The age-old debate on privacy has raged on for centuries, during which time it caught the fancy of filmmakers, novelists, conspiracy theorists, and who not, but never has it been carved into the touchstone of legislation. The kind of legislation that is in step with the digital times, has realistic ambitions in terms of being able to regulate, apprehend and punish the offenders, while striking a balance between state concerns, and individual rights and being nimble enough to be adoptable. While that's a tall order for any legislation, the rising instances of hacking, data & identity theft, cyber terrorism at an unprecedented global scale will reach crisis levels if the long arm of the law comes up short. It is at this pivotal moment that the Supreme Court finds itself examining privacy laws in India. The WhatsApp case (Karmanya Singh Sareen vs. Union of India) could well do what no moviemaker's imagination has ever been able to achieve, which is to clear the law regarding online privacy. This article does not seek to comment on the merits of the case, but instead explore the various socio-legal dimensions of privacy in today's online society
Right to privacy: Internationally
One of the oldest Constitutions in the world, the American Constitution (1787 AD) has embodied within it, the intangible right to privacy from the earliest of times. 'the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized'- Fourth Amendment (1791 AD). Over a period of time, the 4th amendment changed to cover a variety of rights such as right against a forcible blood test, forced handcuffing, and in recent times, electronic surveillance as well. However in the post 9/11 world, when fear ruled, the US under the Bush Administration passed the Patriots Act in record haste granting the US government, wide ranging powers in respect of surveillance including wire tapping and electronic surveillance. The imaginatively named Providing Adequate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001 underwent amendments on four occasions but in the process only overrode and took precedence over much of the lenient legislation that the US had in place earlier.
In other places of the world such as Europe, the right to privacy grew in prominence and became increasingly recognized. As early as 1953 the European Convention on Human Rights in Article 8 stipulated 'Everyone has the right to respect for his private and family life, his home and his correspondence.' With time as a broader definition of the right to privacy emerged with greater social media participation, the European parliament passed the General Data Protection Regulations recognizing the right of protection of personal data. One of the few legislations in the world that actually defined personal data, it stated' 'personal data' means any information relating to an identified or identifiable natural person (‘data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;' Passed as a directive in May 2016, it gives the 27 member nations of the European Union time till May 2018 to transpose such directive into their own respective laws.
Looking at other places, Russia has an altogether different approach when it comes to privacy. Commonly known as the Yarovaya Act, a counter-terrorism law that was recently passed by the Russian legislature. The Act provides for storing of phone recordings, text messages and internet traffic up to a period of 6 months and even up-to 3 years in some cases, all in the name of combating cyber terrorism. Till date it is the most stringent piece of legislation. It allows for unprecedented data storage requirements, surveillance of civilians, increases the minimal sentence for crimes, provides penalties for financing international terrorism, allowing for government agencies to access encrypted data from the service provider. Further in many instances access to private civilian data can be obtained without a court order. There is very little scope of appeal and even less protection of civil liberties, since the legislation places the interests of national security before all else. While the criticism it has faced is equally unprecedented, the Russian government has granted time till July 2018, for the new legislation to take effect.
The United Nations in 1990 through a General Assembly resolution adopted the Guidelines for the Regulation of Computerized Personal Data Files which listed a set of 10 broad based principles that each of the member nations should seek to achieve through its national sovereign legislation. Arguably the most valid argument against these principles is that in a post 9/11 world where online surveillance and voluntary adoption of social media has proliferated these guidelines have ceased to be relevant and neither have they been replaced or updated to reflect the new digital reality.
Online Privacy: Myth vs. Reality
Broadly it is very clear that prior to 9/11, the right to privacy was mostly regarded as a human right and the debate of online privacy was yet to be ignited. Post 9/11 of course it became equally clear that nothing was off-limits for governments in the sacred name if national security was involved. Simply consider the fact that a government agency like the NSA in America has an estimated budget of more than 10 billion dollars. In fact, the total budget of 16 of America's spy agencies exceeds a total of 56 billion dollars.
Now that online spying, the legal word for which is surveillance is the only agenda, to either prevent or start a war, where do individuals, organizations, countries and governments stand? What protection does an individual have from the misuse of data by a powerful social media organization? What if all your pictures, intimate data, passwords, were stolen distributed online, your twitter account replaced, your FB account compromised, your banking security credentials hacked, usernames, passwords to countless of your online platforms all gone within a matter of seconds, for no fault of yours. Who is to blame for this? Given the ridiculous ease with which today a Yahoo, Facebook, Twitter, Sony, NSA or even a lesser entity such as Zomato can get hacked and the speed with which the hacked information can travel across the length of the world, how do you prosecute? Whom do you prosecute? Questions of jurisdiction, availability of evidence to prosecute, but most importantly the existence of a realistic, plausible actual law that can help to bring to book such offenders are questions that need answers.
Where do you draw the line between privacy rights of the citizen, national security issues, and the greater good of society. Mobs don't need to assemble anymore, the war is now online. Facebook, Whatsapp or any other social media is today's medium for spreading hate, recruiting terrorists, theft, hacking, or in short everything that you may have seen in the movies. The democracy under which the Internet operates, allows for constitutionally guaranteed rights to become malleable at the switch of technology.
Is there a solution in sight?
The kind of risk that the Internet exposes each and every user to is beyond a philosophical approach or an ideological debate. When Ransomware, Cryptoware and Malware is more powerful than your software, it's clear that you have a problem. A problem that crosses jurisdictions, involves 'State Actors', mega corporations and to make matters worse which begins at your doorstep. What recent times have proved more than anything else is that cyber terrorism, identity & data theft, are more common than many other white collar crimes. The Indian Government's insistence, to have everything linked to your Aadhar Card will now leave a digital footprint of each and every person. An estimated 1.12 billion Indians have Aadhar cards by now. While the need for Aadhar is easy to justify what happens in the event of a breach? The Central Identities Data Repository, the current custodian of all our biometric information is a treasure trove for terrorists. The Information Technology Act vide the it's amended sections provides for a penalty of Rs. 1 cr (S.43- Penalty and Compensation for damage to computer, computer system, etc) and Rs. 5 crs. upon companies for Compensation for failure to protect data (S.43A). Similar provisions for identity theft (S.66C), dishonestly receiving stolen computer resource or communication device (S.66 B), cheating by personation(S.66D), cyber crimes violation of privacy (S.66E), cyber terrorism all exist. Question is that there is hardly a respectable conviction cyber crimes. It's a bygone conclusion that your local police station is hardly equipped or competent to solve crimes of this nature or complexity. There aren't enough private agencies that can fill this void, the way it has happened with the Western world. The responsibility lies equally with the Government but more with these Companies that hold such proprietary technology that is altering the human landscape. As more and more users adopt technologies that belong to and are run by private organizations, the transfer of real power will mean increased risk that Governments alone cannot solve. There are clearly no easy answers.
While surveillance is undoubtedly necessary, there have to be curbs in the form of legislation to prevent misuse, corporations have to be held responsible for their lapses, but more important perhaps is a global treaty for prosecution and information sharing in the event of the cyber attacks like the one the world witnessed recently. Simple legislation per se will not be enough in terms of protection, the Government will also have to parallelly invest in such technology that can identify, remedy and protect, the new gold that it holds: data.