Where is the debate on data privacy headed?

Even as India pushes for data decryption access from Big Tech for better law enforcement, there is a larger issue of how Big Tech is not quite the paragon of virtue when it comes to upholding user privacy.

If the Indian government does get social media platforms to part with user data, it should remember that with great power over the citizens comes a greater responsibility towards the citizens.

A lot has happened in privacy in recent memory. Perhaps most importantly, Attorney General K.K. Venugopal has argued in the Supreme Court that “They [internet platforms] can’t come into the country and say we will establish a non-decryptable system” and that “terrorists cannot claim privacy”. On the side of Big Tech, corporate products and policies keep moving towards privacy while instances of privacy violations continue to exist.

Google released the next generation of Android earlier this month and included some important privacy protections. Google was then also fined $170 million for violating children’s privacy on YouTube. Google also open-sourced a differential privacy tool on GitHub to help protect private information. Facebook also made news in privacy, announcing a feature called ‘Off-Facebook activity’, allowing access to a summary of activity that Facebook has about you. Facebook then suffered a data leak (phone numbers) of 419 million users. Similarly, Amazon also took a significant step in allowing users to delete their data (voice and transcripts) from Alexa.

What we are seeing here is that India’s idea of a digital world is beginning to diverge significantly from that of global platforms. The Indian government increasingly wants access to data on its citizens for purposes of law enforcement. When communications on platforms are encrypted (end-to-end or otherwise), it is impossible to track what information is being shared unless one has a decryption key. Failure to track fake news on WhatsApp has instigated lynch mobs and resulted in 27 reported deaths in 2017.

The Attorney General is right in asserting that terrorists cannot claim privacy. However, tech does not bend selectively to reflect values. Platforms cannot decrypt messages for the bad guys while keeping encryption available for everyone else. Most companies around the world (not including China) have sided with the idea of privacy in communications. It helps build trust with the user and complements the power of the network effect. If tomorrow, Facebook and the Internet began to target you with ads on the basis of conversations you were having on WhatsApp, you would rightly be concerned. Platforms like WhatsApp (and Telegram, and Signal) are home to some of our most sensitive information. No one would like to, say, discuss their mental health issues with a friend on WhatsApp, only to have medicines recommended to them on every website they visit. Similarly, political protestors who express themselves through peaceful dissent would not like to have their messages read and used against them. Anonymity through encryption can be a shield for terror, but it is also an essential tool for people who may not be able to express themselves freely otherwise.

The fines that Big Tech firms have historically been charged for privacy violations have not been large enough to significantly dent them vis-a-vis the revenues that they are making.

What happens to end-to-end encryption is going to be subject to the beliefs and values held by the people in power. The government has been trying to push its agenda for months. Prior to asking Facebook to help the government in decrypting data, the government had asked intermediaries to enable traceability of messages. This was carried out by the Ministry of Electronics and Information Technology (MEITY) that proposed amendments in the intermediary guidelines in December 2018. The final notification is due to be issued on January 15, 2020. During the same month, the Ministry of Home Affairs issued an order granting powers of “interception, monitoring, and decryption of any information generated, transmitted, received or stored in any computer” to ten Central agencies.

None of this is implying that the government is looking to actively spy on you, but that with great power over the citizens comes a greater responsibility towards the citizens. For instance, when Edward Snowden broke the news of the NSA’s surveillance capabilities, he also stated that employees at the NSA intercepted personal nude photos and shared it with their colleagues, almost as a fake currency. The NSA, in a response to Forbes, neither confirmed nor denied the practice.

Just as governments around the world have not been perfect with their conduct towards privacy, neither has big tech. While companies such as Facebook have supported and implemented end-to-end encryption, they have been repeatedly penalised for privacy violations. Big Tech is moving towards privacy at its own pace. Companies such as Google, Facebook, Amazon, and Apple have very different attitudes towards privacy. That is mostly because around the world, they have not been mandated to comply with a standard set of rules. Countries with huge user bases are yet to come up with data protection laws (read India). And on occasions where laws on data protection and privacy have existed, companies have felt perfectly at liberty to violate them and paying the fines, looking at it as a cost of doing business. Two things work in favour of Big Tech here. Firstly, the fines that they have historically been charged have not been large enough to significantly dent them with respect to the revenues that these corporations are making. Secondly, all of these companies are not transparent in their workings and functioning with privacy. So in all likelihood, not all violations of user privacy are being punished around the world. Thus, every violation escaped is essentially money saved for later fines.

Regardless of all of this, anonymity in communications is worth having and fighting for. In the current version of the Internet, complete privacy in communications is a rare occurrence. Irrespective of where parties stand across the aisle, maintaining end-to-end encryption should be common ground.

This article was first published in The Hindu. Views are Personal.