Lack of effective legislation to protect personal data and the government’s efforts to monitor communications contribute to rising unease
Surabhi Agarwal, Leslie D’Monte & Sahil Makkar
Share on facebook Share on twitter
New Delhi/ Mumbai: Late last year, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking site Facebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.
Schrems was delivered a CD packing a 1,222-page file—roughly the length of Leo Tolstoy’s panoramic War and Peace, one of the longest novels ever written.
The data included information Schrems had deleted, but had been stored in Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of anti-virus software.
Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her. India has no such privacy law, yet.
When the world’s largest online company Google Inc. changed its privacy policy in March making personal information more vulnerable, it immediately came under the scrutiny of both the US and the UK governments. But India has no teeth to handle such a situation; the changes by Google do not fall within the purview of the country’s Information Technology Act, 2000, minister of state for communications Sachin Pilot told the Rajya Sabha on 30 March.
While India, too, may need a law to protect its people from being exploited by companies—51 million of Facebook’s 900 million users are from India—many Indians also fear the possibility of the government monitoring personal information under the garb of protecting the nation.
Experts cite the government’s preoccupation with intercepting all forms of digital media communication—via phones, emails or social networking sites—to avoid a repeat of the November 2008 terror attacks in Mumbai, but say this could be misused.
“There is a clear indication now that the government of India wants to use Internet censorship as a tool for political power,” said cyber law expert N.A. Vijayashankar, who runs cyber law information portal Naavi.
With the digital world awash in personal data, according to a report by the World Economic Forum (WEF) titled Rethinking Personal Data: Strengthening Trust, published in collaboration with The Boston Consulting Group, the scope for abuse of personal information is bound to increase.
Every day, people send 10 billion text messages and post one billion entries on blogs or social networking sites, it said. In addition, with about six billion mobile telephone subscriptions globally, it is now increasingly possible to track the location of nearly every person on the planet, as well as their social connections and transactions.
Mobile phones are not the only devices recording data. Web applications, cars, retail point-of-sale machines, medical devices and more are generating unprecedented volumes of data as they embed themselves into our daily lives. By 2015, one trillion devices will be connected to the Internet, the WEF report said.
And as companies develop more tools to collect and analyse user data, there are increasing concerns of how data on people are being collected, used, shared and combined, both by governments as well as by private companies.
In India, though Internet penetration is a dismal 10%, it is expected to leapfrog with the advancements in mobile telephony.
Debate gets hotter
On 17 May, the government’s pledge to review its plans to introduce curbs on Internet freedom persuaded the opposition parties to join the treasury benches in defeating a statutory motion that sought to annul the country’s IT (intermediaries guidelines) rules, 2011.
The motion in the Rajya Sabha came on a day when activists hacked the websites of the Supreme Court and the ruling Congress party to register their protest against the government’s bid to curb online access after several video-sharing websites were banned by a legal order.
The government’s various attempts to regulate Internet content have been construed as efforts to impinge the individual’s freedom of speech and expression.
The privacy debate gained scale when the government launched the unique identity number scheme in 2009 to store biometric data of the nation’s entire population in a central database. The scheme, known as Aadhaar, is increasingly being linked with public and private delivery services.
Another government programme known as the Natgrid project wants to connect the databases of airlines, banks, telecom operators and other private and public sector companies to arm investigative agencies with real-time information.
And the National Population Registry aims to not only collect biometric data on residents, but also to map information on citizens under 15 data fields, including driving licence, ration card and voter identity details.
Critics argue that the government, with these programmes, is trying to have access to everything a citizen does in his or her private life. The leak of tapes last year containing conversations of lobbyist Niira Radia with senior journalists and corporate honchos including Tata group chief Ratan Tata has only heightened the privacy debate.
The government is now setting up a central monitoring centre for the lawful interception of telephone calls to ensure the proper documentation of each call monitored to minimize the possibility of illegal interceptions. According to the home ministry, the government monitors some 10,000 phone calls daily, mainly to prevent terrorist activities.
What has added to the fears of the critics was the government asking Research In Motion Ltd to make it possible for security agencies to intercept the handset maker’s popular BlackBerry Messenger service. The government has made similar requests to Google and Skype, which allows users to make free calls over the Internet.
According to Google’s Transparency Report, between January and June 2011, the company received 68 requests from governments spanning 358 items to remove content across its various properties. Only one pertained to national security, and 236 items related to criticisms of governments on Google’s social networking platform, Orkut. Google complied with about half of the requests.
Barun Mitra, director of the Liberty Institute, said there is no way the entire Internet can be regulated. “The question then is whether you have a sufficiently robust system to restrict the source from the start or you are going to fight the battle under technology control. Because controlling the technology would be just like saying that the printing press was a bad idea.”
Security or Big Brother?
Privacy advocates say that government policies masquerading as security measures actually gag free speech and expression.
Recent measures appear to support such concerns: In December, Union minister for communications and technology Kapil Sibal said the government would evolve “guidelines” for social media companies, after these companies refused to remove what the government called “objectionable content”, some of them pertaining to Congress president Sonia Gandhi. What followed were criminal proceedings against Facebook and Google in the Delhi high court.
“In the garb of national security, individual political parties are trying to promote their interests. They are trying to stifle public opinion,” said Naavi’s Vijayashankar.
In April, Ambikesh Mahapatra, a Jadavpur University professor, was arrested after he allegedly circulated cartoons on the Internet spoofing West Bengal chief minister Mamata Banerjee and Mukul Roy, now Union railway minister.
When the government reacts in unreasonable ways, such as in the Mahapatra incident, “people start revolting against all regulations, even the reasonable ones,” said Vijayashankar.
But government officials argue that systems designed to monitor communications over digital media are critical for preventing large-scale cyber attacks and terrorism.
“Why is everybody coming after the government for gagging free speech and monitoring them when it is actually trying to help protect the citizens against cyber attacks,” argued a senior official of the department of electronics and IT, which is directly involved in decisions regarding the digital media. The official did not want to be identified.
“We need to have systems in place through which we can get lawful interception on real-time basis,” said another official, who, too, did not want to be named. “Be it any service, we need lawful access to it. One can always build safeguards or checks and balances, but we do not want to be caught in a situation like the 26/11 Mumbai terror attacks. We do not want any interference in intelligence gathering.”
Amitabh Singhal, former director of the National Internet Exchange of India and an independent telecom consultant, believes the problem lies with how the government has been communicating its plans.
“People say they have a right to privacy, but also demand that the government protect them. The point of friction arises when the government says that to carry out my mandate, I will step on your toes, and citizens come back and say, sorry you cannot do this,” Singhal said. “It will always seem like the government is trying to bear down on its citizens. But there is no escaping it.”
Need to close legislative gap
Citizens the world over and privacy advocates are increasingly making a noise about companies and governments invading their online and real lives. After Facebook responded to Schrems’ request for information it had on him, he launched a legal project called Europe vs. Facebook.
Following this, around 40,000 users (many of whom had filed complaints with the Irish Data Protection Commission, too) made use of their rights to access information Facebook had on them, according to Schrems’ website.
The UK government’s emphasis on protecting its citizens’ privacy helped.
India is still at the drawing board on having a robust legislation that can protect its citizens not just against any misuse of their personal information by companies, but also against any exploitation by the government.
Work on India’s Privacy Bill started about two years ago, but it’s still in the initial stages of being drafted.
With the Internet Protocol Version 6 being gradually introduced, everything from watches, phones, cars and traffic lights will eventually be connected to the Internet.
“Everybody will be part of the grid in a way which you can’t even think of now,” said Singhal. “So this debate is going to be interesting. There is no question asking whether we like it or not, we have to be part of it.”
The department of IT official agreed that as the government steps up interception, there could be “some bit of exploitation”. He agreed, though, that interceptions should not become a norm. “The government listening to your phone everyday should not become a norm. That’s why the Privacy Bill is very important.”
India is debating the inclusion of privacy as a fundamental right in the Privacy Bill, which could prepare the country to deal with exploitative changes in the privacy policies of firms.
Many countries have privacy laws to protect their people from any misuse of personal information by their governments or companies.
The US government has outlined a comprehensive Privacy Bill of Rights that aims to give individuals more control over how personal information about them is used on the Internet.
Europe proposed a data protection regulation in January that will, if it becomes law, require Internet companies to obtain explicit consent from consumers on the use of their personal data and even delete the data forever if requested.
In India, under the IT Act, only one section deals with the breach of privacy or confidentiality, according to cyber law expert and Supreme Court lawyer Pavan Duggal.
“Even Section 72(a) under the amended IT Act 2008 does not deal with concepts like data privacy. So when a company ostensibly infringes on privacy of its users, be they individuals, companies or even the government, there’s precious little that the authorities can do since there’s no Act to deal with it,” he said.