Privacy in the age of Covid-19
Many are asking questions about the extent to which the state is prepared to go to fight the virus
In late April, Prime Minister Imran Khan announced that a programme is being used under the ambit of the Inter-Services Intelligence (ISI) as a means to fortify the contact tracing response during the Covid-19 pandemic, stating,
“The ISI has given us a great system for track and trace. It was originally used against terrorism, but now it is has come in useful against coronavirus.”
This response is part of global efforts to curtail the spread of the pandemic across the world. While various governments are struggling to provide equal and adequate measures of protection and disease control, many are asking questions about the extent to which the state is prepared to go to fight the virus. The question of national intelligentsia utilising their resources and powers to expand their surveillance capabilities at the risk of privacy infringement is a supremely complex one to answer. It is even more difficult when it comes during such a crisis which calls for a proportional response.
While relatively totalitarian regimes like the one in China have expanded their surveillance capabilities due to “necessity”, the notion of the sate mining through personal data is an area of debate in most democracies. For instance, the Patriot Act, which was put in place as a response to the 9/11 attacks, is one of the many measures around the world which expanded state access to private information as part of a crisis response. In fact, international law endorses such concepts if they fall under the criterion of “necessity, proportionality and time frame”. Hence, the pandemic ushers us towards a global digital response aimed at curtailing it on the grounds of necessity and proportionality; however, it’s only reasonable to point out that the nature of the data in question is supremely different from the one which has been accessed previously. Health data, perhaps the most sensitive in the digital sphere, could put millions at risk if it falls into the wrong hands. Therefore, are adequate measures being taken to secure this information?
For many nation states, especially the ones new to the digital arena, the answer may not always be a definitive yes. The Pakistani constitution outlines the right to privacy under Article 14 (1), but under Article 8 (3a),
“The provisions of this Article shall not apply to – Any law relating to members of the Armed Forces, or of the Police or of such other forces as are charged with the maintenance of public order, for the purpose of ensuring the proper discharge of their duties or the maintenance of discipline among them.”
It is important to note that the military and national intelligentsia have a separate mandate to explore and carry out surveillance measures under the National Action Plan. If this is coupled with present privacy laws, which are seemingly loose in nature, it severely deepens the graveness of the problem. Pakistan has already been under fire for a questionable collaboration with foreign surveillance apparatus such as the Canadian company Sandvine. Not only does this raise questions about the nature of the data shared across borders but also, in this broader network of shared technologies, there is no overlooking the security regime if there is an overlap between domestic security policies. It is only reasonable to note that with severe loopholes in the National Institute of Health’s measuring capabilities and a lack of data specialists when corroborating this data, user privacy may already have been infringed upon because of the general lack of a sophisticated digital response.
Given the loose data security protocols, data acquired from third party apps is at stake. With thousands of private forums capturing an accessing public health data such as private laboratories, an enormous amount of data is being captured without sufficient regulation from any regulatory body. The problem is exemplified when the question of transparency arises, with this data being captured alongside no adequate security policy and access to this data by governments as well as private stakeholders. Given Pakistan’s turbulent history with regards to strict data regulation and the Pakistan Telecommunication Authority’s (PTA) measures to curb “grey traffic” by using deep packet inspection, it is evident that the nation’s unfamiliarity with respecting and accessing data is more troubling when more sensitive data is at stake.
For a country that has normalised surveillance and the curtailment of personal data, it is alarming to note that with health data in question, there may be a darker picture under Imran Khan’s rhetoric about “better” contact tracing. For Pakistan, given a general lack of data security mechanisms coupled with loose legal outlines, it is only reasonable to note that data security has already been significantly compromised. While it is true that an unprecedented crisis calls for proportionate action, the reality of Pakistan’s inability to cater to privacy protocols is also something that needs to be recognised and addressed in the state response. Pakistan’s crisis response should not only cater to the obligation that a nation has to provide adequate healthcare to its citizens, but also balance this response taking into consideration the susceptibility of other fundamental rights.