The looming question of data privacy

The internet knows all: Data privacy breaches are a rising occurrence even as the world becomes more internet dependent in daily life   -  ISTOCK.COM

More and more people and organisations are online, leaving digital footprints every step of the way. Taken together, this data trail is a much sought-after commodity, monetised by businesses. It can also prove to be destructive in the wrong hands. Individuals, organisations and the government scramble to safeguard personal data and privacy in the age of the internet

Ever had a conversation on the phone, only to find an ad related to your conversation pop up on a social media platform moments later? Gone on a Tinder date and come back home to find sponsored posts from that particular cafe? It feels like our best friend the smartphone is spying for someone even as we speak.

The issue of privacy breach came to light once again when Union minister for road transport and highways Nitin Gadkari stated in response to a question in the Rajya Sabha on July 10 that the government had given 87 private companies and 32 government entities access to the ministry’s Vahan (vehicle registration) and Sarathi (driving licence) database for a sum of ₹65 crore.

Early in March this year, cybersecurity researcher Bob Diachenko from Germany discovered that over 12.5 million Indian women’s medical records were available online without a password. Despite being alerted, the ministry of health and family welfare took its time to get CERT (Computer Emergency Response Team), the country’s nodal agency for cybersecurity, to fix the issue. Details related to ultrasound scans, pregnancy complications and abortions, among others, were on view for three whole weeks, in a major breach of privacy and doctor-patient confidentiality.

In June 2018, 2.5 lakh students’ names, phone numbers and roll numbers for NEET, the medical college entrance exam, were available for sale online. Aadhaar-related leaks are frequently reported in India, with cooking gas supplier Indane alone blamed for outing millions of numbers through two different leaks.

Data breach: TMC MPs protest in Parliament against the sale of students’ data, demanding preventive laws   -  SANDEEP SAXENA

 

Now that individuals, organisations and institutions all have an increasingly active presence on the Web, there is growing concern about the risks posed by the digital footprints we leave behind — namely, the trail of details such as websites visited, emails sent and so on.

An added threat arises when institutions — both public and private — end up compromising user details by not putting adequate safeguards in place. This is why legislators and activists around the world are pushing for laws to secure personal and other digital information, commonly referred to as ‘data’.

However, that may not be all that simple. “A law cannot fix what is broken in technology,” says Srinivas Kodali, a Hyderabad-based independent researcher on open data resources and data protection. He is referring to the nature of the tech industry where data would be the biggest revenue generating source.

How does the breach of data affect the ordinary citizen? Experts say that it may have an impact in different ways: Outed bank details can lead to financial fraud, mark sheets can trigger cyber-bullying, and private information can be the basis for blackmail or other criminal activities. Private data out in the open can also spark psychological problems. And being the target of focused advertising can be a menace. Companies can use a person’s data, such as search history, for instance, to know more about the person, and thereby target him or her with customised ads.

To draw such insights from unstructured data — known as ‘big data’ — we have data science, which is an umbrella term for the algorithms and other analytical processes involved in this. This field has been steadily gaining ground since the turn of the 21st century, with more data becoming readily available as more and more people go online for work and recreation.

Bringing in change: After the Personal Data Protection bill comes into effect, it will be illegal for private companies to ask for one’s biometric information without explicit consent   -  KAMAL NARANG

 

The Indian government is taking a leaf out of the book of big corporations such as Amazon and Instagram that monetise people’s data. In the 2018-19 Economic Survey released on July 4, an entire chapter is dedicated to data, titled ‘Of the People, By the People and For the People’. It outlines the various categories of data that the government has, such as administrative (vehicle registration records, land surveys and so on), institutional and transactions (from the digital payment app BHIM, for instance), and talks about monetising them for “public good”.

The government has thus been giving mixed signals on its approach to the question of data protection. On the one hand, it overlooks the risk of misuse posed by data collection mechanisms such as Aadhaar and the sale of private data, and on the other, it is bringing in the Personal Data Protection Bill “to arm the individual with data protection rights”.

Self-help for data safety

As the wait for an effective law continues, individual users are looking at ways to protect their online presence.

Turning their backs on popular applications such as Facebook, Google and WhatsApp, a growing number of people are flocking to alternatives with more safety features such as Duck Duck Go (search engine), Proton Mail (e-mail) and Signal (instant messaging). Then there’s Whoscall for those who are wary of Truecaller, the popular app used to identify unknown callers. A paid service, Whoscall claims to use authorised user data internally, as opposed to third parties. Truecaller makes no such claim, and was misused by Syrian hackers in 2013.

Gmail, owned by search giant Google, was found to give data companies and app developers access to private emails, according to a 2018 report in The Wall Street Journal. To prevent unauthorised access, Proton Mail provides end-to-end encryption, whereby messages are stored in the form of a code. The company has no access to the user data. To ensure transparency, the software and encryption algorithms it uses are open source, which means any security expert anywhere in the world can inspect them.

Signal also uses encryption and, unlike WhatsApp, does not collect metadata (all information other than the content of the message itself, including location, timestamps, frequently called numbers and so on). WhatsApp sends the metadata to its parent company, Facebook. Facebook Messenger doesn’t automatically encrypt conversations — you have to select the ‘secret conversations’ tab each time.

The more than decade-old search engine Duck Duck Go does not gather IP addresses, search history or other data, nor does it create any user profile. It currently handles around 40 million searches a day, according to The New York Times. It has no ad trackers, which means it will not share your search history with companies that use it to send advertisements based on your search. In 2006, search engine AOL had anonymously released the search logs of over 650,000 users — 19 million searches over a three-month period. A class action suit was brought against the company under the privacy laws in the US to prevent it from saving search history data. Search engines, like any other website, can be hacked, or the user data could be given to law enforcement agencies.

Unlike Google or Bing, US-based Duck Duck Go does not customise search results according to demography. This is important because such demographic information can enable anyone, with the support of a search engine, to manipulate the choices of that population group.

Duck Duck Go has conducted studies on how Google has influenced voter preferences in the US through the use of a ‘filter bubble’. A term coined by Eli Pariser, the internet activist and CEO of popular content website Upworthy, a filter bubble refers to the manipulation of search results based on personal data such as location, search queries and purchase history. The ‘relevant’ results can thus be used to reinforce existing biases and beliefs. Tech companies including Google, Facebook and WhatsApp have been accused of influencing elections, including in India, in this manner.

Better easy than safe?

Interestingly, despite concerns over privacy, Duck Duck Go, which raised $10 million funding in 2018, has only a negligible 0.39 per cent of the market share in search applications.

Kodali blames users’ reluctance to switch to safer alternatives on what is known as the ‘network effect’. “If people around you are using a particular application, then inevitably you end up using the same app. While earlier it was possible to message across platforms like Yahoo Messenger and other IM (instant messaging) services, that option is not available to users anymore.”

Those using Proton’s encrypted mail service face a similar conundrum. As Gurugram-based user Akshay Khandelwal (33) explains, “Unless everyone else in your messaging list uses the service, the encryption won’t work because you’re sending it to other apps such as Google or Outlook, which don’t use that facility. The only places I know where this works is in cybersecurity and tech offices.”

Another drawback of Proton Mail is the absence of data storage capacity. “Only 500 MB of available space is a disadvantage, considering all the email attachments one gets,” says Khandelwal. Moreover, since the service is completely encrypted, there is no password recovery possible if one gets locked out.

Big Brother WiFi

Another potential source of threat to data safety is the group of smart home systems, speakers, car systems and other gadgets that are collectively known as IoT (internet of things) devices. It was long suspected that they collect ambient data — that is, the devices gather information when not in use.

Google recently admitted that its employees were listening to the ambient data collected by the Google Home personal assistant device, purportedly to help improve the AI, or artificial intelligence, software used by them. Since this data is collected without the user’s knowledge, it raises security and surveillance concerns. Criminals can, for instance, potentially hack security cameras to break into homes and offices. Even more terrifyingly, hackers can take control of your unsecured devices and deny you access by taking down portions of the internet through what is known as DDoS (distributed denial of service) attacks.

Today, many offices, apartment complexes and other private institutions use biometric devices to register attendance or for identification, leaving more people vulnerable to data leaks and identity thefts. Some companies are taking it a step further. American co-working space WeWork, for instance, has acquired a tech company called Euclid that calls itself a spatial analytics platform. It tracks over WiFi how employees spend time at the workspace; the idea is to optimise the workspace so that every inch is utilised to the optimum. WeWork plans to sell the software to companies outside the co-working space too.

Says Kodali, “It is difficult to gauge the extent to which data breaches can affect us, since this is still an evolving field, but newer attacks are coming up every day.” He mentions a case reported from Telangana in 2015 where a man hacked into a school’s exam results database and began targeting under-performing students by posing as an education consultant and demanding sexual favours from them. The case came to light after he was finally caught when someone complained to the local police. There are also frequent reports of financial frauds involving the hacking of credit card and banking details from third-party websites.

Explicit consent

The European Union was the first political entity to come up with a regulation for data protection in 2018. Its General Data Protection Regulation (GDPR) will be the primary law governing how private entities protect EU citizens’ data. In India, the Personal Data Protection Bill that is about to be tabled in Parliament categorises data into personal and sensitive, which includes biometrics.

Leading the way: In 2018, the EU was the first political entity to come up with GDPR, a regulation for data protection   -  Getty Images/iStockphoto

 

Last week, parliamentarians Pinaki Mishra from Biju Janata Dal (BJD) and Jayadev Galla of Telugu Desam Party raised data safety concerns related to the China-based short video platform TikTok. “TikTok was spreading fake news and malicious content within India while also sharing Indian user data with China,” Mishra had said. He later added, “Information and data are the new oil of the 21st century. This is how society is going to be driven forward. So, whoever controls data will be in a powerful position to control our lives.”

Kodali goes so far as to compare giving away one’s data to “giving away one’s free will”.

The government on July 17 issued a notice to TikTok asking it to respond to concerns that it was being used for “anti-India activities”. The platform had earlier been sued in the US for $5.7 million for collecting information such as names, addresses and email addresses from 13-year-olds. After a brief period of ban in India in April 2019, TikTok introduced an age limit, parental controls and limits on its use by teenagers. The company also claims it stores the data of Indian citizens in Singapore and the US, and not China.

Rupal Bisht, a mother of two teenagers in Gurugram, says it is virtually impossible to keep the kids off Instagram, Facebook and other social media apps since all their friends are on them. She has put in some restrictions, though. “I make sure the location settings are off at all times, they aren’t allowed to reveal their location. They access their accounts from my devices, and both have private profiles. I monitor their content for any security concerns.” While the dangers posed to a child’s safety by features such as location tracking cannot be overstated, it’s also a fact that while an adult chooses to give away his data, no such consent is involved in the case of a minor. “This is precisely why the SC has granted permission to children who have an Aadhaar card to delete their numbers, if they so choose, after they turn 18,” Kodali points out.

The Tribune, in a sting last year, was able to obtain the Aadhaar data of a billion people.

Says Kodali, “After the Personal Data Protection bill comes into effect, it will be illegal for private companies to ask for one’s biometric information without your explicit consent.”

In case of a leak, individuals will be able to raise a complaint with an adjudicating officer appointed by a newly constituted data protection authority. The law also envisages measures to avert such leaks in the first place.

Apar Gupta, founder of Internet Freedom Foundation, an organisation working towards net neutrality and online freedom in India, says the bill will have an incrementally positive effect. “Most of us agree to a lot of permissions when installing applications on our phones and other devices. No one probably reads them carefully, but these agreements permit the apps to gather personal data.”

The new regulation will enable people to understand better what kind of information is being taken from us, he says. The app cannot ask for any data that is not required for it to work. For example, an e-mail application on a smartphone cannot ask for access to the microphone unless there is a need, say, to use voice dictation.

“A person will have greater control over their data and where it is stored and utilised,” Gupta says.

The clause specifying that all foreign companies will be required to store the data collected from Indian citizens in India only has raised a lot of dust.

Says Rama Vedashree, CEO of Data Security Council of India (DSCI), who was part of the Srikrishna Committee that made recommendations to the government for the data protection bill, “Localisation doesn’t essentially guarantee data protection or cybersecurity. There needs to be a framework for privacy and data protection and access to data; where it is stored is not important. Even the EU GDPR does not mandate localisation. Framework with enforcement is the need of the day.”

Analytics for a living

Companies such as Microsoft India have free online courses that allow students, businesses, and legal professionals to familiarise themselves with data compliance, basics of GDPR, and other best practices in security. Data science has generated a slew of new jobs in data analytics and marketing, but with protectionist policies coming in, it remains to be seen how it will impact the big data industry.

Before the GDPR was finalised, a Deloitte study estimated its potential economic impact on the European economy: Reduction of GDP by €173 billion, leading to a loss of 2.8 million jobs in four sectors -- web analytics, direct marketing, online behavioural advertising and credit information (source: Business Line). In direct contrast, the US has placed restrictions in the form of sectoral regulations to protect privacy while making sure cross-border data flow is not greatly impacted.

Digital locks and keys

Currently, there are several ways in which apps safeguard user data. One of them is two-factor authentication, where users have to provide two different kinds of proofs (say a fixed password and another one-time password or OTP generated in real time) to gain access to the app.

Encryption is an older form of security (think Morse code); however, the threat here is from hackers, who are quick to break the code despite advances in cryptography.

The advent of the digital payment system Bitcoins brought with it another form of encryption called tokens. An arbitrarily generated number is substituted for sensitive data such as credit card numbers, bank account numbers, and social security numbers, and this code is stored in a separate database. Non-banking finance companies and credit card companies make use of such tokens. Indian banks and insurance companies have moved towards blockchain technology — where digital information can be distributed but not copied — to protect sensitive consumer data.
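The token substitution described above, as an added example (not code from the article or from any company it names): a vault kept apart from the merchant's order records swaps a card number for a random token, and only a named caller may reverse it. The class, function and caller names are hypothetical, the card number is a standard test value, and keeping the last four digits and forcing tokens to fail the Luhn check are assumptions of this example.

```python
import secrets
import sqlite3


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to card numbers; kept apart from the application database.
    A production vault would also encrypt the stored numbers (not shown here)."""

    def __init__(self, authorised_callers):
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE vault (token TEXT PRIMARY KEY, pan TEXT UNIQUE NOT NULL)")
        self._authorised = frozenset(authorised_callers)

    def tokenise(self, pan: str) -> str:
        if len(pan) < 13 or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        row = self._db.execute(
            "SELECT token FROM vault WHERE pan = ?", (pan,)).fetchone()
        if row:                  # same card always maps to the same token
            return row[0]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # last four kept for receipts
            if luhn_valid(token):
                continue         # a token must never look like a real card number
            try:
                with self._db:
                    self._db.execute("INSERT INTO vault VALUES (?, ?)", (token, pan))
                return token
            except sqlite3.IntegrityError:
                continue         # token collision: draw again

    def detokenise(self, token: str, caller: str) -> str:
        if caller not in self._authorised:
            raise PermissionError(f"{caller} may not detokenise")
        row = self._db.execute(
            "SELECT pan FROM vault WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError("unknown token")
        return row[0]


def demo():
    vault = TokenVault(authorised_callers={"payment-processor"})
    orders = []                  # stands in for the merchant database: tokens only
    pan = "4111111111111111"     # constructed sample: a widely used test number
    orders.append({"order_id": 1, "card_token": vault.tokenise(pan)})
    return vault, orders, pan


if __name__ == "__main__":
    vault, orders, pan = demo()
    print("merchant record:", orders[0])
    print("processor sees:", vault.detokenise(orders[0]["card_token"], "payment-processor"))
```

A leak of the merchant's order records in this setup exposes only tokens; the card numbers stay in the vault.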

Digital footprints are everywhere. It is difficult to visit any website or download an app without sharing some of your personal information, with some even requiring access in real time to do their job (logistics apps such as Uber and Google Maps and social media apps such as Tinder and OKCupid). An important judgement in 2017 in the context of data privacy is the Supreme Court of India’s recognition of privacy as a fundamental right.

Says Kodali, “Businesses have been regularly collecting data from customers and even others who visit them digitally. When you visit a website, you are observable not only by the site but also third-party trackers embedded in the website’s code.”

How does one arm oneself in such a scenario? Says Gupta, “Just like how we decide on a diet that is good for our consumption, one needs to look at a personal internet policy after evaluating one’s needs and concerns. It is always good to choose a service after finding out how much of your personal data it needs. Secondly, one must check whether it is trustworthy based on its past history.”

Gupta points out that the latest version of the country’s data protection bill that has been made public indicates that businesses will effectively get two years to comply with it. “The bottom line is that it is up to the people to remain vigilant and adopt the best strategies to make sure their personal data is safe.”

It is time to look at consumption patterns when it comes to technology, switch to safer alternatives, practise self-control and avoid over-sharing. While technology makes almost every aspect of one’s life more convenient, that comfort comes at a price. If you aren’t paying for a product, or an app in this case, you’re probably the product being sold.

What individuals can do

1. Keep different passwords across websites and apps. Memorising and using the same password can lead to a security risk in case a hacker gains access to your password on an insecure site. Avoid using facial recognition software.

2. Read the best practices and data protection policies of a company or organisation before providing them with your data online or otherwise.

3. Read the security settings carefully before signing into a website.

4. Incognito browsing mode — a private browsing mode provided on Google Chrome — is not, as the name may suggest, necessarily private, since companies can still access your IP address and other information even while using the private mode.

5. Stop saving debit and credit card information on sites.

6. Read up on laws meant to protect you in case of a data breach. While no specific legislation exists as of now, the proposed Personal Data Protection Bill is a move in this direction. Section 43A of the Information Technology (IT) Act states that a corporate found negligent in handling personal data or information is liable to pay damages.

7. Disclosure of information, knowingly and intentionally and without consent, has been made punishable with imprisonment of up to three years and a fine of up to ₹5 lakh.

8. While purchasing IoT devices, smartphones or any other smart systems, it is important to weigh in on the potential threats to one’s data security.

9. Beware of insecure networks such as public WiFi, since hackers often leave their WiFi free as bait. While surfing on public WiFi, be aware that the information you send is unencrypted and easily accessible.

10. Read the detailed manual on Electronic Frontier Foundation Self Defence League available on eff.org, for more information on safekeeping your digital presence.

For business enterprises

1. Collate information such as employee records, proprietary information and trade secrets in the form of hard copy as well as digital information.

2. Come up with a privacy policy that meets regulatory and legal requirements.

3. Provide employees with training in cybersecurity to identify threats.

4. Establish sound backup processes to offset any data breach.

5. Ensure network security is up-to-date, complete with a firewall and anti-virus software.

6. Establish a bring-your-own-devices policy, where the security network is established across smartphones and other devices that employees carry to office or use for business purposes.

7. Define data life-cycle, which determines for how long data must be held on to, or protected, since data security comes at a cost.

 

Published on July 19, 2019
