Securing the right to privacy

On August 11, 2015, a division bench of the Supreme Court recommended that a constitutional bench should determine whether privacy is a fundamental right.

While that outcome would be eagerly awaited, there is an urgent need to restart the stalled process for dedicated privacy legislation as recommended by the Justice Shah committee report in 2012.

Admittedly, the existing provisions under the Information Technology Act and elsewhere do not fulfil the need. This is why consultations have been happening at least since 2009 soon after the IT Act was amended.

Government initiatives such as Digital India and Pradhan Mantri Jan Dhan Yojana can indeed accelerate the process of inclusive and equitable development through citizen empowerment.

The biometric ID, Aadhaar, plays a pivotal role, with 900 million enrolments already and a million being added daily. Beyond the government endeavours, Indians have taken to mobiles and the internet like fish to water and various innovative services have emerged in areas as diverse as farming, education, healthcare, entertainment, and even travel and transport.

All such transactions and interactions leave a digital trail, often interspersed with personally identifiable information such as mobile numbers and income tax PAN as well as with personally sensitive information such as financial and medical records.

In India, banter between strangers such as fellow train travellers exchanging names, occupations, family details, incomes and even marital status, is not unusual but has relatively low risk of misuse as their paths are not as likely to cross as often as Bollywood would like us to believe. However, the risk is significantly higher if you share the PIN (Personal Identification Number) of a debit or credit card, whether out of blind faith or due to ignorance or, for that matter, by clicking on a fake link purported to be from your bank.

The Reserve Bank of India’s approval for eleven payment banks would also imbue a massive shift in digital transactions. In addition, the Internet of Things (IoT) and the draft human DNA profiling Bill would only compound the challenge. All the sensors connected to the internet would keep generating and transmitting data while DNA information would be stored digitally.

Hence, we need to foster end-to-end trust across the digital ecosystem so that what should remain private, remains so. All the same, with so many identifiers and the data deluge, it is not very difficult to identify individuals by interlinking discrete databases and yielding extremely rich profiles of groups and even individuals, thanks to the rapid pace of digitalisation, hyper-connectivity and Big Data analytics. Beyond bona fide usage for national security and law enforcement, such exercises can be misused for intimidation, blackmail and even actual threats, thereby bringing sharp focus on privacy within the realm of public policy.

Security and privacy are often depicted as counterpoints to each other as if one would have to be sacrificed for the other. However, in today’s digital ecosystem, they actually reinforce each other and have a symbiotic relationship. If our data is not secure, then neither is our privacy. Inadvertent disclosure as well as wilful theft of private information through a series of data breaches reported over the last two years account for about a billion records.

These have occurred across all parts and regions around the world — including government agencies, businesses large and small, celebrities and even individuals.

According to the Online Trust Alliance, nine out of ten such breaches could have been prevented if basic cyber security best practices were observed such as installing security software on mobile and computing devices, and using strong passwords, second factor authentication and end-to-end encryption.

However, privacy law should not be so onerous as to cause a chilling effect on innovation. Someone might be willing to share the location data with a map service while on the road hoping to get routing suggestions, but they also should be able to disable the functionality when they do not want their location to be tracked by the map service. User-friendly tools can provide such flexibility.

Obviously, beyond legislation, we need to use technology that enhances security and privacy. But we also need to create awareness amongst the public at large and empower them to make judicious choices in terms of what and when to share specific information and with whom and how.

After all, it would be a misplaced expectation to seek solace and solution in law and technology if people share private information with one and all through the social media, for example, under some inducement.

Such social engineering has become the new vanguard of cyber criminals. Likewise, the underlying principle for data collectors should be minimalism rather than an attempt to collect unnecessary and irrelevant data.

For example, if the over-the-counter reservation forms for railways do not have any field to capture the marital status of the applicant, what is the need for that while creating a user profile before booking a ticket online?

Beyond principle-based legislation, we need an enlightened citizenry and responsible businesses and government agencies, coupled with effective enforcement to secure our right to privacy.

The writer is the director of Government Affairs, India, Symantec