Right to Privacy: Does it really exist?

The age-old debate on privacy has raged on for centuries, during which time it caught the fancy of filmmakers, novelists, conspiracy theorists, and who not, but never has it been carved into the touchstone of legislation. The kind of legislation that is in step with the digital times, has realistic ambitions in terms of being able to regulate, apprehend and punish the offenders, while striking a balance between state concerns, and individual rights and being nimble enough to be adoptable. While that's a tall order for any legislation, the rising instances of hacking, data & identity theft, cyber terrorism at an unprecedented global scale will reach crisis levels if the long arm of the law comes up short. It is at this pivotal moment that the Supreme Court finds itself examining privacy laws in India. The WhatsApp case (Karmanya Singh Sareen vs. Union of India) could well do what no moviemaker's imagination has ever been able to achieve, which is to clear the law regarding online privacy. This article does not seek to comment on the merits of the case, but instead explore the various socio-legal dimensions of privacy in today's online society

Right to privacy: Internationally

One of the oldest Constitutions in the world, the American Constitution (1787 AD) has embodied within it, the intangible right to privacy from the earliest of times. 'the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized'- Fourth Amendment (1791 AD).  Over a period of time, the 4th amendment changed to cover a variety of rights such as right against a forcible blood test, forced handcuffing, and in recent times, electronic surveillance as well.  However in the post 9/11 world, when fear ruled, the US under the Bush Administration passed the Patriots Act in record haste granting the US government, wide ranging powers in respect of surveillance including wire tapping and electronic surveillance. The imaginatively named Providing Adequate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001 underwent amendments on four occasions but in the process only overrode and took precedence over much of the lenient legislation that the US had in place earlier.

In other places of the world such as Europe, the right to privacy grew in prominence and became increasingly  recognized. As early as 1953 the European Convention on Human Rights in Article 8 stipulated  'Everyone has the right to respect for his private and family life, his home and his correspondence.' With time as a broader definition of the right to privacy emerged with greater social media participation, the European parliament passed the General Data Protection Regulations recognizing the right of protection of personal data. One of the few legislations in the world that actually defined personal data, it stated' 'personal data' means any information relating to an identified or identifiable natural person (‘data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;' Passed as a directive in May 2016, it gives the 27 member nations of the European Union time till May 2018 to transpose such directive into their own respective laws.

Looking at other places, Russia has an altogether different approach when it comes to privacy. Commonly known as the Yarovaya Act, a counter-terrorism law that was recently passed by the Russian legislature. The Act provides for storing of phone recordings, text messages and internet traffic up to a period of 6 months and even up-to 3 years in some cases, all in the name of combating cyber terrorism. Till date it is the most stringent piece of legislation. It allows for unprecedented data storage requirements, surveillance of civilians, increases the minimal sentence for crimes, provides penalties for financing international terrorism, allowing for government agencies to access encrypted data from the service provider. Further in many instances access to private civilian data can be obtained without a court order. There is very little scope of appeal and even less protection of civil liberties, since the legislation places the interests of national security before all else. While the criticism it has faced is equally unprecedented, the Russian government has granted time till July 2018, for the new legislation to take effect.   

The United Nations in 1990 through a General Assembly resolution adopted the Guidelines for the Regulation of Computerized Personal Data Files which listed a set of 10 broad based principles that each of the member nations should seek to achieve through its national sovereign legislation.  Arguably the most valid argument against these principles is that in a post 9/11 world where online surveillance and voluntary adoption of social media has proliferated these guidelines have ceased to be relevant and neither have they been replaced or updated to reflect the new digital reality.

Online Privacy: Myth vs. Reality

Broadly it is very clear that prior to 9/11, the right to privacy was mostly regarded as a human right and the debate of online privacy was yet to be ignited. Post 9/11 of course it became equally clear that nothing was off-limits for governments in the sacred name if national security was involved. Simply consider the fact that a government agency like the NSA in America has an estimated budget of more than 10 billion dollars. In fact, the total budget of 16 of America's spy agencies exceeds a total of 56 billion dollars.

Now that online spying, the legal word for which is surveillance is the only agenda, to either prevent or start a war, where do individuals, organizations, countries and governments stand? What protection does an individual have from the misuse of data by a powerful social media organization? What if all your pictures, intimate data, passwords, were stolen distributed online, your twitter account replaced, your FB account compromised, your banking security credentials hacked, usernames, passwords to countless of your online platforms all gone within a matter of seconds, for no fault of yours. Who is to blame for this? Given the ridiculous ease with which today a Yahoo, Facebook, Twitter, Sony, NSA or even a lesser entity such as Zomato can get hacked and the speed with which the hacked information can travel across the length of the world, how do you prosecute? Whom do you prosecute? Questions of jurisdiction, availability of evidence to prosecute, but most importantly the existence of a realistic, plausible actual law that can help to bring to book such offenders are questions that need answers.  

Online privacy it could be argued is a myth. If that sounds like an extreme statement, let's consider some of the 'privacy policies' that many of the social media giants employ. Whatsapp with more than a billion users (that's 1 in 7 people on the planet) states as part of it's terms of usage ' you use our services at your own risk… we are providing our services on an 'as is' basis… we do not warrant that any information provided by us is accurate, complete, or useful, that our services will be operational, error free, secure, or safe, or that our services will function'. The privacy policy of Google fares no better, it collects and stores, your IP address, telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls, location, GPS, device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL. Of course all this information is all shared and stored in good faith in the servers of a private Corporation to improve the quality of its products and services. So far so good. But what if there a breach, the kind of breaches that we have witnessed in the past, where all we know is the number of affected users? Given the treasure trove of information that is contained online, what recourse in law does the aggrieved party have? If your e-mail id is compromised for no fault of yours, and you are amongst a million such people, are you entitled to litigate? So what if there is no damage in terms of data being stolen (if that question can be answered in the first place), it remains patently clear that the security systems of the Service Provider are weak. What about the Service Provider? Can it choose to litigate? If so against whom, where? Most of the unsuspecting users who sign-up and use the services of such mega corporations have no clue as to their own rights, the rights of others, the legality of any activity that they indulge in online, and what recourse, (other than approaching the local police) do they realistically have? An estimated 3.2 billion people use the internet in one form or the other. That is literally half the world's population, no other service has such global scale and reach. Similarly no other service has such vulnerability and risk. While it is no one's argument that the Internet should be policed. With the ever growing size and capability of the Internet, policing it will take a while to come to terms for most governments.

In this context, is the privacy policy of these service providers just lip service? A smokescreen? How do you enforce such privacy policy? This goes beyond an ideological debate. Today's chaos exists for the very reason that our laws are inadequate, woefully so. Just ask anyone trying to solve a cyber hacking case, through the police (a famous Bollywood actor should know). The cops are from the cyber sleuths that we love watching in the movies. It's pointless to dwell on their 'cyber training', when at times basic office stationery is not there in such cyber cells, let alone adequate number of computers. The police not surprisingly are at the mercy of a Yahoo or a Google. There is absolutely no compulsion for a Yahoo, Microsoft, Facebook or a Google to reply to the countless queries that they receive from all over the world every day. If in Google's 'Court' your complaint counts as trivial, there is nothing that you or the police can do. The service provider's (Yahoo/Google) mail disclosing and leading to IP discovery, geolocation is the actual evidence, and not the sleuthing done by the police. It's like running around in circles. Apple in fact refused to assist the FBI when America's top crime branch asked it for help to crack open the iphone of a terrorist, in search of clues. This is a fantastic example of a Mega Corporation's policy overriding national security concerns and the law in general.

Where do you draw the line between privacy rights of the citizen, national security issues, and the greater good of society. Mobs don't need to assemble anymore, the war is now online. Facebook, Whatsapp or any other social media is today's medium for spreading hate, recruiting terrorists, theft, hacking, or in short everything that you may have seen in the movies. The democracy under which the Internet operates, allows for constitutionally guaranteed rights to become malleable at the switch of technology.    

Is there a solution in sight?

The kind of risk that the Internet exposes each and every user to is beyond a philosophical approach or an ideological debate. When Ransomware, Cryptoware and Malware is more powerful than your software, it's clear that you have a problem. A problem that crosses jurisdictions, involves 'State Actors', mega corporations and to make matters worse which begins at your doorstep. What recent times have proved more than anything else is that cyber terrorism, identity & data theft, are more common than many other white collar crimes. The Indian Government's insistence, to have everything linked to your Aadhar Card will now leave a digital footprint of each and every person. An estimated 1.12 billion Indians have Aadhar cards by now. While the need for Aadhar is easy to justify what happens in the event of a breach? The Central Identities Data Repository, the current custodian of all our biometric information is a treasure trove for terrorists. The Information Technology Act vide the it's amended sections provides for a penalty of Rs. 1 cr (S.43- Penalty and Compensation for damage to computer, computer system, etc) and Rs. 5 crs. upon companies for Compensation for failure to protect data (S.43A). Similar provisions for identity theft (S.66C), dishonestly receiving stolen computer resource or communication device (S.66 B), cheating by personation(S.66D), cyber crimes violation of privacy (S.66E), cyber terrorism all exist. Question is that there is hardly a respectable conviction cyber crimes. It's a bygone conclusion that your local police station is hardly equipped or competent to solve crimes of this nature or complexity. There aren't enough private agencies that can fill this void, the way it has happened with the Western world. The responsibility lies equally with the Government but more with these Companies that hold such proprietary technology that is altering the human landscape. As more and more users adopt technologies that belong to and are run by private organizations, the transfer of real power will mean increased risk that Governments alone cannot solve. There are clearly no easy answers.

While surveillance is undoubtedly necessary, there have to be curbs in the form of legislation to prevent misuse, corporations have to be held responsible for their lapses, but more important perhaps is a global treaty for prosecution and information sharing in the event of the cyber attacks like the one the world witnessed recently. Simple legislation per se will not be enough in terms of protection, the Government will also have to parallelly invest in such technology that can identify, remedy and protect, the new gold that it holds: data.