Nasscom President Kiran Karnik says, ‘‘Personally, I feel deeply concerned about the obsession we have with ‘security’ (and I am not talking of data security), which seems to provide a cover-all for anything and everything. It seems to permit the government and its multiple security agencies to do anything from tapping telephones to intercepting mail to seeking identity and sites accessed by cyber cafe users. Sadly, the ‘intelligentsia’ is not bothered: this is, after all, ‘other people’s’ problem.’’
Sunil Mehta, Vice-President of Nasscom says, ‘‘As Internet penetration in India increases, e-governance initiatives grow in reach and more and more ‘personal identifiable information (PII)’ becomes digitised, many of us are increasingly concerned about privacy and security breaches. I really believe there should be a genuine public debate in this country among all stakeholders around the kind of privacy laws that we, as citizens, really need.’’
Nandkumar Sarvade, DCP police and IIT engineer, who is currently on deputation with Nasscom (National Association of Software Companies) says, the growth of databases is inevitable, since government itself needs large databases, such as a list of all the citizens, voters, tax payers, vehicle owners, drivers, property owners and so on.’’
‘‘Since information infrastructure is increasingly being controlled by private players, without a legal framework, profit maximisation would remain the primary purpose resulting in exploitation and resale of databases. A legal framework would therefore be required to lay down the rules, within which legitimate data aggregation can be practised.’’
Most experts believe that Self Regulatory Organisation (SRO) is a good start. But Sunil Mehta insists, the ‘‘SROs would have to be carefully designed to give it some real powers to create a code of ethics (and adherence to security standards, self-certified audits, third-party audits), create capacity by training key officials in member companies, investigate and adjudicate breaches and expel members who fail to correct behavioural lapses. This has to be backed by ‘‘a legal framework, which can be triggered off by the SRO in case all else fails.’’
The controversy over biometric identification that is being discussed by a SEBI committee in connection with MAPIN makes the issue of security and efficacy of databases even more relevant.
Sarvade quotes a chilling passage from Simson Garfinkel’s book on databases and privacy, (‘Database Nation: The Death of Privacy in 21st Century’) with specific reference to biometric identification. It says, ‘‘Biometrics are a powerful means to ascertain somebody’s identity, but only for the person or the machine that actually does the measuring. Once a biometric is stored inside a computer, all of the security provided by biometric identification is lost. A stored biometric could easily have been copied from another computer, rather than being directly measured. This is a critical distinction to understand when using biometrics. It is a distinction that is so subtle that it frequently is overlooked by the people implementing and using biometrics-based systems.’’
The direct consequence of copying biometric identification is its misuse with nightmarish consequences for the victim. For instance, the misuse of a credit card only causes monetary losses (which can sometimes have extreme consequences), but the misuse of biometric could falsely implicate a person in criminal activity, which would be impossible to disprove.
Prakash Hebalkar, a leading IT expert, has long been concerned with the issue of Identity Theft. He first raised it in 2002 in connection with the PAN database. He wrote: ‘‘Can you imagine trying to prove to the Income Tax authorities that it was not you who asked for that demand draft payable to the cross-border terrorist, despite your PAN being misused on the draft application to the bank? Or that you did not buy that SIM card for the mobile phone that was used to make extortionist calls? The list could go one ad infinitum, limited only by one’s imagination.’’
Hebalkar believes that Indian criminal law must introduce provisions similar to the US statute, which provides for imprisonment for 20 to 25 years and forfeiture of property for identity thefts. Instead, the fine for a misstatement or misuse of the PAN today is a paltry Rs 10,000.
Interestingly, many experts still believe that our current legal framework, if well enforced, is adequate to addresses violations of personal privacy. To my mind, the current legal framework is rendered ineffective because of the slow legal process and paltry punishments. It is only when there is adequate debate and discussion on privacy issues that the government will recognise the need for an effective legislative framework to protect individual privacy.