Bruce Schneier, in his book Data and Goliath, talks about the “hidden battles to collect your data and to control your world”. In 2015, this notion did not seem so sinister. The nightmare has unfolded so slowly since then that the world has missed the horror of it. Various kinds of data are used for corporate and government surveillance around the world. This includes location, identity, transaction, activity and communication details. Sources of these data points include desktop computers, email accounts, social media platforms and networks, and now the most potent source is our mobile devices.
While most apps initially originated in the US-Europe region and inherently complied with the privacy and security regulations prevalent there, this changed when apps from regions and countries with entirely different legal environments came up. Take, for instance, WeChat, which functions differently for its Chinese subscribers and for its foreign ones. It is fully compliant with the real-time censorship of the Chinese state, which is implemented by the Great Firewall (GFW). The Internet has no boundaries, de facto or de jure, hence hundreds of millions of Indians today are subscribers of apps made in the US and China. The Cambridge Analytica scandal proved beyond doubt that subscriber data can be put to use for sinister purposes, including regime change. Little bits and bytes of data leak information about individuals, but when this is aggregated, it can have severe national security implications.
A closer look at the data collected by mobile phone apps would give us a glimpse into the possible threats from a geopolitical perspective. The apps on your cell phone collect data about:
1. Who you are: This includes biometrics like fingerprints and retinal scans, a person’s physical characteristics and other personally identifiable information.
2. What you do: Your activities like travel and GPS location, and a person’s behaviour and movement patterns.
3. What you have: This includes documents and numbers such as a national identity number, passport, bank account numbers, etc.
4. What you know: Information known only to the person, like a personal identification number (PIN), usernames and access tokens.
Recently, when governments across the world started to utilise contact tracing for prospective identification of Covid-19 exposure, serious concerns regarding privacy were raised. It is high time that similar questions were asked about the hundreds of other apps used by a very large percentage of the Indian population. These questions include the legal and regulatory issues surrounding the collection, processing, retention and use of the personal data processed by these apps.
While apps arising out of Europe have to be compliant with the General Data Protection Regulation (GDPR), the US tech ecosystem is also democratically regulated (you can go to a court). Data protection principles in totalitarian states like China are highly questionable. Thus, regarding Chinese apps, there is no transparency and no information about data subjects’ rights; one knows nothing about the principles of consent or the other legitimate grounds for the processing of personal data. Similarly, data transfers and processing by third parties are also opaque. This leaves an Indian citizen very vulnerable to exploitation by a totalitarian, non-democratic state that surveils and censors its citizens 24×7.
Looking at the proliferation of Chinese apps, a single app, TikTok, has been downloaded by 467 million users in India and boasts a user base of about 120 million. It was downloaded by 277.6 million users in India in the first 11 months of 2019 alone. Another app, Helo, is now used by 40,000,000 Indian users. UC Browser, which has been repeatedly flagged for serious data privacy violations, is used by more than 430 million users worldwide and has over 130 million Indian users. The list is endless, and literally hundreds of terabytes of sensitive data are flowing to these Chinese firms on a daily basis.
In a totalitarian state, the lines between government and business interests are opaque. Giants like Apple can resist the US government (supposedly) and decline to share data on the grounds of individual privacy, but the record of Chinese corporations in compliance with data requests by their state is unclear.
The Union Ministry of Electronics and Information Technology (MeitY), as per Section 69 of the Information Technology Act (IT Act), is empowered to block public access to any online information under specified circumstances, such as the sovereignty and integrity, defence and security of the state, friendly relations with foreign states or public order, or for preventing incitement to the commission of any cognizable offence relating to the above.
The procedure for blocking websites/URLs is laid down in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. The said blocking by MeitY is done in compliance with a court order or on the recommendation of a ministerial committee as specified in the rules. The said rules also make it mandatory for such blocking requests to be given through the nodal officer of the concerned government department.
Blocking such apps during emergency situations is difficult, as they work through multiple IP addresses and on different protocols, and hence there is a need for a reasonably good solution to protect national security.
In the area of mobile apps and privacy there is still a serious gap between legal requirements and the translation of these requirements into practical solutions. The requirement does exist to incorporate, as far as possible, the information principles for the collection, use and disclosure of personal information: accountability, identifying purposes, consent (wherever possible), limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access and challenging compliance.
Existing recommendations to app developers usually provide insight only into what the developers are required to do, without further guidance on how they will be able to fulfil these requirements. It is the need of the day that the state should issue guidelines providing recommendations to app developers that shed more light on how privacy requirements can be fulfilled in practice.
Moreover, understanding how apps practically operate is often complex, due to their dynamic environment, reuse of software libraries and interconnection with different networks and systems, thus making it even more difficult to assess their privacy and security characteristics. Although a few app developers might deliberately disregard data protection obligations, in many cases poor data protection and security practices are due to a lack of awareness, knowledge or understanding (on the part of app developers) of how to practically organise for and engineer privacy and security requirements into their tools.
From a privacy perspective, it has to be noted that knowledge of a user’s choice of an app could itself constitute personal data or even sensitive personal data.
Censorship & surveillance
The potentially malicious apps originate from China, Russia and Pakistan, among others; these are nations that do not score highly on global indices of Internet freedom. China’s stance of legalising its digital barrier is a step closer to Internet sovereignty. China’s “Golden Shield” is a giant mechanism of surveillance that blocks hundreds of millions of websites which are not in consonance with the Communist Party’s agenda or control, including giants like Facebook, YouTube, Twitter and Instagram. It was also reported by US officials that eight of the 25 most trafficked sites globally are blocked in China. China has rules that restrict foreign companies from publishing online content and has proposed tighter rules requiring websites to register domain names with the Chinese government.
China has even strengthened its control over virtual private network (VPN) providers, which allow tunnelling under the firewall. VPNs exist at the pleasure of the government. Using a VPN service to access blocked websites might attract a trip to the local police station. Google is still blocked in China; the local alternative search engine, Baidu, has its results heavily censored. As Chinese companies and their apps spread beyond the geography of China, their activity is coming under scrutiny for tracking and monitoring users across the globe, not restricted to Chinese citizens. China is known for censoring content on its platforms that would be sensitive in China; as such platforms grow in popularity and presence around the world, they are still expected to follow the rules and regulations of the Chinese authorities, which leads to content surveillance beyond China.
During hostilities and conflict between China and other countries, data from these apps will give the Chinese regime a great geopolitical advantage. It can have a real-time picture of the various strategic and tactical initiatives undertaken by the other country for its defence and combat preparedness. Apart from the data gathered in the due course of business, deliberate vulnerabilities left in the software and hardware of ubiquitous cheap Chinese smartphones can lead to severe compromise of individual as well as organisational information. Poorly protected and insecurely coded Chinese operating systems and apps can also allow further targeted attacks by providing an initial foothold into the victim’s devices. A rapid and thorough assessment of Chinese apps from the point of view of national security as well as individual privacy is the urgent need of the hour.
Time is also ripe to learn from the Dragon; it first blocked the popular platforms, created a sovereign data space, and rapidly innovated to create viable alternatives, which generated trillions of dollars for domestic IT companies. While we may not be able to replicate what it did, we can put brilliant Indians’ minds together to transition from a passive market to a primary producer of cutting-edge technology.
Brijesh Singh is Inspector General of Police, Maharashtra, and Khushbu Jain is a practicing advocate in the Supreme Court.