‘Puttaswamy’ and the fading promise of a right

August 24 has passed, five years since the nine-judge bench of the Supreme Court of India delivered an important judgment in whose case. Justice KS Puttaswamy (Retd.) Vs Union of India, The judgment delivered on that date formally recognized the right to privacy as a fundamental right, stemming from the right to life and personal liberty guaranteed under Article 21 of the Indian Constitution. The Bench also held that the right to privacy is intrinsic to an individual’s ability to exercise bodily autonomy, yet it is not an “absolute right” in itself, given the limitations placed on the right to freedom of expression. are equal. and expression.

an erosion

Five years later, however, the agency’s end-beneficiaries, who had promised recognition of the fundamental right, may feel that the order made as part of the judgment has not been upheld in letter or practice. For example, one can consider the nature of the relationship that is currently shared between consumers and companies. If one looks at how privacy is negotiated now, they will realize that not much has changed since the formal recognition of the right to privacy. The Personal Data Protection Bill, 2021, which had been pending for some time (regardless of how flawed it may have been) was withdrawn earlier this month after an unnecessarily long pause.

Personal data for the price

Meanwhile, the ground reality for citizens has not changed much either. Data security breaches that result in the loss and theft of personal, sensitive data have not been reduced in terms of measurable frequency or their impact. Worse yet, as of today, any individual or business within and outside India is still in a position where, for modest bargaining, they are classified and labeled wherever possible for use by the vast majority of people. You can get personal information for. and consumption.

Data relating to the scale and nature described here are frequently used by some legitimate advertising agencies, unscrupulous telemarketing firms and cybercriminals. Brokers of such data have in fact become so shameless that they have started listing their goods for sale on mainstream e-commerce platforms. This may be done in order to reach more customers who may discover and later purchase the data they provide, but perhaps also in an effort to lend some sort of legitimacy to the unethical and possibly illegal nature of their business. . This status quo leaves the general population open to a range of damages in the form of widespread phishing attacks and financial scams, which inflict access on the attacker’s personal information, as well as other harmful activities, on the attacker possessing critical bits of information. depends. individual.

‘Spy’ from above

Although the threat model to an ordinary user of the Internet in India may only include non-state actors (such as cybercriminals and unscrupulous businesses), individuals with some political and intellectual equivalence have however found themselves concerned about the capabilities of the government. Have got. related; And rightly so, as far as the safety and integrity of their electronic equipment is concerned.

An investigation in January 2022 new York Times lent some credibility to the debate and outrage surrounding the alleged use of Pegasus spyware in India. The investigation revealed that the Indian government had bought access to the Pegasus spyware suite from Israel in 2017 as part of a nearly $2 billion acquisition deal for weapons and miscellaneous surveillance gear. Shocking revelations and allegational evidence in at least one case targeting Indian citizens (allegedly carried out by the Indian government) suggest that Puttaswamy’s decision could be thought of as having any judicial significance. A gross disregard for.

Other ‘crimes’

The recent intervention by the government, aimed at restricting Indian citizens from subscribing to and accessing VPN services, also shows similar disregard. In short, the government has demanded that VPN service providers – most of whom operate in jurisdictions outside India – start collecting and maintaining KYC records on Indian citizens who wish to avail their services.

The kind of information requested to be collected and stored includes common identifiers such as full name, phone number, home address, and more (information that is not typically sought by VPN service providers , and which can only be validated by a potential customer) present a valid identification document to a given service provider), with a small box asking for the “reason” for which a person sought access to the VPN service Of. The justification provided by the government for the request for the collection and submission of presumptive data begins and ends with the mention of the words “national security”.

While needless to say that VPN services in themselves do not enable or significantly advance criminal activity where such a response is required, the government’s position shows that it does not allow an individual to obstruct an individual’s effort. is not above. Their fundamental right to privacy, of which informational privacy is a part. However, this should not be surprising given other privacy-violating offences, and given that the initial position, argued by the then Attorney General, was that “the right to privacy may at best be a common law, but not a fundamental right”. Not guaranteed. Constitution”.

In the light of all this, five years later, it can be said with confidence that the Puttaswamy judgment lapses quite spectacularly for that purpose, and is a pre-emptive step to protect the rights of Indian citizens while ensuring all represents opportunity. Necessary checks and balances to prevent government overabundance and abuse of power.

Karan Saini is an independent security researcher and public interest technologist. He is currently Bellingcat. I am Technology Fellow