patients are at a higher risk of being attacked and leaked than decentralised ones. The white paper makes the case for a decentralized database since it offers a more stringent security policy and quicker response to any attempted data breaches. A centralized system requires a phone to upload all its contact information onto a central database, similar to what the UK is doing currently. In contrast, decentralized systems cross reference a device’s contact information without uploading it to a central database. This is similar to how the European Union has implemented contact tracing. If intelligent decisions are not made about how this data is saved, attackers can access personal information, malicious actors can target patients and in some cases lead to discriminatory practices being adopted. Already we have seen this happening in Balochistan where COVID-19 positive patients’ medical data was leaked^[2] to reveal their identities which is not only a massive privacy breach on its own but is only made more complicated by the social stigma attached to corona patients.

The White Paper talks about how the transmission of data works in such apps. Most COVID 19 tracking apps have a feature called the ‘Radius Map’ that tells the user if their immediate surroundings have had a reported case of the novel coronavirus. It does this by using bluetooth signals that bounce off of other users of similar apps. Because of this, specific locations of patients can be pinpointed to the average user. The White Paper highlights this as a privacy concern. Additionally, they also highlight the fact that these signals can be manipulated by hackers to create false alerts of nearby COVID 19 patients, spreading panic in an already volatile situation.

More worryingly, the government app does not rely solely on Bluetooth technology but also makes use of location data which makes it more invasive by a significant degree. These concerns are not helped by the fact that the app does not even meet the standards set by tech giants like Apple and Google, who have collaborated together to develop the APIs for coronavirus app development and have released a detailed set of documentation on exposure notification, its framework and cryptography to promote ‘privacy-promoting contact tracing’.

We submit that the Government of Pakistan share detailed SOPs regarding the COVID 19 app launched by them. These should detail their privacy policy in full, addressing data retention and destruction through a clear and unambiguous sunset clause. Also, we maintain that the Government should share with the public as to who exactly has access to this database and strict guidelines regarding data sharing. While we appreciate that this is an unprecedented situation, the Government still must act in a manner that best protects its citizens' data and their right to privacy, a right enshrined in the country’s Constitution of Pakistan. This, to us, includes the maintenance of the right to opt-in in terms of app usage for everyone, even government employees or essential and frontline workers.

The requirement of immunity certificates must also not be made a condition on which citizens’ mobility and access to benefits rests. These immunity certificates are a focus of debate at the moment with several European nations considering issuing ‘passports’ which allow the holder (a recovered COVID-19 patient) access to a social life but also to civil liberties like the freedom of association and movement. These measures have the potential for unprecedented surveillance and control over public life and cannot be made a prerequisite for exercising fundamental and inalienable constitutional rights.

While we understand the imperatives of the public health emergency, it is important that the State establish some boundaries and limitations to their policy, to ensure their citizens have tangible reasons to place their trust and data with them. The current privacy policy contained within the app itself is inadequate to address these queries and cannot be supplemented given the absence of any data protection legislation in Pakistan. We demand also that the apps that are developed to aid the healthcare emergency be open source^[3]. This would not only promote transparency but give a tangible boost to the faith placed in the government’s initiatives for its citizens.

The principle of proportionality is required here, in terms of the strength and effect of the measures being employed. Technology is an asset in these times, however we demand that the increasing centrality of technology be done in a safe, transparent and just manner.

^[1]https://www.adalovelaceinstitute.org/exit-through-the-app-store-how-the-uk-government-should-use-technology-to-transition-from-the-covid-19-global-public-health-crisis/

^[2]https://balochistanvoices.com/2020/03/private-data-of-coronavirus-patients-leaked-in-balochistan/

^[3] Open Source refers to software whose source code is readily available online can also be audited by digital security experts for security standards etc.