Data Privacy Day is an occasion to raise awareness among people on the issue: Prof. SK Shukla
Privacy is a fundamental right and data that is personally identifying people such as name, address, phone number, photos, etc., are all subject to privacy rights, says Prof. SK Shukla.
Today is World Data Privacy Day, observed with the lofty vision of raising public awareness about how the privacy of citizens can best be protected and promoted, and of highlighting current problems and the solutions available. With the pandemic forcing virtually everyone to go digital, protecting privacy has become even more important. To discuss this, we have with us Prof. Sandeep K. Shukla of IIT-Kanpur, who shares his insights on the subject. Here are edited excerpts from a conversation with HT Tech.
Q1. January 28 is World Data Privacy Day. What do you think is the significance of the day?
In India, based on the Puttaswamy case, Privacy is a fundamental right, and data that is personally identifying people such as name, address, phone number, photos, contact list, biometric data of a person -- are all subject to privacy rights. A person should have the right to own, control, and provide discretionary access to that data to parties he/she trusts. State or any corporation or other individuals have no right to breach or extract data without consent of the owner. Further, coercion should also be not legal to obtain data -- and that should apply to the states, corporations or other individuals. Unfortunately, most of these are violated in India daily. I was recently invited to talk at one government and one private university. They requested copies of my bank passbook first page, my PAN card and Aadhaar card. Now, these documents have more information on them than what they require to pay honorarium. Which means due to lack of any standards, laws, and data protection awareness -- they are asking for more information than is required. Similar incidents happen even after the Aadhaar verdict, which expressly prohibits requesting your Aadhaar card for services other than public good distribution and income tax, we get asked for them at various offices -- government or non-government. All this tells me that there is a lack of standards for establishing identity, lack of awareness of the need for data privacy, and also caution about protection of data.
Therefore, a data privacy day should be an occasion to raise awareness levels in people, officials, and corporations. However, such celebrations should have effective communication and not just another celebration like "anti-corruption" day -- where lip service is made with great pomposity but having no effect. So if properly utilized to reach every citizen what are the dos and don'ts and what are the fundamental right and how to emphatically insist on our fundamental rights -- this day can be significant. Otherwise, with lip service -- we get nowhere.
Q2. What is your opinion around the current status of data privacy? In what areas do you feel we are most vulnerable when it comes to data protection?
India has an outdated and inadequate legal regime for privacy even though the Supreme Court judgment in the Puttaswamy case declared privacy as a fundamental right and it is the state's responsibility to protect it.
The IT Act of 2000, and IT Act Amendment of 2008 are too old, and do not address privacy adequately. Section 43 of the IT Act talks about hacking as a crime, unleashing malware as a crime, publishing someone's digital signature without consent as a crime -- but the quantum of punishment seems trivial (1-3 years or minuscule amount of fines). Section 72 talks about breach of confidentiality and privacy in the sense that someone willfully making public records or data without consent of the owner of the data is punishable by meager 2 years of imprisonment and/or Rs. 1 Lakh fine. Section 72A read with Penal Code Section 409 talks about breach of trust by a contractor with access to someone else's data. Section 43A of amended IT Act also allows for compensation for privacy breach by third party data fiduciary. Section 85 is a weak attempt to pin liability to corporations for data privacy breaches for lack of due diligence in protecting data. There are also a few data protection regulations for government organizations advising due diligence.
The new data privacy bill has been long overdue and we expected it to be in line with the GDPR. Also domain specific data protection laws such as HIPAA for health data, or federal government data protection laws such as FISMA etc, are not there in India.
Unfortunately, the current data protection bill is giving blanket exception to the government to breach privacy without recourse for those affected. Even the original architect of the Bill, Justice Sri Krishna has spoken out against this aspect of the bill vigorously and according to the news reports, even in the parliamentary standing committee, it seems consent was given along party lines rather than on rationalization. This will put citizens even more in danger, because when the government can breach without recourse, citizens are less secure for several reasons:
1. Once the data is breached by the government by claiming any reason to carry out a surveillance of a person -- the data will be in government servers -- and hence any security breach can put that data in the wrong hands
2. Once data breaching is legal for government servants, rogue government people may even carry out surveillance of people based on their own whims and very little check and balance by a committee outside the government and even courts will be possible.
3. Once the foreign governments know that our not so secure government systems and servers are containing citizen data -- the government's systems become further targeted by them.
So even though we are at a point of no return, and the bill will be passed -- I wish the government addresses these concerns. It is best to bring it to the same levels of safeguards for misuse of the law as GDPR.
So I think the exception given to any data fiduciary -- government or not -- is creating dangerous vulnerabilities.
Also, cyber security practices in the country -- probably with exception in Banking and financial sectors -- are terribly weak. Government schools, colleges and higher education institutes are some of the most vulnerable ones, and we do not do adequate work to address this.
Q3. What, according to you, are some of the steps that should be taken to strengthen India's data privacy?
First, we need a GDPR like law with no exceptions provided for -- even for the government. Only with reasonable proof, and judicial supervision, even the government should be allowed to breach privacy of anyone in the country.
Second, we need security architecture, and security posture -- as without security -- despite the best of intentions -- you cannot keep data safe from breaches. Think about the recent Big Bazaar breach, Domino's breach and many others -- what punishments did these entities receive from our legal system for endangering customers? We could have at least brought the force of outdated amended IT Act to do something -- but did we? I am not aware.
Same happens when government websites leak information -- even full pdfs of copies of Aadhaar cards -- no legal recourse is possible -- as the judicial system is busy with other crimes, and we do not have the culture to hold organizations accountable.
Pegasus malware was a severe breach of privacy -- an unprecedented incursion into the lives of people. Thankfully the Supreme Court has constituted a committee but it is not clear if the committee will get the answers -- as the authorities did not answer questions in the name of National Security.
So more than technology, we need a change of privacy culture, attitude towards ensuring fundamental rights of citizens, and we need to change awareness levels -- and address the inadequacy in the laws, regulations. Further, the system of criminal jurisprudence needs to change -- as poor people may have no recourse as dispensation of justice is expensive and inadequate in the country in my view.
1. First is awareness -- regular consumer thinks -- what is wrong if people know my location, my movement, my habits, likings dislikes etc -- but they must be aware that this can be used to do psy-ops against the country to incite violence, riots, prejudices and many other things -- and most importantly subvert democracy (recall Cambridge Analytica)
2. Awareness education, advertisement on print and electronic media to increase awareness on the importance of privacy and how to protect privacy is important
3. People should be made aware of Phishing and other social engineering methods used to breach privacy and security
4. People should understand the risk of using cheap mobile phones and apps that have privacy issues
5. Govt should develop apps for mobile that on the mobile itself can rate the privacy of each app downloaded and warn the user against using apps that breach privacy
6. People should be enabled to use encryption based products and all kinds of information they share may be converted to verifiable credentials so that privacy breach surface is reduced drastically -- they should not give printouts and copies of ID cards, Aadhaar cards and stuff like that and just prove their identity with verifiable credential form of identity which the government needs to enable
7. Again, first step is wide awareness campaign
Q4. A lot has been said about 5G connectivity. Some have even suggested that it is harmful for humans and the environment. What is your opinion regarding this?
Well, we recently saw an incident of an aeroplane communication interference due to the presence of 5G tower in the vicinity. So it is likely to have effects on aviation infrastructure if caution is not taken.
Some say these are also bad for bees, birds and other animals who actually keep our ecosystem in balance. So those issues must be considered carefully. I am not an expert in the physics of 5G but such high frequency might have harmful effects -- but that is just speculation. I guess we need more experimentation.
Q5. Do you think modern smartphones come with any flaws that can compromise a user's data privacy? If yes, how can they be fixed?
Yes, indeed. They can have flaws and implants in the hardware but that is less likely -- but more so in the firmware, and software. We recently tested several phones, and we found these phones communicate with more than 2000 different internet addresses even before you connect it to Google or download any app. What it means is that these phones come with bloatware which are bundled by the phone companies and take money from bloatware makers and thus it makes the phone cheaper. South Korea recently banned bundling of bloatware in phones when they are in their market, and China requires that there be a way to uninstall those bloatware (currently without rooting the phone you cannot remove them). The IPs they connect to -- many of them are malicious IPs. Currently in our lab we are testing what data is being sent by these bloatware to those internet addresses.
We are in touch with the government on this -- and soon there will be regulations that will stop the phone companies from doing this immoral practice -- even if that means consumers pay a bit more for the phones. Also, we should have a testing lab for privacy and security of new phones in the market before they are approved to be in the Indian market. Apps should also be tested and rated for privacy and security by some agency so consumers may decide whether to install them.
Q6. Where do you see India headed in 5 years' time when it comes to phone connectivity?
Well, 5G is still in pilot phase and we have been talking to regulators to tell them that more security regulation, security audit etc must be required before the operators are to bring 5G in the market. We also have been advocating more experimentation and testing of 5G equipment before they are used in Indian infrastructure. We also believe that 5G will create a larger attack surface -- and also data leakage. So we have to be careful. Cyber Security which is essential to get data privacy -- is not just technology but it is technology, processes and people. Technology you can buy or import, processes you have to develop, enforce, and audit -- which is where we are weak. We let corporations do whatever and then we allow them anyway. People are the weakest point -- as we do not have adequate manpower in cyber security to secure our systems and infrastructure yet and that is changing very slowly -- we need more initiatives. Therefore, I think we should exercise caution - and just because South Korea, Japan etc are embracing new technologies we do not have to jump too. Also, many poorer countries are often duped into accepting new technology without the processes in place for security or other safety checks, and without properly understanding the risks. So we should not follow them either. We should develop adequate security technology, processes, and get adequate manpower before we leapfrog.