In a conversation at the IEThinc event on ‘Data Protection and Privacy: Where Are We in India & What’s the Future?’ experts talked about issues such as where does Aadhaar stand in the light of Supreme Court’s privacy judgment, impact of data protection on the economy of internet, and the legal framework India needs. The panel — comprising legal researcher Usha Ramanathan, MediaNama editor Nikhil Pahwa, deputy director general at Department of Telecommunications G N Nath, and project head (Future of Finance Initiative) at Dvara Research Malavika Raghavan — discussed such issues at length. The discussion was moderated by Shruti Dhapola, Assistant Editor, The Indian Express. Edited excerpts:
In the context of Aadhaar, there are fears that it can become a surveillance tool, especially with it being made mandatory. Where do citizens reconcile? And, what are the government’s plans when it comes to protecting citizens’ data both from the State and corporations?
Nath: When you look at Aadhaar, it is just the identity of a person. You have many sectors where services are availed, be it banking or telecom. You would find that the first thing you do there is filling an application form where you write your name, address, fathers’ name, telephone number. Those are the details you give everywhere. So, you give your identity that I am the person who wants to avail this service. And then there are silos that are created for you. One thing what Aadhaar does is that it’s a number which has information about you. One should present this Aadhaar number; what you are doing is you are saying the information is with your database and I would not be re-filling all the information. So, giving away your identity has been there since we began availing the services. The problem is that when we have different silos, we don’t know how to link up a person. For example, I could be having four or five bank accounts; one saying G N Nath, another saying Narendra, or whatever and I could have four different accounts and no one would know. I could make four different land deals and no one knows about that, too. So, what Aadhaar does is that it links up the person to all that he does. If we are comfortable with that or not is what we have to deal with.
Protecting Aadhaar database is one part of it. The data does not travel but is validated. Basic information, such as name, is translated for populating the application that is there. How you protect Aadhaar database is an important part and the latest state-of-the-art technology is being used to protect it. Regarding protection of citizens’ data that is collected, we have licensing as to how the data being collected is to be protected in telecom licences. For example, whatever customer data is acquired by service providers, or those that come to the providers, is supposed to be retained within the country and not go out. We have clauses, if that data gets compromised or due diligence is not exercised, penal clauses can kick into action and they are liable for all of that. So, different sectors have their own understanding how the customer data is to be protected. How customer data that is there while provisioning services has to be protected. That is already there and on a continuous basis, measures are being taken to see controls are adequate to ensure that data is secure. Having said that, we see customer data getting breached in some countries but regular security measures have to be there for protection.
What sort of legal framework does India need for data protection? What would be the ideal approach? Should we follow European model, which is quite strict, or do we need something more in between?
Ramanathan: The UID (unique identification) can’t skip one and pass on, it has to pass through me. What happened in UID is that the government went to court and said in this case that people of the country have no right to privacy. That’s what alerted us. We hypothesised it all along but we didn’t know it wasn’t the planning that privacy was to be sacrificed. This told us what the intention was. Also, other cases were going on in the court that told us so. And, at the same time, the government had gone to the Supreme Court and said that privacy is the fundamental right (FR) of citizens and we have to protect it and so, don’t strike down the provision of defamation. It’s an admission by the state that the UID project cannot survive the interest of privacy. There is a way where we are put on mat and asked: Why do you need privacy, are you criminal, etc, but the person who wants to take away privacy has to answer that. The way in which the Supreme Court has answered the question if we have privacy or not, is significant, that they brought up the ADM Jabalpur case from the Emergency in data era definitely to overrule it although it no longer is a good law. But, they said they do not want any doubt about it. So, privacy is about what our FRs have become in the last 70 years.
Pahwa: We have to realise today that we are in an era where there has been a market failure in data protection and privacy. Our privacy is being traded and so the talk from the industry (technology) is let’s self-regulate (us). We (citizens) have little choice over who collects data, how they store it, how they transfer it and all that is a consequence of lack of a privacy law in this country and whatever specific privacy statutes are there, no one acts upon them to protect people’s privacy. There is a fatalism coming in everywhere that as citizens we are giving data everywhere, we have no more choice, problem with consent mechanism. What we have seen is there is no informed consent and no genuine consent whether it is a state as in the case of Aadhaar or there is an operator taught to click next, next to take your consent even though they have not asked for your consent on many things.
If we go for stricter data protection law will it negatively affect the internet economy? Arguments made by corporations is that you cannot have strict laws and also have a vibrant internet economy because a lot of these companies are built around data and services do rely on data. So, is it possible to have a sustainable internet without giving up privacy ensuring that citizens’ rights remain?
Raghavan: I think the answer is yes. In many discussions, there is a certain kind of exceptionalism about this debate which is not necessarily the case. We are in a country which is a 70-year-old democracy but we can learn a lot from countries globally and data debate is certainly not new. We are second or third generation for this kind of jurisdiction. I work in a policy research project. So, we went out and spoke with an entire bunch of companies to understand. We were on a panel with someone from BankBazaar.com. He, the chief data officer, was talking about data not just as oil but data needs to be seen as risk for a company’s perspective. So, in that sense, it is an interesting space because for once, it’s not always that incentives of the consumer and the provider are misaligned. It’s quite different in that sense and from their perspective, the larger the data set they hold, the difficult it is for them if they are looking at data security.
Mozilla is an interesting example. They run a browser and every piece of information they collect, they also check for user benefit, besides looking at company benefit. This information is needed to get the job done. So, you need to look at benefits and harms in order to understand relevance.
Data is definitely power and there is mistrust happening now in the light of Aadhaar and other significant things. We also have a WhatsApp case going on in the Supreme Court.
Pahwa: One of the things to remember when we look at technology and data is that silos are good, they are useful. It means when things get compromised, people do not get compromised as a whole. What’s happening right now, which is the worry, is that the consolidated data base is being created the way government has worked on it. That does not seem secure. There was a case: An engineer in Bengaluru found NIC (National Informatics Centre) was running access to CIDR (Central Identities Data Repository) on http instead of https, which is a rookie mistake to make when it comes to running any app or site because the connection is not secure. The person who is able to plug in to that can allow people to check the status of their data or get copies of their data from CIDR. But, it’s sheer incompetence or compromising people at fundamental level. Silos are good as Aadhaar gets linked to things, while linking it together to multiple databases, vulnerabilities increase, as one factor of identification is equal across all of those. If you have federated ID’s using sometimes the driving licence or sometimes the Aadhaar mean if any identifier gets compromised only a part gets compromised which means you can then look to change it. The other problem with it is it’s a single number which is permanent. It’s like having a permanent e-mail address and a permanent password in your fingerprint and your fingerprint gets compromised when I touch this mug, anyone can copy it and now you have a situation where government departments have published people’s Aadhaar numbers, when 130 million, which is four services, about 210 websites in all, that data is gone forever. I was able to find that data via Google search and that’s just rank incompetence. So, do not take people’s data if you cannot keep it secure. The constant refrain we have been hearing since last year is that it’s secure. It’s not. Biometrics are the easiest to be compromised as you leave fingerprints everywhere you go. With a high-resolution photo, even the iris can be cloned. Also, the e-KYC mechanism increases vulnerabilities for citizens as once data leaves UID and goes to things like Jio, you have seen they have not been able to keep it secure like in the case of the website magicapk.com.
There are vulnerabilities in having one central database. What is your response?
Nath: You have taken the case of magicapk.com. I have seen what the case is about. It’s not that it’s access to a data that pertains to a company. It’s just that at the point of sale, the person who provides for recharge, they have to have access to the person’s name, telephone number. So, this person gets information so that it can enable this person to get recharged. This agent leaks information to somebody else and that person has accessed it from some other location. He prepares a script for that so that whenever I put a telephone number, the name and address would come. So, people would go there put in any telephone number and corresponding name and address would come up. That’s what happened in magicapk.com. There was compromise in terms of leakage of credentials of the person to whom it was given. It had nothing to do with Aadhaar database.
The concern on linking UID to multiple services, I know, will have problems with privacy. Database regarding a bank is maintained by the bank, database regarding PAN (is maintained) by the income tax department, database regarding telephone connection by respective telephone companies. They were earlier linked with my name, which I could modify, so that there was no common linkages. Now, I have a unique ID and the database the bank is maintaining is as per the unique ID which is corresponding to my name. All these databases are not linked together. It is the unique ID with which I am able to identify the information that is there. It’s not that there is common database for banks and aviation, etc. There is another database of the unique ID which says that it has the following features name, address and biometrics. Earlier, authentication was photo and name, while now there is biometrics. We had authentication mechanism for signatures and photos, which have their own lacuna. I have a document with a signature I don’t know whether document is authentic or not, with biometric I know it’s genuine. The concept that all of the databases are one common database there is not true. Respective databases are maintained by different entities. Earlier, it was linked to a name, now it is linked to a number and that number attributes are stored in separate database. That’s the architecture we have. Vulnerabilities come about because of the digital age we are in. There are flexibilities that come from use of digital services and they come with vulnerabilities, too.
Ramanathan: If you have laws and rules preceding innovation, we might lose innovation. I am reminded of a discussion we had in the 1990s when liberalisation was brought in where economists told us economics has nothing to do with the Constitution of India. Technology people are telling us more or less the same thing now. The last time we had a discussion and they said the EU has stringent regulation on privacy. If there is that kind of stringency, it will be very difficult to innovate. It’s much better to do the American way. The question we had in return was: What happened over past 20-30 years is these companies became powerful in relation to our data and monopolistic in a way that they have turned the concentration of both data and wealth. I am not sure that’s the route we want to go.
We need to have a law that looks at data protection from the point of view of the citizens. Technology is going to be changing every couple of years. So, what sort of laws do we need every few years to keep up with it? What should we be looking at when we talk of data protection? Do we need strong regulations? Or do we take it as it goes?
Nath: Data collection has been happening for years. Doing a business needs to collect information, how do I do a resale, a cross-sale, these are concepts that need data. So, it’s been there for long. With internet and processing, the scaling up that can happen is creating the concerns. Privacy is required, data processing is required. This is a problem the whole world is trying to address. Corporations that have collected data, the way they are using it is a concern. And, corporations collecting lot of data happened during earlier times. With Artificial Intelligence (AI), it’s quite easy to have a haystack and find a needle in it.
Raghavan: I don’t necessarily agree though. I think data protection is much more than surveillance. In the US Homeland Security Department, there is an excellent paper where they talk of the numbers of terrorists who were tracked with both human and AI.
Nath: The rate at which AI is developing, what you were talking last year is not relevant today. Random data that was collected earlier did not make sense but now, they do.
Raghavan: We have lot of mathematical associations which have released statements that it’s not true that our algorithms know how to use this data.
Nath: Earlier, you were not concerned with what you were doing with the random data you were collecting, but now, the cause of concern is we should be knowing why is one collecting data. We should be looking at the fact that the data we are collecting is relevant to the purpose for which data is being collected. The proportion of data collected should be looked into within the framework.
Raghavan: We are going back to a list-based approach. In our country, currently we have a list where this sensitive personal information is collected. Challenge of big data is that you don’t need a list anymore. We have come to a point where we say whether genetic are sensitive or not. But parking that for a moment, I think why do we have this law, what are the objectives of regulation? If you are saying it is to give people agency and to protect them from harm then it’s a great time to have national conversation but what is the harm we want to prevent because I do think the difference between paper files and I think in literature it’s called the “safety of obscurity”. It is that when you digitise this there is limited safety of obscurity. Again, I think there are great benefits to having large data assets. I use Google Maps every day, Uber every day. So, it would be ridiculous for me to say that I don’t want technology-based services. But, we know we can build these technologies both hardware and software in a way that doesn’t collect relevant information and people are doing it right now.
Nath: Apps is an unregulated market. Now, I have an app that does not need access to my microphone, etc. It’s an app for alarm. So, these are things that are being looked at, not that they are not being looked at.
Pahwa: I agree with you. My base point for algorithm piece is just because at this point in time, we don’t know necessarily what an algorithm is going to do, this is a conversation happening globally about the ethics of algorithm and effectively regulating how algorithms function. So, we need to have that conversation now because the first point I made was of market failure when it comes to data collection, second was the fatalism that exists in the market. So, I am saying we should not be fatalistic about it and look at ways and means of ensuring that citizen’s rights are protected through data privacy consultation.
Ramanathan: There is a reason to why the European Union has taken a position. I think it’s because they respect their citizens. State has to make a decision whether it has to protect citizens or if it is only for corporate interest. That’s a kind of decision that has to be made. Second thing, surveillance is not the only thing about data but I too think that surveillance is an important part of it but it’s not only surveillance, its tagging tracking, profiling.