DemonEtiZation and India’s loss of Privacy in the Digital Age
“Data is the new oil”.
What British Mathematician Clive Humby prophesied in 2006, Narendra Modi has realized in 2016. There is no denying that we are firmly in the age of data and will be remembered by history as such. Personal data is the new oil of the internet and the new currency of the digital world.
India found itself in the throes of an unprecedented social experiment on November 8 after Prime Minister Modi announced that Rupees 500 and 1,000 currency notes would no longer be recognized as legal tender. Apart from ferreting out “black money” the second primary objective was to transform India into a digital economy. It is the second reason this essay is concerned with.
According to World Bank figures, about 354 million Indians, 27 percent of the population, are connected to the internet. Only 12.81 percent of this population, 45 million, reside in rural areas. A forced transformation into a cashless economy with little preparation and no acknowledgement of the concerns is worrisome for the population that is connected to the internet as well as the population that is not.
Issues of information privacy, security, surveillance and data based discrimination crop up immediately that are directly related to and arise out of digital transactions. Modi’s nudge to the country in the direction of digital transactions through the internet also makes it easier for government surveillance. Cashless transactions made through the online route or even by swiping our debit/credit cards turn into digital records that in turn become data to be stored in a server.
What does this mean? Digital footprints.
Whether it is Paytm, Flipkart, Amazon, Bookmyshow, Uber or online electricity payments, any transaction made electronically has a permanent record. This makes it enormously easier to keep track of people’s spending and consumption as compared to cash transactions.
The data contained in the online purchase of a movie ticket, for example, is substantial. A record of a transaction contains data about the person, the commodity/service purchased, the type of card used, the date and time of transaction, the person’s location, age, gender and the type of phone or laptop used. Now imagine a million people doing the same across India’s dozen big cities on a daily basis. Suddenly a website or mobile app has a treasure chest of data of millions of people scattered across the country. What happens to this data? This data is then mined. It is put through a rigorous churn of algorithms to identify patterns, trends and habits. A lot of the mined data is used by marketing companies to understand consumer behavior in order to sell the information to third parties and deliver targeted advertisements to individuals connected to the internet.
The rise of big data has been rapid and disruptive. Since the dawn of the new millennium the world's technological capacity to store information grew from 54.5 exabytes (1 EB equals 1 billion gigabytes) in 2000 to a staggering 1,200 exabytes by 2014. It is reported that 5 exabytes contain ‘all words ever spoken by human beings’. A logical progression of this explosion has been data mining – the algorithmic process of sifting through enormous amounts of data to detect patterns and correlations.
This kind of data is being put to incredible new uses through data mining with the assistance of inexpensive computers memory, powerful processors, smart algorithms, clever software and math that borrows from basic statistics. This, in turn, has led to tens of millions of profiles of people connected to the internet and those behavioral profiles sorted into hundreds of databases, classifications and segments based on spending and consumption patterns. This is where issues of privacy, surveillance and discrimination arise.
Digital transactions and violation of privacy
Big data is valuable and worth a lot of money. This is because once mined and analyzed, it provides extensive predictive information about individuals and their tastes, preferences, opinions, behavior, spending and consumption habits. At present, people making electronic and digital transactions through websites and apps have little idea what information exactly is being collected about them and what is being done with that, or for that matter, who has access to all that information and who is buying and selling the same. Any financial information is always sensitive and data mining can reveal information about how much we spend, what we spend on and even what income brackets we fall under. Coupled with Aadhar and PAN cards, this treasure trove of financial data could also provide an easy way for government surveillance.
Even as demonetisation thrusts cashless transactions through e-wallets, banks, and apps upon the people, there is a serious lack of clarity on how these financial technology (fintech) companies handle customer data and how it is shared with other entities. In the absence of a privacy controller body in India, the vagueness surrounding the handling of sensitive information of millions of Indians are at risk. Furthermore, neither has the government released any statements regarding these concerns nor has it disclosed whether financial information collected by fintech companies like PayTm is being shared with the government.
Going Cashless and Security Concerns
Currently only provisions under Section 43A of the Information Technology (IT) Act spells out the laws of data protection of individuals. There are currently no laws dedicated to digital transactions. While the Reserve Bank of India sets privacy and security standards for banks, fintech companies like PayTm, Mobikwik and Freecharge, which operate as digital wallets, fall under the Non-Banking Financial Corporation (NBFC) category, and are excluded from the RBI rules. In the absence of RBI rules, a customer losing money in an online transaction or finding her information compromised will have to rely on section 43A of the IT Act which places little liability on the data collecting companies.
The implementation of the law in this enforced age of cashless transactions needs to be strengthened urgently. In 2011, the government eventually issued eight rules under Section 43A which were based on principles of privacy that have been implemented around the world three decades ago. These provide fleshed out definitions of “sensitive personal data or information” and includes “financial information” within its ambit. Despite placing responsibilities on data collectors, requiring them to gain consent of individuals prior to using their data and restricting the transfer of data only to third parties who have similar standards of compliance, there is little accountability so far. However, in the event of loss of money or sensitive information through a hack or misuse, the data keeping company, to avoid liability, has to simply demonstrate the “implementing and maintaining reasonable security practices and procedures.”
The lack of transparency and information regarding ethical data practices means very little information is available to the people about what goes on with their financial information behind the bright screens of their smartphones. Research by Bengaluru-based think-tank, Centre for Internet and Society (CIS) shows that some of India's largest technology companies still do not comply with Section 43 A. "We have a minimal data protection law in our IT Act and that will apply to all the Fin Tech players. But our ISPs and Telcos don't comply with Section 43 A, so you can imagine in the FinTech sector the compliance will be even lower," said Sunil Abraham, Executive Director at CSI to a newspaper.
The Road Ahead
As more Indians adopt digital routes to make transactions as warranted by demonetization, the Modi government owes the country greater clarity regarding the protection of their privacy and security. The Watal committee headed by former finance secretary Ratan Watal has made several recommendations to the center. The government’s push for cashless transactions must be backed by a legal framework that keeps pace with the ground realities and to do so, the committee on digital payments has pushed for urgent legislative steps. A dedicated law towards digital transactions is imperative.
Moreover, Under Section 43 A there are provisions to allow a sector to form a consortium that mutually agrees to set security standards, which all players must adhere to and is valid in the court of law during dispute resolution. In the absence of clear laws governing digital payments this move is encouraged by experts as governments often lack the bandwidth to define sectoral specific laws. Finally, a mandatory cybersecurity audit of fintech companies to ensure the protection of personal data and adequate security measures to prevent misuse or hacks.
The present BJP led government would do well to encourage transparency in the handling of data and usher in an environment of data ethics and data protection which respects its citizens’ right to privacy, security and dignity in the digital age.
Sushovan Sircar is a masters candidate at the Communication, Culture & Technology program in Georgetown University, Washington D.C. His concentration is on cybersecurity policies, information privacy, surveillance and big data. Prior to his masters the author worked as a reporter with The Telegraph newspaper in Calcutta for three years. He also earned an MA in journalism from Jamia Millia Islamia University, New Delhi.
(Disclaimer: The views expressed are the personal opinion of the author and do not express views of GU India Ink)