
Growing cyber-risks

India needs strong privacy legislation

Business Standard Editorial Comment New Delhi
3 min read Last Updated : Sep 25 2020 | 1:57 AM IST
Recent revelations about cyber-spying and surveillance have highlighted the multiple lacunae in India’s regulatory regime for protecting data privacy. It has been alleged that a Chinese firm, Zhenhua Data Information Technology, keeps tabs on 10,000-odd Indian citizens. There have also been revelations about Facebook misusing permission granted to the app of its subsidiary, Instagram, to track user activity. TV channels have also released and sensationalised what are claimed to be WhatsApp messages gathered by Indian security agencies investigating Bollywood celebrities. There are several different points worth noting from the above incidents. One is the lack of specific legislation governing the private data of Indian citizens. The Supreme Court in 2017 affirmed privacy was protected as a fundamental right. But the government has not passed laws to protect the right.

Moreover, the draft privacy legislation suggested by a committee chaired by retired Supreme Court judge B N Srikrishna has undergone multiple amendments at Cabinet level, although it has not yet been presented to Parliament. The revised draft offers no protection against government surveillance. The absence of law leaves the issue of privacy in a grey area. Offences are not clearly defined, and penalties are not prescribed for gathering, disseminating, monetising, leaking, or deliberately publicising private data. If the proposed private data protection legislation and ancillary legislation such as health data management go through in the current formats, the government and all its agencies would remain free to gather, disseminate, and sell private data without the permission, or knowledge, of citizens. However, legislation would, at least in theory, offer protection against private entities.

A second point is that every 21st century individual generates a lot of data. Much of this — such as Facebook posts, Twitter data, and location data — is public by default, unless the individual in question actively chooses to restrict access to it. In many instances, individuals who are not cyber-savvy are unaware of the quantity and type of data they generate. Most users give permission to apps and programs to gather data, and use cameras, record locations, and monitor phone calls without bothering to read end user licence agreements. This means a user may install an app while being unaware that the app is monitoring all activity on the device with legal permission. This is an area where citizens have to take personal responsibility.

In addition, users often back up data to cloud servers, without understanding the negative privacy implications. This is, for instance, one way in which end-to-end encrypted communication, such as WhatsApp messages and phone calls, ends up being insecure because the cloud back-up is not encrypted. If it is assumed the WhatsApp messages flashed on TV channels are authentic, there is a deeper cause for worry. This data was supposedly gathered by investigative agencies. It may be legally used as evidence. But evidence should not have been leaked into the public domain. Until the legislative lacunae are addressed, and until citizens become more aware of the privacy implications of granting permission to various apps, the data of Indian citizens will remain highly insecure, with no possible legal redress for misuse. The government should get the relevant laws passed as soon as possible, as the rising use of technology will increase the vulnerability of Indian citizens with every passing day.

 
