Big Brother's Snooping

Are you gay? Brother's sent money from abroad? Planning a trip to Mauritius? Not been keeping well? And you think all this is confidential? Think again.

Beware of those prying eyes — nothing's a secret any more. Law researcher Usha Ramanathan realised that when she visited an enrolment centre dealing with Aadhar, the unique identity number that the government has promised every citizen. "Give me a name," the young man at the centre in north Delhi, run by an NGO, asked her. "Ramesh," she replied. He fed the name into his laptop and it spewed out a list of close to a hundred Rameshs. "Ramesh Kumar," she said, when asked to be more specific. The list became smaller and the enroller clicked on a couple of names to reveal details about them.

The Unique Identification Authority of India (UIDAI) has been claiming that the data collected from individuals while issuing the numbers, which are meant to ensure more efficient delivery of welfare schemes, are confidential. But as Ramanathan's experience shows, they are anything but.

That's not all. Several measures have either kicked in or are on the anvil that will allow the government to keep tabs on all your actions. With all manner of information being digitised and government departments getting increasingly networked, the next time you book a rail or an air ticket or even be caught for jumping a red light, you may come on the radar of intelligence agencies.

Perhaps the most invasive are a set of new rules framed in April under the Information Technology Act. The newly framed rules require private companies that hold "sensitive personal data" like financial information, physical and mental health conditions, sexual orientation and medical records to provide compensation if these are leaked. However, they also state that this information can be shared "without obtaining prior consent" with government agencies for verifying an individual's identity and for the prevention and investigation of crimes. Worse, there is no clarity on which bureaucrat, at what level, can seek this information.

Take also the guidelines for cyber cafés. Cyber café owners need to keep not only photo IDs of computer users but also take a photograph of them. They also have to keep an online and physical log of the name, address, contact number, gender, ID proof, computer number, and log in and log out time of the user. A monthly report of the log register has to be submitted to the registration agency for cyber cafés. If an HIV-positive person visits an AIDS-related website or another person logs on to a gay dating site, the cyber café owner has details of this along with names and contact details. "This is only providing enormous scope for harassment and blackmail," exclaims Sunil Abraham, executive director at the Bengaluru-based Centre for Internet and Society.

Abraham points out that Internet service providers, which provide access to the Internet, already keep a detailed list of sites accessed through their servers. "Getting cyber cafés also to do so is only adding another point of leakage, along with far more personal details."

Cyber café owners are sceptical of keeping the records of their customers' Internet activity in such detail. Says Haroon Rashid, owner of Paris World Cyber Cafe, in Indirapuram, Ghaziabad, "While maintaining the records of the surfers may be good from a security point of view, it has had a detrimental effect on business. There was a certain trust between the café owner and the surfer before the new rules were publicised, but now everybody is watching his back," says Rashid.

Sakshi Singh, a Delhi University student who is a regular at the café, is taken aback when told about the new rules. "I thought that just giving my identity proof was enough. Will they also know what I am writing in my emails? That's not fair," she says.

But clearly, the government thinks that everything is fair when it comes to "security". Says Pushkar Raj, general secretary of the People's Union for Civil Liberties (PUCL), "Privacy is under attack like never before."

But it's not just the government that wants to cock an eye — and ear — at you. Stock market regulator Securities and Exchange Board of India has been pressing for powers to tap phones to curb insider trading. Draft legislation on the Lokpal and prevention of communal violence prepared by civil society activists (the Anna Hazare team and the National Advisory Council, respectively) suggests steps to intercept phone conversations and email. Phone tapping, insists Arvind Kejriwal, a member of the joint drafting committee on the Lokpal Bill, will be an important tool in investigating corruption cases.

"Everything is being seen as an extraordinary situation," says Ramanathan. "Safeguards for the citizen are being done away with in the name of terrorism, national security, corruption, communal violence and welfare schemes."

Yet, the Supreme Court had, in several judgements, said the right to privacy was inherent in the rights to freedom of speech and expression and to life and personal liberty. In 1996, the court, while hearing a PUCL petition challenging telephone tapping, held that it violated the right to freedom of speech and expression. The government, it said, did not have "unguided and unbridled power" and could tap a phone "only at the occurrence of any public emergency or in the interest of public safety".

And in what is a delicious irony, even as the government extends the limits of its power to snoop into the lives of citizens, it is also moving to introduce a privacy law.

There is serious concern that the Aadhar number could end up compromising a lot of personal information, since it will be required for getting anything from welfare doles to a bank account, PAN card, driving licence or telephone connection. "Aadhar will become a gateway to information about a person which is now in various silos," warns Ramanathan.

UIDAI director general R.S. Sharma scoffs at these fears. The UIDAI will merely respond with a yes or no to queries about whether a number belongs to a particular person and will not divulge any information. The only private information it has is the name, gender, date of birth and address, apart from biometrics. "That is already available in your driving licence, election I-card and even with the National Rural Employment Guarantee Scheme," Sharma says.

But registrars through whom the UIDAI will collect information are free to collect any other data, he admits. In several states, Ramanathan points out, information on bank accounts, PAN cards, cooking gas connections and driving licences are being sought. These may be for more efficient delivery of financial aid or other welfare schemes but they do provide scope for information leaks. But Sharma points out that the registrars are state governments, public sector banks and insurance companies. "They have been custodians of information for long," he says, adding that the UIDAI has been giving them technical assistance to maintain confidentiality.

Worryingly, the National Identification Authority of India (NIAI) Bill (which will set up the NIAI that will replace the UIDAI and have statutory status) fails to address some of the privacy concerns that the Aadhar project throws up. The bill allows the NIAI to share information about individuals, with their written consent, with government agencies that deliver welfare schemes. However, an analysis by Delhi-based research body PRS Legislative Research shows there is no clarity on whether the consent should be taken at one time or each time a person avails a service. The bill also allows the NIAI to disclose information on individuals to security agencies in the interest of national security.

It's quite possible, the PRS analysis notes, that intelligence agencies could use Aadhar as a key to search databases like telephone records, travel records and financial transactions. While this could be useful in detecting and investigating crimes, it could also lead to ordinary, law-abiding persons being harassed.

But even this is just the tip of the iceberg. Privacy may be under greater threat once the ambitious National Intelligence Grid (Natgrid), which got cleared by the Cabinet Committee on Security earlier this month, is up and running. It will enable intelligence agencies — mainly the Intelligence Bureau — to mine data on money transfers, bank accounts and credit cards, PAN details, air and rail travel, telephone connections, Internet usage, driving licence and traffic offences, and immigration records in real time for terrorism-related investigations.

The government believes there is need for this because, right now, intelligence agencies have to write to different departments to get information and there isn't adequate sharing of information. "David Headley could make repeated trips to India and then to Pakistan without arousing any suspicion," points out Union home secretary G.K. Pillai. Since most data are now computerised and online, Natgrid can put in queries about suspicious movements and transactions of suspects into various databases and through a process of filtering narrow in on the relevant information.

Security affairs expert B. Raman isn't sure this will work, though he feels that there is a need for modern technology to co-ordinate among departments that hold information. "It is not just about violating privacy. This is impractical," he says, "making the whole country a database is asking for trouble, since there will be an information overload."

That is not the case, counters Pillai. "Natgrid will not indulge in a general fishing expedition. It will be used only for counter-terrorism." It also has more than enough safeguards for privacy, with various levels of authorisation and committees to check misuse. But he concedes that the filtering process of zeroing in on a suspect could see an innocent person also coming under surveillance at least for some time. "There is a certain price to pay for security," he says.

That sentiment finds many takers. "Criminals do not have the right to privacy," asserts Raman. Kejriwal agrees. "Is the privacy of corrupt people more important," he asks. What is important, he says, is to prevent misuse.

A balance clearly needs to be struck between protecting individuals from crimes and ensuring privacy. "That can be done only by keeping safeguards and penalties for violations high," says Pillai.

The impact of the measures on ordinary lives will only be known in the months to come. And then, be afraid, be very afraid.