The Indian government’s guidelines for virtual private network (VPN) providers came into force on 25 September, 2022. They mandate, among other things, storing users’ personal data for up to five years. At least three VPN service providers have already left India or shut down their servers here because the provisions harm user privacy.
Recent Indian regulation has tried to include privacy as part of rules governing online behaviour. The recently junked Personal Data Protection Bill, which has been replaced with a new draft, had a detailed section on “privacy by design” that every entity processing personal data had to adhere to. The new draft has no such provisions.
The Supreme Court upheld privacy as a fundamental right in 2017, but governments, both at the Centre and State levels, have often shown little to no regard for individual privacy.
In February 2020, when riots broke out in New Delhi, there were several reports that claimed that rioters had burnt down vehicles belonging to specific people after learning the identity of the owners. A government portal that stores data of all vehicle owners made this possible.
In 2019, the Ministry of Road Transport and Highways introduced what was called the Bulk Data Sharing policy. This allowed the sale of vehicular bulk data, under the Vahan and Sarathi schemes, to private buyers.
The Vahan and Sarathi databases store details of vehicle registrations and driver licences. In theory and intent, these are great and necessary initiatives. They help traffic police find out owner details, for example, and eventually make for better governance and compliance.
However, until early 2020, to find out the name and registered address of a vehicle owner, all you had to do was to type in their vehicle registration number in the Vahan portal or app. The open access to the portal’s data facilitated the sharing of this private information.
The controversy over how this information was being misused ultimately led to the Bulk Data Sharing Policy being scrapped later that year. But interestingly, the same ministry had signed a contract with a private firm to access vehicular data as far back as 2014. There is no way to know how any of this data was or is currently being used.
When private entities buy and sell data, they have a commercial motive. But when the government does so, there are many red flags.
The case for anonymising data
The case for monetising anonymised citizen data has been building in India over the past three years. In the now junked e-commerce policy draft that came out in 2019, the idea of anonymised community data for “public good” was first mentioned. The Economic Survey that year suggested monetising citizen data.
In February 2022, the Ministry of Electronics and Information Technology proposed a policy that would allow access to suitably anonymised data to governments, startups, researchers and enterprises. This was junked and replaced with the draft National Data Governance Framework Policy in May 2022. It proposes the setting up of an “India Data Management Office” that “may decide to charge user charges/fees for its maintenance/ services”.
It is important to remember here that India is still awaiting a final data protection law. That means there is little to no legal remedy for a citizen if they want to contest the usage of their data.
The government arguably holds the largest amount of citizen data. But imagine commercialising the wealth of data from welfare schemes, financial transactions, identity proofs, travel and health records, among others.
The handling of data around the Covid-19 pandemic also offers interesting examples.
In the UK, the National Health Service struck a deal with controversial technology firm Palantir in 2020 to analyse Covid-19 data for a short-term project. The government quietly extended the deal, which eventually led to a lawsuit questioning the intent and use of the citizen health data.
The deal was terminated last year, but it shone a light on anonymisation of data sets. Palantir used a technique called pseudonymisation, which simply means substituting actual names with pseudonyms or aliases. In a technical blog, Palantir explains the challenges of re-identification of people from anonymised data.
In India, the contact tracing app Aarogya Setu, built by the government, was in the news more than once over privacy concerns. Government offices and several private companies had made the app’s use mandatory. So, for the major part of 2020, one couldn’t enter public spaces without showing the app. A large set of data was collected through the app. And it now seems to have transitioned into a “health app for the nation”. There is no telling how our personal health information is being used by the government.
Let’s say a medical company buys this (anonymised) data from the government to market a new drug. In combination with other data sets that match some parameters from Aarogya Setu, like location, age, Covid status, and places visited, it will be possible to target specific individuals based on their medical history, without the person having the slightest idea.
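The re-identification risk described above can be measured before a data set is released. The following is an added illustration, not code from Palantir, Aarogya Setu or any government system: it uses k-anonymity, a standard measure the article does not name, and every record and field name in it is constructed. It shows that swapping names for aliases still leaves each person unique on location, age, Covid status and places visited, and that coarsening those fields removes the uniqueness.

```python
from collections import Counter

# Constructed sample: names already replaced by aliases (pseudonymised).
RECORDS = [
    {"alias": "u01", "pin": "110001", "age": 34, "covid": "positive", "visited": "mall"},
    {"alias": "u02", "pin": "110001", "age": 36, "covid": "positive", "visited": "clinic"},
    {"alias": "u03", "pin": "110002", "age": 31, "covid": "positive", "visited": "mall"},
    {"alias": "u04", "pin": "110045", "age": 62, "covid": "negative", "visited": "office"},
    {"alias": "u05", "pin": "110047", "age": 67, "covid": "negative", "visited": "office"},
    {"alias": "u06", "pin": "110049", "age": 65, "covid": "negative", "visited": "temple"},
]

def class_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest group size; k == 1 means at least one person is unique."""
    return min(class_sizes(records, quasi_ids).values())

def singled_out(records, quasi_ids):
    """Aliases whose quasi-identifier combination is unique in the data set."""
    sizes = class_sizes(records, quasi_ids)
    return [r["alias"] for r in records
            if sizes[tuple(r[q] for q in quasi_ids)] == 1]

def generalise(record):
    """Coarsen before release: 10-year age band, 4-digit PIN prefix, no places."""
    decade = record["age"] // 10 * 10
    return {"alias": record["alias"],
            "pin": record["pin"][:4] + "**",
            "age": f"{decade}-{decade + 9}",
            "covid": record["covid"]}

RAW_QI = ["pin", "age", "covid", "visited"]   # fields an outside data set could match on
SAFE_QI = ["pin", "age", "covid"]             # fields left after generalisation
RELEASE = [generalise(r) for r in RECORDS]

if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS, RAW_QI), singled_out(RECORDS, RAW_QI))
    print("k after: ", k_anonymity(RELEASE, SAFE_QI), singled_out(RELEASE, SAFE_QI))
```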
Why care about privacy?
Those pesky insurance company calls you get every day for policy renewal could be because your data was sold to the company. Or a more terrifying scenario could be your private information being used by a radical outfit. Therefore, your personal data is valuable.
Everything we do in our day-to-day life today leaves a digital footprint. And so, if the collection and sale of data continue, anyone can look into your most private activity any time.
To be fair, privacy is also a cultural construct. Europe, for example, is well known for its strict approach to privacy, having learnt a lesson from the horrors of the Second World War. Understandably, it has taken the same approach to online privacy. In India, the concept of privacy is a bit fuzzy, and often not taken as seriously. But with rising awareness and privacy campaigns, this is slowly changing.
However, to make it a more pervasive concept, the idea of privacy needs to become a part of our everyday lives. The first step for parents could be introducing their children to the concept and helping them practise it.
At a more basic level, try to read through the privacy policies of the apps you use, and check if your email was compromised in any known data breaches.
In short, the next time they ask you to read the offer document carefully, do that.
K. K. Mookhey (CISA, CISSP) is the Founder & CEO of Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of cybersecurity and privacy. He has published numerous articles, co-authored two books, and presented at Blackhat USA, OWASP Asia, ISACA, Interop, Nullcon and others.