Sunday, July 24, 2005

Need for an effective privacy policy



SUCHETA DALAL


Posted online: Monday, May 30, 2005 at 0156 hours IST



A natural corollary to the issue of data and databases that we have discussed here over the last two weeks is the question of privacy. For instance, what is the answer to a reader’s simple query: ‘‘Is the personal data on individuals/corporates safe from unscrupulous elements? What is the privacy policy? Can database agencies be sued if they are hacked and the data misused?’’

Although the right to privacy is enshrined under Article 21 of the Constitution, enforcing this right through consumer action and compensation is a tricky matter, because the legal process is slow and expensive and the judiciary is niggardly about granting punitive damages. We have already learnt to live with the consequences of stolen data: how else are our mobile phone numbers and addresses available to a variety of marketing companies? A clear privacy policy becomes extremely vital at a time when the Securities and Exchange Board of India (SEBI) has already kicked off the controversial Market Participants Database (MAPIN) and is now in the process of reviewing it after widespread investor anger.








How important is data privacy, and how great is the need for a clearly articulated and legislated privacy policy? I spoke to a few experts in the Information Technology (IT) and security industry and found considerable concern among industry leaders about the security of the personal information being collated by MAPIN, by Cibil (Credit Information Bureau of India Ltd) and by the Income Tax department through Permanent Account Numbers (PAN) and the Tax Information Network (TIN). Today, in the absence of clear legislation, there is nothing to prevent personal information from being shared across the board with anybody. Organisations may claim to have an internal privacy policy, but without legislation behind it, that policy imposes no legal obligation on them.

Nasscom President Kiran Karnik says, ‘‘Personally, I feel deeply concerned about the obsession we have with ‘security’ (and I am not talking of data security), which seems to provide a cover-all for anything and everything. It seems to permit the government and its multiple security agencies to do anything from tapping telephones to intercepting mail to seeking identity and sites accessed by cyber cafe users. Sadly, the ‘intelligentsia’ is not bothered: this is, after all, ‘other people’s’ problem.’’

Sunil Mehta, Vice-President of Nasscom says, ‘‘As Internet penetration in India increases, e-governance initiatives grow in reach and more and more ‘personal identifiable information (PII)’ becomes digitised, many of us are increasingly concerned about privacy and security breaches. I really believe there should be a genuine public debate in this country among all stakeholders around the kind of privacy laws that we, as citizens, really need.’’

Nandkumar Sarvade, a Deputy Commissioner of Police and IIT engineer who is currently on deputation with Nasscom (National Association of Software and Service Companies), says, ‘‘the growth of databases is inevitable, since government itself needs large databases, such as a list of all the citizens, voters, tax payers, vehicle owners, drivers, property owners and so on.’’

‘‘Since information infrastructure is increasingly being controlled by private players, without a legal framework, profit maximisation would remain the primary purpose resulting in exploitation and resale of databases. A legal framework would therefore be required to lay down the rules, within which legitimate data aggregation can be practised.’’

Most experts believe that a Self-Regulatory Organisation (SRO) is a good start. But Sunil Mehta insists that ‘‘SROs would have to be carefully designed to give them some real powers to create a code of ethics (and adherence to security standards, self-certified audits, third-party audits), create capacity by training key officials in member companies, investigate and adjudicate breaches and expel members who fail to correct behavioural lapses.’’ This has to be backed by ‘‘a legal framework, which can be triggered off by the SRO in case all else fails.’’

The controversy over biometric identification that is being discussed by a SEBI committee in connection with MAPIN makes the issue of security and efficacy of databases even more relevant.

Sarvade quotes a chilling passage from Simson Garfinkel’s book on databases and privacy (‘Database Nation: The Death of Privacy in the 21st Century’) with specific reference to biometric identification. It says, ‘‘Biometrics are a powerful means to ascertain somebody’s identity, but only for the person or the machine that actually does the measuring. Once a biometric is stored inside a computer, all of the security provided by biometric identification is lost. A stored biometric could easily have been copied from another computer, rather than being directly measured. This is a critical distinction to understand when using biometrics. It is a distinction that is so subtle that it frequently is overlooked by the people implementing and using biometrics-based systems.’’

The direct consequence of a copied biometric is its misuse, with nightmarish consequences for the victim. The misuse of a credit card causes only monetary losses (which can sometimes have extreme consequences), but the misuse of a biometric could falsely implicate a person in criminal activity, which would be impossible to disprove: unlike a card or a password, a fingerprint cannot be cancelled and reissued.
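Garfinkel’s point is that a verifier which only compares bytes cannot tell a fresh measurement from a copy lifted out of a database. The following is an added illustration, not code from the column or from Garfinkel’s book: a naive matcher that accepts a stolen template outright, beside a verifier that will only accept a template carried by a single-use, device-keyed tag, so that the stolen bytes alone are useless. The per-device HMAC key, the nonce protocol, the device and user names and the ‘‘template’’ bytes are all constructed assumptions for the demo; a real deployment would put an asymmetric key in the sensor’s secure hardware and would also store templates in a protected, non-reversible form.

```python
import hashlib
import hmac
import os


class NaiveVerifier:
    """Stores the raw template and accepts any byte string that matches it."""

    def __init__(self):
        self.templates = {}

    def enrol(self, user, template):
        self.templates[user] = template

    def verify(self, user, presented):
        # compare_digest avoids timing leaks, but nothing here proves that
        # `presented` was measured just now rather than copied from a file.
        return hmac.compare_digest(self.templates.get(user, b""), presented)


class Sensor:
    """A capture device holding a per-device key (assumed provisioned at manufacture)."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key

    def capture(self, nonce, live_template):
        # Bind the fresh measurement to the verifier's nonce with the device key.
        tag = hmac.new(self._key, nonce + live_template, hashlib.sha256).digest()
        return self.device_id, live_template, tag


class AttestedVerifier:
    """Accepts a template only with a valid, single-use, device-keyed tag."""

    def __init__(self):
        self.templates = {}
        self.device_keys = {}
        self.pending = {}

    def register_device(self, device_id, key):
        self.device_keys[device_id] = key

    def enrol(self, user, template):
        self.templates[user] = template

    def challenge(self, user):
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, device_id, template, tag):
        nonce = self.pending.pop(user, None)   # one nonce, one attempt
        key = self.device_keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        return hmac.compare_digest(self.templates.get(user, b""), template)


def demo():
    # Constructed data: a 'template' is just bytes standing in for a minutiae record.
    alice_template = hashlib.sha256(b"alice-fingerprint-minutiae").digest()
    stolen_copy = bytes(alice_template)  # what an attacker lifts from a breached database

    naive = NaiveVerifier()
    naive.enrol("alice", alice_template)

    attested = AttestedVerifier()
    attested.enrol("alice", alice_template)
    device_key = os.urandom(32)
    sensor = Sensor("reader-01", device_key)
    attested.register_device("reader-01", device_key)

    # Live scan: verifier issues a nonce, the sensor measures and tags the result.
    nonce = attested.challenge("alice")
    dev, tpl, tag = sensor.capture(nonce, alice_template)
    live_ok = attested.verify("alice", dev, tpl, tag)

    # Replaying that same capture against a new challenge must fail.
    attested.challenge("alice")
    reused_ok = attested.verify("alice", dev, tpl, tag)

    # Attacker holding only the stolen template, with no sensor key.
    attested.challenge("alice")
    forged_tag = hashlib.sha256(stolen_copy).digest()
    replay_ok = attested.verify("alice", "reader-01", stolen_copy, forged_tag)

    return {
        "naive_replay_accepted": naive.verify("alice", stolen_copy),
        "attested_live_accepted": live_ok,
        "attested_reused_capture_accepted": reused_ok,
        "attested_replay_accepted": replay_ok,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The hardened verifier does not make the stored template any less sensitive: if the database and the device keys leak together, the attacker can forge tags as well. What it changes is that the biometric bytes on their own no longer function as a password, which is the distinction Garfinkel says implementers overlook.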

Prakash Hebalkar, a leading IT expert, has long been concerned with the issue of identity theft. He first raised it in 2002 in connection with the PAN database. He wrote: ‘‘Can you imagine trying to prove to the Income Tax authorities that it was not you who asked for that demand draft payable to the cross-border terrorist, despite your PAN being misused on the draft application to the bank? Or that you did not buy that SIM card for the mobile phone that was used to make extortionist calls? The list could go on ad infinitum, limited only by one’s imagination.’’

Hebalkar believes that Indian criminal law must introduce provisions similar to the US statute, which provides for imprisonment of 20 to 25 years and forfeiture of property for identity theft. Instead, the fine for a misstatement or misuse of the PAN today is a paltry Rs 10,000.

Interestingly, many experts still believe that our current legal framework, if well enforced, is adequate to address violations of personal privacy. To my mind, the current legal framework is rendered ineffective by the slow legal process and paltry punishments. It is only when there is adequate debate and discussion on privacy issues that the government will recognise the need for an effective legislative framework to protect individual privacy.
