Concept of Online Privacy in India

Online privacy, for most of us Indians, is like Coronavirus: If we can’t see it, it probably does no matter to us, unlike god though. We as Indians have never understood the concept of online privacy until recently, may be we are waiting for bad things to happen. Indians love to gossip. Gossip is the reason for evolution for any language(spoken or written).

Background

India has been a very close-knit society. Most of the families are still joint families having 4-20 members. Most of our population lives in sub-urban or rural areas. The social interaction between people so frequent that an information from one household can travel 2-4 blocks by the end of the day. We, Indians, love to gossip. If a person has a running stomach, by the end of the day whole mohalla(local community) will know the news. A kid who got scratch while playing, will be asked about his well-being from all shopkeepers near his house for next few days. Though talking about sex is a taboo but you will get to know who is pregnant and for how many months. Sharing personal information is a cultural thing.

Talking about my running stomach in fine and good to joke about. But in some cultures it is not at all decent. Sharing and referring to someone’s (a third person, who is not acquainted to the person you are talking to) pregnancy is not decent in many cultures. Sometimes an IVF treatment or a cosmetic surgery is something one would like to keep private to self and partner only. We Indians can’t get our head around on what to share & what not to share and with whom to share.

Nowadays information travels faster, you don’t even need to speak to anyone, just write a post about your visit to Nepal with a picture and everyone knows where you are right now. Every culture has gossip built into their daily conversations but we Indians are blessed with it.

Gossip with technology

India, being so populated, attracts lot of technology and social media giants. Since we all got our smartphones for cheaper prices (thanks to capitalism), the flow of information just boomed. Now we have our parents, grandparent sending us morning greetings, GIFs and yes fake news & misinformation. We were never told that what is posted online will remain online forever(in most cases, unless there is digital blackout). So the gossip that was more verbal & written and easily forgotten, presented no harm to anyone is now being saved and probably used to identify you. What started as a service and a means to communicate is now an engagement platform.

What information is private?

Usually while interacting on platforms we hardly think of what we are sharing is private. We want our friends to see it, so, on click and you have posted an update. As a technology professional I think any information that is identifiable like the following must be kept private (source):

  • Personally identifiable information (PII) — Data that could be used to identify, contact or locate an individual or distinguish one person from another
  • Personal health information (PHI) — Medical history, insurance information and other private data that is collected by healthcare providers and could be linked to a certain person
  • Personally identifiable financial information (PIFI) — Credit card numbers, bank account details or other data concerning a person’s finances
  • Student records — An individual’s grades, transcripts, class schedule, billing details and other educational records.

Who is responsible for my data?

Personally, you are responsible for you own data and the information you are sharing. Remember, at the end of the day all social platforms are business. They monetize your information that is not unique to you or could not identify you as an individual . Example:

  • Age
  • City
  • Country
  • Sex

If I represent this information like

#AgeSexCityCountry
123mNew DelhiIndia
220fIstanbulTurkey
356mNairobiKenya
433mGurugramIndia
545fNew YorkUSA
..
500040mJakartaIndonesia
Sample Data

Let us assume the data is from an hypothetical social media platform named Pink August. Pink August started as a social community platform for free. Free platforms are good, everyone likes free stuff. Free in digital world means you are the product. To get revenue, Pink August decided to show advertisements on the site. Obviously advertisers need some parameters to target the audience for the adverts. So Pink August provides them above data to target the audience.

Some data provided to advertisers are these:

  • Male Users
  • Female Users
  • Country Specific
  • City Specific
  • Age range

All of the data can be combined and you can get grouped data like:

  • All males from a country. Ex: gender = ‘m’ and country = ‘India’
  • All males above 30 years. Ex: gender = ‘m’ and age > 30
  • Every user from a country. Ex: country = ‘India’

So many other combinations can be made data provided above. Now you can relate how a data that has nothing to do with you can be used over you as a group. If we combine this data with your other data. Example:

  • Time range of users when they are highest active
  • Your likes on specific content(
    • posts featuring cat videos or animals
    • religious posts
    • Videos featuring violence
  • People you follow
    • Actors/celebrities
    • Music artists
    • Journalists
    • Photographers
    • Public Figure
    • Regional pages
    • Local Pages

Such data can describe your virtual personality. Based on you interactions one can define what kind of person you are what you follow and at what time you are highest active.

Identifiable Data

Identifiable data as name suggest can identify you. Information like:

  • Email/Contact Number
  • Your medical Records
  • Car registration number
  • House Number
  • Bank account number
  • Debit/Credit card numbers
  • Aadhaar or Social Security Number
  • Education Records
  • IP address
  • Device ID/MAC address
  • Bills
  • Device Fingerprint

These are direct and can be simply identify a person in existence. If you combine them with unidentifiable data, someone will have a jackpot of information to identify your personality traits.

Problem

  • Problem is not that everyone is saving data, problem is how secure is the saved data? If the database of Pink August is hacked, what are the chances that a hacker will find your email/contact/address and match with other available records online to identify you as a person. Then send you a phishing email when you are highly active online.
  • Problem is that these social platforms will do anything to earn revenue. They may help political motivations in exchange of getting their app as pre-installed on devices. They may also sell your data.
  • Problem is also linking multiple data to one source. Example: Aadhaar.
    • Aadhaar, a biometric based unique identification number for residents, is now linked to:
      • Bank accounts
      • PAN
      • Passport
      • Mobile networks/Broadband
      • E-wallets
      • Digital Health Card(soon)
        A simple google will get you list of Aadhaar card details lying on web and waiting to be misused.

Rectification

So can a technology company rectify such issues? Since online platforms are business they are very much concerned about their reputation in terms of security and data leaks, but then they also have to earn money. Here are some points where a platform should clearly mention:

  • Platform should provide a complete documentation of:
    • What data is being collected & purpose of collection of data.
    • How is data being saved?
    • How will your data be used?
  • Platform should provide clear consents, age verification before/on buttons and other call-to-actions provided.
  • Transparency of data.
  • List of partners that have access to data.
  • Ability to handle data leaks
  • Ability to handle grievances about data
  • Correction of data.
  • Transfer of data.
  • Ability to completely erase data.
  • Download all of the data(belonging to self)

Indian Context

India is still learning a few things about privacy each passing day.

India is not directly part of any data regulations like GDPR or HIPAA. Though, India does have IT Act that has some point which I think are vague in terms of implementation. Below are the screenshots.

Chapter III point 7
The complete chapter V on securing data

The Personal Data Protection Bill, 2019

Indian government has introduced a bill to protect personal data. The bill is not passed yet and will become act later. The bill has it own flaw that can be exploited with power. Example:

Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.

The Personal Data Protection Bill, 2019

Ending note

India is far from what needs to be done to protect data and provide privacy rights. The Personal Data Protection Bill, 2019 should pass before the launch of Digital Health Cards. Gossip is OK when it is between friends. But when the government and the tech giants are gossiping about you, that is the time when shit hits the fan.

Cover Photo by Jason Dent on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.