Privacy protection: India seems to be going the NSA-PRISM way, when it comes to surveillance

By Anita Gurumurthy and Amrita Vasudevan

It is a well known fact that privacy laws in India are not taken that seriously. We all register on social media websites and use their apps. But barely anyone of us bother to read through the terms and conditions. And social media sites could end up taking advantage of the fact. Most times knowingly (we know that the free service comes at the cost of our data and attention), and at times unknowingly (when data is shared with authorities). Recently, it was learned that social media sites such as Facebook, Instagram and Twitter were sharing data with third party apps such as Geofeedia. This is a location-based analytics platform that was used by American law enforcement agencies as a surveillance tool to track and monitor protest activity.

Contract - driven interactions

In the Indian context, there is little protection for such an activity by a third party site. India does not have data protection regime (apart from the limited Sensitive Personal Data Rule, 2011 - but this is limited to only certain kind of data that is listed and does not cover photos, messages, contact lists, etc., available on social media sites). In the absence of such a regime that most countries in the North have, our interactions with social media apps are only contract driven - that is, bound by the dense and often overlooked Terms of Service, which we just 'accept' with a click.

These agreements are boiler plate - and there is no room for negotiation. Take for instance, Uber's user agreement where the user gives up total control over data through royalty-free licenses that Uber grants itself, through its terms and conditions. Please note that this is a "worldwide, perpetual, irrevocable, transferable, royalty-free license with the right to sublicense, to use, copy, modify, create derivative works of, distribute, publicly display, publicly perform, and otherwise exploit in any manner” user data. This actually means that what Uber then does with the data for commercial gain is something we write off just by downloading the app and beginning to use Uber.

In the National Privacy Principles developed by the Group of Experts on Privacy lead by Justice Shah, Principle 6: Disclosure of Information Principle states that: A data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure.

Thus, reiterating the fact that if we had data protection legislation - it would give us some standing with respect to use / misuse of our data.

Who's responsible?

But coming back to the case of Geofeedia sharing data available via Facebook and Twitter's APIs with law enforcement authorities, who could misuse it to fulfill their purposes, who would the ultimate onus lie with? Is it Geofeedia who is to be held accountable or is it the original social network which is sharing its APIs with third parties which are then using it for their own purposes.

There are different situations here - one is social media companies providing of data to law enforcement agencies, and the other is sharing of data for commercial purposes.

With respect to first kind - in India we seem to be going the NSA-PRISM way with respect to surveillance by setting up the Central Monitoring System (CMS). Unlike earlier surveillance regimes, CMS will not require the intervention of any communication/ internet service provider (ISP), and can directly monitor communications in real time. There are no legal safeguards against misuse of communication information, or frameworks of accountability of law enforcement agencies. At this point since we do not know what the data retention guidelines (that are expected to be issued) will look like - but the consequences of a CMS can be chilling.

I don't think we can say what effect the guidelines will have on the CMS, but if the government has direct access to communications and need not go through the intermediary at all, then these retention guidelines seem futile. Especially since the CMS requires no trigger for surveillance. Communication service providers are subject to licensing conditions that require direct access to communications without a warrant.

On the other hand, Section 67C (under which the retention guidelines are to be issued) is very wide, and does not provide circumstances under which data may be retained. The guidelines that are imminent could provide some clarity, and also limit the duration for which social networks can retain user data.

On commercial sharing of data- as stated earlier, in India we are at the mercy of the copious T&C that we sign on to, to be able to access the benefits of the platform. The advertising model for revenue generation that most internet companies rely on requires the collection of user data to target their advertisements. Essentially, services that are given to us ‘free’ - like Facebook, Gmail, Twitter or Uber are being subsidised by our data.

Privacy policies are fluid

Sometimes, privacy policies are altered post clicking ‘accept’ in ways that compromise the users’ privacy. (Again, you just don't have any other option except to opt out), and often, when such alterations happen, terms of use deem the continued use of the application as acceptance of revised privacy policies.

WhatsApp had post its acquisition by Facebook suddenly announced changes to its privacy policy which would allow it to share user data with Facebook. Two students had challenged WhatsApp’s revision to its privacy policy before Delhi High Court. The Court dismissed the petition insisting that users could opt out by deleting their accounts.

When a similar challenge was mounted before the authorities in UK, Facebook had to put a pause on their data sharing - and this was because of its strong data protection policy. Under the UK data protection law, the company has to inform the authority established under the Act of any changes in the use of user data. In the case of WhatsApp, the UK authority objected to such sharing.

When Windows 10 was launched, users were allocated an advertising ID for targeted advertising and data collection by Microsoft's personal assistant, Cortana. What we see is that a decision on whether or not to trade my privacy for a service is not left to the user. Privacy experts and human rights activists have been arguing that a better approach to managing targetting should be to allow consumers to opt into services. But this is something that commercial interests have really opposed. For instance, in the US, when Senator Ellen Corbett from California introduced a bill to give consumers greater control over their private data by making the default setting on social networking sites privacy compliant - Facebook, Google, Skype, and Twitter banded together to oppose it.

We need a data protection law that contains the national privacy principles that the justice Shah committee had listed and we do require a regulatory authority to be set up that can implement the law. Till that happens, we are are the mercy of the terms and conditions of apps and services that we accept.

Anita Gurumurthy and Amrita Vasudevan are with IT for Change, an NGO in Bengaluru that works at the intersection of digital technologies, development and social justice.


Published Date: Jan 13, 2017 10:07 am | Updated Date: Jan 13, 2017 10:07 am