Chennai, TAMIL NADU — One night in lockdown this April, George Kuruvilla was having dinner and watching the news when he fielded a phone call from a prospective supplier who talked up a tracking-wristband and accompanying software to ensure possible COVID-19 patients don’t violate their quarantine.
What followed offers an illuminating insight into how India’s tech companies are turning India into a surveillance state one sales pitch at a time. The COVID-19 pandemic has only accelerated this trend, offering the government the leverage to compel Indians to give up their privacy under the guise of contact-tracing.
For Kuruvilla, the chairman and managing director of Broadcast Engineering Consultants Limited (BECIL), a state-owned company, the call from a tech vendor suggested a new line of business at a time when most of BECIL’s usual clients were running skeletal operations.
Business had slowed to crawl, and Kuruvilla was worried about paying his contractual staff six months into the future. “We have to scale up and do business that is available under the circumstance,” Kuruvilla said.
A patient-surveillance system that could be sold to municipal corporations, private companies and even resident welfare societies and, eventually, central government departments presented a lockdown-proof business opportunity.
“I told my boys, you know, to put out an expression of interest,” Kuruvilla told HuffPost India over the phone in April, explaining that his vendor claimed to be the only person who could provide this tracking technology. “So let’s do our due diligence, let’s not just believe this guy.”
Kuruvilla and his team quickly began to brainstorm. BECIL was set up in the 1990s to roll out cable TV, FM radio, community radio and also Lok Sabha and Rajya Sabha television channels. The company has since pivoted to surveillance — providing state governments cameras with facial surveillance software, drone-based mapping, e-health and online education technologies. BECIL also issues tenders on behalf of other government ministries. In 2018, a BECIL tender to collect the “digital chatter” from all social media accounts of all Indians to build a “360 degree view” of influencers was recalled following a case in the Supreme Court.
“Whatever came into the minds of our people, you know, after discussion, talking here and there, you know, everything was put,” Kuruvilla said, describing the ideation process. “Even we didn’t give too much of a thought because we are not doing a tendering, we just did an expression. So we said, just put in whatever you think is a possibility.”
Kuruvilla said he did not oversee the process as closely as he normally would. Everyone was working from home, and his wife, a school teacher, was using the broadband connection to teach her students online, leaving him with limited cell phone connectivity that works best on his balcony.
The resulting Expression of Interest, an early stage document that can be thought of as a wishlist of system features, reads like an Orwellian nightmare. Kuruvilla expected a handful of companies to respond; over 100 firms eventually did.
The document, which describes possible COVID-19 patients as “suspects”, asks for 33 separate, and increasingly intrusive snooping functionalities including the ability to “Identify a suspect’s behaviour, see what he or she does on specific days of the week, where does he or she order food from, where does the suspect go for regular walks, where does he/she work during the day, where does he/she sleep at night etc.”
Other proposed features include the ability to incorporate billing records, cell phone data and even the ability to integrate with intrusive programs such as Cellebrite, used by police and military forces to unlock and extract cell phone records.
The Expression of Interest might have passed unnoticed but for a widely circulated Economic Times report that claimed the central government was looking to procure thousands of these bands; a claim the Press Information Bureau categorically refuted. Yet, the PIB refuted the narrow claim that the central government was looking to procure the devices, while ignoring BECIL’s actions.
Kuruvilla confirmed to HuffPost India that BECIL is continuing to develop the device.
The Internet Freedom Foundation, a privacy organization, issued a legal notice to BECIL, accusing the company of trying to build an “illegal and constitutional” mass surveillance project. One requirement in the EOI is the ability to “easily Geo-Fence an area of interest (eg Meeting place, airport, mosque, railway station, bus stand etc) and identify all the people present at the location at the time of event” [Item No. 6].”
“We are further alarmed to note the absence of secular language in the framing of Item No. 6 which specifically mentions, “Mosque” that is mentioned in isolation rather than, “place of worship,” IFF noted in their letter, which was published on the organisation’s website.
The Software Freedom Law Center, a legal society based in New Delhi, said in a statement that such a tracker “opens up the possibility of mass surveillance.”
“The pandemic should not be an excuse to introduce a blanket system of surveillance,” it said in a statement. “Many components of the tool included in the tender document go beyond the common requirements of contact tracing and could result in pervasive surveillance.”
Sales Pitch Surveillance
In a conversation with HuffPost India, Kuruvilla was at pains to point out that no orders had been placed by any government department, BECIL was acting on their own initiative and not at the direction of the central government, and the document on their website was an expression of interest and not a tender.
″[This] was perhaps construed by some people as if the government is doing something,” Kuruvilla said. “But it has no connection whatsoever. I can say with 100 percent surety, I’ve not got any instruction from anybody or anybody that you have to do something like this.”
“It is just an expression, meaning you just want to know you know what technologies are available, who are the people, what are the companies, what are the products,” Kuruvilla said.
Yet, Kuruvilla said BECIL was continuing to develop the patient tracking system, and would eventually pitch it to interested parties. The Expression of Interest would be followed by a tender alongside a request for prototypes that can be tested in limited deployments of about 150 devices, he said.
If the devices work as intended to monitor quarantined people and track their temperatures and movement, Kuruvilla said, “We will take the concerned people into the forum for taking their approval,” he said.
The device, which would comprise a band and software that can be customised to the situation, has attracted the attention of several tracking and logistics companies.
For example, Trackerwave, a company in Chennai which provides “real-time location services”, known as RTLS in health-tech lingo, has already developed a COVID19 tracking bracelet, but its original business is providing tracking of equipment and personnel in hospitals, according to V. Pradeep, Trackerwave’s director.
Although the device cannot find people that a COVID19 patient has crossed paths with by itself, the dataset it generates can be integrated with data derived from India’s contact tracing app, Aarogya Setu, to make those links, Pradeep said.
Bangalore-based KaHa Technologies Pvt. Ltd. has also partnered with a California-based company Assisted and Advanced Remote Monitoring to develop COVID19 tracking wristbands and software, and has expressed interest in the BECIL EOI. The company did not respond to an interview request.
Lynkit, based in New Delhi, has a tracking device that may be used to monitor “high-risk” individuals. “We are a technology provider, and our role here is to provide technological solutions to hospitals, public agencies etc. to monitor COVID patients,” said Sadhika Kumar, chief operating officer. “We will not be storing or accessing the data, and all data storage and transmission policies will be as per customer policies.”
Privacy activists have warned that worker and patient tracking is a risky solution, even during a pandemic, as the capacity to surveil may not be easily dismantlable. Such trackers are expensive to develop and deploy, and it is unlikely companies will limit their usage after the pandemic, said Jyoti Panday, researcher with the Internet Governance Project at the Georgia Institute of Technology in Atlanta, Georgia.
Research by the University of Toronto’s Citizen Lab in 2018 on the running app Strava found that location data can provide detailed insights into a person’s life, and the data can end up compromising national security when used by military personnel.
Kuruvilla for his part maintains that “there are no privacy concerns” because BECIL is a state-owned company, rather than a private sector firm. Where most privacy experts have called for a limit on how long such data is retained, Kuruvilla imagines a much longer time horizon as he expects COVID19 to be around for many months.
“If you’re able to collect the data for a longer term ― two years, one year ― then you can have the analytics around it, then you can develop lot of other information, you know, how to help out in such a situation because we don’t know how long it will go,” Kuruvilla said.
The basic health vitals and location will be tracked, similar to Google location tracking with consent, he said. People would be tracked only for the quarantine period, he said: “So, where does the privacy thing come? It doesn’t come at all. You take their permission, no?”
Panday of Georgia Institute of Technology said that many people may not even know how to turn off permissions. “This assumes that everyone has the same level of digital literacy, that everyone knows how to exercise and revoke consent,” she said.
“Consent” can be rendered largely meaningless if users often don’t have a choice. The union government’s controversial Aarogya Setu contact-tracing app for instance, requires perfunctory user consent, but for now downloading the app is mandatory for all public sector employees and private sector employees who work in offices during the current phase of the lockdown.
If the government gets access to consumer or telecom data from companies to integrate into the backend of the wristband, as the EOI suggests it may, this could make corporations “proxies for state surveillance,” Panday said.
“Once you’ve enabled that system where private companies are going to become proxies for state surveillance, it’s not a switch that you can turn off,” Panday said. “No government will want to turn off that switch.”