Saturday, June 7, 2014

5570 - The privacy nightmare that no one in India talks about - Medianama



By Nikhil Pahwa on Jun 4th, 2014  

Last week, I walked into an office building in DLF Cyber City in Gurgaon, the one that has offices for Google and Yahoo, only to find that the security guards at the entrance wanted me to hold up my identity card (I carry my driver's license) in front of a digital scanner, “for security purposes”. I declined, and asked them to explain why. “For security,” I was told, once again. On being asked about what they do with the data, and where it is stored, the guards at the entrance were apologetic, and eventually delegated upwards: they took me to a small one-room office in the basement parking of the building, which looked and felt like a dilapidated government office, and appeared to house the officers in charge of security at DLF Cyber City.



I was taken to the back of the room, where a grey-haired man sitting behind a desk told me that I could go in, as long as the executives of the company I was visiting called up to validate my identity. When I continued to inquire about their privacy policy, and how I know that my data is secure, another man stepped up behind me and rudely inquired about how it is any of my business. This policy of scanning identifying documents is new, and the system was put into place only a month and a half ago.

I faced a similar situation while visiting Amazon at the World Trade Center in Bangalore last month. While the building security declined to let me through, the executives I had gone to meet were quite apologetic about the situation, and met me in the building lobby. They had similar misgivings about this data being collected, and understood my point of view of not giving my data.

*

We give our data away online every day – to apps, search engines, social networks, email newsletters and media companies, and e-commerce firms. Even if some of them don’t follow guidelines, or keep changing their privacy policies, at least they have one. The Right to be Forgotten is a tricky new idea, but in India, we don’t even have a privacy law. While we give our data away to mobile phone companies and banks, and hope they don’t sell it, the other seemingly innocuous data collection takes place at entrances to office buildings and gated colonies: large notebooks with yellowed pages, and frayed and filthy edges collect names, addresses, mobile numbers and signatures. I have friends who put in fake or incomplete mobile numbers, but what no one asks is – what happens to these registers after they’re filled up? What is their privacy policy? We don’t worry about these things because we’re used to it.

There is data that I put on a business card – name, address, mobile number, Twitter handle and mobile number – that I have no issues sharing. Some of it is on MediaNama’s Twitter profile. What is important here is that it is my choice, but it is also worrying that we’re in a situation where someone has to make these decisions. I chose not to allow The World Trade Center in Bangalore to scan my ID, and they chose not to let me in. It’s almost like a trade. But there is data that validates my identity, such as my driver's license number, that I don’t want anyone to get access to. I’m willing to show it, if anyone wants to validate it for authenticity, but I certainly don’t want them to copy it. How do I know someone won’t be able to copy this digital scan, and create a fake copy of my ID?

There is also some sense of privacy and security in the fact that many of the databases that collect information about us are not connected. This is the danger that the Aadhaar number holds: being used as a primary identifier, it becomes a number that connects multiple databases together. Of course, this is a country wherein the election commission has allowed demographic data to be copied en masse (read this and this).


There are many reasons why the government of India needs to implement a privacy law. The earlier government had drafted a Bill on the Right to Privacy in the hope of curbing the trend of unbridled surveillance and to ensure that there are legal mechanisms for safeguarding individual privacy, to balance the concerns of both individual privacy and state security. Read more about it here.