Deconstructing the dissent around the draft data privacy bill

Let’s take a step back from the constant quibbling between the activists and the government. The interests of a citizen, especially in cyberspace, are aligned with that of neither. I’ve felt so since the beginning of the net neutrality debate.

Praavita writes for The Wire, Can the Aadhaar Act and a Data Protection Act Coexist?

At first glance, the draft data protection bill appears to provide massive exceptions for welfare that seemingly apply to Aadhaar. Section 13 makes the processing of personal data without a person’s consent possible for any function of the Parliament or State Legislature.

So does the GDPR, the magna carta of cyber civil liberties, on “other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security”. Yes, that also includes “national identification numbers” and even “churches and religious associations”. Go figure.

This appears to be the exception allowed for the State to process personal data and looks ominous when you think about the expansion of the Aadhaar into so many aspects of our lives – for welfare programmes, IT returns, for healthcare subsidies, sim cards etc.

Praavita doesn’t objectively explain how did she arrive at such a conclusion, as the article goes on to raise similar objections. Does she really believe that the sole motivation behind the introduction of a bill as seminal as the one being proposed would be this conspiratorial? Could the executive, the legislature and the judiciary even manage such a grand cover-up? These reactionary stances really do disservice to the actual cause of privacy by diluting the real issues.

The Wire‘s staff writes in The Good, Bad and Ugly on India’s Template for How Your Data Will be Protected:

The pro-state or pro-government argument for data localisation is that storing data within a country’s borders prevents it from being spied upon by foreign nations. However, the Justice Srikrishna committee hasn’t gone that far – all it asks is that companies store a copy of Indian citizen data within India. This means the data can still go back to US or China.

This is how you trivialise the debate by merely voicing doubt for the heck of it. Did we ever investigate whether localisation could technically work? Territoriality is impossible to ascertain in cyberspace. Establishing who controls your data at a given instant is a mathematical problem at par with the Fermat’s Last Theorem. Ownership, possession and control over the internet don’t overlap. You may as well localise the whole cyberspace. In fact, half-baked opinions around it could forever balkanise the internet. All roads of data sovereignty lead to a dystopia.

As some privacy experts have noted, this doesn’t appear to be aimed at at protecting Indian data from foreign eyes.

I followed the linked URL. This is what I found:

Really, does this vague tweet best underscore your pièce de résistance?

When you combine this with the fact that there is nothing in the draft bill on reforming India’s mass surveillance apparatus, it becomes concerning.

Can a privacy bill digress to something as expansive as the overhaul of the intelligence machinery? Some experts do believe, however, that it’ll set a precedent for the parliamentary accountability of security agencies.

Additionally, the bill also lays out that the data protection authority will decide if data breaches will be disclosed to the users that have been affected. As The Wire has reported, Indian companies and government agencies are more than happy to be quiet about their lax security standards. Affected users should have a legal right to know if their data has been compromised, as they have in the United States.

The museum of data breaches now lists 5 billion stolen credentials, a little short of the world’s population. Most originate from the U.S. Its stringent data security and breach notification regime hasn’t served as a deterrent. The question you should be asking is whether mandatory disclosure the best bet when a majority of the organisations would never know that they’ve been breached. Hell, even Facebook only stumbled upon a massive breach when its stolen database landed on the darknet — and it paid a ransom. Like Dmitry Alperovitch of CrowdStrike says, “There are two kinds of companies left in America: those that have been hacked and know and those that have been hacked and don’t know it.” Do you want the bill to become another regulatory noose around the neck of the private sector? The lack of research here worries me.

While some of consent exemptions are benign — such as for “journalistic” or “research and archiving” purposes — others deal with what the committee believes are legitimate state needs including “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”.

What do you make of the blanket exemptions under the GDPR for national security? The metadata collection programmes of France and Germany may make many companies non-compliant. It doesn’t seem to bother them. Why?

Rohan Venkataramakrishnan of Scroll has written an explainer, All you need to know about the Srikrishna panel’s draft data protection law.

Many many other things, as Medianama’s Nikhil Pahwa points out.For example, there is the requirement that all personal data be mirrored and kept on a server or a data centre in India, a provision that critics of the Bill say is aimed primarily at ensuring the government has access to it if necessary.

The same flawed argument around territoriality, or the lack of it, without apprising the readers of its technical complexities. And what’s this urge to link to tweets — which are, by design, impulsive — to build your case?

Sruthisagar Yamunan’s piece for Scroll, Towards a surveillance state: Draft data protection law is a blow to the right to privacy.

The main purpose of the Bill seems to be to protect Aadhaar, the 12-digit biometrics-linked unique identification number currently under challenge before a Constitution bench of the Supreme Court.

Seriously? How did this pass Scroll’s fact-checkers? This is complete debasement of the discourse. Even the activists should be cautious of such alarmist rhetoric as it weakens their position.

Lawyer Chinmayi Arun took to Twitter to point to the problems in the consent clauses.

Okay, if you begin by calling the security apparatus “stasi”, you know things are going nowhere.  Arun further tweets:

3. For the ‘detection’ of an offence
(Same as above but prevention and detection are different so merits its own place on my list)
#DataProtection #Privacy #surveillance

Wrong! Detection and prevention, offence and defense, copyright and censorship, security and surveillance are completely symbiotic and indistinguishable in cyberspace. It’s the foundational non-duality of digitised information that simply can’t be wished away with trenchant critique. Beyond a certain level of complexity, autonomous code simply can’t adhere to the law, but starts creating its own. Arun should have known what Lawrence Lessig predicted 20 years ago. Even code and data are the wrong demarcations; they, too, are dynamically interchangeable especially in Big Data and AI. Figuring out the intent of a computer program is also an exercise in probability. Whether a particular computer program was breaching or merely tweaking a system would become guesswork of sorts. So, along with territoriality, causality, proportionality, and, resultingly, legality also go for a toss.

Amba Kak writes for Scroll in TRAI’s privacy recommendations are a reminder that there is no shortcut to a comprehensive law.

She’s lucid, unbiased and progressive but I’m most disappointed with her. She’s in the best position to highlight the fundamental paradoxes around data security. Rather, this piece relegates nuance to rhetoric.

While TRAI’s views have been largely hailed for affirming that users, not companies, should own and control their own data – this is at odds with some of the substance of its data protection recommendations.

If there was any doubt about what it meant, the broad mandate is spelled out to specifically include “telecom service providers, devices, operating systems, browsers, applications etc.”

We all know by now that Trai is clueless and a polemic around its mandate (browsers!) should be inspired by the Hanlon’s razor: never attribute to malice that which is adequately explained by stupidity. As Dan Kaminsky once said, “Browsers don’t run checklists so that the king isn’t insulted.” Browsers are the very embodiment of the hacker ethic, so a privacy debate around Trai is a non sequitur.

Or the regressive prohibition against “bulk encryption” in clause 37.1. Even as TRAI acknowledges that encryption is critical to online security and calls out the need to update encryption standards, it shies away from recommending the repeal of this condition.

Does a restriction on bulk encryption have statutory backing? Is mass communications surveillance a necessary or proportionate means to achieve the State’s legitimate security interests?

She misses the elephant in the room. What’s our national cryptographic policy? Governments have come a long way from deeming cryptography as munition — restricting it under export control — to funding weak, breakable ciphers that now run the whole internet and the blockchain. The activists here have never fought a crypto war, yet they have things to say about encryption. Do you know what the esoteric Scientific Analysis Group does, or what kind of insular research has been fostered by the RC Bose Centre? Do you know that the NSA has already broken into the encrypted communications of the Indian nuclear weapons authority? This issue is bigger than privacy — it’s existential. We’ve the perfect excuse to make the research on encryption transparent, accountable and robust, but we prefer to skim the surface.

The telecom license prohibits the transfer of accounting or user information to persons or servers outside India; and allows the government to mandate that traffic related to certain entities is localised “for security reasons”. TRAI does not engage with the import of this recommendation on the broader internet ecosystem whether for the large number of companies that do cross-border business, or even use international payment gateways. Instead, it concludes vaguely that overall, the license represents a “fairly robust” framework to safeguard user privacy.

The hackneyed counter-argument around territoriality.  Repeat after me, the perimeter is not the boundary of your network, but the boundary of your telemetry. The biggest challenge in cybersecurity is asset discovery. Most organisations’ data and assets are scattered across systems that they hardly know exist, forget control.

And here’s my parting advice to the new media outlets, borrowed from N. Ram’s James Cameron Memorial Lecture:

[James Cameron] was clear that ‘objectivity was of less importance than the truth’ and ‘the reporter whose technique was informed by no opinion lacked a very serious dimension’. Journalists therefore were professionally obliged to present their ‘attitude as vigorously and persuasively’ as they could, to be set out for consideration, criticism, and debate. Being scrupulous and consistent about this he held to be a vital ingredient of ‘moral independence’; among other things, this involved an ‘attitude of mind that will challenge and criticize automatically, thus to destroy or weaken the built-in advantages of all propaganda and special pleading – including the journalist’s own’.

Also see my technically grounded critique, All roads of data sovereignty lead to a dystopia.