22 August 2017

Chinese Smartphones Are Our Biggest Vulnerability; Our Citizens’ Data Must Be Stored In India

R Jagannathan

While the government has taken care to ensure that the scrutiny of data privacy procedures is not restricted to Chinese handset makers alone, it needs to ensure that Indian data must remain in India’s legal jurisdiction and control.

The IT and Electronics Ministry’s directive to 21 smartphone companies to share their security procedures and processes with it has not come a day too soon. While the move, given the Doklam stand-off between Indian and Chinese troops in the Sikkim tri-junction, will be widely seen as subtle Indian retaliation (Chinese smartphones dominate the Indian market), the move can be justified on both counts – privacy of citizens’ data, and as pressure against the Chinese.

The reality is that smartphones today constitute the biggest risks to data security – even more than Aadhaar biometrics. As Nandan Nilekani told Mint in a recent interview: “The biggest privacy risk that you have is your smartphone. A billion people will have smartphones as we go forward, their conversations will be recorded, their messages will be read, their location can be identified with the GPS or the triangulation of the towers on a real-time basis. So, for 24 hours a day, you know where a person is. Using all the accelerometers and gyrometers on the phone, you can actually make out if someone is drunk or not. The kind of intrusion of privacy that the smartphone does is order of magnitudes higher.”

If this is the case, not only should smartphone data privacy and security be No 1 on our agenda, but the No 2 concern should be that most of this data may actually be lodged in servers in China – under the probable control of a hostile government.

Given the Chinese belligerence over Doklam, it is necessary for India to start applying counter-pressure, and it has been doing this subtly by imposing anti-dumping duties on Chinese goods. Earlier this month, Chinese tyres were subject to anti-dumping duties, and, according to Chinese media, some 93 items are now subject to Indian anti-dumping duties. The Chinese can’t do much about this, as the trade balance is entirely in their favour, and anti-dumping duties affect Chinese manufacturers more than Indian ones. Our trade deficit is $52 billion in favour of the Chinese, and using this as leverage against China in the Doklam stand-off is exactly what Sun Tzu would have prescribed.

Scrutiny of Chinese smartphone data protection procedures impinge on both areas: trade and security. In a sense, it is even more important than imposing anti-dumping duties on Chinese products entering India.

While the government has taken care to ensure that the scrutiny of data privacy procedures is not restricted to Chinese handset makers alone, it needs to ensure that Indian data must remain Indian legal jurisdiction and control.

Two measures are vital for India to protect its citizens from prying eyes.

One, the government must mandate that all data collected from Indian citizens should be housed in servers in India, and subject to Indian legal jurisdiction. It is not only about China, but also Uncle Sam prying into Indian data resting on US servers. Big US technology platforms like Google and Apple are vulnerable to US government requests for data.

Two, we need to enact our own privacy protection laws, and this law must be accessible to the ordinary citizen in quick time. There is no point in having a law where illegal invasions of privacy take 10 years in courts before justice is done. There have to be quicker remedies, which means two more things: sanctions for sharing of data must not be a bureaucratically determined process where joint secretaries decide whether private data can be shared or not. This process must be cleared by a judicial head with impartial credentials. And, additionally, wrongful sharing of private data should involve quick penalisation of the wrongdoer, with the state paying damages in case culprits cannot be identified easily. A time limit of six months for breaches of data privacy and compensation must be prescribed.

It is worth recalling that even Ratan Tata, who petitioned the Supreme Court in the Niira Radia privacy breach case, is yet to get a final verdict in his favour. If even the rich cannot get justice, what hope is there that the ordinary man will get in from any future privacy law?

No comments: