The gold rush for data mining
Constantly bombarded with hundreds of calls offering management quota seats, a frustrated Parameshwara, a businessman, struggled to trace their source. He thought back to when it began, after he attended an exhibition with his son, a pre-university student, and shared his contact details at various stalls.
Also plagued by incessant phone calls from different numbers offering quick weight loss solutions, a resident of Bengaluru, was bewildered. "As a digital native, I am very protective of my personal data online. So I could not understand how these companies got my number," she says. When she was recounting the incident to a friend, "She asked me if I had downloaded any fitness apps. It was only then that I realised that they had gotten my details through what I thought was a reliable and safe health management application."
These instances are familiar to most mobile phone users, who battle spam calls regularly. Far from just being an irritation, these calls raise serious risks of data breaches, fraud and scams.
It is common knowledge that data brokers sell user information obtained from third-party service providers in the e-commerce, telecom, hospitality, retail and digital media sectors. A simple Google search reveals contact information of working professionals advertised for sale to various stakeholders.
As Prime Minister Narendra Modi said, in the new digital India, “Data is the new oil, new gold.” Every minute, various entities, big and small, are looking for ways to generate and encash data, which includes personal information. With a lack of respect for privacy, this digital ‘gold rush’ has also led to hacking, data breaches and grey markets that sell the data, as well as an increased rate of cybercrime.
“In the digitally transformed nation that we are, there is so much information getting collected, not just by financial entities, but across the spectrum, by edtech, med-tech, health-tech and gov-tech companies. We submit our data to them, without having any idea what it will be used for,” says Pankit Desai, CEO and co-founder of a security solutions firm.
In theory, free and informed consent should form the foundation of data sharing. However, in reality, the concept is rarely respected.
"When you download some apps, you already consent to sharing personal details, even before you open and use them. But this information is hidden in the technical terms and conditions or somewhere in the ‘read more’ section. Without a proper disclaimer, this consent is taken without your full knowledge," says Tejasi Panjiar, Associate Policy Counsel at Internet Freedom Foundation, based in Delhi.
She adds that simplifying the jargon and making disclaimers more accessible and visible is key. Ensuring informed consent also means obtaining it at every instance. If data is being processed for an additional purpose than initially intended, consent must be obtained again.
Another important facet is including opt-out consent, which allows consumers to decline sharing their personal information. However, in many cases, even opting out proves insufficient.
In 2021, the Telecom Regulatory Authority of India (TRAI) introduced a 'Do Not Disturb' (DND) list, a blockchain-based technology that prevents unsolicited calls for registered users. However, a survey of DND list users found that 95% of respondents were still receiving unwanted spam and even fraud calls.
The measures were easily circumvented as telemarketing companies simply purchased new SIM cards to make calls.
The regulations also fall short in addressing the menace of fraudulent calls. TRAI Chairman, P D Vaghela says that it is difficult to find the actual culprit behind such calls and messages, and the regulator is exploring several solutions to resolve the issue.
TRAI is now planning to implement a unified know-your-customer (KYC) database accessible to all telecom operators, equipped with compulsory caller ID, and an artificial intelligence system that detects fraudulent calls. The telecom authority is also discussing serious consequences, including imprisonment for using a false identity while buying SIM cards. Making KYC applicable for all messaging platforms such as WhatsApp is also under consideration.
Data breaches
A more evident and hazardous threat to privacy happens in the form of data breaches, where the information registry of a company or organisation is compromised, exposing user data. This generally happens when hackers steal information through attacks on weak firewalls and digital security systems.
While regulated entities, government agencies and banks may have safeguards against data breaches, the third parties they employ for miscellaneous tasks are not mandated to follow security practices. This includes fintech companies, security firms and BPOs.
“There is not even a requirement for a company to disclose to the user that such a breach has taken place. It is only through media reports that people hear about it. There is no way to know if one’s own records were part of the breach,” says Desai.
Earlier this year, the Aadhaar numbers of over 11 crore farmers were compromised due to improper authorisation protocol on the Prime Minister's Kisan scheme website. In another instance in August 2019, the personal information of about 68 lakh patients and doctors was stolen by hackers from a healthcare website.
In fact, India has one of the highest rates of data breaches. In the first half of 2022 alone, India had the second-highest number of data breaches globally. A 2021 study revealed that data breaches rose by a staggering 352% from the previous year.
Once stolen, data is sold online to the highest bidders. This can include personal identifiers such as banking information, phone numbers, addresses and family details.
Anonymising data
Data breaches and leaks were common during Covid, when many private and public apps collected data as a prerequisite for the provision of services.
The state health department has no information on what happened to health data that was collected by apps and citizen groups. “We had no control over what data was collected and nothing has been done about it,” said an official.
During Covid vaccination, people were asked to register on the Cowin app in order to get the vaccine and the corresponding certification. At this time, a 14-digit unique Ayushman Bharat Health Account ID was created for some users under the Ayushman Bharat Digital Mission (ABDM), an initiative to digitise health data in India. Many opted for this without being aware that an ID was being created, and many remain unaware to this date.
"It happened with a lot of people, including me," Tejasi says, adding that it happened across India.
The ABHD website shows the number of IDs created, with 90.3 lakh in Karnataka alone. However, the state health department sees no security concerns related to these databases.
The government's access and storage to such personal data is especially concerning in light of Karnataka's Open Data Policy, notified last year. The policy allowed private companies to sign an agreement with the government to access public data sets. The government suggested data anonymisation as a solution to mitigate potential security risks.
Experts warn that anonymising data, which involves the scrubbing of personal identifiers from data sets, is sorely lacking as a solution. This is particularly true in a legislative context that lacks a comprehensive data protection act. "Several studies, both national and international, have highlighted the ease with which data can be de-anonymised. Both directly and indirectly, new personal information that has not been shared by users can be deduced by combining several anonymised data sets. Through this process, users can be uniquely identified," says Tejasi.
Last month, the Ministry of Electronics and Information Technology (MeitY) withdrew guidelines for the anonymisation of data, a week after release, citing the need for further consultation on the issue.
Digital governance initiatives like the e-Sahamathi programme will allow the monetisation of data, by creating a sandbox (testing environment) and providing access to private companies. This raises the ethical question whether citizen data can be sold, when consent remains nebulous.
"The premise is to make India rich. The process is to collect people's data and share it with private parties. In this process, we are forced to become a digital society without privacy and anonymity," says Srinivas Kodali, a Hyderabad-based digital rights activist.
Data security bill
The existing legal framework offers little to protect people against privacy breaches. The Information Technology (IT) Act, and the IT rules of 2011 briefly touch on the liability of body corporates, however, it barely covers the subject.
Activists say there is an absence of clear definitions, specific guidelines and provisions. As a result, some multinational companies find ways to exploit the gaps. A research by Viceroy Research Group mentioned that Truecaller, a multinational company, moved its data centres to India in order to allegedly bypass the European Union's General Data Protection Regulation (GDPR) rules. These rules do not allow Truecaller to obtain data from a user's contact list. The firm now earns 70% of its revenue in India.
A data security bill would define what constitutes sensitive data, its lifecycle, as well as regulations for entities collecting and processing this data.
Even though the Supreme Court asserted the fundamental right to privacy in 2019, a data protection bill remains elusive. In August, the central government withdrew the draft Personal Data Protection Bill, promising a more relevant policy.
Dismissing apprehension over the delay, Union Information Technology Minister Ashwini Vaishnav said, even in the absence of a law on data protection, one must not worry about infringement of privacy because the Supreme Court has already declared privacy to be a fundamental right.
The MeitY is expected to put out a revised draft bill for public consultation by the end of this month. It may also need to be scrutinised in a Joint Parliamentary Committee, an official said.
The new Bill will clearly define penal provisions for breach of data and privacy, said the official, adding that it may reach the House in early 2023.
Many stakeholders argue that some form of regulation should have been enacted, to protect citizens at least to an extent. “It may not have been the best but they should have passed it so that there is some safeguard. Right now not having anything is a problem,” says Desai.
(With inputs from Ajith Athrady in New Delhi and Navya P K in Bengaluru)
Deccan Herald is on WhatsApp Channels| Join now for Breaking News & Editor's Picks