
Digital privacy law still leaves us watched

Intrusions: The law cannot address the systemic weaknesses of cyberspace.

Pukhraj Singh

Cyber Intelligence Specialist

Unknown to many, the draft Personal Data Protection Bill (PDPB) and its harbinger, the European General Data Protection Regulation (GDPR), are a crucial departure from how states have guaranteed privacy to their subjects. They mark a silent defeat against the pervasiveness of sensors that intrude into our public and private lives, shifting the onus of accountability from the agents that produce to the agencies that consume.


Digital sweeps of observation

It has become impossible to evade digital sweeps of observation, so much so that the absence of sensorial data makes you an obvious suspect for the security agencies. 


Disconnecting from the grid has its own problems. It was the peculiar absence of digital waste in Osama bin Laden's safe house in Abbottabad that had caught the attention of the CIA. The spatial taxonomy that applied to our logical world, like maintaining personal distance or being let alone, has become extinct.

Collecting data is okay now but profiling individuals is not. The PDPB, too, by design or coincidence, assumes that the morality of identification could somehow compensate for the (il)legality of observation. It is a desperate effort to shift the fulcrum of law from observability to identifiability.

The very architecture of consent depends on defining what the observables are — say, Sensitive Personal Data (SPD) on biometrics, medical history, caste, gender, and sexual orientation, etc. But their compartmentalisation is becoming increasingly nebulous.

The US Defence Information Systems Agency is betting on gait recognition — the way we walk — to authenticate a person. The technology is commercially available. Samsung has applied for a patent that uses blood flows as a means of user verification. Everything, from the way we type, our swipe patterns to our voice can fall under the window of profiling.

The sensors need not be placed in a mobile or within the proximity of the subject. Authentication can now be accomplished from a fair distance. Even if SPD includes new observables, partial chunks captured across a spectrum of sensors could be used to identify an individual while still maintaining compliance with the law.

The surveillance economy

As ingenious methods of profiling come to light, the retrospective cleaning up of databases would become an exercise in futility as the information would have already been digested and excreted by the surveillance economy. 

A cursory look at the rights of a Data Principal (a person as the producer of information) defined in the PDPB tells us how untenable they are in the present, and more so in the future.

A hacker may wake up livid one day to realise that the Right to Be Forgotten impedes political transparency — which is true. She could easily build an archiving system that crawls or crowdsources content in an anonymous fashion and feeds it into a blockchain — a decentralised, irreversible and unalterable ledger. A machine that will never forget what you did last summer, even if it wants to, could just be a summer project executed in a basement.

Politwoops.eu is a portal that is already recording the deleted tweets of European politicians in direct violation of the GDPR. To maintain compliance, Twitter has recently forced many archiving websites to shut shop, but could this work at speed or scale? Leave aside forgetting, the US could not even take WikiLeaks offline for all these years despite launching a global witch-hunt. So potent is the availability of information in cyberspace that it is sometimes deemed a cyberweapon.

Data monopolies

The Right to Data Portability is largely aimed at keeping powerful monopolies like Facebook and Google in check. In the end, data monopolies thrive on monocultures — the prevalence of a single software or hardware architecture like Windows, Android, iOS, Qualcomm, and Intel, etc. Such mass-market platforms offer broad functionalities to the developers with barebones production costs, but their bloated feature-set means more vulnerabilities and vendor overreach.

Facebook is a data monoculture of the higher end. The Right to Data Portability would just liberate the social media and the web layers from the countless many which the internet is made of. Most unknown observables pass under the radar through the numerous overlooked labyrinths.

In an industry where every vendor assumes the worst in the other, running data dragnets with impunity becomes a healthy competition of sorts. No matter where you port your data, the underlying Qualcomm chips, which power billions of mobile devices, may very well capture and relay your location activity to hedge funds or other interested parties. Data portability, too, is an illusion of choice.

The demarcation between functionality and surveillance is eventually going to disappear. As companies become the new countries, our social contract will be recalibrated to insert 'utility' between the dyad of privacy-security. Profiling would be legitimised as an essential service. The law may provide a moral direction, but it cannot address the systemic weaknesses of cyberspace. Stemming from the decentralised nature of the internet, these limitations are beyond the reach of any single government.
