The Indian government recently came out with new guidelines for virtual private network (VPN) providers, which include, among other things, storing users’ personal data for up to five years. People have been up in arms about the implications this will have on user privacy.
If you’re a movie buff, you probably have used a VPN for something as innocuous as accessing Netflix titles unavailable in your own country or even used it at work for sensitive things. While the government has clarified that the new mandates will not be applicable to corporate VPNs, the core issues of personal data collection remain, and defeat the purpose of using a VPN.
In February 2020, when riots broke out in New Delhi, there were several reports that claimed that rioters had burnt down vehicles belonging to specific people after learning the identity of the owners. A government portal that stores data on all vehicle owners made this possible.
In 2019, the Ministry of Road Transport and Highways introduced what was called the Bulk Data Sharing policy. This allowed the sale of vehicular bulk data, under the Vahan and Sarathi schemes, to private buyers.
The Vahan and Sarathi databases store details of vehicle registrations and driver licences. In theory and intent, these are great and necessary initiatives. This helps traffic police find out owner details, for example, and eventually makes for better governance and compliance.
However, until early 2020, to find out the name and registered address of a vehicle owner, all you had to do was to type in their vehicle registration number in the Vahan portal or app. The open access to the portal’s data facilitated the sharing of this private information.
The controversy over how this information was being misused ultimately led to the Bulk Data Sharing Policy being scrapped later that year. But interestingly, the same ministry had signed a contract with a private firm to access vehicular data as far back as 2014. There is no way to know how any of this data was or is currently being used.
Those pesky insurance company calls you get every day for policy renewal could be because your data was sold to the company. Or a more terrifying scenario could be your private information being used by a radical outfit. Therefore, your personal data is valuable.
Everything we do in our day-to-day life today leaves a digital footprint. And so, if the collection and sale of data continue, anyone can look into your most private activity at any time.
When private entities buy and sell data, they have a commercial motive. But when the government does so, there are many red flags.
The case for monetising anonymised citizen data has been building in India over the past three years. In the now junked e-commerce policy draft that came out in 2019, the idea of anonymised community data for “public good” was first mentioned. The Economic Survey that year suggested monetising citizen data.
The Ministry of Electronics and Information Technology recently proposed a policy that will allow access to suitably anonymised data to governments, startups, researchers and enterprises. While the language is vague, the proposal leaves room for monetising certain kinds of data. All data sharing will happen under “national policies and legislation and the recognized international guidelines”.
It is important to remember here that India has been awaiting the final sign-off on its data protection law for nearly four years now. That means there is little to no legal remedy for a citizen if they want to contest the usage of their data.
The government arguably has the most amount of citizen data. But imagine commercialising the wealth of data from welfare schemes, financial transactions, identity proofs, travel and health records, among others.
The recent handling of data around the Covid-19 pandemic also offers interesting examples.
In the UK, the National Health Service struck a deal with controversial technology firm Palantir in 2020 to analyse Covid-19 data for a short-term project. The government quietly extended the deal, which eventually led to a lawsuit questioning the intent and use of the citizen health data.
The deal was terminated last year, but it shone a light on the anonymisation of data sets. Palantir used a technique called pseudonymisation, which simply means substituting actual names with pseudonyms or aliases. In a technical blog, Palantir explains the challenges of re-identification of people from anonymised data.
In India, the contact tracing app Aarogya Setu, built by the government, was in the news more than once over privacy concerns. Government offices and several private companies had made the app’s use mandatory. So, for the major part of 2020, one couldn’t enter public spaces without showing the app. A large set of data was collected through the app. And this can be used without our knowledge.
Let’s say a medical company buys this (anonymised) data from the government to market a new drug. In combination with other data sets that match some parameters from Aarogya Setu, like location, age, Covid status, and places visited, it will be possible to target specific individuals based on their medical history, without the person having the slightest idea.
To be fair, privacy is also a cultural construct. Europe, for example, is well known for its strict approach to privacy, having learnt a lesson from the horrors of the Second World War. Understandably, it has taken the same approach to online privacy. In India, the concept of privacy is a bit fuzzy, and often not taken as seriously. But with rising awareness and privacy campaigns, this is slowly changing.
However, to make it a more pervasive concept, the idea of privacy needs to become a part of our everyday lives. The first step for parents could be introducing their children to the concept and helping them practise it.
Start with your social media accounts. Take some time to understand what permissions you are granting to different apps. And if in doubt, say no. It is also advisable to use chat apps that support end-to-end encryption and browsers that don’t track browsing history. VPNs are a great way to go private on the internet. So it is in everyone’s interest that the new VPN guidelines do not come into force.
At a more basic level, try to read through the privacy policies of the apps you use, and check if your email was compromised in any known data breaches.
In short, the next time when they ask you to read the offer document carefully, do that.
K. K. Mookhey (CISA, CISSP) is the Founder & CEO of Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of cybersecurity and privacy. He has published numerous articles, co-authored two books, and presented at Blackhat USA, OWASP Asia, ISACA, Interop, Nullcon and others.