August 24 has passed, marking five years since a nine-judge Bench of the Supreme Court of India delivered a crucial judgment in the case of Justice K.S. Puttaswamy (retd.) vs Union of India (2017). The judgment delivered on that date formally recognised the right to privacy as being a fundamental right stemming from the right to life and personal liberty, guaranteed under Article 21 of the Indian Constitution. The Bench also held that while the right to privacy is intrinsic to an individual’s ability to exercise bodily autonomy, it is still not an “absolute right” in and of itself, and is subject to limitations similar to those placed on the right to free speech and expression.
Five years later, however, the would-be beneficiaries of the agency that the recognition of the fundamental right had promised may realise that the order delivered as part of the judgment has not been upheld in letter or in practice. For example, one can consider the nature of the relationship that is currently shared between consumers and companies. If one looks at where the negotiation of privacy stands now, one would realise that not much has changed following the formal recognition of the right to privacy. The Personal Data Protection Bill, 2021, which had been in the offing for quite some time (despite how flawed it may have been), was withdrawn earlier this month after an unnecessarily long period of stagnation.
Personal data for a price
Meanwhile, the ground reality for the citizenry has not changed much either. Data security breaches which result in the loss and theft of personal, sensitive data have not reduced in measurable frequency or in impact. Even worse, as of today, any person or business within and outside India is still in a position where, for a slight bargain, they can procure the personal information of a vast majority of the people, categorised and labelled neatly wherever possible, for use and consumption.
Data of the scale and nature described here is used most often by some legitimate advertising agencies, unscrupulous telemarketing firms, and cyber criminals. Brokers of such data have in fact become so brazen that they have taken to listing their goods for sale on mainstream e-commerce platforms. This may be done in a bid to reach more customers who can discover and subsequently purchase the data they provide, but perhaps also in an attempt to lend some kind of legitimacy to the unethical and possibly illegal nature of their trade. This status quo leaves the general populace open to a range of harms in the form of elaborate phishing attacks and financial scams aided by the attacker’s access to personal information, as well as other harmful activities which rely on the attacker possessing key bits of information about an individual.
‘Spying’ from above
While the threat model for a general user of the Internet in India may only comprise non-state actors (such as cyber criminals and unscrupulous businesses), individuals with certain political and intellectual affinities have found themselves worrying about the capabilities of the Government in this regard, and rightly so, as far as the security and integrity of their electronic devices are concerned.
An investigation in January 2022 by The New York Times offered some credence to the debate and outcry that had existed around the alleged use of the Pegasus spyware in India. The investigation revealed that the Indian government had purchased access to the Pegasus spyware suite in 2017 as part of a roughly $2 billion acquisition deal for weapons and miscellaneous surveillance gear from Israel. The alarming revelations, and the planting of incriminating evidence in at least one case targeting Indian nationals (alleged to have been carried out by the Government of India), reveal a blatant disregard for any jurisprudential significance the Puttaswamy judgment might have been thought to carry.
The recent interventions by the Government which aim to restrict Indian nationals from subscribing to and accessing VPN services show a similar disregard, too. Summarily, the Government has demanded that VPN service providers — most of which operate in jurisdictions outside of India — start collecting and maintaining KYC records on Indian nationals who seek to avail their services.
The kind of information requested to be collected and stored includes general identifiers such as full name, phone number, home address, and more (information which generally is not sought by VPN service providers, and which may only be validated by a potential customer having to furnish valid identity documents to a given service provider), along with a small box asking for the “reason” for which an individual sought access to the VPN service. The justification provided by the Government for the request to collect and furnish data predictably begins and ends with a mention of the words “national security”.
While it need not even be said that VPN services in and of themselves do not enable or significantly further criminal activity in a way where such a response would be warranted, the Government’s position demonstrates that it is not above placing hindrances in an individual’s effort to exercise their fundamental right to privacy, of which informational privacy is a part. However, this should not be surprising given other privacy-infringing transgressions, and considering that the initial position, argued by the then Attorney General, was that “the right of privacy may at best be a common law right, but not a fundamental right guaranteed by the Constitution”.
In light of all of this, five years later, it can be said confidently that the Puttaswamy judgment has missed the mark quite spectacularly for the objective that was sought, and that it represents a foregone opportunity to protect the rights of Indian citizens while ensuring all of the checks and balances necessary to prevent Government overreach and abuse of power.
Karan Saini is an independent security researcher and public interest technologist. He is presently a Technology Fellow at Bellingcat.