Matthan - Privacy 3.0: unlocking our data-driven future

PRIVACY 3.0

Unlocking Our
Data-Driven Future

RAHUL MATTHAN

For Ahalya and Dhruv

CONTENTS

I n 2017, Aadhaar, the Government of Indias grand plan to provide a unique digital identity to the 1.3 billion people living in the country, exploded.

It was fast becoming evident that not only was Aadhaar not going to remain optional as originally advertised, it was also going to become ubiquitous. The government had already made Aadhaar linkage mandatory to avail of certain schemes run through the Public Distribution System (PDS) and the LPG distribution scheme. During the course of the year many more services got added to that list. The government told regulated entities like banks and telecom companies to get all their customers to link their accounts to Aadhaar by the end of the year. As a result, customers began to be bombarded, almost on a daily basis, with messages to link their accounts to avoid disruption of services. But as much as the central government was forcing government agencies and regulated entities to ensure that their users linked their Aadhaar numbers to their accounts, the real spike in Aadhaar usage came as a result of the actions of the private sector.

In 2016, the Unique Identity Authority of India (UIDAI) had notified the Aadhaar (Authentication) Regulations, establishing a framework within which private enterprises could utilise its identity architecture for their transactions. Shortly thereafter, both the Reserve Bank of India (RBI) and the telecom regulator introduced amendments in their Know Your Customer (KYC) regulations allowing Aadhaar-enabled e-KYC to serve as a substitute for the cumbersome manual authentication process that was being followed. Relying solely on Aadhaar-based paperless SIM activation, Reliance Jio, the countrys most recent entrant into the telecom sector, was able to create a world record by crossing 16 million new subscribers in its first month of operations.

Aadhaar was being used everywhere by fleet taxi operators to on-board their drivers, by payment banks to enrol new customers and by bike sharing companies to authenticate their users. A number of futuristic business cases were being actively evaluated, including the use of Aadhaar-based paperless travel at airports, where boarding passes would be completely done away with and all we would have to do was show our fingerprints at all the checkpoints in the airport, all the way to the boarding gate and on to the aircraft.

But even as enthusiasm for Aadhaar was growing, opposition to it rose to a crescendo. Activists, lawyers and politicians of every hue demanded the cancellation of the project, calling into question the technology, the fact that it had been implemented without legislative backing, and that rather than providing benefits to the poor it was resulting in exclusion. They claimed that the sinister motive behind linking anything and everything to the Aadhaar database was the creation of a giant panopticon to watch over us and monitor our every move. There was a real fear that we had already slipped into an Orwellian dystopia where the State has a record of everything we do, where we go and who we meet.

An increasing number of instances were coming to light where the flaws in the technology were being exposed. In one instance, a company that was supposed to provide enrolment services developed a programme that used a stored biometric to conduct multiple transactions without the need for human intervention. Both these instances turned out to be far more innocuous than originally reported but they tapped into the rising consternation around the vulnerability of one of the largest government databases of personal identity on the planet. There were rumours that the foreign companies that provided the biometric algorithms that were used in the enrolment process were leaking personal information out of the country to the foreign governments under whose jurisdiction they were based, giving rise to an unreasonable fear of an invisible foreign hand.

Never before had a single technology so radically polarised the nation. On the one hand, there were those who were excited by the many opportunities that had opened up, now that they had access to a digital identity that was capable of frictionless interaction across multiple services. On the other, the doomsayers only saw all the harms that would arise if this powerful technology was misused. These two extreme views controlled much of the narrative around Aadhaar but neither of them was entirely correct. Done right, Aadhaar had the potential to be the defining technology of this generation. Done wrong, it could set the country back decades.

Opposition against Aadhaar was largely focused on the privacy implications of the project. It might have been a bit more muted if we actually had in place a full-fledged privacy law. Or if somewhere in our judicial history we had recognised personal privacy as needing protection under the law. Not only were we among the very few countries in the world that did not have a privacy law, a few years previously, while defending the Aadhaar project, the attorney general of the country had argued that India had no such thing as a fundamental right to privacy.

How did we get here? What twist of fate, what curious combination of unfortunate circumstances led the largest democracy in the world to function for seven decades without a privacy law to the point where the highest legal officer of its government refused to even acknowledge its existence as a basic and natural human right?

As much as this is not a book about Aadhaar, it would not have come to be written but for it. As a technology lawyer, I have always had more than a passing interest in privacy and its implications on technology. But my interest has been limited to interpreting the law as it applies to my clients. Aadhaar made me examine how changing technology influences our notions of privacy and called into question many of my long-held beliefs about how data must be regulated.

We are so obsessed with the harms that can befall us if our privacy is violated that we have designed our laws to prevent that from occurring at all costs. As a result, our privacy laws are restrictive, designed to prevent us from doing anything that could even accidentally result in such damage. It has made us overly cautious to the point where we have begun to miss out on the benefits that technology can offer. But technology rarely heeds to legal restrictions. Innovation has always proceeded apace despite the attempts of the law to restrain it. Every time technology found a new way to inveigle itself into our personal space, we have so enjoyed the benefits that it brought that, rather than prohibit it, we have adapted our privacy regulations to account for it.

Aadhaar made me wonder whether we are, once again, at one of those crossroads in the evolution of privacy jurisprudence where there is a need to re-examine the laws that currently govern us to see if there might be another, smarter way to protect our personal privacy.

To do this I felt I needed to better understand the origins of our current notions of privacy to see if there is something in its past that will inform its future. This book is the product of that research. It attempts to provide some explanation for how we have come to our current notions of personal space and individual privacy, starting from early human tribes in whose egalitarian social structures privacy was all but non-existent, all the way down to our data-driven present where it seems there is little we can do to conceal our thoughts and actions from those around us.