30 Under 30 2024

Freedom from Monitoring: India Inc Should Push For Privacy Laws

More surveillance than absolutely necessary actually undermines the security objective

Published: Aug 21, 2013 06:42:31 AM IST
Updated: Aug 16, 2013 01:49:23 PM IST
Freedom from Monitoring: India Inc Should Push For Privacy Laws

I think I understand why the average Indian IT entrepreneur or enterprise does not have a position on blanket surveillance. This is because the average Indian IT enterprise’s business model depends on labour arbitrage, not intellectual property. And therefore they have no worries about proprietary code or unfiled patent applications being stolen by competitors via rogue government officials within projects such as NATGRID, UID and, now, the CMS.  

A sub-section of industry, especially the technology industry, will always root for blanket surveillance measures. The surveillance industry has many different players, ranging from those selling biometric and CCTV hardware to those providing solutions for big data analytics and legal interception systems. There are also more controversial players who provide spyware, especially those in the market for zero-day exploits. The cheerleaders for the surveillance industry are techno-determinists who believe you can solve any problem by throwing enough of the latest and most expensive technology at it.

What is surprising, though, is that other indigenous or foreign enterprises that depend on secrecy and confidentiality—in sectors such a banking, finance, health, law, ecommerce, media, consulting and communications—also don’t seem to have a public position on the growing surveillance ambitions of ‘democracies’ such as India and the United States of America. (Perhaps the only exceptions are a few multinational internet and software companies that have made some show of resistance and disagreement with the blanket surveillance paradigm.)

Is it because these businesses are patriotic? Do they believe that secrecy, confidentiality and, most importantly, privacy, must be sacrificed for national security? If that were true then it would not be a particularly wise thing to do, as privacy is the precondition for security. Ann Cavoukian, privacy commissioner of Ontario, calls it a false dichotomy. Bruce Schneier, security technologist and writer, calls it a false zero sum game; he goes on to say, “There is no security without privacy. And liberty requires both security and privacy.”

The reason why the secret recipe of Coca Cola is still secret after over 120 years is the same as the reason why a captured soldier cannot spill the beans on the overall war strategy. Corporations, like militaries, have layers and layers of privacy and secrecy. The ‘need to know’ principle resists all centralising tendencies, such as blanket surveillance. It’s important to note that targeted surveillance to identify a traitor or spy within the military, or someone engaged in espionage within a corporation, is pretty much an essential. However, any more surveillance than absolutely necessary actually undermines the security objective. To summarise, privacy is a pre-condition to the security of the individual, the enterprise, the military and the nation state.

Most people complaining online about projects like the Central Monitoring System seem to think that India has no privacy laws. This is completely untrue: We have around 50 different laws, rules and regulations that aim to uphold privacy and confidentiality in various domains. Unfortunately, most of those policies are very dated and do not sufficiently take into account the challenges of contemporary information societies. These policy documents need to be updated and harmonised through the enactment of a new horizontal privacy law. A small minority will say that Section 43(A) of the Information Technology Act is the India privacy law. That is not completely untrue, but is a gross exaggeration. Section 43(A) is really only a data security provision and, at that, it does not even comprehensively address data protection, which is only a sub-set of the overall privacy regulation required in a nation.

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.
The Indian ITES, KPO and BPO sector should be particularly pleased with this development. As should any other Indian enterprise that holds personal information of EU and US nationals. This is because the EU, after the enactment of the law, will consider data protection in India adequate as per the requirements of its Data Protection Directive. This would mean that these enterprises would not have to spend twice the time and resources ensuring compliance with two different regulatory regimes.

Is the lack of enthusiasm for privacy in the Indian private sector symptomatic of Indian societal values? Can we blame it on cultural relativism, best exemplified by what Simon Davies calls “the Indian Train Syndrome, in which total strangers will disclose their lives on a train to complete strangers”? But surely, when email addresses are exchanged at the end of that conversation, they are not accompanied by passwords. Privacy is perhaps differently configured in Indian societies but it is definitely not dead. Fortunately for us, calls to protect this important human right are growing every day.

(This story appears in the 23 August, 2013 issue of Forbes India. To visit our Archives, click here.)

Post Your Comment
Required, will not be published
All comments are moderated
  • Vikram K

    Great read!!

    on Aug 27, 2013
  • Rufo Guerreschi

    Congrats for a a bright, deep and comprehensive analysis of the policy priorities in regard to large-scale surveillance abuses, and the civil rights AND economic rational for India to promote adequate policies, which may very well apply to Europe. He furthermore convincingly argues how privacy and security are no zero-sum-game, but a prerequisite one of the other, as I also argued in a recent post. Privacy is a necessary but non sufficient condition of individual, collective and business security. I believe though that “privacy by policy”- through appropriate laws and Terms of Use, even if perfectly implemented – may unfortunately end up creating just a dangerous smoke in the mirror, unless such laws also embed solid clauses inspired to the paradigms of “security by design” and “security through transparency”. Service and technology providers, public and private, beyond a certain size, should be mandated to regularly submit, for review by experts AND anyone, all software, hardware, and especially procedures that affect in any way the security, privacy and authenticity levels of their offerings. Such offerings would be evaluated according to regularly updated guidelines, managed by independent oversight boards, the ability of hardware, software and procedures – as well as the actual intensity and quality of independent security review – to intrinsically and inherently guarantee that the actual levels match the stated levels, at present and any given time in the past. In fact, intrinsic “privacy and security by design”, devoid of any need for trust, was the core invention at the basis of the engineering of democratic political regimes, exemplified by the rule concerning proper ballot-box democratic voting procedures. Just as the International Institute of Democratic and Electoral Assistance for decades has provided crucial and largely independent assistance and review for governments electoral processes world-wide, it could be advisable to promote the constitution of a similar – but even more independent and extremely competent – international body that may provide similar assistance, review and certification processes to improve and assess the actual levels of security, privacy and authenticity of communication service offerings by large public and private providers. Rufo Guerreschi, Exec. Dir. Open Media Cluster Founder of the User Verifiable Social Telematics Project I made a blog post out of this comment: http://www.rufoguerreschi.com/2013/08/23/for-an-international-institute-of-privacy-and-security-assistance/

    on Aug 23, 2013