[Ed Note : The following is a guest post by Mr. Shailesh Gandhi, Former Central Information Commissioner under the framework of the RTI Act 2005, who has graciously agreed to express his views through this platform]
First Define ‘Privacy’
Category: Privacy
Privacy & Transparency as Complementary Rights: Inadequacies in the Proposed Amendments to the RTI Act
[Ed Note : The following cross – post, authored by Sayan Bhattacharya of NALSAR University of Law, was first posted on the Law School Policy Review. The link to the same can be found here. ]
By leaving essential terms undefined and placing a higher burden to disclose personal information, the amendments proposed by the Srikrishna Committee are defeating the purpose of a right to privacy i.e. to make the state more transparent and the citizen less transparent.
Law Enforcement v. End-to-End Encryption
The age of digital communications with all its power to reach people instantly, anywhere on the globe, still has shortcomings. The instant communications happening all around us through laptops or mobiles involve two crucial processes i.e. encryption and decryption. These two processes are fundamental to the transfer of our voice and messages to the designated recipient anywhere around the world. While data resides on our devices or when it is being transferred, it is susceptible to interception by government or any other third party. Government intercepts these signals of communications, of the people suspected of wrongdoing with judicial permissions but this ability of the governments to gather intel by intercepting communications has hit a wall with the mass use of end-to-end encryption. The E2EE makes it highly improbable if not impossible to intercept such transmission and here lies the bone of contention between law enforcement and the public use of end-to-end encryption.
In a post-Snowden world, there has been relatively more awareness and interest in the right to privacy regarding digital communications; and in knowing when the government can snoop-in on personal conversations. A majority of the communications taking place today are digital and involve two crucial processes i.e. encryption and decryption. Encryption (which is conversion of information into a code) happens when a message/call is initiated. At the same time, decryption (conversion of code back into useful information) happens when the message/call is received by the recipient. There are multiple nuances in this process; both in the technological aspect and the legal aspect.
For quite a while now, WhatsApp chat pages show the message – “Messages and chats are now protected with end-to-end encryption.”. The end-to-end encryption or E2EE (first used in program called Pretty Good Privacy, by Phil Zimmermann in 1991) is a form of encryption that makes it improbable if not impossible to intercept a private conversation. Traditionally, there are 3 instances when a conversation can be intercepted – firstly, from the device of the sender before encryption, secondly, when the information code in is transmission and thirdly from the device of the recipient after decryption.
Cashless Societies: Causes for Concern
A cashless society is no longer a myth but an impending reality, one of the causes for concern is the issue of privacy which this article deals with.
The idea of a cashless society, i.e., ‘a civilization holding money, but without its most distinctive material representation – cash’, is said to have originated in the late 1960s. The transition to go cashless had been slow and steady, but it is now increasing at a rapid pace this last decade. As technology evolves, the shift from a cash reliant to a cashless society is becoming more apparent. At least in the urban society, using ‘contactless payments’ or ‘non-cash money’ is not unheard of. It has been reported that not only did the first debit card possibly hit the markets in the mid-1960s but that in 1990, debit cards were used in about 300 million transactions, showing the rise of the same in today’s society. Before welcoming this change with open arms, we must take care that we do not ignore the security and privacy concerns, some of which will be addressed in this article.
As we are transitioning from a cash-reliant society to a [quasi] cashless society, there are some fears about phones being hacked or stolen, or reliance placed on devices which require batteries or internet – what if either is not available? However, conversely, our cash or wallets could be stolen, destroyed in a matter of seconds, could be misplaced, etc. The only difference is the medium of transaction.
Fear is a factor which inhibits change, however these fears are usually not unfounded. In the year 2014, Target, the second-largest discount store retailer in the United States was hacked and up to 70 million customers were hit by a data breach. Furthermore, 2 years later, it was reported that roughly 3.2 million debit cards were compromised in India, affecting several banks such as SBI, ICICI, HDFC, etc.
Nevertheless, as earlier pointed out, just as financial details present online can be stolen, so can paper money. With each transaction taking place online, the fears of online fraud are present, however Guri Melby of Liberal (Venstre) party noted, “The opportunity for crime and fraud does not depend on what type of payment methods we have in society.” A mere shift in the means of trade will not eliminate such crimes. It is here that I must clarify that a cashless society could be in various forms and degrees, be it debit/credit cards, NFC payments, digital currencies such as bitcoin or even mobile transactions such as M-Pesa.
Bruce Schneier, cyber security expert and author of best seller, Data and Goliath, notes that the importance of privacy lies in protection from abuse of power. A hegemony of the authorities over our information – details [and means] of our every transaction – provides absolute power to the authorities and thus a much higher scope for abuse. Daniel Solove, further notes that abuse of power by the Government could lead to distortion of data; however, even if we believe the government to be benevolent, we must consider that data breaches and hack could (and do) occur.
Cash brings with it the double-edged sword of an anonymity that digital transactions do not provide. A completely cashless society might seem attractive in that each transaction can be traced and therefore possibly result in reduction of tax evasion or illicit and illegal activities; however, though that crime might cease to exist in that form, it could always evolve and manifest itself in some other form online.
One of the concerns raised in this regard is that the government could indefinitely hold or be in possession of our transaction history. This seems to be an innocent trade-off for the ease and convenience it provides. The issue that arises however, as Domagoj Sajter notes, is that every single citizen has become a potential criminal and a terrorist to the government, worthy of continuous and perpetual monitoring. The citizens become latent culprits whose guilt is implied, only waiting to be recorded and proven. The principle of innocent till proven guilty vanishes in the mind of the government.
Furthermore, a completely cashless society places power with the Government with no checks and balances of the same. Advanced technology could disable funding of mass actions, extensive protests and large-scale civil disobediences, all of which are important traits of democratic processes. It is pertinent to remember that Martin Luther King Jr. was tracked by the FBI. Providing the government with more ease in curtailing democratic processes leads to a more autocratic governance.
Consider the following: an individual finds out that the Government or one of its agencies is committing a crime against humanity, and she reports it to the public. Not only could her personal life be excavated to find faults but any support that she would receive in terms of money (in a cashless society) could possibly be blocked by the Government. Minor faults could be listed and propaganda could be spread to discredit her point or deviate the masses’ attention. By controlling the economy, they could wring the arms of the media and force them to not focus on or to ignore the issues raised by her.
Michael Snyder also raises an important point about erasure of autonomy in a cashless society, “Just imagine a world where you could not buy, sell, get a job or open a bank account without participating in ‘the system’”. It need not start with forcing people to opt-in, simply providing benefits in some form could indirectly give people no choice but to opt-in. The Supreme Court of India has noted multiple times that the Aadhar Card cannot be made compulsory (a biometric identity card). However, the Aadhar card has been made mandatory to avail EPF Pension Schemes, LPG Benefits and even for IIT JEE 2017. The Government of India is even mulling making Aadhaar number mandatory for filing of income tax (I-T) and link all bank accounts to the unique identity number by the end of this financial year. The government is concurrently working on developing a common mobile phone app that can be used by shopkeepers and merchants for receiving Aadhaar-enabled payments, bypassing credit and debit cards and further moving to cashless transactions. The Aadhaar-enabled payment system (AEPS) is a biometric way of making payments, using only the fingerprint linked to Aadhaar. These are all part of the measures taken by the Indian government to brute force the Indian economy into a cashless form.
Policing of the citizen is not a purely hypothetical scenario; it has already taken place in the past. In 2010, a blockade was imposed by Bank of America, VISA, MasterCard and PayPal on WikiLeaks. In 2014, Eden Alexander started a crowdfunding campaign hoping to cover her medical expenses, but later, the campaign was shut down and the payments were frozen; the cause being that she was a porn actress. We must also take into account the empowerment that cash provides; consider an individual saving cash from their alcoholic or abusive spouse, or the individual who stuffs spare notes under her mattress for years because it gives her a sense of autonomy. We should take care that in seeking development, we do not disempower the downtrodden, but lift them up with us.
The idea of a cashless society is no longer strange, with multiple corporations and even countries having expressed their interest in going cashless. Harvard economist and former chief economist of the IMF, Kenneth Rogoff in his Case Against Cash argues that a less-cash society [in contradistinction to a cash-less society] could possibly reduce economic crime, he suggests in the same article that this could be executed by a gradual phasing out of larger notes. A cashless or less-cash society is inevitable. In Sweden, cash transactions made up barely 2% of the value of all payments made. The question thus is not about when [it will happen] but what are the safeguards we set up to protect our rights.
For further reading:
1] Melissa Farmer: Data Security In A Cashless Society
https://www.academia.edu/12799515/Data_Security_In_A_Cashless_Society
2] David Naylor, Matthew K. Mukerjee and Peter Steenkiste: Balancing Accountability and Privacy in the Network
https://www.cs.cmu.edu/~dnaylor/APIP.pdf
3] Who would actually benefit from a Cashless Society?
https://geopolitics.co/2016/01/30/who-would-benefit-from-a-cashless-society/
4] Anne Bouverot: Banking the unbanked: The mobile money revolution
http://edition.cnn.com/2014/11/06/opinion/banking-the-unbanked-mobile-money/index.html
5] Kenneth Rogoff: Costs and benefits to phasing out paper currency
Encryption and the extent of privacy
Ed. Note.: This post, by Benjamin Vanlalvena, is a part of the NALSAR Tech Law Forum Editorial Test 2016.
A background of the issue
GCHQ Mass Surveillance in Violation of Human Rights
For the first time since the Investigatory Powers Tribunal’s (IPT) establishment in 2000, a complaint against a UK intelligence agency has been upheld. The IPT, which oversees Britain’s secret agencies, is one of its most secretive and deferential courts. In a judgment last week, the IPT announced that the intelligence-sharing rules between the United States National Security Agency (NSA) and its British equivalent Government Communications Headquarters (GCHQ) governing the exchange of information collected through ‘mass surveillance of internet communications’ were against UK human rights law.
The tribunal ruled that “the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities … contravened Articles 8 or 10 [of the European Convention of Human Rights]”. Article 8 of the European Convention on Human Rights (ECHR) confers the right to respect for private and family life and Article 10 of the ECHR confers the right to freedom of expression.
'Skirting' the Law, Part I
(Image Source: https://flic.kr/p/6LUL9s)
This is the first in a two-part series by Deepthi Bavirisetty on the law on upskirt photography in USA, Japan and India. Deepthi is a 4th Year Law student at the National University of Juridical Sciences (NUJS), Calcutta. She is extremely interested in the intersection between gender and technology. She has previously authored a paper on Revenge Porn.
‘Upskirt’ photography, as the term suggests, refers to the voyeuristic practice of covertly taking pictures of women under their clothing without their consent or knowledge. These pictures, labeled ‘creepshots’, are generally pictures of a woman’s private areas. They are then widely disseminated via the internet, infamously through sites such as Reddit and 4chan.
In 2014, the legality of upskirt photography was brought into question before the US Courts across three different jurisdictions –Washington DC, Massachusetts and Texas. The first part of this post addresses the American perspective on the issue. It seeks to illustrate how America would rather err on the side of caution and permit the morally reprehensible acts of upskirt photography than curtail free speech. The second portion of the post looks into the Japanese perspective on creepshots, which is the polar opposite. Japan prioritizes women’s safety above free speech concerns. This portion of the post also looks into the curious phenomenon of cellphone manufacturers taking law into their own hands to regulate upskirt photography. I argue that this is a classic example of Lessig’s adage ‘code is law, law is code’. I conclude by extrapolating where India lies on the legal spectrum with regard to regulating upskirt photography.
'Skirting' the Law, Part II
Facebook’s Acquisitions: A Before and After Comparison of Privacy
For Facebook, it has never been about the profit, but the users. The social network has spent more than $22 billion on acquisitions, which includes $19 billion on WhatsApp exclusively! That is 2000 times the annual revenue of WhatsApp! Other popular acquisitions include Instagram ($1 billion), Oculus ($ 2 billion) and Atlas ($100 million). With recent psychological experiments conducted by Facebook on its unsuspecting users coming to surface, it becomes imperative to understand how our information is being collected, stored or used. In this blog post, I have tried to analyze the privacy policies (before and after) of three of Facebook’s major acquisitions – Instagram, Moves and WhatsApp.
Privacy on Facebook: An Absolute Prerequisite
[Image Source: http://flic.kr/p/86Q3gF]
Social networking websites have taken the Internet by storm in today’s organic society. One such website, Facebook, with over a billion users has often been referred to as the ‘third largest country’ of the world. The rise of Facebook to soaring heights can be credited to first, the intensive monitoring of its users which enables the company to provide them tailor made services, targeted advertising and second, of course to Metcalfe’s Law, which in common parlance means that the more users there are on a social networking site, the more attractive it will be to people who are contemplating joining. In this blog post, I have tried to analyze Facebook’s privacy policies along the lines of the National Privacy Principles. These principles have been comprehensively dealt with by Justice A.P. Shah in his ‘Report on Privacy’, published by the Planning Commission of India. They also closely tie to Organization for Economic Co-operation and Development (OECD)’s Privacy Principles and European Union’s Data Protection Directives.