Issue 7

“Mark as Read” to “Mark has Read”: Privacy Policies in India

Debayan Gupta

There are three imponderables when it comes to Privacy: the definition of privacy in today’s data-is-the-new-oil world, how to balance the desires of the individual and the powers-that-be (government or local law enforcement), and how to actually implement and enforce these ideas, once we’ve come up with them. In short, it wouldn’t be too wrong to say that we don’t really know what we’re doing when it comes to privacy!

Further, there’s usually a dichotomy proposed between privacy and security: you can have privacy, but that means criminals/terrorists would be able to operate without the government being able to track them. So, if you want to have security from all these evil people, you must consent to let the government snoop on your data as well.

This is actually a common thing: to protect the population from the wiles of food producers, the government sets up certain standards that these producers must obey. The government may send inspectors to check upon the processes followed, and then punish producers who do not conform. Here, however, every single one of us is a producer.

Fortunately (or otherwise) this relentless production of data by individuals is mediated by companies like Facebook, who collate and process this data, profiting from the detailed profiles they build of us in the process. So, it might be possible to regulate things simply by applying the regulations on these corporations instead of at an individual level. But it also means that there are now two entities (albeit with somewhat different incentives) who may want to read what we write, i.e., the government and the corporation. One thing is very clear: individual-level policies are insufficient. Most people do not (and cannot be expected to) have a deep understanding of privacy issues – just like we don’t all have a deep understanding of food safety norms. Some kind of aggregated negotiation tactic, then, appears to be the only solution.

Given that the government (an entity interested in seeing our data) is the one representing the population in this negotiation, civil society must be extremely vigilant about what the details are. Many people (loosely) propose some structure of the following nature: private messages between individuals must remain secret, both from the government and the corporation. However, if the government comes to the corporation with a warrant, the latter must hand over the data. This last bit, of course, is impossible in an “end-to-end encrypted” system, where only the sender and receiver can read information.

WhatsApp’s recent change is an interesting nuance in this 40,000-ft view. Your private messages in WhatsApp are still end-to-end encrypted and unreadable to anyone but the parties directly involved: nothing has changed on that front. What many may not have noticed is that WhatsApp actually makes two different apps: one for private use, and one for businesses. WhatsApp’s new policy allows them to look only at communications with these business accounts.

Note that WhatsApp could already look at the metadata: they would know, for example, that you had been chatting with a number of mattress companies (but might not know what kind of mattresses you were looking for). Facebook could then advertise mattresses on your feed. With this new policy, WhatsApp can share data about your interactions with business accounts, so that Facebook can find and suggest the exact kind of mattress you were looking for. As far as changes in privacy go, it’s actually rather minor. Your private messages are just as private as before.

As discussed above, even an end-to-end encrypted system can reveal a lot about one’s preferences and behaviour; this is actually the main difference between WhatsApp and Signal. They use the exact same set of encryption protocols; WhatsApp provides more services (e.g., it is rolling out payments in India), but retains metadata. Signal retains no metadata whatsoever. It just knows the time you last logged in and some other basic information, nothing more, and backups are encrypted. In either case, your actual chats are end-to-end encrypted and cannot be seen by anyone else, with the notable exception of backups: unencrypted backups (WhatsApp does not have an option to encrypt) can be read by Google or Apple (and thus by a government with a warrant).

Any state regulation on these encryption and privacy policies would be incredibly difficult, and that’s without getting into the international nature of the problem (what happens with software written in Germany that facilitates a chat between a Japanese citizen and an Australian citizen, with the latter physically residing in India?). I think the short answer is “non-starter”. 

Perhaps the nearest we can get is a set of minimum standards, some rules about consent, and privacy scores. Such consent rules are also hard to frame, e.g., “a corporation cannot access any data belonging to a user without direct, time-limited consent, with sufficient granularity (not all-or-nothing options)”, but we have a lot of good lawyers who I am sure can do a much better job of this than I! In the short term, however, the best idea is almost certainly privacy scores, calculated by an independent government agency, providing something like a star rating to companies operating in India: this could be one way to provide citizens with the information they need to choose what is right for them. 

Debayan Gupta is currently an Assistant Professor of Computer Science at Ashoka University, where he teaches a course on security and privacy as well as an introductory programming class. He is also a visiting professor and research affiliate at MIT and MIT-Sloan. 

We publish all articles under a Creative Commons Attribution-Noderivatives license. This means any news organisation, blog, website, newspaper or newsletter can republish our pieces for free, provided they attribute the original source (OpenAxis).
