Living in a data glass bowl

The sponsored post you clicked on your preferred social media site, the information you just entered in the payment gateway while buying an AC, the emails you exchanged with your father this morning… simply mundane exchanges on the internet you’d think. But a deeper look will reveal the scary truth.

“You are the data: You are the queries you ask, the addresses you provide, the emails you answer, the transactions you carry out, the conversations you have. There is an inexhaustible amount of data that we leave online, leaving us vulnerable to various threats,” says Nikhil Pahwa of the internet watchdog Medianama.

Companies like Facebook and Google store the data of every individual user, even deleted ones, in US-based data centres. The exhaustive body of data that these companies have access to is open to surveillance by US intelligence agencies, thereby exposing a huge loophole in our national security. To add to that, companies routinely use the data to harvest our preferences so they can present us tailored content. Targeted ads, location information etc. could also present a 360-degree profile of a user, leaving them vulnerable to surveillance, hackers and the loss of identity.

Last Tuesday, the Court of Justice in the European Union barred US-based companies like Google and Facebook to allow intelligence agencies like the National Security Agency (NSA) a peek into the individual online data of millions of Europeans. It argued that a person’s online data can be used for surveillance if there exists a necessary threat, but the NSA cannot harvest the data of millions of Europeans on the pretext of national or international security.

In India, however, we are in for the long haul. The right to privacy law is in limbo. The Right to Privacy Bill (2014), amongst others, penalises identity theft, requires foreign companies to store data in Indian, and recommends a data protection authority. The bill is currently with the ministry of personnel; who is fine-tuning it currently.

And the recent gaffe with the draft encryption policy, where a leaked draft showed us how the government wants us to store all encrypted data, like whatsapp messages, emails, etc. for over 90 days, has revealed that the government lacks the know-how to deal with such data.

Too much data, too little concern

In May this year, Aran Khanna, a computer science and mathematics student at Harvard, was fired from his internship at Facebook for exposing a major glitch with its messenger. Khanna came up with a plugin called Marauder’s Map that connected user location data, which was exposed by the messenger to find out where a particular Facebook user was located at the moment. One did not need to be friends with the user; a Facebook conversation was enough.

When his app went viral, Facebook revoked Khanna’s internship and updated the messenger. It said the fault lay with Khanna’s app and not the messenger. Khanna, on his part, said his app exposed the dangers of online privacy. “What does this say about privacy protection? Can we reasonably expect Facebook or others with an interest in collecting and sharing personal data, to be responsible guardians of privacy,” he told reporters.

According to cyber security expert Akash Mahajan, cyber threats due to available user information is inevitable, it is just a matter of when. “Large scale data analysis can be used to glean insights about patterns, traits of a large number of people in a particular geographical location,” he says. The US’ NSA, the hackers in China, Israel, Iran, France and Britain’s GCHQ are some examples of surveillance bodies, he adds.

“Several countries routinely conduct mass surveillance, and there are highly sophisticated attackers for hire. Many companies also engage in corporate espionage for financial, strategic gains. Some groups engage in misinformation or propaganda by manipulating data patterns,” Mahajan states.

And it’s not just internet companies like Facebook. Government data agencies like the UIDAI that deals with the Aadhaar are also collecting data. As per government statistics, 92 crore people are registered with the UIDAI for Aadhaar. “The data is collected by UIDAI (thumb prints and iris scans) are collected by private companies in private computers,” says Supreme Court advocate Rahul Narayan, a counsel arguing against the mandatory use of Aadhaar for utility services like LPG connection and opening a bank account.

This week, the Supreme Court also referred to a larger bench the plea of the central government, the Reserve Bank of India, Securities and Exchange Board of India (SEBI), Telecom Regulatory Authority of India (TRAI) and states like Haryana and Gujarat to extend the voluntary use of Aadhaar to other services. When the apex court bench takes a decision on the issue, it will also serve as a precursor to the state’s stand on the right to privacy.

Privacy or national security

There needs to be a fine balance between individual privacy and national security. India needs better safeguards, says a research fellow of the Institute for Defence Studies and Analyses (IDSA), who did not wish to be named. “The government should not worry about policies as much as it should worry about safeguards — of both individual privacies and national security.”

According to Medianama’s Pahwa, the time is ripe for a bill on privacy. “Companies like Google and Facebook are sitting on a mine of data, and what they do with this data is every bit of our concern because the data is about us. Will we be allowed to recall that data, or remain anonymous? We need to have control over our own data.” He adds that the draft national encryption policy, which invited the outrage of several users for its implausibility, may be ill-designed, but is nevertheless important.

Former Data Security Council of India (DSCI) head Kamlesh Bajaj, who was part of the Justice Shah Commission on the Right to Privacy, argues that a modern society needs to have a certain amount of surveillance. “But that surveillance, as the European Union rightly suggested, should be targeted surveillance so that we can stop the US from dipping into the data of an Indian citizen at will… The state needs to ensure that targeted surveillance is done to curb crimes, and does not let blanket surveillance leave us vulnerable. But, we need to have a data protection law first.”

User cannot be the loser

Cyber security expert Mahajan says that any huge body of information is a threat to security and privacy. “As soon as there exists a large storage of data, like the NSA data center in Utah, there will be people who will want access to that data. Be it for personal gain, strategic advantage or in the case of Wikileaks as a political statement. Safe storage of such data is a challenge, whether it is for the government of India or the NSA,” he stresses, pointing that US government agency OPM lost more than five million biometric records to online attackers despite sophisticated measures.

Pahwa says that problem with huge data bodies like the one collected for Aadhaar is that we may never be sure of if a future government turns rogue. “Without adequate safeguards, our data is exposed to, at the very least, phishing attempts,” he says. “And what is the guarantee that a future government, or in fact, the current one does not use it against us for any purpose that suits it.”

In Mahajan’s view, the government should also allow for companies to have data centres in India, so they can start storing the data of Indian users in the country. Microsoft said recently while launching its cloud services and the first three data centres in India that the data of Indian users will be governed by the Indian laws.

Mahajan adds that the government should allow for safe and secure tools. “Be it digital contracts, online e-commerce, e-tendering etc. worldwide standards will allow us to compete, take part in global commerce and communicate freely,” he says. “Get serious about telecommunication security in India and get the telcos to start encrypting GSM calls and messages to the minimal levels as per global standards.”