Thoughts on Surviving Surveillance and More

On the need for a privacy law and the importance of sound technological design to preserve both privacy and transparency.

There is a common perception these days that privacy is no longer a serious concern for most people. That is a myth that needs to be quickly debunked. If that were true, people would be sharing more detailed personal information with abandon. But no matter who it is, there is always some personal data that they do not want to put out in the public domain. That is the real definition of private information. To varying degrees, everybody believes in some form of privacy.

The fact that people share information more freely online is not indicative of a shift in our attitude towards privacy. It just points to another important right that has become more prominent in recent times: the right to publicity. In many ways then, private information is like currency in the attention economy. Each of us should be able to decide how much of it we want to spend and where.

Any system we devise to protect an individual’s right to privacy, then, cannot impede his or her desire to share. They may willingly choose to share information with the government or the private sector and that is their prerogative. However, the problem arises when they are not completely aware of what can be done with this information.

In theory, most people know the risks involved in sharing personal details online. But until they have an actual negative experience as a result – stalking, identity theft or a bank account being hacked – it remains a peripheral concern. A good analogy would be that of a cigarette smoker who is completely aware of the risks of lighting up but only feels compelled to do something about it following a cancer diagnosis. Awareness, in both instances, does not lead to prevention.

This is where regulation can come in to protect individual interests. Many people choose not to wear seat belts but the government doesn’t depend on accidents to change this behaviour. Instead, it uses a more proactive approach based on enforcing laws mandating seat belt use.

A good privacy law has to do two things. It needs to be built around protecting the rights of citizens but it should also provide a more uniform landscape for corporations to operate in. There is tremendous opportunity for monetization of personal information today. However, corporations may not be willing to take risks in developing products to take advantage of this opportunity in the absence of a predictable legal environment.

There are already about fifty sectoral laws in India covering media, healthcare, banking, e-governance and more. But they have been developed at different points in time and don’t follow the same standards. Many are also outdated.

What we need now is a horizontal layer and an omnibus law that will be administered by the Office of the Privacy Commissioner. This law should avoid going into too much detail and steer clear of niche rules for different sectors. Managing the nuances of areas as varied as Fintech and HR can be achieved through a system of co-regulation under which each industry is encouraged to come up with its own set of rules and standards. The Privacy Commissioner can examine these for compliance with the spirit of the law and, in some cases, suggest tweaks to improve their efficacy.

The purpose of the law is to provide a high-level framework, largely consisting of principles issued by the privacy regulator. Beyond that, a co-regulatory process will ensure that we don’t over-regulate industry and stifle innovation.

The right to privacy is a fundamental right for individuals but so is the right to transparency. In India, the latter is enabled by the RTI and the expectation it has created is that the government shares data with its citizens. Privacy, on the other hand, needs secure technology in order to be protected. A project like UIDAI bills itself as a unique identity database but creeps into the realm of surveillance with its use of biometric technology. Its primary design flaw lies in the fact that all its information resides in a centralized database that is essentially a honey pot for hackers. Even if the information is sealed, there is a price for access that may tempt an insider. And given that the data can be tampered with, the design of UIDAI is not good for either privacy or transparency.

These issues are rarely debated because UIDAI is a pet project of techno-utopians. When it comes to technology, this group believes that more is better than less, expensive options are likely to work better than cheaper ones, and complex is preferable to simple. This is not always true but techno-utopianism is an ideology that is increasingly hard to counter.

The reality is that surveillance, whether through UIDAI or another system, is an important and inescapable ingredient in national security. It’s a bit like salt in cooking. You need tiny amounts to truly appreciate the various flavours of security but, if you go overboard with it, you may actually undermine it. Once we have all the necessary elements of a privacy law in place, then surveillance can happen in a targeted fashion. However, mass surveillance under which everybody is surveilled at all times is never justified.

In a democracy, privacy, security and transparency are all equally important. With the right legislative framework and technological backbone, we can have them all.

Sunil Abraham is the Executive Director of the Centre for Internet and Society, a Bangalore-based research organisation.