Snooping Through the Screens: Data Protection and Privacy
As we move further into the digital era, our data and privacy become more and more critical. Our data stored on our devices accelerates our life, but at the same time, it can render us vulnerable if it is let into the wrong hands. Understanding that our data is a precious asset and working towards its protection is crucial. Still, most often, we do not realise that the big corporates take advantage of that sometimes to show ads that mislead us and sometimes even by conducting propaganda that leads to massive consequences. This is where data protection laws come in, ensuring that our data is not misused and we become its regulators. Our privacy remains intact in this digital age where everything is being monitored. To understand what is wrong with the status quo, first, let’s take a look at the breaches that have happened and how their frequencies are increasing over time.
BREACHES IN THE PAST
AADHAAR - A lapse in security led to more than 100,000 Aadhaar numbers leaking. One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers of 166,000 workers. The data leak was not a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI). When Baptiste Robert, a French security researcher, was asked to look at the site, he used less than a hundred lines of Python code to scrape the entire site for downloading photos and the corresponding Aadhaar numbers.
PAYTM MALL - The e-commerce arm of payment giant Paytm suffered a data breach after a hacker group called "John Wick” targeted the company’s PayTm Mall database. The perpetrator of the breach demanded 10 ETH (Ethereum) in cryptocurrency (approximately equivalent to $4,000 at the time.)
‘John Wick’ could upload a backdoor or Adminer on the Paytm Mall application website and gain unrestricted access to their entire database. The perpetrator claimed the hack happened due to an insider at Paytm Mall.
One of the repeated tactics used by this group is to act as a ‘grey-hat hacker and offer help to companies or victims to fix their bugs. A ‘grey hat’ is a computer hacker who looks for vulnerabilities in platforms and systems without the owner’s knowledge and asks for a fee to fix the issue.
A Paytm Mall spokesperson informed the public that a Bug Bounty program was to help resolve the issue.‘John Wick’ has broken into multiple Indian companies and collected ransom from various Indian organisations, including OTT platform Zee5, Fintech Startups, Stashfin, Sumo Payroll, Stashfin, i2ifunding, through other aliases such as ‘South Korea’ and ‘HCKINDIA’.
DOMINO’S - Data of 18 crore orders of Domino's India became public. The hacker even created a search engine on Dark Web- “If you have ever ordered dominos online, your data might be leaked.” Anyone could easily search any mobile number and check a person's past locations with date and time. Hackers gained access to 13 TB worth of data, including 180,000,000 order details containing names, phone numbers, payment details, and a million credit card details.
AIR INDIA - Air India compromised the data of millions of passengers worldwide, containing personal data registered between August 26, 2011, and February 20, 2021. The breached data included the passenger’s name, date of birth, contact information, passport information, ticket information, frequent flyer data, and credit card information. The airline said the breach involved data of 45 lakh passengers being leaked.
These aren't the only instances this has happened in India; the data of JustDial company was leaked in May 2020, UnAcademy, BigBasket, MobiKwik, have also had data breaches. Data breaches don't just mean your private information is available to anyone who wishes to have it but that your information can be weaponized and used to create well-planned strategies with extreme consequences.
CAMBRIDGE ANALYTICA- Working with The Observer of London and The Guardian, the New York Times obtained a cache of documents from inside Cambridge Analytica, the data firm principally owned by the right-wing donor Robert Mercer. The documents proved that the firm, where the former Trump aide Stephen K. Bannon was a board member, misused data obtained from Facebook to build voter profiles.
The Times reported that in 2014 contractors and employees of Cambridge Analytica, eager to sell psychological profiles of American voters to political campaigns, acquired the private Facebook data of tens of millions of users — the most significant known leak in Facebook history. The Times initially reported that Cambridge harvested data from over 50 million Facebook users. But at the bottom of a company announcement about new privacy features, Facebook’s Chief Technology Officer, Mike Schroepfer, issued a new estimate for the number of affected users: as many as 87 million, most of them in the United States. The harvested data of millions of Facebook users was used to spread political propaganda, targeted to specific viewers based on their preferences and the data that has been collected.
PEGASUS SCANDAL- Exposing Thousands of Prying Ears
Pegasus is spyware developed by the Israeli cyber arms firm NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. Pegasus can read text messages, track calls, collect passwords, location tracking, access the target device's microphone and camera, and harvest information from apps.
Project Pegasus revelations
A leak of a list of more than 50,000 telephone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 became available to Paris-based media nonprofit organisation Forbidden Stories and Amnesty International. They shared the information with seventeen news media organisations in what has been called "Project Pegasus", and a months-long investigation was carried out, which reported from mid-July 2021. And then what came out was shocking. The Pegasus Project involved 80 journalists from numerous media partners. Evidence was found that many phones with numbers in the list had been targets of Pegasus spyware. However, The CEO of NSO Group categorically claimed that the list in question is unrelated to them, the source of the allegations can't be verified as reliable.
Use by India
In late 2019, Facebook filed a suit against NSO, claiming that Pegasus had been used to intercept the WhatsApp communications of several activists, journalists, and bureaucrats in India, leading to accusations that the Indian government was involved. But the shocking revelations of 2021 that called the other nations to action showed an even murkier version of the reality.
Phone numbers of Indian ministers, opposition leaders, ex-election commissioners, and journalists were allegedly found on a database of NSO hacking targets by Project Pegasus in 2021. While the government of other countries have been alarmed by it and are trying to establish trust and accountability, the Indian government has rejected the claims without any proper justification except citing national security.
Use in other countries
Reversing the intended use against criminals, Pegasus has targeted and intimidated Mexican journalists by drug cartels and cartel-entwined government actors. Pegasus software, whose sales are licensed by the government of Israel to foreign governments, was used maliciously to snoop on journalists by Saudi Arabia. Pegasus was also used to spy on Jeff Bezos after Mohammed bin Salman, the crown prince of Saudi Arabia, exchanged messages that exploited then-unknown vulnerabilities in WhatsApp.
The United Arab Emirates used Pegasus to spy on the members of the Saudi-backed Yemeni government, according to an investigation published in July 2021.
Certain nations have been sufficiently focused on contact tracing that methods have been used that would be highly criticized in Western countries. For example, in South Korea, authorities used location data from cell phones, credit card transactions, and CCTV footage to identify potentially infected persons. As noted Jung Ki-suck, the former director of the Centers for Disease Control and Prevention (CDC), “people [in South Korea] are OK with their privacy being infringed for the wider public interest.”
China is another much-cited example: the country’s mandatory applications use facial recognition, biometric data, location tracking, and other data to generate health-status colour codes. An analysis by The New York Times of one of the apps indicated that it appeared to share information with police authorities. Even the basis on which the colour codes are assigned is unclear, while the lack of transparency has been criticised, Chinese authorities are not known for openness.
These breaches and surveillance drives by various governments are repeated warnings that show how vulnerable we are when our data is accessed by people with malicious motives and therefore show the direness of the situation. This is where data protection laws come in to safeguard the users against any threats. We know the importance of laws and regulations to keep society a safe place, and in an age where we spend most of our time on the web, we need to translate the same sense of security in that aspect of our life.
GDPR- GENERAL DATA PROTECTION REGULATION
Lets us take a look at the data protection law that the EU came up with, which is being seen as a benchmark for these laws, and how it empowers the users and changes the power dynamics when it comes to data and privacy.
The General Data Protection Regulation (GDPR) is the strictest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching tens of millions of euros. The law replaces the 1995 Data Protection Directive, which has set the minimum requirements for processing data in the EU. GDPR will significantly strengthen several rights: individuals will find themselves with more power to demand companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20m (£17.5m) or 4% of the company’s global turnover. The core principles of this law are:
Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation: companies must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimisation: companies should collect and process only as much data as necessary for the purposes specified.
Accuracy: corporates must keep personal data accurate and up to date.
Storage limitation: they may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability: The data controller is responsible for demonstrating GDPR compliance with all of these principles.
GDPR affects every company, but the most brutal hit will be those holding and processing large amounts of consumer data: technology firms, marketers, and the data brokers who connect them.
Even complying with the basic requirements for data access and deletion presents a significant burden for some companies, which may not previously have had tools for collating all the data they hold on an individual.But an immense impact will be on firms whose business models rely on acquiring and exploiting consumer data at scale. If companies rely on consent to process data, that consent must be explicit and informed – and renewed if the use changes.
Apple revealed a privacy dashboard of its own – although the company proudly noted that, unlike its competitors, it does not collect many personal data in the first place, and it need not change much to comply. Google took a different track by quietly updating its products and privacy policies without drawing attention to the changes.
What does it mean for users?
Users now have the power to hold companies to account as never before. If individuals begin to take advantage of GDPR in large numbers by withholding consent for specific data uses, requesting access to their personal information from data brokers, or deleting their information from sites altogether, it could have a seismic effect on the data industry.
Even without user pressure, the new powers given to information commissioners across the EU should result in data processors being more cautious about using old data for radically new purposes. Counterintuitively, though, it could also serve to benefit selectively the dominant players. A new startup may find it hard to persuade users to consent to wide-ranging data harvesting. Still, if a company such as Facebook offers a take-it-or-leave-it deal, it could rapidly gain consent from millions of users.
The UK government has announced plans to reshape the UK’s data laws, such as GDPR requirements, in an effort, it claims, to boost growth and increase trade post-Brexit.
DATA PROTECTION BILL IN INDIA
How is personal data regulated currently in India?
Currently, citizens' usage and transfer of personal data are regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. The rules hold the companies using the data liable for compensating the individual in case of any negligence in maintaining security standards while dealing with the data. By now, it has been concluded that while the IT rules were a novel attempt at data protection when they were introduced, the pace of development of the digital economy has shown its shortcomings. For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some provisions can be overridden by a contract. Further, the IT Act applies only to companies, not to the government.
However, after August 2017, when the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution, a panel chaired by Justice B. N. Srikrishna was set up to examine various issues regarding data protection in India. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy.
The Personal Data Protection Bill was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, on December 11, 2019. It sought to protect the personal data of citizens of India.
The Bill governs the processing of personal data by the government, companies incorporated in India, and foreign companies dealing with the personal data of individuals in India. Personal data pertains to characteristics, traits, or attributes of identity, which can identify an individual.
Data were classified into three types, namely: personal, sensitive personal, and critical data.
A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to a particular purpose, collection, and storage limitations. It states personal data can be processed only for specific, clear, and lawful goals. Furthermore, all data fiduciaries must undertake certain transparency and accountability measures such as (i) implementing security safeguards and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
The Bill entitles certain rights to the individual, which include the right to
- obtain confirmation from the fiduciary on whether their data has been processed,
- seek correction of inaccurate, incomplete, or out-of-date personal data,
- have personal data transferred to any other data fiduciary in certain circumstances, and
- restrict continuing disclosure of their data by a fiduciary if it is no longer necessary or consent is withdrawn.
Social media intermediaries who enable online interaction between users and allow for sharing of information whose actions can impact electoral democracy or public order will have to provide a voluntary user verification mechanism for users in India.
Data Protection Authority:
The Bill sets up a Data Protection Authority which will take steps to protect the interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill.
Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Specific personal data notified as critical personal data by the government can only be processed in India. The companies that do not comply with these regulations will be penalised.
But this law that looks so strong on the paper has been accused of hiding loopholes and being rudimentary by several experts. Some serious questions are raised, like the localisation of personal data might increase the chances of surveillance and block innovation in tech to store this data.
Government processing of data remains an issue even though consent has been given emphasis. The government is exempt in some instances makes the law ineffective. Government can process even sensitive personal data without consent sighting functions of the state seems vague and prone to misuse. Many definitions have been left for DPAI, which will be appointed by the government, which might seem ironic on many grounds. With a history of coming up with bulk data sharing policies and not taking any breaches seriously, the government of India leaves us with a dangling question of whether our data is private or more of a public asset.
What can we do as individuals to keep our details private?
Whenever we are putting data online, try to minimise it, avoid giving any additional information.
Never allow the websites or apps to save your credit card details.
Have different passwords for every website; avoid having patterns.
Use a VPN to keep your location data secure.
Never share your OTP with anyone, EVER.
Keep the operating system of your phone and the software of your computer updated.
Check the URLs of websites so that they start with HTTPS and not HTTP. The ‘s’ stands for secure.
Solutions like changing phones often, using old-school phones, and staying off the internet are not sustainable or viable. Keeping our data private is difficult at an individual level because technology is often used against us. It is the responsibility of our government to devise strict laws to keep us from being vulnerable. Privacy is not a fundamental right yet, which is why data breaches are happening consistently without any severe consequences. When we give someone our data, we should also be able to take back the data. The right to privacy and the right to Retract Data should be provided to everyone as soon as possible to end this prolonged complication.
Designs by – Alok Gouda