This article is born from the personal implication of the author Genoveva Galarza with India, where she has worked for five years in social and green projects. Currently she fights for privacy and digital rights with IUVIA.

You can also read this in Spanish.

I remained resistant to smartphones for a long time. It was while living in India, in 2012, when I realized I simply could not do without one. By 2013 everything I did was through my phone data. No more calls, no more SMS. I talked to all my friends, to my landlord, to my work colleagues, and even ordered my water and gas canisters through WhatsApp, got takeaways and called for cabs, even my regular autowallah asked me to message him through the social network.

Even considering issues of internet connectivity in rural areas and a population divided by huge economic and social gaps, India is the second largest online market in the world, with 560 million internet users. Today - and thanks to 4G - the internet penetration rate stands at 50%, an impressive number considering that just six years ago it was 18%.

We all agree that the internet has brought incredible changes to the most depressed communities, mostly in rural areas, grating access to information, allowing communication, easing access to healthcare and education. Having wondered around the Indian social business ecosystem for several years I have seen all kinds of projects using internet to empower communities. But pushing for a higher penetration growth is not just about solidarity or philanthropy, it's an incredibly profitable move: we are talking about a country with 1,300 million people. We are talking, for example, about nearly 400 million WhatsApp users, or 280 million for Facebook.

The Indian prime minister, Narendra Modi, made internet connectivity the center of his 2014 campaign, with his initiative Digital India. Once he won, government and telecom companies together did a lot on strengthening the country's digital infrastructure, getting a billion Indians online, increasing availability of bandwidth and offering the cheapest data plans one could imagine.

All this effort seemed vain when the same government so rapidly started taking connectivity away from their citizens.

2015, the Net Neutrality regulations

2015 was an interesting year for internet rights in India. All of a sudden, after years of accepting with joy all the online stuff like a blessing, we found ourselves talking and reading in mainstream media about something that was new for most: Net Neutrality.

Years before, Indian telecom company directors and spokespersons had been publicly insinuating that they weren't making enough money, while Google and Facebook were thriving thanks to the Indian market. So, decided to take their share, Indian leading telecom companies (Bharti Airtel, BSNL, Vodafone) got rid of neutrality in their networks in order to make profitable agreements with service provider companies. Preferred platforms could now be favored by slowing down the connection to the other services, prioritizing their traffic, or charging users different tariffs and hence encouraging the use of some platforms over others.

Airtel implemented the "Google Free Zone" plan, which allowed users to access Google products free of cost. Airtel also included free access to both Amazon and its Indian competitor Flipkart in its zero-rating plan "Airtel Zero", giving the two giants a great advantage over smaller online retail companies. With the collaboration of Reliance (owned by the richest man in India), Facebook tried to launch its project Internet.Org across India. This "non-profit" initiative, which had already been tested in 5 nations in Africa and South America, claims to take the internet to underdeveloped communities by providing free access to a set of websites through an app called "Free Basics". These sites would of course be pre-selected by Facebook.

All this was done with the compliance of the Department of Telecommunications (DoT) and the Telecom Regulatory Authority of India (TRAI). This institution said that, although these business strategies were against Net Neutrality, they weren't illegal, as India did not have any regulation on that area. The ongoing international conversation about neutrality and digital rights forced TRAI to investigate the matter and release an open consultation paper for public feedback, although it was hidden in a corner of their site and was given little time to respond. The viral campaign Save The Internet and the multiple protests organized by Free Software groups did the rest: finally TRAI ruled in favour of Net Neutrality, considering it necessary for a free and equal internet. Today India has one of the most restrictive regulations on the area.

To the ban of Internet.Org in India, Zucheberg responded "It's not an equal internet if the majority of people can't participate", slammed the door and left.

The internet kill switches

And I never thought I'd say this but hell, Zucheberg was right in his statement! —only a small detail: Internet.Org really offered more risks than guarantees. In 2015, after the Save The Internet victory, Indian internet activists started noticing that government enforced communication shutdowns were growing at a dangerous speed.

In 2016 India had become the country with more internet shutdowns in the world. By march of 2019 there had been more blackouts in that year than in the whole of 2016.

Internet shutdowns have been the result of a variety of reasons, all of them completely unjustifiable. Generally the switch had been pulled during protests and opposition actions (even minor ones), but it has also been common to shut communications on the months prior to elections, or even during examinations as a tactic to prevent cheating. Let's stop here for a minute: according to a report by the Brookings Institution, India lost over US$968 million between July 2015 and June 2016 because of internet shutdowns. Shutdowns that were sometimes enforced to stop people from cheating in an exam.

But in the eye of the storm of internet blockades is Kashmir.

A silenced region

The territory of Kashmir has been submerged in political and military conflict since the partition of India in 1947. As a bit of context, both India and Pakistan claim the entirety of a territory that is currently controlled by India on a 55%, Pakistan on a 30% and China on a remaining 15%. The territory has been through three Indo-Pakistani wars since the British partition, and has triggered numerous protests and separatist movements. Kashmiri civilian population has lived through more than 70 years of heavy militarization and human rights abuses.

The Indian constitution granted special autonomous status to the state of Jammu and Kashmir: This was the Article 370 passed in 1954. One of authors of this constitution was Nehru, an independence activist and the first prime minister of the democratic India. Nehru assured that the fate of Kashmir would be decided by its people through a referendum "held under international auspices like the United Nations". A referendum that never happened. Instead, in August 2019 the special status of autonomy of Jammu and Kashmir granted in 1954 by the Article 370 was revoked by the Indian Government. To control dissent, the government arrested Kashmiri politicians, activists, journalists and educators, sent the the Indian troops to the territory, imposed curfew and shut all phone and internet communications.

The pictures from the limited reporting that has made its way our of this blackout are breathtaking. Armed men from different forces —the Indian military, the Kashmiri police, the counter-insurgency battalions...— surrounding protesters. Protesters holding signs asking for freedom, signs that put to question the famous biggest democracy of the world. And all of it framed by the most traditional Indian urban landscape: a huge tangle of telephone cables covering the house fronts. And seeing those cables I remember what an Egyptian taxi driver told me once when I tried to use a broken seat belt: "Decoration!".

In January 2020 the block was partially lifted and the government allowed access to around 300 sites (banking and education sites, media content such as Netflix or Spotify, or local and international media outlets such as The Hindu, the New York Times or the Washington Post). Also mobile data access has been restored, but only to citizens whose credentials have been verified and only using 2G connectivity. All social media sites remain blocked: it has been eleven months.

As usual, the official justification for this 11-month long blackout is national security. According to government officials, the internet has to remain shut to stop propagation and coordination of terror activities, and circulation of inflammatory material. But how legal is this? Is the government entitled to put the Kashmiris through a year of total isolation?

Anuradha Bhasin, executive editor of the Kashmir Times, filed a petition to the Indian Supreme Court for the information blackout to be lifted. During the judgement it was discussed whether the internet should be understood as a fundamental right. The Supreme Court recognized that, although the Internet access is not mentioned in the constitution as such, it must be understood as something akin to a fundamental right, as its restriction means the direct violation of several of the fundamental rights of India —particularly freedom of speech, freedom of expression, freedom of press and freedom of trade. However, the Supreme Court finally ruled against the petition to lift the block. In a May Supreme Court petition to restore 4G something similar happened: it was agreed that the internet suspension during the Covid-19 pandemic violated the rights to health, education, freedom of speech, freedom of trade and access to justice. And still, nothing was done. Finally the Supreme Court abdicated all responsibility to decide about the internet suspension to a "Special Committee", headed by the ones that pulled the switch in the first place.

The lawful claws of censorship

Being this blockade a nationally and internationally recognized violation of the Kashmiris' fundamental rights, how is it legally possible to keep up with it during such a long time? Before such complex and contradictory situations there's always someone that repeats jokingly the slogan that the country chose for promoting tourism: "Incredible India!". The answer is the Telegraph Act from 1885 —read again: telegraph act— which allows central or state government to restrict or interfere the transmission of messages. That's right: 2020's internet is being regulated under a telegraph-specific law from the colonial era.

The government has also widely used another more recent legislation: the infamous section 66A of the Information Technology Act, that penalizes the publishing of offensive, false or threatening information, added to section 69A, that allows the government to block certain websites in the interest of "sovereignty and integrity of India". Section 66A was declared unconstitutional by the Supreme Court in 2015 (no surprise here), as it was found too vague and imprecise and allowed arbitrary arrests of college students and cartoonists that simply expressed critical views on social media. Fun fact: the Internet Freedom Foundation, an Indian NGO that was born out of the Save The Internet campaign mentioned before, calls this bill a Legal Zombie. Wanna know why? Because even if it was ruled out five years ago, it's still being used today to file cases against internet users expressing dissenting opinions. (1)

One of the worst consequences of the Kashmir blackout has been the inability to report. Journalism has never been easy in Kashmir, but since August 2019 it has become nearly impossible. Journalists did not have access to fact checking tools and channels: there was no internet connection, no phone lines, and the curfew stopped them from moving freely around the territory. Added to the constant risk of being arrested under the Unlawful Activities Prevention Act (UAPA), a repressive anti-terrorist bill that has been widely used to silence journalists and photographers.

It is impossible to write about what is happening in Kashmir: the government of Narendra Modi has done an awesome job silencing the region. The block has slowly (and wisely) been partially loosened up during an ideal moment in which something else took over the Indian and global media: the Coronavirus pandemic. Of the Kashmiri communication blockade we've got tons of isolated and personalized stories that have travelled out of the territory inside hidden USB drives or through 2G phone data. A constellation of tales of authoritarian abuses, arrested journalists, politicians and activists, and an enormous economic damage to all Kashmiris. But no conclusions, no numbers, no retaliations. It's gone from a bad situation to a worse one.

It is important to mention that the Coronavirus pandemic arrived to India not only in the midst of the Kashmiri internet blackout, but also while the government was being heavily criticized for its draconian censorship practices against dissenting population. After passing the Citizenship Amendment Act in December 2019 —a bill that regulates Indian citizenship for illegal migrants of religious minorities except for Muslims (2)— there's been an intense wave of protests that have been repressed by police brutality and the arrest of journalists, politicians, human rights activists and students (3).

The ribbon on top: Covid-19

I have been unfocused during this pandemic. While a background voice repeated global news about one big and common worldwide problem, I became overly conscious about my surroundings, my routines, those of my neighbours. During a global crisis I became more locally focused than ever. The virus entered our society —Spanish, European, privileged— and showed us our weaknesses by wrecking the most underprivileged, leaving the disadvantaged behind, with no space to maneuver and erasing the little voice they had left. It took me some time of self-centered pity to think about the effects of the pandemic in societies with different problems. With tougher problems.

"The pandemic is a portal" was the title that Arundhati Roy, inspiring woman, breathtaking writer, incredible activist, chose for her article in the Financial Times about the crude reality of Covid-19 wrecking Indian society. The pandemic is a gateway between a past full of inequality and abuse, and a future that is yet to be defined. The pandemic is a forced stop, a moment for pause and reflection, a checkpoint to pause and choose carefully what baggage we want to take with us to the other side. "As an appalled world watched", writes Arundhati, "India revealed herself in all her shame —her brutal, structural, social and economic inequality, her callous indifference to suffering. The lockdown worked like a chemical experiment that suddenly illuminated hidden things."

In the middle of one of the trickiest conflicts of Kashmir, in the middle of the darkest wave of anti-muslim institutional violence since the 2002 Gujarat riots. In the middle of an increased military tension with China across the Himalayan border. In the middle of a rise of the far-right international politics, with Bolsonaro and Trump coming to bump elbows with Modi. Right in the middle of such dark times for the Indian lower classes and minorities, Coronavirus has come as a perfect scapegoat for justifying an increasing media censorship.

In March, the Ministry of Home Affairs explained that fake news were the biggest danger in the fight against the coronavirus pandemic. Not misinformation, nor selling Indian protective gear and respiratory machines to other countries, not hunger or poverty triggering mass-migrations to rural areas: fake news. So the government had to control it, and filed a petition to the Supreme Court so that media could only publish government-approved information. Don't worry: it was rejected. However, the arrests to journalists and activists publishing government opposing news —and twits, and social media posts, and pictures— has increased using Covid-19 national health emergency as an excuse.

VOA has tracked how press freedom has suffered internationally during the Covid-19 emergency. In its interactive map you can see 6 press freedom cases in China, 7 in Russia, 8 in United States, 5 in Iran. And 19 cases in India. India is currently ranked 142 out of 180 in the 2020 World Press Freedom Index.

Of course, the dissemination of fake news and the failure of the government in their attempt to control the published information, has made them extend again the block of internet in the region of Kashmir. Several NGOs have pointed out that keeping the blackout in this territory could be extremely dangerous during the Covid-19 crisis, as citizens are unable to get information about the state of the virus in their regions, seek for help, get educated about the new hygiene measures that have suddenly become vital for all.

The largest democracy on earth

At the end of June 2020 TikTok and other 53 Chinese apps were banned in India as a follow-up to the Indo-Chinese conflict in the Himalayan border. Although it is true that TikTok has very serious privacy issues, the anti-TikTok mood that has stuffed Indian social media with celebratory messages has more to do with patriotic and class-related feelings than with privacy. Turns out that the Chinese app had become extremely popular among ostracized communities in India. So much, that it got a nasty term attached to it: "the Indian TikTok Cringe" —you can look it up, although I would advice you not to if you have a minimum class sensitivity. Cringe is the word that a digitized Indian upper class has chosen to describe TikTok reigning content, created by the semi-urban, rural and lower class India. TikTok had reach the goal that was set for the Internet in Modi's Digital India plans: to create a digital space where marginalized people have a voice and can express freely.

But there's no need to bring up more examples to understand the benefits that internet can bring to underrepresented communities.‌‌ And at the same time we keep seeing how Internet connectivity - access and dissemination of information - is the first punching bag when Indians face political conflicts and other crisis, and when they feel the need to oppose the government.

I've lived in India for five years, and probably "we are the largest democracy in the world" is the phrase that I've heard the most —maybe after "in India we treat women like goddess". And I get it, I've rarely seen something as incredible as a two-month long electoral process designed for 1,300 million people. But as the pillars of Indian democracy and the values captured in its constitution slowly collapse (secularism, equality, freedom of press... ), the "largest democracy" phrase doesn't seem to be a badge to show off with pride. India's efforts to control access to Internet as well as its content is one more step towards losing the meaning of democracy.

Notes

(1) See the IFF campaign Zombie Tracker, aimed at tracking cases being filed under the unconstitutional Section 66A of the Information Technology Act: https://twitter.com/internetfreedom/status/1276025885645135873

(2) Again a bit of political context on the side, India has been ruled by the Bharatiya Janata Party (BJP) since the 2014 elections. BJP is a Hindu nationalist right-wing party that is also linked in ideology and origin to the right-wing paramilitary organization RSS. Hindutva (Hindu nationalism) popularity has grown in India in the last 30 years, since a religious dispute for a Muslim mosque built in a sacred Hindu spot triggered a Hindu nationalist violent rally to destroy the mosque. It's complicated. The state of constant oppression and violence that Muslims have faced in the hands of Hindu right-wing nationalists has been disregarded, tolerated and sometimes even verbally encouraged by BJP politicians. But it had never been so blatantly enacted by the laws until the Citizenship Amendment Act of December 2019.

(3) The UN has urged India to release the protesters as they "appear to have been arrested simply because they exercised their right to denounce and protest against the CAA, and their arrest seems clearly designed to send a chilling message to India’s vibrant civil society that criticism of government policies will not be tolerated". Several Indian journalists associations and NGOs have also denounced arbitrary arrests while covering the CAA protests and police brutality, and their phones, cameras, laptops and even vehicles being seized and destroyed by the police.

References

Net Neutrality:

1. "Double standards: Facebook and Google are happy to support net neutrality in US but violate it in India". scroll.in

Internet Shutdowns:

2. "Internet Shutdowns Tracker". internetshutdowns.in

3. "India had more Internet shutdowns in 2016 than any other country". internetfreedom.in

4. "Internet Shutdown in Indian Democracy". ipleaders.in

Kashmir:

5. Supreme Court Proceeding: "Anuradha Bhasin vs Union Of India on 10 January 2020". indiankanoon.org

6. Supreme Court Proceeding: "Foundation for Media Professionals vs. Union Territory of Jammu and Kashmir on May 2020". indiankanoon.org

7. "A violation of right found, but no remedy given". thehindu.com

8. "The Kashmir Blackout". menafn.com

9. "Kashmir’s media survived blackout – but warn of shrinking freedoms". csmonitor.com

10. "In Kashmir, journalists struggle under India’s blackout". cjr.org

11. "No Email. No WhatsApp. No Internet. This Is Now Normal Life In Kashmir". buzzfeednews.com

12. "Supreme Court Verdict on 4G in Jammu and Kashmir Undermines the Rule of Law". thewire.in

Censorship:

13. "How India Censors the Web". Centre for Internet and Society

14. "CAA/NRC: Journalists Covering Protests Face Police Ire Across States". newsclick.in

15. "Stop the witch-hunt of activists and journalists in Delhi and Kashmir and repeal the draconian UAPA!". countercurrents.org

Covid-19 in India:

16. Arundhati Roy: "The pandemic is a portal". ft.com

17. "How India’s government tries to suppress all Covid-19 reporting".  Reporters Without Borders, rsf.org

18.  "Indian Supreme Court denies government request for prior censorship of COVID-19 news". Committee to Protect Journalists, cpj.org

19. "Global: Crackdown on journalists weakens efforts to tackle COVID-19". Amnesty International, amnesty.org

20. "COVID-19: The Hit on Press Freedom". voanews.com

TikTok and chinese apps:

21. "Examining the Legal and Policy Process Behind India's Ban on Chinese Apps". thewire.in

22. "How TikTok’s ‘Cringe’  Empowered Indians More Than FB or Insta". thequint.com

23. "Chasing fame and fun 15 seconds at a time: Why TikTok has India hooked". indianexpress.com

(Read this article in Spanish)

Technology positions itself as the solution for every trouble that societies, governments and corporations face today. It's the great panacea that came to save us all, never mind what kind of problem you have: there always be some technology to solve it. Or not, but who cares?

So what happens when our trouble is a global pandemic in the midst of the 21st century that has transcended borders, overloaded healthcare systems, messed up with governments and institutions and, by 8th of April, has claimed over 80,000 lives? Well, of course, the solution to control such a debacle is, again, technology, this time in the shape of mobile apps. What's the problem? some would ask. Well, the problems are the how, the who, the where and the when for each one of these apps. If we want to have a deep understanding of what is happening with these technologies, we need to review all the solutions that are currently deployed all over the world to tackle the Covid-19 spread. Each country has given a different answer.

China, South Korea and Taiwan

Maybe the wisest thing would be to start off with China, the place of origin of the pandemic. One of the most brutal traits of the way technology has been used in this country has been the lack of a free choice. The app to control the virus outbreak that has been launched by the Chinese government - and developed by Alibaba and Ant Financial - is, to start with, of mandatory download and use for all citizens. The app requires the user to sign up with their personal data and gives them an initial rating determined by their answers to a questionnaire about their current health condition, as well as the possible contacts with other sources of infection that they might have had in the recent past. From there the app - embedded in Alipay or WeChat - allows citizens to scan QR codes in certain controlled checkpoints and issues for them an "access clearance" in the shape of a colour code. Green: everything OK, go. Yellow and red: access denied, the user must be quarantined for seven or fourteen days. This information is, on the other hand, shared back with the government and used to regenerate the access codes of each individual, considering their contact with infected areas or people.

But, how can you impose something like this? How can anyone force you to download, install and use a mobile app? It is as simple as to pack cities and public spaces with mandatory controlled access points: Chinese cities, public transports and roads, everything was filled with QR code checkpoints in record time. To use the metro, the bus, to go to the park, to ride on shared bicycles, to access markets or shopping malls, residential areas... the only possible way not to use this app is to stay at home and to enjoy a huge pantry full of enough supplies for months. In summary: there's no choice.

The high effectiveness of this system is, in part, due to the fact that the Chinese government surveillance infrastructure network was already in place.

To the lack of freedom of choice we must add a worrying situation of centralized hypersurveillance - although local governments aren't forced to impose this app, it has been deployed in over a hundred cities. This situation, however, isn't new, and it's high effectiveness is, in part, due to the fact that the Chinese government surveillance infrastructure network was already in place. The app uses not only the data sent by the controlled access points designed for it, but also the information provided by the transport ministry, the railway service, the Civil Aviation Administration (CAA) and the National Health Commission.

Not far from there, South Korea also launches a mobile app that is immediately portrayed by the media as the transparent and non-authoritarian version of the Chinese approach. The system devised by the Korean is, to start with, of optional use, and it strongly depends on the voluntary participation of its citizens, something that, without a doubt, is a strong bet in eastern societies. This app has been key to de-clutter the telephone networks placed for medical assistance, as they allow the user to book their Covid-19 test and receive their results within 24 hours. However, the app registers their geolocation, which allows the government to observe if the user follows their imposed quarantine time.

South Korea Vice Health Minister Kim Gang-Lip said that "without harming the principle of a transparent and open society, we recommend a response system that blends voluntary public participation with creative applications of advanced technology." Transparency and open society are reassuring keywords for those who worry about the indiscriminate use of personal data. However, transparency can mean a lot of things, and in the case of this app, it comes along with terrifying violations of individual privacy. Apart from the surveillance over quarantine periods - of course punished with fines if those are not followed -, app users also receive frequent messages, sometimes with general information - "remember to wash your hands!" -, but also with specific details about other citizens that have been diagnosed positive for Covid-19. The example reported by The Guardian definitely chills our bones: "A woman in her 60s has just tested positive. Click on the link for the places she visited before she was hospitalized."

Apps dedicated to the control of the epidemic have the potential of behaving like a trojan horse with the excuse of a health emergency.

Even more radical is the Taiwan approach, which tracks telephone signals and alerts authorities when a quarantined citizen moves away from their home or shuts down their device. According to Jyan Hong-wei, Director General of Department of Cyber Security, those who activate the alarm will receive a visit from the police within 15 minutes.

States of emergency

When it comes to countries with conflict situations, individual freedom and rights are in greater danger: apps dedicated to the control of the epidemic have the potential of behaving like a trojan horse with the excuse of a health emergency. This could be the case of AC19, the app deployed by the Iranian government and developed by Smart Land Strategy, the same company that developed other instant messaging apps which were removed from Google Play for collecting, without consent, user data for the Iranian intelligence agencies. Similarly, Israel has been in the eye of the storm for trying to use, over the civilian population and with the purpose of tracking the virus propagation, technology only previously used to spy on Palestinian militants. Although Netanyahu publicly assured that this "carries a certain degree of privacy violation", this doesn't seem to worry much when it comes to tackle a public health emergency as the one we are living now. However, these radical advances over individual liberties are certainly worrisome, specially in a country where the emergency state declared in 1948 during the Arab-Israeli war is still effective today.

Emergencies are convenient, and crisis periods are extremely fruitful to make decisions and pass laws that step over human rights and individual freedom. The writer and activist Naomi Klein speaks about this in her book "The shock doctrine" in terms of economic policy making: while societies are immersed in a state of shock and confusion, it's possible to enforce policies that, in any other moment, would be extremely unpopular.

Europe and its GDPR

The arrival of the virus into the European Union has brought along the conversation about the use of technology for the control of the epidemic in the context of a relatively new General Data Protection Regulation (GDPR). The GDPR has been subjected, for the first time and globally to the whole of the European Union, to the harshest test: an extremely urgent situation in which the 27 countries of the union are assuming an enormous risk, both for their public health and for their economies. Is the GDPR strong enough to keep protecting our fundamental right to protect our privacy?

Emergencies are convenient, and crisis periods are extremely fruitful to make decisions and pass laws that step over human rights and individual freedom.

The case of Spain and the self-diagnosis app deployed by the Community of Madrid (developed by CARTO, ForceManager and Mendesaltaren, and with the support of Telefónica, Ferrovial and Google) can help us answer to this question, both from the perspective of policy on data protection and the assurances that GDPR grants us, and from the perspective of ethics. After its launch, on March 18th, 2020, the app Coronamadrid alerted professionals, particulars and communities that work on privacy issues, who raised their voices in an attempt that was understood, by many, as an unfounded boycott campaign in social media.

The first concern came from a detailed review of the first version of its privacy policy. In order to understand it fully it is necessary to first understand how the GDPR protects our rights during exceptional situations, such as the epidemic we are currently going through. The Spanish Data Protection Agency had already published, on March 12th, a full report analysing the collection and processing of personal data in the context of the virus outbreak, with the purpose of acting as a guideline for public institutions and corporations. On this report, the SDPA clearly states that in such extreme situations, "the processing of personal data [...] still need be done in accordance with the personal data regulation [...], so all its principles still apply". These principles include that the data shall be processed lawfully, fairly and in a transparent manner, collected for a unique specified, explicit and legitimate purpose, and kept limited to what is necessary in relation to the purpose, and as highlighted by the SDPA, "without confusing convenience with need".

In such extreme situations, the processing of personal data still need be done in accordance with the personal data regulation, so all its principles still apply.

The Community of Madrid expressly manifested that the purpose of this app was that one of providing the population with a system for self-diagnosis and, that way, release the congestion of the lines and services of the public health system. But analysing the personal information that this app requires from the user (name and surname, ID number, date of birth, telephone, sex, address and postal code, geolocation data and sanitary information relative to the symptoms associated to the virus) it's evident that this blatantly violates the principle of data minimisation, seriously exceeding the necessary information for the purpose given to this app.

The biggest concern is that the specified purpose might not be, in a future scenario and probably not in a premeditated way, the unique purpose for the gathering of this data, violating this way another of the fundamental principles of the article 5 of the GDPR. It's worth mentioning that, according to this regulation, there are three additional purposes that might always be added to the specified one, as noted in the article 5.1.b of the GDPR: "further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes". However and as explained in the article 89, these side purposes require the data to be further processed in order to assure the users' privacy with anonymisation or pseudonymisation, and always respecting the principle of data minimisation.

We need to contractually compel private companies to not make for-profit use of the data that we, pressed down by the exceptional nature of the situation, have willingly given away. We need the guarantee that this is not going to happen.

The principle of purpose limitation also wobbles when we observe who will have, as stated by the privacy policy, full access to the collected data. The list is potentially endless; apart from logically including the healthcare system and its professionals, it also adds the state security forces, national and international authorities, collaborating companies and all their possible outsourced firms. Do we want the data that we give for public services to be in the hands of private companies instead of in the premises of our public administrations? Where will that information remain when the state of alarm comes to an end? As users, we need to contractually compel private companies to not make for-profit use of the data that we, pressed down by the exceptional nature of the situation, have willingly given away. We need the guarantee that this is not going to happen.

Last but not least we were scandalized to read that, as an answer to how long will this data be stored, the privacy policy replied an ambiguous "as long as necessary", incurring another violation of the fundamental principles in the protection of our right to data privacy: the right to storage limitation detailed in the article 5.1.e of the regulation.

We are lucky to see results: thanks to a critical analysis of this kind of abusive privacy policies by communities and press, the conversation sparks and it encourages - or forces - the companies involved in the development of this software to ask themselves questions that, perhaps because of the urgency of the situation, weren't on the table before. That is why by March 24th we saw published the second version of this privacy policy that, very cautiously and with visible counselling of privacy professionals, now successfully addresses some of the issues described above.

The corporate initiative and our reaction

Of course Google also offers help in the shape of data with their recently launched project called "COVID-19 Community Mobility Reports". This tool allows to consult PDF formatted mobility reports from more than 130 countries, where one can see a variety of charts to understand the change trends of people's mobility towards different categories of places, such as shops, cafes and restaurants, supermarkets and pharmacies, parks, stations, work and residential areas. Each report holds data aggregated by country, as well as the same data broke down by states, autonomies or provinces in some countries, such as Spain, USA, the Netherlands or Italy. This project has been developed with the same technology that allows Google Maps to show us traffic jams or the concurrence of people in shops or pubs.

As a point in favor of the privacy policy of this project (as well as other products by Google), it uses what they call "differential privacy", which anonymizes data by adding artificial noise to the dataset, which makes it practically impossible to identify specific individuals from the data sets. The intention of this project is also theoretically creditable, as it aims to help the different health authorities by contributing data that can be useful while making critical decisions.

It is apparently not seen as a problem that a private corporation, whose sovereignty does not fall into the population's hands, has had no obstacles in anonymizing and publishing private data without following, for example, the principle of data mininmisation.

However, Google's endeavour reveals a serious incoherence in the collective imaginary about data privacy. While DataCOVID, the mobility study that the INE (National Statistics Institute, Spain) is currently working on, has sparked the social alarm and a number ridiculous reactions (like the alerting claim that "the government has legalized geolocalization"), it is apparently not seen as a problem that a private corporation, whose sovereignty does not fall into the population's hands, has had no obstacles in anonymizing and publishing private data without following, for example, the principle of data mininmisation. The scope for Google's data collection is way wider and unlimited in time ("while you use their services") than that of governments and other institutions that have developed specific data analysis for the concrete purpose of this epidemic. Why are we more outraged by a government (which we can democratically replace) that makes a study with a limited and defined purpose than by an international corporation that spies on us day after day for anything that can be profitable?

Singapore: an example of good practices

The last case we want to share is the one of Singapore, that has come forward with a different approach. Instead of replying to the question about where is the population all the time, they try to reply to something way more relevant: who has been in contact in the past with this person that is currently ill? how to trace an origin and a scope for the virus transmission? The app TraceTogether, designed by the team of Digital Services from the Government Technology Agency, parts from two principles very different to the Chinese and Korean approaches: first, all the data is stored locally inside the phone, and second, they use the device's bluetooth instead of the GPS. The idea is that, for this purpose, using bluetooth technology is much more trustworthy, straight-forward, and respectful with the user's privacy.

TraceTogether is pretty simple. Everyone that downloads the app will be asked to set their phone number: this is the only personal information that the government will receive and store, and it will be used to contact users if necessary in an agile and efficient way. Once the app is installed and configured, the user will be asked to enable their bluetooth at all time, so that the device can register anonymised IDs of all the devices that pass nearby and that also have the app installed. When the Ministry of Health detects a new Covid-19 infection, the patient will be required to provide access to the registry of anonymous IDs that have been registered to be in close contact. These devices will then be informed so that the users can self-quarantine. This also allows authorities to track the chain of contagions, find the source and determine effectively the reach of the virus.

Added to the fact that there is no geolocalization nor collection of persona data, Singapore is planning to open-source the code of TraceTogether so that other countries can also use this technology. This app, which respects the principle of minimisation of data described and enforced by the GDPR, is also much more efficient that other approaches due to their decision to use bluetooth, a technology that can register contacts at few meters, precisely the distance at which the virus can be transmitted. Using GPS can instead be troublesome by not considering difference in height, which means that a whole building can be put under quarantine when a case of Covid-19 has taken place only on one floor. In their manifesto, the development team is clear about their intention: "COVID-19 and other novel viruses do not respect national boundaries. Neither should humanity's response. In a globalised world, with high volumes of international travel (until very recently), any decentralised contact tracing solution will need mass adoption to maximise network effects. We believe that TraceTogether and its sister implementations should be inter-operable, and that's what we're building towards."

Legislators, politicians and journalists have been pushed to the edge of a cliff, but we are still on time to correct this trajectory that is uncontrollably driving us to a radical loss of freedom and rights.

So why, if we know about the existence of solutions such as the one from Singapore, working and efficient solutions, open-source and thus auditable, why are European governments (let's aim near) developing solutions way more intrusive and that excessively violate our privacy? Why is the European Union, cradle of the GDPR, the most protective law in matter of privacy all over the world, asking a telecom company for each of its member states the geolocation data of mobile phones? While it's possible to take more transparent approach, one that is also more efficient and less invasive of our personal freedom, Europe seems to be taking - saving the distances - one more similar to the one in China or South Korea. Legislators, politicians and journalists have been pushed to the edge of a cliff, but we are still on time to correct this trajectory that is uncontrollably driving us to a radical loss of freedom and rights. We can still reverse this situation, we can still learn to handle crisis so that, when we face new dangers, we don't have to choose between loosing privacy and freedom for some fictional security.

Concluding

How can we correct this trajectory? There are many different ways to provide tech-based solutions to a problem like this but not all of them are ethical, good and respectful with our rights. Hence we want to offer a humble list of the requirements that we, as data privacy advocates, consider essential in these technology solutions:

• First of all, every developed solution should be open-sourced, that is, the source code must be available for its study, modification and for being used freely. This will enforce apps to be transparent and auditable.
• The data generated by the user should, to the extent possible, be encrypted and stored locally in the user's device.
• The principle of data minimisation should be instinctively incorporated from the very first data collection design phases. "Just in case we need it in the future" must never be a reason for collecting any data.
• Any tech-based solutions must be designed for a unique and transparent purpose, clearly stated in their privacy policy. They must never be opportunist.
• Any data that might allow patients to be re-identified must be stored separately to the rest of the information so that the access to those is minimised.

Covid-19 pandemics will come to an end, but not without leaving us submerged in a profund crisis that will go beyond public health and transform the economy, our society, technology and the way we interact with it. Every crisis has the potential to generate change and allow the enforcement of abusive policies over a society that is immersed in chaos and commotion.

However, every crisis has also the potential to make us understand, revise, lay ethical foundations and rebuild. Every crisis has the potential to give us an invaluable space to make choices, exercise our sovereignty and demand the institutions to work for us, protect our rights and freedom. It is now in our hands to not underestimate the importance of our right to privacy and stop authoritarianism and corporate control from taking what is sovereignly ours.

References

1. "Hungría aprueba una ley que permite a Orbán alargar indefinidamente el estado de alarma por la pandemia". elpais.com
2. "How China is using QR code apps to contain Covid-19". technode.com
3. "China's Coronavirus App Uses Mass Surveillance to Tell Citizens If They Could Be Infected". newsweek.com
4. "Spying concerns raised over Iran's official COVID-19 detection app". zdnet.com
5. "Dos modelos de gestión de crisis luchan por dominar Europa: el chino y el coreano". eldiario.es
6. "Governments around the world are increasingly using location data to manage the coronavirus". theverge.com
7. "'More scary than coronavirus': South Korea's health alerts expose private lives". theguardian.com
8. "Phone location data could be used to help UK coronavirus effort". theguardian.com
9. "Should Location Data Be Used in Battle Against COVID-19?". bankinfosecurity.com
10. "Israel takes step toward monitoring phones of virus patients". apnews.com
11. "Trudeau leaves door open to using smartphone data to track Canadians' compliance with pandemic rules". cbc.ca
12. "Alemania prepara una app contra el coronavirus capaz de monitorizar el pulso o los patrones de sueño". eldiario.es
13. "Política de Privacidad de la aplicación Covidapp, versión 1.0"
14. "Política de Privacidad de la aplicación Covidapp"
15. "COVID-19 Digital Rights Tracker". top10vpn.com
16. "Protecting Civil Liberties During a Public Health Crisis". eff.org
17. "La emergencia viral y el mundo de mañana. Byung-Chul Han, el filósofo surcoreano que piensa desde Berlín". elpais.com
18. "La ingeniosa 'app' de Singapur para frenar el coronavirus que España debería crear ya". elconfidencial.com
19. "El Gobierno iniciará el rastreo de móviles con CCAA y operadoras para combatir el virus". elconfidencial.com
20. "Coronavirus: Singapore develops smartphone app for efficient contact tracing". straitstimes.com
21. "Yuval Noah Harari: the world after coronavirus". ft.com

(Read this article in Spanish)

We have the healthcare understanding that we do today, thanks to science, and of course, technology that implements it.

However, healthcare information is very intimate by definition, and contains information about a person that not only defines them but that can also be transformed into a very powerful weapon in the wrong hands.

Lately, many tech companies that have been focusing on consumer technology, and on providing general services for users have also found that health information and healthcare enhancing devices could also be a profitable business to run.

Tech companies in healthcare

Several companies have lately been shipping devices to monitor your health. You have inoffensive SpO2 indicators that you can just put in your finger, to sophisticated Bluetooth-LE -enabled weigh scales and smart watches with machinery capable of doing a mobile EKG on you.

In particular, you may already know about Google Health, a division where they hope to save your life one day. Aside Google, within Alphabet Inc.'s corporate structure, Verily and Calico list within their "Other Bets" for health-related endeavours.

Google's strong AI divisions, Google Brain and DeepMind, have been collaborating with healthcare providers in order to produce research and tools for better healthcare. However, in order for that to happen, Google has needed to obtain confidential patient data from healthcare providers. In particular, it is known that UK National Health Service trusts have agreements with Google in order to use their technology. Even if their NHS has successfully prevented Google from using such data for other purposes, which is very complex to define, the intelligence gained from such research will be crucial for other agreements that may follow, which may lower the standard for data protection, especially in those jurisdictions where data protection is not a requirement by law.

We know that in the past, even where those regulations where in effect, Google and other tech companies have failed to comply.

Fitbit is also part of the Google corporation (since November 2019). This gives Google the ability to engage a lot of "health data customers", and mine their health information while they busy themselves with EKGs from their expensive OLED-equipped wristbands, like Apple or Samsung do too.

The fact that Google (or any tech company whose business requires them, essentially to "know you") knows a huge amount of information about you cannot be disputed. It probably knows a lot of health information already too:

• Have you ever searched for condoms online, or different contraceptive mechanisms? Then they know you are sexually active.
• If you searched recently a lot about how to differentiate among STIs, you might have had unprotected sex with someone whose sex history you don't trust.

And these state just the obvious.

Complex data mining techniques could be used to exploit much more interesting and intricate patterns on our psychological behaviour which we might have no idea about.

Mixing-in healthcare information

There is a kind of data that is much more sensitive. Do you have cancer? Or maybe a genetic predisposition to coronary diseases? Have you ever had an abortion? Do you suffer from psychological disorders? Have you been diagnosed an early-stage of a terminal condition?

You may think you don't have any of those, and as such, have nothing to hide. But consider you do, for a moment. Maybe at that point you would have something to hide. But then, if you would want to hide the answer when it is true, you should want to hide it also when it's false, because otherwise we could just keep asking until you stop feeling comfortable about answering (and then we'd know!).

Imagine having cancer and promptly finding out via a targeted ad that your specific type of cancer can now be cured. It may not be true, but you will click that link.

Health information is especially sensitive (so much so that the European GDPR mentions it explicitly in Article 9), and by using private information to construct neural networks we are embedding that personal information into the neural network model data. Re-identification of information pieces embedded as part of training sets has not yet been studied thoroughly enough to assert conclusively that it cannot be recovered (and, in some neural network constructions, such as compressor-decompressor units, the idea is precisely to exploit that possibility).

COVID-19

Google has recently published the COVID-19 Community Mobility Reports, a set of reports done using differential privacy from Google users' personal data, using the same data paths and techniques they use for other Maps features, such as traffic estimation. Essentially, users consenting to be tracked about their location. Keep in mind that this is only data that Google already had available, but that they are now publishing in an aggregate form, in a responsible way that does not break their privacy policy while still shedding some light on information (when the number of Google users that are tracked is representative enough of the population).

And, in my opinion, it's great that they do this, and that they have found ways around their own privacy policy to be able to cast lights over their mass collection of information in a useful way to the general public without harming, as far as we know today, any one person specifically.

However, if Google were to be handled even pseudonymous health data, given the database of personal information it has about most of us, re-identification may be very much plausible for their compute power, if such data is not aggregate and is needed for potential treatment advice.

This leaves us with the current pandemic situation of COVID-19 and the different apps to track the pandemic spread. Many private corporations want to help. And that's great. The whole civil society should be helping ourselves tackle this pandemic globally.

However, great care must be taken into account while holding personal health information. In particular, if they are to process personal data, they should be using their publicly known infrastructure. For example, in the case of Google, using their own Google Cloud Platform, instead of the internal Borg, so that they can also open-source all code, frontend and backend of the solution. This could increase public confidence on the solution, and allow outside experts to audit and assess its adequacy.

A decentralized solution that does not hoard data into central, public nor private datacenters, which keeps users sovereign of their possible encounters with COVID-19 -positive patients, would be most beneficial. First, because according to the principle of data minimization within the GDPR, it is not needed to keep a central ledger of who comes into contact with who, but more importantly, because enabling high-detail tracing of such information now can be a huge privacy deal-breaker in the future. Singapore is currently finishing their reference documentation for https://bluetrace.io/, the tool they have deployed which only requires citizens to keep their Bluetooth connection active.

BlueTrace documentation is not yet available, but from the reference documents given to the Singaporean public, it holds your telephone number in a Govt. database in order to call you if they need to trace back to you, as well as some other form of id, which we suspect will be a public key. Every time you come into contact with other people your phones send each other's an attestation that you've been together. If any of you become ill, your app can know which other public keys you were in contact with (and maybe even at which time). When you pass that information to the trace personnel, they can trace the public keys back to their telephone numbers and contact them in order to work the trace backwards, and possibly, advice them whether they should seek medical attention or self-isolate.

Summary

Even though we don't usually share the same information with everybody (friends, physicians, psychologists, employers, law enforcement), it seems that we don't share the same expectations of privacy when talking to non-human services.

It seems that collectively our expectation of privacy when talking to others' machines is as much as if they were intimate to us. At least, with an intensity emotionally related to the activity that the device is doing.

A smartwatch or a phone can seemingly track us everywhere (and track our health and effort through the day and sleep patterns through the night) and the benefit of the tracking seems to outweigh the cost individually, but when things stop to be so, it will already be late to regret it.

(Read this article in Spanish)

We describe IUVIA, a privacy-by-design device and operating system to claim back data sovereignty and agency scaling from individuals to organizations.

Coronavirus: probably, one of the most repeated words lately in the news and even in informal conversations. Tiny SARS-CoV-2 is deadly and global, keeping us awake, worried about friends or family that we may have distant; it's keeping politicians thinking, companies tanking stock, investors losing their minds, patience and trust in the market, employees losing their jobs and most of us confined in our homes.

A different story can be told about our data. When we are at home and enduring social distancing, we make use of the Internet (which can now be clearly seen as an essential service in the first world, on par with healthcare and food) in order to speak to our dear ones. Many "remote-distrusting" companies are now forcefully choosing to make their workforce remote-capable as a last resort before massive lay-offs and even bankruptcy. And it seems to be working for some of them.

This means that many companies who were not prepared have just been forced into the cloud, even those that might have strong concerns about it, in order to survive.

Thus, strongly confidential data is now, unfortunately, much nearer crackers and black marketers. The rush to "remotify" a workforce has meant that unsecured laptops and devices are now accessing protected data without proper safety measures standard for IT remote workforce.

IUVIA came up originally from our own desires to break free from corporate clouds. It has been a long road to establish all the connections and weak spots of open source solutions, and our intention has always been to bridge the gap to provide a cohesive platform about this. Although we had been collaborating and working on the issue on our own, NGI LEDGER was the final piece that allowed us to pool enough resources together to prioritize our work on an idea that we begun to stage years ago within GPUL, a non-profit for free software advocacy and Local Linux User Group in A Coruña, in the northwest of Spain. During this pandemic, we have not needed to rely on anything other than free software services that we could provide as part of IUVIA, and a neutral Internet to connect to them.

Here begins Nothing to Hide, a blogpost from IUVIA at the vertex between privacy and technology, and those aspects that matter to us.

If you've arrived here after reading other published articles, this is the one that tells you that you've reached the last. We hope to publish more soon, and if there is anything you'd specially like us to talk about, please reach out to us via email or the social network of your choosing.

If this is the beginning for you, we invite you to read us. You can expect articles to be written here with honesty, and that we act according to our beliefs, don't think we'll try to trick you or sell you snake oil. Everything you can find here is the result of our experience, education and opinion. If we can interest you, please read on!

If you want to know more about the project, we have an article about it.

Happy reads,