[Reader-list] Sunil Abraham: Freedom from Monitoring: India Inc Should Push For Privacy Laws (Forbes India)

[Patrice Riemens]

original to:
http://forbesindia.com/article/recliner/freedom-from-monitoring-india-inc-should-push-for-privacy-laws/35911/1

Freedom from Monitoring: India Inc Should Push For Privacy Laws
by Sunil Abraham | Aug 21, 2013
More surveillance than absolutely necessary actually undermines the
security objective

I think I understand why the average Indian IT entrepreneur or enterprise
does not have a position on blanket surveillance. This is because the
average Indian IT enterprise’s business model depends on labour arbitrage,
not intellectual property. And therefore they have no worries about
proprietary code or unfiled patent applications being stolen by
competitors via rogue government officials within projects such as
NATGRID, UID and, now, the CMS.

A sub-section of industry, especially the technology industry, will always
root for blanket surveillance measures. The surveillance industry has many
different players, ranging from those selling biometric and CCTV hardware
to those providing solutions for big data analytics and legal interception
systems. There are also more controversial players who provide spyware,
especially those in the market for zero-day exploits. The cheerleaders for
the surveillance industry are techno-determinists who believe you can
solve any problem by throwing enough of the latest and most expensive
technology at it.

What is surprising, though, is that other indigenous or foreign
enterprises that depend on secrecy and confidentiality—in sectors such a
banking, finance, health, law, ecommerce, media, consulting and
communications—also don’t seem to have a public position on the growing
surveillance ambitions of ‘democracies’ such as India and the United
States of America. (Perhaps the only exceptions are a few multinational
internet and software companies that have made some show of resistance and
disagreement with the blanket surveillance paradigm.)

Is it because these businesses are patriotic? Do they believe that
secrecy, confidentiality and, most importantly, privacy, must be
sacrificed for national security? If that were true then it would not be a
particularly wise thing to do, as privacy is the precondition for
security. Ann Cavoukian, privacy commissioner of Ontario, calls it a false
dichotomy. Bruce Schneier, security technologist and writer, calls it a
false zero sum game; he goes on to say, “There is no security without
privacy. And liberty requires both security and privacy.”

The reason why the secret recipe of Coca Cola is still secret after over
120 years is the same as the reason why a captured soldier cannot spill
the beans on the overall war strategy. Corporations, like militaries, have
layers and layers of privacy and secrecy. The ‘need to know’ principle
resists all centralising tendencies, such as blanket surveillance. It’s
important to note that targeted surveillance to identify a traitor or spy
within the military, or someone engaged in espionage within a corporation,
is pretty much an essential. However, any more surveillance than
absolutely necessary actually undermines the security objective. To
summarise, privacy is a pre-condition to the security of the individual,
the enterprise, the military and the nation state.

Most people complaining online about projects like the Central Monitoring
System seem to think that India has no privacy laws. This is completely
untrue: We have around 50 different laws, rules and regulations that aim
to uphold privacy and confidentiality in various domains. Unfortunately,
most of those policies are very dated and do not sufficiently take into
account the challenges of contemporary information societies. These policy
documents need to be updated and harmonised through the enactment of a new
horizontal privacy law. A small minority will say that Section 43(A) of
the Information Technology Act is the India privacy law. That is not
completely untrue, but is a gross exaggeration. Section 43(A) is really
only a data security provision and, at that, it does not even
comprehensively address data protection, which is only a sub-set of the
overall privacy regulation required in a nation.

What would an ideal privacy law for India look like? For one, it would
protect the rights of all persons, regardless of whether they are citizens
or residents. Two, it would define privacy principles. Three, it would
establish the office of an independent and autonomous privacy
commissioner, who would be sufficiently empowered to investigate and take
action against both government and private entities. Four, it would define
civil and criminal offences, remedies and penalties. And five, it would
have an overriding effect on previous legislation that does not comply
with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined
the Indian privacy principles as notice, choice and consent, collection
limitation, purpose limitation, access and correction, disclosure of
information, security, openness and accountability. The report also lists
the exemptions and limitations, so that privacy protections do not have a
chilling effect on the freedom of expression and transparency enabled by
the Right to Information Act.

The Department of Personnel and Training has been working on a privacy
bill for the last three years. Two versions of the bill had leaked before
the Justice AP Shah Committee was formed. The next version of the bill,
hopefully implementing the recommendations of the Justice AP Shah
Committee report, is expected in the near future. In a
multi-stakeholder-based parallel process, the Centre for Internet and
Society (where I work), along with FICCI and DSCI, is holding seven round
tables on a civil society draft of the privacy bill and the industry-led
efforts on co-regulation.

The Indian ITES, KPO and BPO sector should be particularly pleased with
this development. As should any other Indian enterprise that holds
personal information of EU and US nationals. This is because the EU, after
the enactment of the law, will consider data protection in India adequate
as per the requirements of its Data Protection Directive. This would mean
that these enterprises would not have to spend twice the time and
resources ensuring compliance with two different regulatory regimes.

Is the lack of enthusiasm for privacy in the Indian private sector
symptomatic of Indian societal values? Can we blame it on cultural
relativism, best exemplified by what Simon Davies calls “the Indian Train
Syndrome, in which total strangers will disclose their lives on a train to
complete strangers”? But surely, when email addresses are exchanged at the
end of that conversation, they are not accompanied by passwords. Privacy
is perhaps differently configured in Indian societies but it is definitely
not dead. Fortunately for us, calls to protect this important human right
are growing every day.


(This article appeared in Forbes India Magazine of 23 August, 2013)

Bwo Tactical tech's 'In the Loop'