Situation Report On Privacy In A Surveillance Society

_{Pic Courtesy: http://www.cwjefferys.ca}

When pondering over the privacy debate wherein our nation is debating the need for a privacy bill and the need for data storage under Indian legal jurisdiction, I am invariably reminded of illustrations in old encyclopaedias of the early white settlers trading trinkets for native treasure as it has interesting parallels with todays data aggregator MNC’s. The rapidly expanding data generated by our population in its daily activities is mostly stored in data farms outside the country and is being exploited in a variety of ways that has resulted in the MNC’s becoming multi billion dollar enterprises.

On the one hand we have first world countries with tough privacy laws strictly enforced as the citizenry is fully aware of the repercussions and the dangers to not having those laws. On the other hand we have our nation where the citizenry exists right from the Jarawas (a tribe in the Andamans) still in the stone age to a large illiterate/ semiliterate population and a rapidly growing middle class in a bustling democracy that is going to have a 100 % digitised economy by 2020, still debating whether should we have a law to govern privacy !

The arguments are downright silly ranging from that we Indians have a different cultural perception of privacy to our outsourcing industry will suffer etc. If we logically take such arguments to a conclusion, it can also successfully be argued that we should reintroduce sati, untouchability etc and for good measure legalise manufacturing of heroin as all these activities will find some resonance in sections of our population and heroin production can generate huge revenues for our farmers outstripping our outsourcing revenues of 150 billion USD rapidly benefitting a larger section of the population.

The truth is that such thoughts are planted by the representative bodies of our software outsourcing industry that represents the interests of Western MNC’s and their deep state, not of the Indian nation. The outsourcing industry works because of the difference in labour costs in the West and in third world countries. This has nothing to do with the fact that we have no privacy law and in exchange for giving up our citizens interests and endangering our national security is a munificence gifted to us by the West. A case in point is China which has always looked after its national interests but still has the largest outsourced manufacturing sector. The recent over turning of the ‘safe harbour‘ principles by the European Union courts after the Snowden revelations is a pointer in this direction.

A privacy law is a dire necessity especially in the information age as it directly affects the citizens in all fields of human endeavour including the economic, social and political dimensions. At the national level it also has grave national security implications.

I have appended a paper below, which I wrote a couple of years back to give an over view of the issues involved.For those interested in the original paper which also gives a detailed bibliography I shall post a link to the paper which I have posted on Academia.edu.

————————————————————————————————————————————————————–

Introduction and Background

“The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, thoughts, feelings, secrets and identity. The right to privacy enables us to choose which parts in this domain can be accessed by others, and control the extent, manner and timing of the use of those parts we choose to disclose.”

“ . The creation, collection, storage and processing of our personal data in the electronic form is a ubiquitous phenomenon. Every time we pass an electronic tollbooth on the highway, use a cell phone or a credit card, use a loyalty card at a retailer, our locations are being recorded, analyzed and stored. Similarly when we submit an insurance claim, pay our utility bills, interact with the government, or browse websites, the data collected and inferences gleaned grows finer and our names are then linked with our actions and preferences and stored in giant databases that keep expanding at a geometrical rate.”

“Our physical bodies are thus constantly shadowed by an increasingly comprehensive bubble of data which ensures that before we arrive somewhere, we have already been identified, measured and classified. We are then treated according to whatever criteria have been correlated to the profile that represents us.”

The quantum of vehicle insurance premiums, for example, can be linked to accident or driving data, which would be accessible to insurance companies that could lead to varying premiums. “When we apply for jobs, companies could check our health records to see if we are deemed to be part of a high-risk group for developing health problems, and the company may not want to hire employees who might get sick in the future. Since these checks would be happening in the back ground through specialized service providers who have access to public health data, candidates may not even be aware of the reason for their rejection”

“Organisations who have access to ‘big data’ on personal information have the capability to influence the behaviour of those whose data is being held. Marketing and advertising are obvious examples. The more that a marketing company knows about prospective customers, the better tools they can formulate for targeted marketing. Marketing and advertising are nothing but subtle forms of manipulation, which involves creating desires at the right moment, in precisely the right way, to induce a desire in the minds of the customer. In the same manner, governments collect citizen data for planning, detection of frauds as well as tax evasion. Similarly intelligence agencies collate colossal amounts of data about everyone to combat terrorism.”

“Such all pervasive surveillance and data collection has led to a situation were governments and some large private organisations know more about us while we have only a vague idea of who these organisations are and what they are up to. As a result an increasing number of organisations have the capability to monitor, manipulate and influence us in various situations and with varied motives the dimensions of which are yet to be understood by the vast majority of the global population. Emerging technological discoveries and innovations further complicate this dizzying landscape and have led to a feeling of entire societies and cultures increasingly losing its moorings and spiraling out of control. ”

“There has always been a conflict between a citizen’s right for privacy and his requirement for security. In certain situations his requirement for security would far exceed his desire for privacy. In such situations he would be willing to sacrifice his privacy in order to ensure his security. Privacy is thus not an absolute right.” It is difficult to define the right to privacy, as privacy is not purely a legal term. It has psychological, social, cultural and political aspects.

“Advances in technological capabilities have immensely increased the ability of the state to carry out surveillance upon its subjects. This capability can have both positive and negative fallouts, for e.g., it can be used to curtail rights or it can be a vital tool in preventing and detecting crime. While we cannot ignore the numerous benefits increased surveillance has brought about we have to devise ways and means to ensure that the state remains accountable for its actions. Unfettered discretionary powers could lead to undesirable fallouts. Hence this entire business of surveillance should be carried out within some form of legal frame work with built in oversight mechanisms which are acceptable to society at large.”

Image: An overlap of Security and Privacy, courtesy http://security-today.com

Thus the digital world creates and enables new uses of ‘big data’, in the ways it is collected, processed, saved and distributed. “Improvements in technology has thus created new business opportunities, and on the other hand, new threats to privacy. Privacy, though seen as a basic human right and an essential element in creating a safe environment for electronic trade can also be used to disguise criminal and terrorist activities, thus attracting the attention of police and intelligence agencies.”

“Mass surveillance is nothing but surveillance on a large scale were the foot print covers whole or large part of the populace. It is more often carried out by leading intelligence agencies but may also be indulged in by companies for commercial reasons. We also have examples of large corporations carrying out surveillance on behalf of intelligence agencies. The proclaimed justification for mass surveillance can be from preventing terrorism to fighting child pornography.” “There is a fear that mass surveillance may lead to a situation were information in the hands of wrong people may be used to crush political dissent and undermine democratically elected governments.” “An example of mass surveillance carried out by commercial organizations to obtain data for targeted marketing are the loyalty cards issued by large retail houses by which customers personal data is collated against his shopping habits and preferences in exchange for small discounts.”

“Large corporations like Google and Facebook run programs for collecting user information on a regular basis. Some such programs are AdSense and OpenSocial, which are effectively feeding user information about sites, visited, social connections etc. to Google. Facebook also has similar programs. This data is valuable for those in marketing for profiling users, predicting trends and evaluating web site marketing performance. These corporations, realizing the huge commercial value of this data are becoming increasingly guarded about revealing or parting with this data. With the advent of the smart phone, monitoring capability has got an added boost with features like geolocation. Geolocation has given mobile service providers and other web sites like Google, which uses location services, an enhanced capability of continuous monitoring and recording of location and habits mostly without knowledge of the lay user”.

Global Surveillance – Current Reality

“The extend and reach of US agency NSA’s electronic surveillance tentacles was revealed to a stunned world by an ex- contractor, Edward Snowden, in June 2013 in what is now known as the Snowden Revelations.”. It also became clear, though it was always in the realm of conjuncture, that the NSA had operated a complex web of spy programs. These programs allowed it to intercept internet, fax and telephone conversations from over a billion users from dozens of countries around the world. Published documentation reveals that many of the programs indiscriminately collected bulk information directly from central servers and internet backbones, which almost invariably carry and reroute information from distant countries. Due to this central server and backbone monitoring, many of the programs overlapped and interrelated among one another. NSA was also revealed to have been directly aided by intelligence agencies of UK, Canada, New Zealand and Australia, as well as by large private telecommunications and internet corporations, such as Microsoft, Apple, Verizon, Telstra, Cisco, Yahoo, Google and Facebook. It was also revealed that 70 percent of the United States Intelligence Community’s budget is earmarked for payment to private firms such as Lockheed Martin and AT&T for favors rendered like accessing international phone records. British Telecommunications has done an encore by granting GCHQ (Britain’s intelligence agency) unlimited access to its network of undersea cables. Similarly Microsoft has helped NSA to circumvent software encryption safeguards and allowed the FBI to monitor web chats on the Outlook.com portal. In 2013, Microsoft worked with the FBI to allow the NSA to gain access to the company’s cloud storage service Sky Drive. RSA Security gained USD10 million from NSA to introduce a backdoor in its encryption products. Vodafone similarly granted Britain’s intelligence agency GCHQ unlimited access to its network of undersea cables. Numerous other revelations continue to get published and has completely destroyed International trust in the global ICT industry.

As of today we have no comprehensive policy or law governing electronic collection, utilization or sharing of data that could infringe a citizen’s private domain. Since the 1960s, the Indian judiciary, have dealt with the issue of privacy, both as a fundamental right under the Constitution and as a common law right. The common thread through all these judgments of the Indian judiciary has been to recognize a right to privacy, either as a fundamental right or a common law right, but refrained from defining it. Instead the Courts have preferred to have it evolve on a case-by-case basis.

Review of International Practices.

Various countries have defined their privacy requirements and legislated the requirements for the protection of personal data to prevent harm to citizens in varying manners. The following table attempts to represent the derivation of privacy requirements as articulated by OECD Privacy Guidelines, EU Data Protection Directives, APEC Privacy Framework, Canada PIPEDA (Personal Information Protection and Electronic Documents Act), and Australia ANPP (Australia National Privacy Principles).

Privacy principles such as Notice, Consent, Collection Limitation, Use Limitation, Access and Corrections, Security/Safeguards, and Openness are the common threads which cut across these frameworks. The principle of Enforcement, which APEC calls as Preventing Harm, is introduced by APEC, EU and the Canadian privacy enforcement regimes. The EU Data Protection Directive, OECD Guidelines and APEC framework additionally deals with the subject of Trans-border data flow. Australia’s ANPP specifically prescribes de-identification of the personal information. These are frameworks from which an Indian framework can be derived keeping our national interests in consideration.

Information Security – The Way Forward

The correlation between privacy and security of the data needs no further emphasis in a world where global surveillance is the norm. Individual privacy cannot be ensured when our entire public cyber infrastructure is inherently insecure and open to snooping. The cyber world post Snowden is going to see dramatic upheavals. ‘Security is the only service that cannot be outsourced’ is a truism that sadly has not been fully understood by the Indian nation. The failure of our strategic community to foresee the inherent dangers to national security by blindly trusting foreign MNC’s and allowing our critical infrastructure in the cyber domain to be built on compromised software and hardware is a success of the western IW system. Currently there is no overarching policy governing the collection and use of information by the government. This has led to ambiguity over who is allowed to collect data, what data can be collected, what are the rights of the individual, and how the right to privacy will be protected. The extent of personal information being held by various service providers, and especially the enhanced potential for convergence that digitization carries with it is a matter that raises issues about privacy

It is now clear that security in the cyber domain can be achieved by :-

• Technology, social, economic and other sciences.

• Large scale actions in indigenous public private partnerships.

• A vibrant techno legal ecosystem for a trustworthy Information Society

.• International cooperation, for creating trust in global transactions by transparent processes.

All future projects must ensure strong interplay with legal, social and economic research in view of development of a techno legal system that is usable, socially accepted and economically viable. A comprehensive review of existing critical infrastructure and migration to indigenous open source technologies has to be carried out. Enabling laws to ensure that data generated in India has to be securely stored in Indian Territory under Indian jurisdiction is enacted.

Conclusion

The Snowden revelations and the surveillance activity carried out by USA and its allies have led to a global uproar. The intimate relationship between western IT giants and the security establishments of the West has shaken the very foundation of cyber space and the global information and communication industry (ICT). The next couple of years are likely to bring out the repercussions of these yet unfolding revelations. For other nation states the information leaked so far has revealed that western MNC’s and their technologies have been leveraged for a competitive advantage for economic and diplomatic gains by the US intelligence apparatus. The dangers to national security from the big data stored on the server farms of the giant MNCs are but the tip of the iceberg.

The majority of global cyber space and communication networks are mostly built using Western and Chinese hardware and software solutions having proprietary closed source codes. Although there were constant alarms on the dangers to vital communications networks by usage of Chinese equipment, the Snowden revelations have unequivocally brought to the world the dangers of depending on equipment built using proprietary source codes whatever be its origin. The realization that the global networking infrastructure built up in the last couple of decades are porous and more frighteningly can even possibly be not under the control of the user and can be shut down remotely are possibilities which are now increasingly clear to the entire global cyber security establishment.

National critical ICT infrastructure has to be based on verifiable open source protocols is a foregone conclusion post Snowden revelations. Enabling government policies and legislations for promoting indigenous infrastructure, data storage of the Indian population under Indian national jurisdiction are the need of the hour. This can only happen by creating awareness among various stake holders, informed debates in Parliament and investigations by Parliamentary committees into the deep nexus between the global ICT industry and elements responsible for policy inputs to the government for procurement of ICT hardware and software. The Snowden revelations can be used to leverage this without causing major ripples in international relations. Networking solutions built on open source technologies are the future and will see a tremendous growth in the coming years. Organizations and nations, which adapt faster bringing about enabling laws to adopt open source technologies, will see increased customer confidence and will have a competitive advantage over those who are slower to respond.

In this changed paradigm, government and the civil society need to debate and build legal regimes and practices which are transparent and which inspire trust among individuals, and enhance their ability to control access to their data, even as economic value is generated out of such data for the common good.