The Interplay between Cybersecurity, Digital Privacy and Digital Surveillance

by Ranjeev Joseph

Introduction

DATA – This is not just a 4-lettered word Hackers use it to make money illegitimately; Corporations use it to make money legitimately;

Governments use it to keep a check on threats, which may range from dissenting activists to hardcore terrorists, all in the name of national security, garnering legitimate mass support.

Knowing that data is accessed, stored, processed, analysed, harvested and, not to forget, sold, the undeniably 21st Century way of becoming a Billionaire[1], is completely legal and is the oxygen for Big Tech fire, whether the effectiveness of the rest of the solutions like greater transparency, greater control, right to be forgotten, revoking consent, etc. will help the purpose of people being more in control of their data, is something only time will tell. Until then, however, we can’t just wait and watch.

CYBERSECURITY

Cybersecurity is only genuinely possible at the User’s end. Nobody is safe from bad actors, whose expertise, capabilities, access to better hardware and software have increased manifold during the pandemic period, most notably due to unprecedented unemployability levels and perhaps a deep sense of avenging the world for their job loss. Strong regulation, however, potentially ensures better levels of encryption and data security architecture as lack of adherence to compliance could lead to hefty penalties or even cancelling of relevant licences, which may not solve the issue as seen after some Big Tech giants continued unethical practices even after paying enormous fines[2], but would surely have a positive outcome over expected results en masse.

Due to the increased permeability of high-speed Internet and improved rural penetrability, particularly due to campaigns under Digital India, most notably Reliance Jio, it is estimated that almost 820 million will use smartphones by the end of 2022.[3] It is also estimated that there was a 37% increase in cyberattacks in India in Q1 2020 as per a Kaspersky Security Network report.[4] Cybercrime naturally increases with the network being laid wider as more and more first-time users most technologically not as bright, not as educated, and not as inquisitive on the nuances and nitty-gritties of altering their not-so-privacy-friendly default settings to help them be more in control of their lives. Protecting your data from hackers, crony capitalists, and not to forget the ever-so-snooping government is still considered to be a First World problem, similar to worrying about parking one’s yacht.

In the recent Twitter hack, privacy activists stated that there exists no end-to-end encryption architecture in private messages.[5] The consequence of such an event occurring again could be devastating[6] as it could be used to sway elections or declare war-like intimidation, which would have real-life consequences, even resulting in a nuclear fallout.[7] Most small and medium businesses aren’t even aware of the dangers of such backdoor vulnerability.[8]

Observing how UPI platforms have multiple minutely-regulated aspects to be considered before being permitted to open their respective shutters in India, it is surprising to note that the same approach has not been taken for the same User’s data when WhatsApp was permitted to operate. Taking a look at the Holy Trinity of Tech and their “exclusive centibillionaire club”[9], one could easily estimate the monetary value of User’s personal data, which, when linked together to form a beautiful chain of information, seems irresistible to the palate of the average advertising Joe. As the recent social media hate-filled[10] campaign against minorities[11] in India has proven, having no regulation equals a breeding ground for all kinds of human rights violations.

The UN ought to have a Convention on Cybersecurity and Informational Privacy Protection that would ensure signatories establish best practices for the welfare of cyber-citizens who inherently have no borders in this small online global village. Cybersecurity Units of most Law Enforcement Agencies in India hardly have any technical experts or personnel with formidable domain knowledge, and a Central Bureau of Cybersecurity on the lines of the CBI also does not exist as of yet, indirectly giving a green channel to incumbent and beginner-level data mining  bad actors.

DIGITAL PRIVACY

Today, Cache is the new cash – Data is the new oil. Oil was considered to be black gold, and now Data is the intangible oil that is flowing freely with absolutely zero viscosity. Selling a private piece of information to further one’s company policies, based solely on profiteering over said piece or even otherwise, looks like an unwritten modus operandi of those offering absolutely free services to even the remotest parts of the globe. There exists more saleable data on the Internet than on any Bank’s custody, then why are there strong regulations only on Banks? Is that solely due to monetary dealings? As discussed earlier, the value of personal data is much more than money in all banks combined. The ultra-strict General Data Protection Regulation[12] (GDPR), the current gold standard for Data Protection, has set the Data Protection/Privacy benchmark for the world; however, it is only currently applicable for companies having headquarters in the EU and/or having access to EU citizens’ data.

Google uses its AdSense Crawler[13] mechanism to reach out to more and newer web-pages so as to maximise its tracker outreach when it comes to collecting YOUR data to sell to its bundle of registered Advertisers, who in turn try to display to you “Targeted Ads”[14] much to your disinterest. Nobody really knows how low can Marketing modus operandi stoop; however, all this is totally legal, hence, nobody can drag them to the curly-white-haired-wig-wearing guys. In one targeted marketing research experiment, the general merchandise stores-operating company- Target[15] offered new-mother related coupons to a pregnant high-school student just by analysing her buying habits since months.[16] Such kind of targeted advertising is not only shockingly creepy at the very outset, but also grossly unethical just to ensure there is a higher value in one of their corporate sales charts. Marketing Mad Men have been doing this[17] for ages; however, due to the smartphone now being like our own body’s appendage, such “Filter Bubbles”[18] tend to occur where Algorithmic Censorship creates a comfort zone dessert desert, where “relevance” is not the primary criteria to embody an organic web viewing experience, rather personalisation of factors/criteria is the main goal so as to create personalisation even in the information we are greeted with.[19] This makes people more in disagreement with the opinion of others, creating a more divided world with radically-opposing ideas. When there is no mutual agreement on anything, nobody progresses. This puts a question mark on the very notion of every Democracy in jeopardy, considering the digital world is borderless.

Globally, Privacy Policies of all Data Controllers ought to have a word-limit and must be in simple English and preferably languages mostly-spoken so as to ensure Users actually know exactly what they are about to consent to, giving them genuine power over the repercussions of the provision of their consent and a confident veto power. Anonymisation/Pseudonymisation metadata is anyways identifiable – e.g., a person named Rahul can be anonymised as ‘XYZ123!@#’ and this “new name ID” is easily trackable and mergeable[20] as seen with Google Customer Match.[21] Furthermore, Intellectual Property law does not generally treat personal information as property. Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable. You can’t patent personal information, and it certainly isn’t a trade secret.[22]

“Information is powerful, but it is how we use it that will define us” states one Google advertisement[23]; however, how Google uses our information is something we all must ponder upon instead of letting it get away with tracking, compiling, and whatnot[24] to auction off your data to the highest bidder[25] and have the last laugh.

DIGITAL SURVEILLANCE

Privacy, understood through the golden prism of Articles 14, 19 and 21 of the Constitution of India, vehemently includes the Right to be Left Alone. We buy or dream of buying expensive Homes not just for Security, Comfort and as an Investment, but also to have Privacy from the rest of the world. When there is unanimous agreement that no one should peep or enter into our homes, not even the police without a warrant, why isn’t it the same for our personal lives, made up of bits and pieces online? We are virtually living our lives virtually and this is the last place where we want monetising voyeurists to satisfy their vested interests..

When one is stalked online, it is called Cyberstalking, but when many are stalked, it is known as ‘Surveillance’. This technically makes Surveillance come comfortably under the ambit of Cyberstalking,  however no crimes can technically and legally be committed by governments on its own citizens in the name of “national security.” There have been instances where a Cyberstalker successfully located his victim by enhancing the reflection in her eye in a selfie.[26] Such levels of snooping could easily be scaled up to an organisational level if the government decides to do so. The “almost mandatory” and foolishly self-declaratory Arogya-Setu[27] application’s intrusive permissions were uncalled ever since the COVID-19 lockdown late March 2020 – The rough database already created, and the few pores here and there can be filled by the data available through the AadharPAN-Bank Account database to have one consolidated list which has the potential to be abused. There ought to be more transparency from the government and more privacy for citizens and even non-citizens and not the other way around. The populist “give up your privacy for a larger cause” narrative has been made the new norm so that sceptics would be made to appear as dissenters. The trade-off is not Privacy vs. Cybersecurity as is widely felt but an organically cohesive Privacy with Cybersecurity approach. One need not let go of their privacy to feel safer on the Internet.

Location can be triangulated even when the device is on “flight mode”[28] – Justification? To offer a more “personalised experience” These extreme levels of privacy-violations just goes to show what all Big Tech corporations could and would do to mine your data and monetise it. The government could easily use this data to snoop on so-called “anti-nationals”. One must note that such labels can be used for anyone under the Sun whom the government sees as a threat to their current regime.  The corporations it chooses to turn a blind eye to become the very tools of their authoritarian vested interests.  It won’t be too far when democratically-chosen governments start putting people behind bars for “Thoughtcrimes” as rightly-predicted in the dystopian Orwellian Classic – 1984 which would be made to be believed to be Utopian on the pretext of “national security.” – A wrong means to a right end does not justify it.

The ongoing pandemic has proved that no government in the world is genuinely keen on dialling down on their Surveillance. They have newly-legitimised powers to trace, track, and control and have also already begun abusing these powers. Power, once possessed, is almost impossible to get rid of.[29] The forthcoming 5G transition has raised questions on its architecture compromise where software-as-a-service (SaaS) would be eventually replaced by anything-as-a-service (XaaS), translating to an evolved threat landscape, along with the rise of the Internet of Things (IoT).[30] The micro-technology used in drones is well-established and can work through machine learning through Artificial Intelligence (AI) which pushes society slowly and gradually towards a Black Mirror-like dystopian reality. Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.[31]

We live in an era where smartphone cameras are not covered and microphones cannot be physically shut as everything is digital and not mechanical and knowing that data mining is the common goal of the Cyberhacker, the Big Tech Giant and the Surveillant, it is no surprise that the Regulator-maker is itself the Surveillant and would dilute the Data Regulation statutes in their respective countries to ensure that the Big Tech firms, on their behalf, could perform the mining from the Users legally and hand it over to the government as and when they raise a request. This legitimising of data access or mining to be having vested interests for eavesdropping governments all over the world is what is keeping the world from having the Privacy they so badly deserve.


[1] Bhogi, V. (2019, July 02). Why Zucks and Bezos are the 21st Century’s Rockefellers. Retrieved September 26, 2020, from https://www.linkedin.com/pulse/why-zucks-bezos-21st-centurys-rockefellers-vamsi-bhogi

[2] Patel, N. (2019, July 13). Facebook’s $5 billion FTC fine is an embarrassing joke. Retrieved September 26, 2020, from https://www.theverge.com/2019/7/12/20692524/facebook-five-billion-ftc-fine-embarrassing-joke

[3] ETTelecom (2020, July 09). India to have 820 million smartphone users by 2022 – ET Telecom. Retrieved September 26, 2020, from https://telecom.economictimes.indiatimes.com/news/indian-to-have-820-million-smartphone-users-by-2022/76876183

[4] IANS (2020, May 25). 37% increase in cyberattacks in India in Q1 2020: Report – ET CISO. Retrieved September 26, 2020, from https://ciso.economictimes.indiatimes.com/news/37-increase-in-cyberattacks-in-india-in-q1-2020-report/75962696

[5] Opsahl, G. (2020, July 17). After This Week’s Hack, It Is Past Time for Twitter to End-to-End Encrypt Direct Messages. Retrieved September 26, 2020, from https://www.eff.org/deeplinks/2020/07/after-weeks-hack-it-past-time-twitter-end-end-encrypt-direct-messages

[6] Schneier, B. (2020, July 18). The Twitter Hacks Have to Stop. Retrieved September 26, 2020, from https://www.schneier.com/essays/archives/2020/07/the_twitter_hacks_ha.html

[7] Newton, C. (2020, July 16). The massive Twitter hack could be a global security crisis. Retrieved September 26, 2020, from https://www.theverge.com/interface/2020/7/15/21325708/twitter-hack-global-security-crisis-nuclear-war-bitcoin-scam

[8] Imperva. (2019, December 29). What is a Backdoor Attack: Shell & Trojan Removal? Retrieved September 26, 2020, from https://www.imperva.com/learn/application-security/backdoor-shell-attack/

[9] Evans, J. (2020, August 07). Top billionaires: Who are the world’s richest people? Retrieved September 26, 2020, from https://www.theweek.co.uk/people/57553/top-billionaires-who-richest-person-world

[10] Laub, Z. (2019, June 07). Hate Speech on Social Media: Global Comparisons. Retrieved September 26, 2020, from https://www.cfr.org/backgrounder/hate-speech-social-media-global-comparisons

[11] Al Jazeera. (2019, October 30). Facebook a ‘megaphone for hate’ against India’s minorities. Retrieved September 26, 2020, from https://www.aljazeera.com/news/2019/10/facebook-megaphone-hate-india-minorities-191030184750344.html

[12] Intersoft Consulting. (2019, September 02). Official Legal Text : GDPR. Retrieved September 26, 2020, from https://gdpr-info.eu/

[13] Google. (2020). About the AdSense ads crawler. Retrieved September 26, 2020, from https://support.google.com/adsense/answer/99376

[14] Google. (2020). About audience targeting. Retrieved September 26, 2020, from https://support.google.com/google-ads/answer/2497941?hl=en

[15] Forbes. (2020, September 25). Target (TGT). Retrieved September 26, 2020, from https://www.forbes.com/companies/target/

[16] Hill, K. (2016, March 31). How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did. Retrieved September 26, 2020, from https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

[17] Duhigg, C. (2012, February 16). How Companies Learn Your Secrets. Retrieved September 26, 2020, from https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html

[18] Pariser, E. (2011, March). Beware online “filter bubbles”. Retrieved September 26, 2020, from https://www.ted.com/talks/eli_pariser_beware_online_filter_bubbles?language=en

[19] Walasek, A. (2019, February 28). Algorithms, filter bubbles, and how personalization can change your perception. Retrieved September 26, 2020, from https://www.e-point.com/blog/algorithms-filter-bubbles-and-how-personalization-can-change-your-perception

[20] The Guardian. (2012, January 25). Google user data to be merged across all sites under contentious plan. Retrieved September 26, 2020, from https://www.theguardian.com/technology/2012/jan/25/google-merge-user-data-privacy

[21] Google. (2020). Customer Match – Advertising Policies Help. Retrieved September 26, 2020, from https://support.google.com/adspolicy/answer/6299717?hl=en

[22] Catalyst Considerations. (2008). When Did My Personal Information Become Your Property? Retrieved September 26, 2020, from https://securitycatalyst.com/when-did-my-personal-information-become-your-property/

[23] Google Search Stories. (2011, September 19). Zack Matere: Growing Knowledge. Retrieved September 26, 2020, from https://youtu.be/OE63BYWdqC4

[24] Google. (2020). How ads are targeted to your site. Retrieved September 26, 2020, from https://support.google.com/adsense/answer/9713?hl=en#

[25] Google. (2020). About Smart Bidding. Retrieved September 26, 2020, from https://support.google.com/google-ads/answer/7065882

[26] BBC News. (2019, October 10). Stalker ‘found Japanese singer through reflection in her eyes’. Retrieved September 26, 2020, from https://www.bbc.com/news/world-asia-50000234

[27] MeitY. (2020). The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. Retrieved September 26, 2020, from https://www.meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf

[28] Stack Exchange. (2014, August 14). Is it possible for a phone to be transmitting even while turned off and the battery removed? Retrieved September 26, 2020, from https://security.stackexchange.com/questions/65382/is-it-possible-for-a-phone-to-be-transmitting-even-while-turned-off-and-the-batt

[29] Crabtree, J., Kaplan, R. D., Muggah, R., Naidoo, K., O’Neil, S. K., Posen, A., K. Roth, B. Schneier, S. M. Walt, Wrage, A. (2020, May 16). The Future of the State. Retrieved September 26, 2020, from https://foreignpolicy.com/2020/05/16/future-government-powers-coronavirus-pandemic/

[30] Karopoulos, G. (2019). Security and Privacy Challenges in 5G Networks. Retrieved September 26, 2020, from http://www.charisma5g.eu/wp-content/uploads/2016/07/Security-and-privacy-challenges-in-5G-networks.pdf

[31] Schneier, B. (2006, May 18). The Eternal Value of Privacy. Retrieved September 26, 2020, from https://www.schneier.com/essays/archives/2006/05/the_eternal_value_of.html

About the Author

Ranjeev is a L.L.M student at Jindal Global Law School, Jindal Global University, Sonipat.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s