Data bill: The security vs privacy debate
William Pitt, the English statesman, during his speech in the House of Lords in 1763, stated, “The poorest man may in his cottage, bid defiance to all the forces of the Crown. It may be frail, its roof may shake; the wind may blow through it; the storm may enter; the rain may enter; but the King of England may not enter; all his forces dare not cross the threshold of his ruined tenement.”
Such a passionate call for preserving individual privacy against State intervention was rare in the 18th century, but today, it reverberates across democracies, in the backdrop of a contentious debate on individual privacy versus State security. The Supreme Court (SC) judgment, declaring privacy a fundamental right has given fillip to the relentless campaign against infringement of privacy of any kind by the State or business bodies.
It is in this context that the Data Protection Bill, currently being discussed by the Joint Parliament Committee (JPC), is of great significance because it will lay down the contours of privacy of individual data from the prying eyes of the State as well as social media. The sanctity of sensitive personal data cannot be over-emphasised. Individual data has immense economic value too, waiting to be exploited commercially by the corporates through their social media platforms.
Encryption is widely acknowledged as the strongest feature of data protection. Digital banking and financial transactions have increased manifold with the Reserve Bank of India prescribing the encryption standards. The telecom sector, however, is limping along on 40-bit key encryption, which is considered to be low. Both cellular voice and messaging are vulnerable to off-air interceptions, with experts pointing at the weakness of SMS being used as second factor authentication in banking, payments and Aadhaar identification. The Telecom Regulatory Authority of India has rightly recommended an update of regulation policy and is of the view that encryption is a reliable tool which should not be interfered with.
The end-to-end encryption on chat platforms is the most secure method of keeping data safe from hackers and break-ins. The General Data Protection Regulation of the European Union strongly favours use of encryption for protecting individual data. However, security agencies around the world want decrypted data and favour legislation in this regard. The United States, United Kingdom and Australia support a legislation for decryption, while France and Germany are pro-encryption.
The encryption debate has reached the SC, which will deliberate on the matter towards the end of January. The Government of India (GOI) has asked Facebook to decrypt messages, citing national security and asserting that terrorists cannot claim privacy. Tech giants argue that they are not obliged to share the user data and any leeway given to the security agencies will weaken the security architecture and render it vulnerable to hackers and cyber criminals. The government reiterates that Section 69 of the Information Technology Act allows it to issue directives for decrypting any data transmitted or stored in a computer. Earlier, it had threatened BlackBerry with closure in 2012, forcing it to share user data.
The JPC, hence, has a daunting task ahead, balancing the needs of State security against individual privacy. Giving entry to security agencies will compromise the encryption grid and data of millions. The State has to collaborate with tech giants in using the meta-data more meaningfully and for meeting other requirements without breaking the encryption.
The Data Protection Bill also does not touch upon State surveillance methods. Who watches over the watchers? How can an officer of the same rank give permission to another for snooping? And how can another in the same system oversee its justification? Should there be a judicial oversight? The proposed Data Protection Authority (DPA) requires more teeth. The selection committee should include a member of the Opposition and judicial and technical members. DPA also needs to be strengthened by the inclusion of judicial and technical members.
India must give a clear signal to the world that it respects and cherishes individual privacy and freedom of expression, and establish a harmonious balance between the State security and individual privacy of its 740 million internet users.
Yashovardhan Azad is former IPS officer and Central Information Commissioner
The views expressed are personal