Ep 10: Digital India | The Seen and the Unseen


#
Welcome to the IVM Podcast Network.
#
A few days ago, I was walking down the boulevard
#
when a man in a long black coat and a long black hat
#
wearing dark glasses stepped in front of me and said
#
I know what you did last summer.
#
I was surprised. I told him so. Even I know what I did last summer.
#
The guy seemed surprised by that.
#
He took a deep breath and then he said
#
I also know what you did last evening.
#
He paused. Then he took out his phone and held it in front of my face.
#
There was a picture of me in my underwear and
#
I won't tell you what else was in that picture but I was shocked.
#
How could you get this picture? I will complain to the police.
#
Ha ha ha. He laughed like a maniac.
#
If you go to the police, I will show them what you did last week.
#
He swiped the screen and showed me what I did last week.
#
I freaked out. I am getting out of here, I said. Get away.
#
But as I brushed past him, he laughed and said
#
You can't get away from me. For one thing, you can't run fast enough.
#
You had 18 malai malpuas on Saturday.
#
You have a BMI of 29.2. If you run now, you will be out of breath in 41.3 seconds.
#
Remember what your doctor emailed you a month ago.
#
Your cholesterol level is too high for this.
#
I was angry now. Who are you and how do you know so much about me?
#
He replied. Maybe I am the government.
#
And maybe I am you.
#
At this point, he whipped off his tall black hat and dark glasses
#
and I saw that he looked just like me. Only a little more handsome.
#
I almost fainted. What shit is this? Who are you?
#
Did you hear me? He said. I am you.
#
I have stolen your identity. You don't exist anymore.
#
You are a ghost that walks. Mu ha ha ha ha ha ha. Mu ha ha ha ha.
#
Welcome to The Seen and the Unseen.
#
Our weekly podcast on economics, politics and behavioral science.
#
Please welcome your host, Amit Varma.
#
Welcome to The Seen and the Unseen.
#
Everyone these days is talking about digital India.
#
Digital India is this. Digital India is that.
#
So much convenience. Let's go cashless. This is heaven on earth. Blah blah blah blah blah.
#
Well, I have with me today on the show a man who would advise caution.
#
Devangshu Datta is a columnist based in Delhi
#
who has written extensively on technology and economics.
#
Devangshu, tell me what are the downsides of digital India?
#
There are two major downsides. One is privacy and the other is data protection.
#
They are not exactly the same thing.
#
Privacy leads into surveillance in the sense that there could be an all-seeing,
#
all-monitoring Netra as it's called system which takes my data, your data, collates our metadata,
#
figures out for instance that we are sitting right here right now
#
using our various locational bits and pieces on the phone
#
and by inference figures out that we must be either doing a podcast or some other kind of recording.
#
That's one level. The fact is that for a modern human being if you're carrying anything like a,
#
let's say a metro smart card or your phone is just switched on,
#
you can be located pretty much to within a hundred meters of wherever you are 24x7
#
which means if that data is put together with other things,
#
for example if you visited a medical lab and you happen to have searched online for let us say HIV tests,
#
it doesn't require a great deal of intelligence and a deep learning AI program could take this and say that
#
well you know we have reason to believe that this man might have been interested in testing for.
#
So sensitive medical information can be inferred even if it cannot be directly proved.
#
If you're using a card to pay for a medical test, a pathological test, then we take that one step further.
#
That's privacy. Let us say we need to define what is private and what is not private in a more clear way.
#
The second thing is criminal use of data.
#
If something like Aadhaar gets hacked, you could first of all shut down a lot of government schemes.
#
Secondly you could do you know fairly nasty things like transfer huge sums of money
#
either into bank accounts or out of bank accounts. You could cause a completely chaotic situation.
#
You could potentially cause identity theft or you could swap identities.
#
For example if your biometric information is swapped with my name and mine is swapped with somebody else's name,
#
you'll have complete hysteria up and down the line.
#
Again it's not very clear A what level of security exists to prevent such malicious acts happening
#
and if something like that happens it's not clear what kind of restitution would be available for an affected entity.
#
It might not be an individual, it could be a corporation which got hit with something like this.
#
So I have two further lines of questioning from there.
#
The first one is fairly trivial but to go back to the privacy point,
#
a lot of common joes say that look the point about privacy matters if say you're a political dissident
#
like you and I might well be and the government wants to shut down your free speech or whatever
#
then it matters that they can see where you are 24x7 and can spy on you.
#
But for the common joe what is the big deal if various bots everywhere are figuring out their preferences
#
and serving them more targeted ads?
#
Well it can run into a problem in the sense that for example if you happen to have a taste for eating beef
#
and you happen to have gone to Goa or Kerala or West Bengal where it is perfectly legal
#
and you have bought and cooked and eaten beef and you come back to Bombay
#
and your neighbour happens to get this information and decides to embarrass you a lot by making it very public.
#
You could run into a social law problem. You might for example have gone to a massage parlour in Delhi
#
which is again perfectly legal and you might have paid the masseuse something extra.
#
Again this is perfectly legal but it is also information that could be potentially embarrassing to you.
#
But really no one else's business if I choose to let, this is one of the points many people make, it is my data.
#
I would like to own it. If I choose to tell Google that hey I happen to be at the crossing of SB Road and Linking Road
#
or I want to know the nearest place where I can buy a bottle of wine, that's fine.
#
I am asking for a certain amount of information and you are welcome to make what you will of that information.
#
But I would like to be in control of my data. I would like to know how much of my data is out there
#
and how much of it is digitally dispersed in different silos and how much of it is available at one spot to one all seeing eye.
#
Again this is an example I am taking from a friend of mine who is fairly wealthy and since he drives an Audi
#
if he commits a minor traffic infraction he tends to get hit for huge sums in bribes.
#
I drive a much less upmarket car and committing the same infractions I get asked for smaller bribes.
#
This is the copper who is going by the fact that well making a judgement call that fine this man is the owner of a very expensive car
#
so he can afford to pay a certain amount more in the way of speed money.
#
Now if the copper actually had access to your PAN number and your IT account he could fine tune his demands in a much more fine grained fashion.
#
He could actually say that well you know I know you have just withdrawn 15,000 rupees from the ATM.
#
Give me 10.
#
And give me 10 as the case may be.
#
So for someone who is into rent seeking this is a feature not a bug it helps him.
#
It is a feature and the point is that it is also a feature which if I was a black hat I would be rubbing my hands with glee
#
because I could be into rent seeking and get into these systems and use ransomware.
#
There is so much you can do.
#
There is so much you can do.
#
Okay my second question is really a two part question.
#
One is that countries which are further down this road than we are,
#
what kind of safeguards typically have they put in place to protect both privacy and sensitive data?
#
And secondly what are we doing wrong?
#
What more should we do?
#
Okay.
#
The first thing I think is that you have to see data protection and security as part of your essential infrastructure.
#
It is just as essential as having a good high speed optic fiber line which can run at 20 Gbps or 60 Gbps or whatever.
#
It is as much part of your infrastructure as that.
#
If you put in the security and the precautions right at the beginning it will not be patchwork.
#
It will be much more holistic and it will also be cheaper and more cost effective.
#
Second things other countries have done, you start with the basics.
#
First you define what is sensitive data.
#
Then you define who owns what as in how much of your personal data is actually your personal data
#
and how much of it is stuff that for example your PAN and your IT is known to the government on a need to know basis.
#
They are imposing taxes on you, they need to know your income.
#
However only one specific department of the government needs to know your income
#
that should not be accessible without a warrant to any other random government officer.
#
If there is no need for it, it should not be asked for and it should not be available except under warrant.
#
Second you impose certain basic norms on the guardians of that data.
#
As of now there is no punishment if for example a hospital keeps its medical records unencrypted online.
#
We had an incident last week where somebody downloaded 43,000 PathLive reports in Bombay
#
just to show that it was available unprotected.
#
Now that's sensitive information.
#
It affects insurance, it affects possibly friends and partners of the people who went through those tests
#
and it affects their careers.
#
There is no legal liability for the lab in question because it isn't recognized under law as a breach.
#
You need to impose certain basic security considerations on guardians of this data and that includes the government.
#
In fact the government is the biggest guardian but on banks, on governments, on insurance companies
#
who have to have a lot of sensitive data on hand.
#
So how do the US and European countries handle it?
#
They do have very carefully defined laws as to what is sensitive data
#
which includes things like location which are not considered sensitive even in the most broadest of Indian laws.
#
Your right to privacy does not include location.
#
In fact the government has argued that privacy should not be a fundamental right
#
but location is not even considered sensitive.
#
Your medical records are at least considered sensitive.
#
So nobody has an obligation to protect your location.
#
Google could sell your location if tomorrow somebody wanted to know what does Amit Varma do.
#
Google could say we don't really know but 24x7 this is where he is and this is his weekly routine.
#
Other countries have then imposed certain basic security norms on guardians of that data.
#
They have to be kept in digitally secure vaults.
#
They have to be maintained with that security being upgraded as computer systems improve
#
because obviously yesterday's digital encryption is not good enough to last today.
#
And finally there is restitution in the sense that if data is hacked and put online or there is a breach
#
you can sue and the guardian in question will be forced to pay a certain amount of compensation.
#
There have been class action suits for example every time that credit cards have got hacked in America.
#
Here in October you had four million odd debit cards being hacked across five different banks.
#
The question of restitution does not arise.
#
The banks will at best settle whatever bills happen to be run up by the people who hack those cards.
#
They will issue new cards but they can't be taken to the cleaners as they should be
#
for having kept them in an insecure way.
#
So you need to impose those mandatory safeguards
#
and to punish people who do not maintain those mandatory safeguards.
#
And overall you need a data protection law.
#
We do not have a data protection law.
#
You need of course to define privacy.
#
There should not be a scenario where, to take a very famous case, Niira Radia,
#
the Radia tapes were leaked.
#
They were supposedly collected as evidence by a wing of the CBI.
#
They leaked. No one has really debated the authenticity of those tapes.
#
People have implicitly agreed that those tapes were by and large authentic.
#
They may have been fiddled with but by and large they were authentic.
#
They were gathered for an investigation which went nowhere.
#
Some 50,000 hours worth of tapes were recorded and they were released.
#
Have you heard of a single policeman being even indicted for this rather than going to jail?
#
There are other laws of evidence.
#
I mean if you walked into a police station and stole evidence
#
which had been gathered in a physical crime.
#
Let us say you took away all the weapons which had been gathered in a terrorist encounter.
#
You would be liable under law. So would the police for letting you have it.
#
There is a much greater laxity because it is data.
#
If the buck does not stop with the Home Minister, does it stop with the Home Secretary?
#
Does it stop with the Commissioner of the Police Department which allowed this to happen?
#
Who does it stop with?
#
Maybe in a cashless society there is no buck.
#
Who does it stop with?
#
So I have a further question. Almost all of my data probably is say with big companies like Google and Facebook.
#
Now do they have different policies in different countries to safeguard this data?
#
How does it work?
#
They do have different policies in different countries.
#
For example, Facebook and Google have run into a lot of problems with the EU
#
because the EU has much higher privacy standards than America even.
#
In certain cases, for example, Russia has insisted that if you are going to be running services in Russia,
#
you have to have your servers located in Russia, which is of course the big state surveillance thing
#
because then they have much more control over being able to suck data out of your servers.
#
But yes, they comply with local privacy laws where those laws exist.
#
Now in India, in fact, it was people from Google who told me that location data is not considered sensitive under Indian law.
#
And in other countries it is.
#
It is of course considered sensitive.
#
I mean it is obviously, I would have thought this is completely self-evident that location data is sensitive.
#
It's only Indian law which for some reason when they made the initial IT Act,
#
presumably they did not think that location was possibly gettable.
#
At that point of time, it wasn't common to be able to GPS.
#
So would it be correct to say that at that point in time when the IT Act was put together,
#
it was more an act of commission because they didn't understand the implications well enough.
#
Yes, possibly.
#
But then you do need to update an act like that.
#
There will be other unforeseen bits and pieces of data which become sensitive as things get more fine grained.
#
So without specifying what they are, you need to account for the possibility right now.
#
Yes, for example, the whole thing about if I have a phone which is turned on
#
and if I have allowed an app access to my microphone,
#
it is technically quite possible for the app to be recording this conversation as we have it.
#
And while it may not be very easy right now, you have to allow for this possibility.
#
And if you are writing a new law, you have to have let us say a catch-all category
#
which has any data which may become sensitive in future.
#
We are dealing with a science fiction situation that way.
#
So I have a two-part question to follow up on that.
#
Part one is that if you then had to update the IT Act to make laws regarding privacy,
#
would you want to customize them to India or could you just say copy-paste from one of the European countries
#
which has handled it well so far and they would suffice?
#
Number one.
#
And the question number two is that what are the obstacles to these kind of reforms in India?
#
Are there any obstacles? Is it just bureaucracy?
#
Is somebody protecting their turf? What's the deal?
#
You could largely, I think, copy-paste from the EU's norms
#
which are the most evolved where these things are concerned.
#
For example, EU even has something slightly controversial, the right to forget,
#
meaning you can ask a search engine to put non-index information about you.
#
You might need to mindfully tweak it for Indian context,
#
but yes, I think that would make a good working template.
#
The second part of this resistance to this, I think, is because of two things.
#
One is there is reluctance on the part of India Inc, of commercial startups, etc.
#
to let these protections happen
#
because right now there are a lot of commercially positive implications
#
to being able to, for example, locate you.
#
Give me an example.
#
Well, Zomato can figure out how many restaurants will deliver to your exact area.
#
Google can figure out whether you are more likely to read military history
#
or books on cooking, for example, two fairly common hobbies.
#
So there is a reluctance to let commerce be impeded by this.
#
And at the government level, I think there is a reluctance to have safeguards
#
put on the government's ability to survey, to track and survey people.
#
For example, in theory, Britain has just put in an extremely regressive surveillance act,
#
which looks a bit odd because Britain also has fairly high privacy safeguards.
#
The point here is that Big Brother can watch you in Britain,
#
but Big Brother also has to get an okay from his Big Brother.
#
So there is a chain of potential consequences.
#
We don't have those safeguards.
#
And I don't think the government would like to have those safeguards.
#
Right now, as it stands, a verbal order from a policeman of, you know,
#
any IPS officer basically can give a verbal order saying,
#
put a tap on these guys, you know.
#
And I suppose this is especially a worry as we get more and more authoritarian.
#
And a classic example of that which comes to mind is the leak about
#
Teesta Setalvad using her credit card to buy alcohol, which is, you know,
#
again a massive breach of privacy and it's besides being completely irrelevant to anything.
#
It is purely an attempt to embarrass somebody who is a critic of the government.
#
And yes, I mean, if her credit card had been used to buy whatever birth control pills or whatever.
#
Again, and the fact is that again that leak happened with impunity.
#
Because the government has every right to collect financial information on you,
#
specifically in a case where it suspects that, you know,
#
you have financial improprieties involving a tax, an organization which gets tax breaks.
#
It has every right to collect that information.
#
As the law stands, it also has the right to dump it in public domain in order to embarrass you.
#
If you had a privacy law, this was at an open.
#
In fact, the example you use was open press conferences.
#
It wasn't hush-hush take it out.
#
It wasn't the leak.
#
It wasn't hush-hush take it out the side door.
#
It was so, you know, it has a right to embarrass you.
#
So I have one final question for you.
#
I mean, we are ending this episode on a slightly pessimistic note
#
because it's obvious that there are powerful interests such as the government and big corporates
#
ranged against giving us a kind of privacy and data protection that we might want.
#
But my question to you is that as an individual user and as an individual generator of data,
#
so to say, what can we do as best as we can to safeguard our interests?
#
There's a level of individual security which you can put in
#
to try and see that your own communications are not,
#
for example, use email which has fairly strong encryption,
#
use something like Signal or WhatsApp which is end-to-end encryption.
#
Beyond the point, you can't because you're engaged with a banking system.
#
As an example, I've used increasingly in conversations
#
in the last couple of weeks after demonetization happened that,
#
well, you know, as the government says, it is very easy to transfer money into your account
#
using a direct benefit for gas subsidies and MNREGA, etc.
#
It is equally easy to transfer the money out.
#
Right.
#
And assuming you're engaged with the economy in any given way, unfortunately, you are at,
#
without laws, you are entirely at the mercy of the government if it decides tomorrow
#
at its discretion to transfer money out of your account.
#
So a cashless economy in a sense is the end of freedom.
#
It is. In that sense, it is very much the end of freedom.
#
I mean, you're talking about electronic bytes.
#
If there is no law to protect that data, and it might not even be the government,
#
it could be a clever hacker's collective.
#
Right.
#
Devangshu, thanks a lot for being on the show.
#
And in case Big Brother is listening in, hey, Big Brother, what's up?
#
Thanks. You're welcome.
#
Talking to Devangshu made me wonder why I call the show The Seen and the Unseen.
#
In the times we live in, can anything really be unseen?
#
Having said that, in this shallow age of short attention spans, can anything even be seen?
#
Maybe there's no seen. Maybe there's no unseen.
#
That's an apt philosophical note on which to end this episode.
#
See you next week.
#
Hi, this is Amit Doshi, and I wanted to thank each and every one of our listeners.
#
It's been two years since I founded IVM, and it's been an amazing two years.
#
We wanted to learn a little bit more about who is listening to our shows,
#
and so we put together a short survey.
#
The survey is anonymous, and we aren't going to be collecting any personal information.
#
I would really appreciate it if you could take a couple of minutes out of your day
#
and go to ivmpodcast.com slash survey and fill it out.
#
Thanks, and please keep listening.
#
Hey, man. Just help me out, man. I need some podcasts, man. I haven't had a fix in a week. Just need some.
#
Don't you worry about it. I got podcasts all over you, man. Just go to ivmpodcast.com.
#
You can also find us on Facebook, Twitter, and Instagram.
#
Thanks, man. I'm going to check it out.