The Dystopian Reality of Data Privacy in India
Updated: Aug 27, 2019
As business tycoon Mukesh Ambani and a fair number of global experts would have you believe, data is the new oil in today's digital economy. It is a valuable resource: driving technology, advertising and trade; with major corporations hankering after sufficient sets of data that can successfully fuel their operations.
Unfortunately, however, the analogy doesn't quite end there.
Like oil, it spills, compromising the identities and sensitive information belonging to unsuspecting netizens. With cases like the Facebook #CambridgeAnalytica scandal fresh in our minds, it is hard to not worry about whose hands are tainting our precious data, and how far we are being allowed to exercise consent with regard to the extraction, processing, distribution and monetising of our data.
In India, a country that comes second only to China in terms of the number of active internet users; the ethical management of user data becomes an intractable problem, raising more questions than there are answers. Unbeknownst to unwitting users of basic online services or even the government-backed biometric identity system Aadhaar, information about their whereabouts, contact details, financial status or even medical conditions are today finding their ways into the hands of marketers and advertisers, ready to be analysed and used for purposes the users are not even aware of, let alone agreed to.
I hereby accept the terms and conditions.
While installing apps on our smartphones and leveraging their snazzy functionalities, it is easy to lose sight of how simply they con us of the keys to our data. Most apps that require a registration do not even ask us to fill in our OTP ourselves. Instead, they skim through our inbox and fill in the correct password so we can simply move on to the next step. Of course, it is convenient, which makes it all the more easy to overlook the fact that these apps continue to enjoy access to our inboxes, photo galleries and contact lists even when we are no longer using them for our own purposes.
Most of us would hastily snatch our phones back if a friend tried to scroll through our photos or messages. We would gasp and protest if our partners or parents demanded access to our location information at all times. Yet, we unquestioningly surrender the access to our private files and information to the prying hands of technology, forgetting that there are real people behind the garb of impersonal machinations, eager to turn us into pawns of their own game. Everytime we skimp on a few minutes and check the "I Agree" box without reading the fine print, we inadvertently become players in a game the rules of which we know nothing of.
Corporate shenanigans sitting behind the screens of these apps then get to work, screening and sorting through our personal data and potentially separating us into different demographics for advertising purposes.
It is hard to come across a millennial who has not, at least once in their life, exclaimed how their phone was spying on them.
Targeted Ads turn up when we least expect them: for example, one can hardly even visit a clinic without being spammed by messages from medicine delivery services or path labs right after. But as it turns out, specifically targeted advertisements, as unnervingly well-timed and creepy they may be, are the least of our problems with #dataprivacy.
I see you, hear you, and control you.
With ambient data collection increasingly becoming the norm for smartphone makers and AI providers, our phones and devices eavesdrop on us even when they are not supposed to be active, passing on bits and pieces of our conversations and exclamations to their corporate owners.
This data is used for advertising, of course, but as I just mentioned, advertising seems to be the most harmless of the lot as far as inappropriate usage of user data is concerned. Demographic information is often used for profiling, which can potentially cause instances of violence and targeted attacks.
As we have already seen with the case of the US Presidential elections, it can be used to shape and influence political decision making, essentially threatening the aspect of free will inherent to the concept of a democratic civil society.
Of course, a smart way to avoid being constantly monitored for advertising and profiling purposes should be to read through the fine print before you hit "I Agree".
However, in reality, users are hardly left with much choice in the matter, as many of these online apps and services refuse to budge unless you hand over the keys to your castle of data to them.
Cases of User Data & Information, compromised!
Now, one would expect government systems to be more considerate and respectful of the users' right over their data, seeing as the state is responsible for its citizens' welfare and not just profit. While they would be right to assume so in theory, the reality is far more scary, at least in India. If the spate of Aadhaar data leaks is anything to go by, even information entrusted to a government entity is no longer safe in the country.
In January 2018, for example, a reporter from The Tribune managed to get her hands on the confidential Aadhaar data of millions of Indians, by shelling out a mere 500 rupees.
State-owned gas company Indane leaked Aadhaar data belonging to its customers, not once, but twice, in the past couple of years.
Aadhaar is only a part of the story when governmental negligence or infringement of data privacy is concerned.
In March this year, a German cyber security researcher found that medical records of 12.5 million pregnant women, including their past abortion status
A stigmatised and controversial issue in conservative quarters of the Indian society was available online, without so much as a password protection. Despite being alerted, the Ministry of Health and Family Welfare took its own sweet time in having it fixed, prolonging the grave breach of doctor-patient confidentiality by around three weeks.
In January 2018, the Lucknow police sifted through phone records and potentially tapped many private conversations of around 10,000 people to identify the two people who had allegedly dumped potatoes in key locations in the city to highlight the plight of potato farmers.
This instance of surveillance by the state, which clearly represents a gross overstepping of boundaries by the authorities, came under little fire for breaching the privacy of so many people without fairgrounds..
I could go on and on about the countless instances of privacy breaches and data leaks, but that would only serve as a repetition of the point the above examples indisputably prove.
Government Regulations & Data Protection Bill
As the government attempts to build a smart and savvy #DigitalIndia, the foundations are leaking at the edges, with users being left with little recourse for grievance redressal. Of course, according to judicial provisions, the users should have enough control over their private data.
After all, the Supreme Court of India did rule in 2017 that the right to privacy is a part of the right to life, and hence a fundamental right every citizen of India is entitled to.
Even though the judiciary has safeguarded the users with regard to their data privacy, India's legislation is still struggling to play catch up.
It has been over a year since the committee led by Justice BN Srikrishna submitted its report for the impending Data Protection Bill, and it is yet to go through the Parliament. If the report itself is anything to go by, the data privacy regime in India is not going to ease our worries anytime soon. Despite borrowing heavily from the General Data Protection Regulation (GDPR) of the European Union, the report leaves out many key components which has only left data protection activists more confused than reassured.
Firstly, the report has failed to determine the issue of data ownership in favour of the users, leaving the question open-ended enough for data collectors to exploit.
Besides, even sensitive personal data, ranging from anything like one's financial information to sexual orientation, has been deemed to be usable by the state without the user's consent for "functions of the state", which can be creatively interpreted by whichever party is in power at a given point of time.
A major issue that the Srikrishna Committee report has spawned is the question of data localisation: the need to store a copy of all sorts of data generated by Indian citizens in India itself.
However, after coming up repeatedly in US-India bilateral trade talks, with US companies lobbying for a removal of that clause, it seems highly likely that this particular provision will undergo a modification before it hits the floors.
A particularly concerning aspect of the proposed data privacy regime is that users are not compulsorily liable to be notified in case of a breach.
The data fiduciaries must only inform the appellate body that will be formed under the impending Act, with no obligation to actually inform the person whose sensitive personal data has been unmasked or leaked in an inappropriate or inadvertent manner.
Even though the report itself seems to be taking a great deal of inspiration from the GDPR, it has a strange provision with regard to data erasure. Under the GDPR, the users from whom the data in question originate, can choose to delete and erase the data they have produced.
However, the Indian counterpart does not establish the right to be forgotten in quite the same way. If an individual opts for data erasure, the data fiduciaries must only agree to no longer use or exchange them: they need not necessarily get rid of the data altogether.
With such shaky foundations in place, the issue of data privacy in India is only likely to get more worrisome by the day, with no respite from the watching eyes of not one, but several Big Brothers encircling users with the lure of services and convenience.
The overarching theme of this modern day dystopia suggests that absolutely nothing is confidential anymore.
Whoever thought dictators and spies were things of the past, didn't realize they just changed zip codes! So, the next time you sit down to watch a scintillating spy thriller, you might want to stop and wonder if your grandchildren won't someday watch an equally riveting film about our modern day spies and data diggers.