Making do with a mere watchdog

Amandeep Singh Kapoor
Indian Police Service                     

Perhaps no time is more opportune than the present for security agencies to raise the flag. Justice B.N. Shrikrishna is seeking the views of stakeholders on a law for data protection and exceptions thereof. This process is enmeshed in the matrix of the recent decision of the Supreme Court validating the right of privacy of citizens, and also the stance of cyber-ecosystem visible during the recent push for net neutrality. This has made waters turbulent for agencies involved in balancing security with access.

A government white paper explicitly recognises that the power of the data controller has increased vis-à-vis the individual because of processing of personal data. Data protection regulations are meant to protect individuals from the abuse of power resulting from the processing of their personal data. Law enforcement agencies must be taken in the loop to avoid a mismatch in real time.

To put things in perspective; data leaks from data controllers can cause “ransomware” incidents —seeking ransom by keeping valuable information captive. This can result in chaotic losses to the victim. A recent survey by a data advisory firm found that 70 per cent of Indian mobile apps don’t take explicit consent during installation and rampantly share data with third parties.

Also there is the problem of objectionable content at a time when virtual private networks hide the user’s name and credentials, and is largely posted on servers installed outside India. There are mobile applications that allot virtual numbers or allow the use of dark web or onion routers, which are a delight for hackers and organised criminals. Hence, it is not possible to contact the user posting objectionable content. Also data processors, especially telecom service providers, have cloned multiple SIMs using Aadhaar copies of earlier customers. The police has encountered examples of extreme omissions in cases of kidnapping for ransom. Telecom operators have denied or delayed information such as IP address (which they are mandated to provide in a timely and pre-defined manner) leading to the killing of the hostage. So there is need to plug such acts of omission.

  This brings forth the question of contours of a regulatory mechanism. The sine-qua-non of secure, vibrant and democratic cyberspace should be a robust, enforcement architecture. It should be overarching on both cyberspace (where personal data is shared and hence the playing field of data controllers and data protection authorities) and telecom sector, which in India is an internet service provider. 

The problem is there is no overarching regulator in this crucial space. A symptom of this syndrome is that two wings of the government — the ministry and the regulator — are simultaneously issuing stakeholder’s consultation process on the same issue.  

Contrast this with a similarly crucial service sector of the aviation industry and observe its legal teeth: The Director General of Civil Aviation (DGCA) is an overarching regulator administer responsible for the security of both air and ground handling through the Bureau of Civil Aviation security (BCAS). It administers the Aircraft Act, 1934, and rules with clear liability fixed in crisp penalties (even jail terms are substantial, along with first time fines). Very logically, there is a penalty for the abetment of offences and even attempted offences. If this is impressive, consider this: the DGCA periodically issues aeronautical information circulars & civil aviation requirements and the failure to comply with these circulars is punishable with imprisonment of six months and fine. 

In cyberspace, where Moore’s Law operates (broadly the processing speed doubles every two years), similar power needs to be vested even in the pen of regulator which issues statutory regulations before the new technology makes the old one redundant. This body should be having real teeth — a hound rather than a mere watchdog.

In an era where data is the new oil, it is time we realise that its spilling would be even more catastrophic than oil spills of blue waters. If cyberspace was a stage in space-time where servers and waves come together to create magic, then the greenroom is agog with activity. The air is expectant with a power-packed “act”. Hoping a secure cyber commons is delivered.

(The views are personal)