SITUATION REPORT ON

PRIVACY IN A SURVEILLANCE SOCIETY

By

Pavithran Rajan

Introduction and Background

‘The right to privacy is our right to keep a domain around us, which includes all those
things that are part of us, such as our body, home, thoughts, feelings, secrets and
identity. The right to privacy enables us to choose which parts in this domain can be
accessed by others, and control the extent, manner and timing of the use of those
parts we choose to disclose.’ (1)

But we now live in a surveillance society where our privacy is under threat. The
creation, collection and processing of personal data in the electronic and physical
form is nearly a ubiquitous phenomenon. Every time we use a loyalty card at a
retailer, our names are correlated with our purchases and entered into giant databases.
Every time we pass an electronic tollbooth on the highway, every time we use a cell
phone or a credit card, our locations are being recorded, analyzed and stored. Every
time we go to see a doctor, submit an insurance claim, pay our utility bills, interact
with the government, or go online, the picture gleaned from our actions and states
grows finer and fatter. (2)

Our physical bodies are being shadowed by an increasingly comprehensive ‘data

body’. However, this shadow body does more than follow us. It does also precede us.
Before we arrive somewhere, we have already been measured and classified. Thus,
upon arrival, we're treated according to whatever criteria have been connected to the
profile that represents us. (3)

Insurance premiums, for example, can be based on health data that is already
available to insurance companies. If we apply for jobs and do not get them, perhaps
it's because of our qualifications, but perhaps it's because we were deemed to be part
of a high-risk group for developing health problems, and the company doesn't want to
hire employees who might get sick in the future. (4)

Access to large data-sets of personal information is a prerequisite for social control.

Those who hold such data have a crucial tool that allows them to influence the
behaviour of those whose data is being held. Marketing is an obvious example. The
more a seller knows about its prospective customers, the better their needs can be
targeted or manufactured. Marketing involves subtle forms of manipulation: creating
desires at the right moment, in precisely the right way, so that they can be satisfied by
merchants. Similarly, governments want to collect data about their citizens in order to
increase the accuracy of their planning, as well as combat fraud and tax evasion. The
security establishment wants infinite amounts of information about everyone to
combat a growing list of enemies. (5)
 2

The cumulative effect of the culling all this information is that "they" know more than
ever about "us," while we still know very little about them, including who they are
and what they know about us. An increasing number of institutions have the ability to
manipulate us, influence our behaviour, and subject us to specialized treatment in a
wide range of situations (with various degrees of success, control is never absolute
and the claims of the capacities of surveillance technology are often inflated by
vendors promoting their products). (6)

There are many substantial justifications for the right to privacy, yet there are certain
violations of privacy that we are willing to suffer, in order to maintain a proper
balance between the right to privacy and our requirement of security. Like all other
fundamental rights, privacy is not an absolute right. Such interests may include
freedom of speech and the public's right to know, law enforcement or economic
interests. (7) It is difficult to define the right to privacy, since privacy is not purely
legal term. It has psychological, social, cultural and political aspects.

Over the past thirty years in particular, considerable advances in technology have
dramatically increased the powers of the state to carry out surveillance upon its
citizens. This inevitably brings with it the vision of an Orwellian society, where
citizens are constantly under the vigilant gaze and attentive ear of ‘Big Brother’.
Though the allusion to ‘Big Brother’ is a popular modern metaphor for the role of the
State in social control, it ignores the numerous benefits increased surveillance has
brought about. Surveillance does, undoubtedly, have two faces. It can act to curtail
rights through, for example, reinforcing divisions within society, or it can be a vital
tool in preventing and detecting crime. For citizens to accept and consent to certain
forms of surveillance, that is to say its positive face, the state should be accountable
for its actions. It cannot be left with an unfettered discretion to determine why and
where it carries out surveillance on, and on behalf of, its citizens, without some form
of legal responsibility. The governors and the governed should be subject to the law.
(8)

Image: An overlap of Security and Privacy, courtesy from http://security-today.com

 3

The digital environment enables new uses of information: in the ways it is collected,
processed, saved and distributed. These technological changes create, on the one
hand, new business opportunities, and on the other hand, new threats to privacy.
Privacy is seen as a basic human right, constituting an essential element in creating a
safe environment for electronic trade and at the same time is used to disguise criminal
and terrorist activities, and therefore is of interest to the law enforcement authorities.
(9)

Mass surveillance is the pervasive surveillance of an entire or a substantial fraction

of a population. The surveillance is usually carried out by governments, often
surreptitiously, but may also be done by corporations at the behest of governments or
at their own initiative. It may or may not be legal and may or may not require
authorization from a court or other independent agency. Mass surveillance is often
claimed by its proponents as necessary to fight terrorism, to prevent social unrest, to
protect national security, to fight child pornography and protect children. (10) Mass
surveillance is widely criticized as a violation of privacy rights, for limiting civil and
political rights and freedoms, and for being illegal under some legal or constitutional
systems. There is a fear that increasing mass surveillance will ultimately lead to a
totalitarian state where political dissent is undermined by COINTELPRO-like
programs. (11)

One of the most common forms of mass surveillance is carried out by commercial
organizations. Many people are willing to join supermarket and grocery loyalty card
programs, trading their personal information and surveillance of their shopping habits
in exchange for a discount on their groceries, although base prices might be increased
to encourage participation in the program. (12)
Through programs like Google's AdSense, OpenSocial and their increasing pool of
so-called "web gadgets", "social gadgets" and other Google-hosted services many
web sites on the Internet are effectively feeding user information about sites visited by
the users, and now also their social connections, to Google. Facebook also keep this
information, although its acquisition is limited to page views within Facebook. This
data is valuable for authorities, advertisers and others interested in profiling users,
trends and web site marketing performance. Google, Facebook and others are
increasingly becoming more guarded about this data as their reach increases and the
data becomes more all-inclusive, making it more valuable. New features like
geolocation give an even increased admission of monitoring capabilities to large
service providers like Google, where they also are able to track one's physical
movements while users are using mobile devices, especially those which are syncing
without any user interaction. (13)

Global Surveillance – Current Reality

It was a series of detailed disclosures of internal NSA documents in June 2013 that
first revealed the massive extent of the NSA's spying, both foreign and domestic.
Most of these were leaked by an ex-contractor, Edward Snowden. As confirmed by
the NSA's director Keith B. Alexander on September 26, 2013, the NSA collects and
stores all phone records of all American citizens. (14)
 4

It is now clear that the NSA had operated a complex web of spying programs which
allowed it to intercept internet and telephone conversations from over a billion users
from dozens of countries around the world. Published documentation reveals that
many of the programs indiscriminately collected bulk information directly from
central servers and internet backbones, which almost invariably carry and reroute
information from distant countries. Due to this central server and backbone
monitoring, many of the programs overlapped and interrelated among one another.
Some of the NSA's programs were directly aided by national and foreign intelligence
agencies, Britain's GCHQ and Australia's DSD, as well as by large private
telecommunications and internet corporations, such as Verizon, Telstra, Cisco,
Microsoft, Apple, Yahoo, Google and Facebook. (15). Over 70 percent of the United
States Intelligence Community's budget is earmarked for payment to private firms
such as Lockheed Martin (currently the USA's biggest defense contractor), AT&T
(CIA pays AT&T more than US$10 million a year to gain access to international
phone records, including those of U.S. citizens), British Telecommunications(has
granted Britain's intelligence agency GCHQ "unlimited access" to its network of
undersea cables, according to documents leaked by Snowden.). Microsoft has helped
the NSA to circumvent software encryption safeguards. It also allowed the federal
government to monitor web chats on the Outlook.com portal. In 2013, Microsoft
worked with the FBI to allow the NSA to gain access to the company's cloud storage
service (SkyDrive.). RSA Security was paid US$10 million by the NSA to introduce
a cryptographic backdoor in its encryption products. Vodafone granted Britain's
intelligence agency GCHQ "unlimited access" to its network of undersea cables,
according to documents leaked by Snowden. Naturally, all the voice and other data
flowing out of India on Vodafone network, was available to GCHQ(read MI6).

As of today we have no comprehensive policy or law governing electronic collection

utilization or sharing of data which could impede into a citizens private domain. Since
the 1960s, the Indian judiciary, and the Supreme Court in particular, have dealt with
the issue of privacy, both as a fundamental right under the Constitution and as a
common law right. The common thread through all these judgments of the
Indian judiciary has been to recognize a right to privacy, either as a fundamental
right or a common law right, but to refrain from defining it in iron-clad terms.
Instead the Courts have preferred to have it evolve on a case by case basis. As Justice
Mathew put it, “The right to privacy will, therefore, necessarily, have to go through a
process of case by case development.” (Govind v.State of Madhya Pradesh, AIR 1975
SC 1378).

Review of International Practices.

Different geographies across the globe have defined their privacy

requirements, articulating the requirements for the protection of the personal data
and prevent harm to an individual whose data is at stake. The following table
represents the derivation of privacy requirements as articulated by the OECD
Privacy Guidelines, EU Data Protection Directives, APEC Privacy Framework,
Canada PIPEDA (Personal Information Protection and Electronic Documents
Act), and Australia ANPP (Australia National Privacy Principles).(16)
 5

Privacy principles such as Notice, Consent, Collection Limitation, Use Limitation,

Access and Corrections, Security/Safeguards, and Openness cut across these
frameworks. The principle of Enforcement, which APEC calls as Preventing Harm,
is introduced by APEC, EU and the Canadian privacy enforcement regimes. The
EU Data Protection Directive, OECD Guidelines and APEC framework additionally
deal with the subject of Trans-border data flow. Australia’s ANPP specifically
prescribes de-identification of the personal information. (17)

Information Security – The Way Forward

The correlation between privacy and security of the data needs no further emphasis in
a world where global surveillance is the norm. Individual privacy cannot be ensured
when our entire public cyber infrastructure is inherently insecure and open to
snooping. The cyber world, post Snowden, is going to see dramatic upheavals.
‘Security is the only service that cannot be outsourced’ is a truism that sadly has not
been fully understood by the Indian nation. The failure of our strategic community to
foresee the inherent dangers to national security by blindly trusting foreign MNC’s
and allowing our critical infrastructure in the cyber domain to be built on
compromised software and hardware is “the” success of the western Information
Warfare system. Anybody familiar with the serious setback to Iranian nuclear effort
would be aware of ‘Stuxnet’, a malware developed specifically for the purpose, since
their facility was using a European software, weaknes of which could easily be
identified, given the luxury of time and a close source code.

It is now clear that security in the cyber domain can be achieved by (18):-
 6

• Technology, social, economic and other sciences – an interdisciplinary effort

• Large scale actions in indigenous public private partnerships.

• A techno legal ecosystem for a trustworthy Information Society.

• International cooperation for trust in global transaction

All future projects must ensure strong interplay with legal, social and economic
research in view of development of a techno legal system that is usable, socially
accepted and economically viable. A comprehensive review of existing critical
infrastructure and migration to indigenous open source technologies has to be
carried out. Enabling laws to ensure that data generated in India has to be securely
stored within Indian Territory under Indian jurisdiction are enacted.

Conclusion

The Snowden revelations and the surveillance activity carried out by USA and its
allies have led to a global uproar. The intimate relationship between western IT giants
and the security establishments of the West has shaken the very foundation of cyber
space and the global information and communication industry (ICT). The next couple
of years are likely to bring out the repercussions of these yet unfolding revelations.
For other nation states the information leaked so far has revealed that western MNC’s
and their technologies have been leveraged for a competitive advantage for economic
and diplomatic gains by the US intelligence apparatus. The dangers to national
security from the big data stored on the server farms of the giant MNCs are but the tip
of the iceberg.

The majority of global cyber space and communication networks are mostly built
using Western and Chinese hardware and software solutions having proprietary
closed source codes. Although there were constant alarms on the dangers to vital
communications networks by usage of Chinese equipment, the Snowden revelations
have unequivocally brought to the world the dangers of depending on equipment built
using proprietary source codes whatever be its origin. The realization that the global
networking infrastructure built up in the last couple of decades are porous and more
frighteningly can even possibly be not under the control of the user and can be shut
down remotely are possibilities which are now increasingly clear to the entire global
cyber security establishment.

National critical ICT infrastructure has to be based on verifiable open source

protocols is a foregone conclusion post Snowden revelations. Enabling government
policies and legislations for promoting indigenous infrastructure, data storage of the
Indian population under Indian national jurisdiction are the need of the hour. This can
only happen by creating awareness among various stake holders, informed debates in
Parliament and investigations by Parliamentary committees into the deep nexus
between the global ICT industry and elements responsible for policy inputs to the
government for procurement of ICT hardware and software.(The Indians should keep
their fingers crossed and brace for future challenges since all the AADHAR data
hosting is reportedly outsourced and that too to foreign companies.)
 7

The Snowden revelations can be used to leverage this without causing major ripples
in international relations. Networking solutions built on open source technologies are
the future and will see a tremendous growth in the coming years. Organizations and
nations, which adapt faster bringing about enabling laws to adopt open source
technologies, will see increased customer confidence and will have a competitive
advantage over those who are slower to respond.

Bibiliography:-

1. Privacy in the Digital Environment (Haifa Center of Law & Technology, Niva Elkin-Koren, Michael
Birnhack, eds., 2005) (1) (7) (9)

2. Taylor: State Surveillance and the Right to Privacy (8)

3. Privacy is not the antidote to surveillance Felix Stalder (2) (3) (4) (5) (6)

4. https://en.wikipedia.org/wiki/Mass_surveillance#Surveillance_state (10) (11) (14)

5. https://en.wikipedia.org/wiki/Mass_surveillance_industry (12) (13)

6. https://en.wikipedia.org/wiki/Global_surveillance (15)

7. Report on the Group of Experts on Privacy, Govt. of India, Planning Commission (16) (17)

8. Privacy in the Digital Environment The European Perspective, Jacques Bus (18)