The draft of the data privacy Bill furnished by the Srikrishna Committee is an important first step in bolstering the digital civil liberties of citizens, but it cannot address the systemic weaknesses of cyberspace that are beyond the reach of any single government.
The Brihadaranyaka Upanishad describes the creative principle of the universe as neti-neti — not this, not that. It hints at the subtle symbiosis, the fluctuating nature of opposing forces. Digitised information, too, complies with this inherent non-duality.
In cyberspace, not only are offence and defence mathematically indistinguishable, but this monism of information also binds to the dualities like surveillance-privacy, censorship-copyright, and terrorism-encryption.
It is exactly why the General Data Protection Regulation (GDPR) — the Magna Carta of cyberspace — has blanket exemptions for matters of national security and social welfare under Article 23.
In 2016, French spymaster Bernard Barbier hinted at the existence of an expansive cyber security metadata collection platform in his country. Prone to enthusiasm, he ended up briefing uninitiated school kids on a highly classified operation in which the French traced a cyber intrusion into the Élysée Palace that led them right to the doors of the National Security Agency.
Germany’s domestic surveillance agency BfV, too, has been open about its nationwide programme. In 2017, when stolen cyber weapons linked to the CIA were released by Wikileaks, the BfV issued an impressive dossier just days later that exposed the CIA’s cyber attack infrastructure targeting Germany.
Doing that with such swiftness and precision — that too at the national level — could only be accomplished via a framework that scans, strips and stores every passing packet for months.
True is cyber security guru Dan Geer’s axiom, “With total surveillance, and total surveillance alone, it is possible to treat the absence of evidence as the evidence of absence.”
Such dragnets are not possible without the involvement of the private sector, especially the internet service providers. That may theoretically make many participating organisations non-compliant to the GDPR. Even European policy experts, with whom I discussed this anomaly, expressed bewilderment and surprise.
The GDPR also accommodates derogations for processing activities related to “national identification numbers” and, oddly, “churches and religious associations”.
This really weakens the position of many Indian activists who have linked the draft Bill to the recent controversy around Aadhaar, giving the whole effort a conspiratorial tint. Many of their ill-researched assertions around surveillance do not stand up to scrutiny in light of these facts. The absolutist stance on privacy is not only untenable but also inapplicable as cyber security always relies on certain architectural trade-offs.
One must concede to the fact that privacy really is the bastard child of security, fathered by surveillance. And all roads of data sovereignty lead to a dystopia.
One of the foundational tenets of the draft Bill is that data could somehow be localised.
As American national security kahuna Richard J Danzig postulated, cyber space remains a contested territory. Thomas Dullien, the legendary malware researcher who works for Google, stated at this year’s NATO CyCon conference that ownership, possession and control of assets over the internet necessarily do not overlap because of its decentralised nature.
Even the flow or location of data could only be guessed, not predicted. Establishing who retains it at a given instant is a mathematical problem on a par with the Fermat’s Last Theorem.
So how is the shaky notion of localisation going to get enforced?
A nation-state may exist online as the sum of all the global information flows — across the many millions of interfaces — associated with it at a given moment. Your data is everywhere, but nowhere.
Much of data acts like code now and vice-versa — a little known concept of computer science called homoiconicity. This demarcation is rapidly disappearing in domains like Big Data and Artificial Intelligence. Stripping sensitive personal data from such functionalities is going to get very challenging.
The internet is like a cluster of tectonic plates that are barely held together – having its millions of layers of abstraction which toss your data around. With the onset of the Internet of Things and cloud computing, those layers are now network-enabled.
To establish sovereignty, one would need to replace all the extant interfaces with indigenous ones. From Huawei and ZTE to Baidu and Weibo, China took 20 years to accomplish exactly that — balkanising the cyberspace in the process — culminating with the passing of the draconian Cyber Security Law in 2017.
Until that happens, the one Westphalian precept that would never manifest itself in cyberspace is territoriality.
The draft also proposes the mandatory disclosure of data breaches. A majority of the organisations would never know that they have been hacked. Even Facebook only stumbled upon a massive breach when its database landed on the darknet — and it ended up paying a ransom.
The museum of data breaches, haveibeenpwned.com now lists five billion stolen credentials, a little short of the world’s population. Most originate from the US. Its stringent data security and breach notification regime setup after 9/11 has not acted as a deterrent.
Like Dmitry Alperovitch of cyber countermeasures firm CrowdStrike says, “There are two kinds of companies left in America: those that have been hacked and know it and those that have been hacked and do not know it.”
Such clauses may only add another regulatory noose around the neck of the private sector.
The notion of privacy, brokered with the state via the Hobbesian social contract, is dying. For, even the nation-state struggles to maintain its legitimacy, challenged by a libertarian organ of the world government that is the internet.
The lack of research on the intractable aspects of cyber security is worrisome.
The dissenters are only aggravating the problem by offering blind opposition that is devoid of reasoning and substance. By focusing solely on the present, they could jeopardise our future. It feels as if the interests of a citizen, especially in cyberspace, are aligned neither with that of the government nor with that of the activists.