The rapid growth of India's cyber-population has also led to the escalation of cybercrime. The widespread lack of awareness about data privacy enables online criminals - and so does the lack of comprehensive Indian data-related legislation. The financial intelligence firm, Ultrascan, recently estimated that Indians "donated" over $870 million online in 2013 to scamsters in Advance Fee Frauds of the sort conceptualised by Nigerian con men. In an operation under AFF, thousands of emails are sent out offering large sums. To receive the promised reward, recipients must submit personal details (name, address, bank account number, scans of identity documents, Income Tax Permanent Account Numbers, and so on) and pay a processing fee. The gullible pay - and lose the fees, of course. More dangerously, the data may be used to empty out the victim's bank account and misuse credit cards for purchases, etc. In the most extreme cases, the victim's identity can be stolen and misused, including by terrorists.
Indian surfers seem to be among the world's most gullible when it comes to offering personal data. This trait is confirmed by another survey by the American data storage services provider, EMC Corporation. The global EMC Privacy Index compares the attitudes of consumers. It judges how willing they are to trade personal data for gain, or convenience. In the 2014 survey of 15,000 persons across 15 nations, Indians ranked at the top in terms of being willing to trade data for convenience. Huge amounts of personal data about each Indian are stored online, and such data are growing exponentially. As citizens, Indians offer data, including biometrics for a wide range of government services such as passports, Aadhaar cards, driving licences, registrations of real estate transactions, court affidavits, etc. In accessing medical and financial services, they offer data-sets to other service providers, including many private sector organisations. They collect and offer yet more data in social media activities, in online transactions, and in conducting businesses and professional activities. In addition, national security agencies actively collect data via clandestine surveillance programmes, such as the US Prism, or the Indian NETRA. All those data are stored in databases, government-owned or private, with varying levels of security. Data may sometimes be openly sold. Individuals may also be storing data in devices like laptops, tablets and mobile phones, which are all vulnerable to hacking and theft.
The casual attitude of the average Indian citizen to data privacy is mirrored by a lack of legislation. There is no specific privacy law, although the A P Shah Commission submitted draft guidelines for privacy legislation in 2012. There is no law specific to DNA collection norms. While the IT Rules 2011 identifies some digital data as "sensitive and personal", coverage is patchy. Location data, for example, are not considered private. There are no clear guidelines for safe collection, storage, use, sale and transfer of sensitive data - and, naturally, there are no penalties prescribed for unsafe data-handling processes. It is also not clear what data are admissible as evidence, especially if such data are clandestinely gathered. Nor are there specific safeguards against data forgery, or manipulation.
This is unacceptable, given the possibility of widespread, egregious misuse of an increasingly broad range of digital data. The law must catch up with the technology as soon as possible. The legislation of comprehensive laws and guidelines about data should be a top priority. Ideally, a privacy law to protect personal liberty should also be on the agenda.
