Lax data protection norms and callous understanding of security are making India a prime target for cyber criminals
Data has been declared as the new oil. Much like the early days of oil exploration by companies, there is a rush to secure the most valuable data as soon as possible and extract, or rather mine it, for enrichment. But because data is not a physical asset, protecting it is a lot more complicated than safeguarding oil, gold or anything physical. Data, by its very nature of being amorphous, can reside anywhere and everywhere in the world. One’s data on social networks is based in the United States, or possibly Ireland and maybe even Iceland. But it should not matter where one’s data resides as long as it is safe. Unfortunately, many Governments and intelligence agencies think otherwise. This is why the Indian Government has been insisting that online companies — from social media networks, email service providers and even e-commerce majors — host their data within India. But the fact is that Indian agencies and companies, with possibly the exception of Indian financial services firms, have been very callous with data. Breaches have led to copious amounts of Aadhaar information being inadvertently released. Besides, several Indian mobile applications have had their data stolen. Phishing attacks, which are not quite data breaches, are extremely common in India, given low levels of digital literacy in a nation that is rapidly going online. The recent Global Risks Report released by the World Economic Forum (WEF) highlighted this fact. Of course, this is not to downplay other major risks that India faces, such as the tremendous fear of population displacement due to global warming, but data breaches in our country are extremely disturbing.
In the aftermath of the right to privacy that the Supreme Court upheld, the Government should have urgently come up with a set of laws to enshrine that right. Instead, it is moving after a more draconian set of laws that will intercept and store information, potentially violating the apex court’s ruling. Sure, there is an urgent need to control the spread of malafide information on social media, and there might be the need for the Government to control and register applications available on mobile phones. But it also needs to establish a set of laws that protects user data. While companies should be allowed to make money from user data, these laws should outline what is kosher and what is not. Unfortunately, it appears that there has been no urgency to introduce them unlike the triple talaq Bill simply because, as mentioned above, low levels of digital literacy have meant that most Indians shrug off data breaches. This needs to change and advocates for data privacy should work towards greater digital literacy programmes across the country instead of being talking heads. Because only when millions of Indians demand that their personal information be protected, will it be secured. Instead, India remains the Wild West when it comes to the internet. And until that changes, stories of data breaches and personal information being compromised will remain far too common.