There is nothing like a free lunch, definitely not in the digital world. Hidden behind the veil of surveillance, security, convenience and other such words is a price tag costly beyond reason, but without any dearth of takers, both willing and unwilling. With the first step into the digital world, one gives an unspoken and unwritten consent to managers of this space—read all government and non-government entities—to legitimately or illegitimately feast on data of all kinds. That makes every person here an unwitting kingmaker in a world where data is the king. And, this kingmaker—the one whose data it is to share—is left with little control over who gets access to how much of the pie.

In 2018, the Delhi Police acquired an automated facial recognition software (AFRS) for the purpose of tracking missing children. But in less than a year, reports emerged of the software being employed to identify protesters. This is just one instance that shows how quickly what begins as a legitimate cause can move over to a different arena. Yet, in absence of a law with clear terms, data harvesting in the name of surveillance for security and law and order purposes continues. In 2017, the Chennai police in Tamil Nadu for the first time used the FaceTagr, a facial recognition software, to watch out for “miscreants”. In the same year, the Cyberabad police in Telangana acquired automatic fingerprint identification system for real-time identification of suspects. However, later there were reports of the police collecting fingerprints randomly in public, citing pre-emptive measures to curb crime.

Privacy in Digital India

The government has been aiming to transform the country “into a digitally empowered society and knowledge economy”. But in the space where user data is extracted at every point of contact, questions are being raised on the mechanism to prevent misuse of this information. Increasingly, the world is waking up to the threat of misuse of data and is struggling, clearly in vain, to wrest back the controls.

Besides the voluntary submission of personal data to government institutions to avail of their services and other facilities, a huge amount of database is generated because of the big surveillance network created by the different law enforcement agencies in the country.

Installation of close-circuit television cameras (CCTVs) in public places and face detection software is just one of the many ways this is happening.

“While the Unique Identification Authority of India (UIDAI) collects data directly from individuals, law enforcement agencies (LEAs) collect it obliquely by intercepting communication to preserve national security and public order. Interception by LEAs is governed under the Indian Telegraph Act, 1885 [Section 5(2)], Information Technology (Amendment) Act, 2000 (Section 69), Rule 419A of Indian Telegraph Act, and Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009,” says Kazim Rizvi, a public policy entrepreneur and founder of The Dialogue, an emerging policy think tank.

He adds, “According to the current regulatory framework, the central and the state governments can directly notify the agencies who can conduct an interception of the communication on their behalf.”

Under the information technology rules, no agency or person can carry out interception without the direction and approval of the competent authority, Rizvi points out.

“The competent authority under the rules is the home secretary or joint secretary [in case of emergency during the absence of the home secretary]. The review committee [single committee for both phone tapping and computer data interception] formed under the information technology rules is the same as the one constituted under Indian telegraph act,” he adds.

Where do Governments Keep Data?

According to experts, the central government uses various forms of data management tools to optimally manage data across its lifecycle, especially storage, protection, accessibility, etc.

For instance, the Aadhaar ecosystem has three layers, i.e., infrastructure, data linking and application. The data linking layer is encrypted, while third parties own and use the other two layers.

“Moreover, the Aadhaar data is stored and managed within the central identities data repository. Like PRISM in the USA, to strengthen security post-Mumbai attack in 2008, the Indian government envisioned a similar system called central monitoring system (CMS) and implemented it in 2015,” Rizvi elaborates.

In May 2022, the government published a Draft National Data Governance Framework Policy (NDGFP). This replaced the Draft Data Accessibility and Use Policy which had been released in February 2022 but had to be scrapped. Like its predecessor, NDGFP proposes monetising detailed data sets that have gone through value addition or transformation while keeping the minimally processed datasets accessible for free. Also, NDGFP aims to realise the full potential of digital government by maximising data-led governance and catalysing data-based innovation that can transform government services and their delivery to citizens.

In September 2018, the Supreme Court barred private entities from using Aadhaar for KYC authentication purposes, restricting its use only for government subsidies. But, a few months later, the Cabinet passed an Ordinance allowing banks and telecom companies to use Aadhaar for identity, albeit as an option, making it clear that services could not be denied to those who did not furnish the details. Effectively, users furnish their details without much ado to expedite the delivery of services.

“Besides Aadhaar, the National Crime Records Bureau (NCRB) and other law enforcement agencies collect and shop for criminal data. Local state police departments also hold physical and digital data on missing persons. The process and scope of data collection is still evolving among these agencies. This data is collected and stored in their own data centres and cloud managed by these agencies,” Bikas Jha, senior director-India and South East Asia at RealNetworks, a private firm that provides surveillance software to government agencies, says.

Unlike surveillance data, Aadhaar data is stored permanently and according to the statement made by the minister of state for electronics and information technology Rajeev Chandrasekhar in the Lok Sabha in 2021, even if a person dies, his or her Aadhaar account remains active. This is because there is an integration of data between the Registrars of Births and Deaths and the UIDAI.

With the increase in digital data, physical data usage is shrinking day by day. Experts say that there is no mechanism to keep digital data in physical format as a backup and that it is kept in storage devices on database servers.

Third-Party Vendors and Data Protection

Companies that act as third-party vendors for the governments say that all such providers have appropriate privacy and confidentiality clauses in the contract while working with the same.

“Third-party vendors do not have permission to keep the data outside the control of the government. In addition, vendors and OEMs from countries that share a land border with India are excluded from government contracts,” a private firm engaged with the government in data services said, requesting anonymity.

Companies providing software facilities, like RealNetworks, say that CCTV data is generally collected for post-crime investigation. Automatic number plate recognition (ANPR) cameras are installed on streets for tracking traffic rule violations.

“Facial recognition system software matches the faces collected from CCTV feeds, mobile, body-worn cameras or simple photos with the stored data in servers, mostly those of criminals and missing people,” Jha explains. “Events are created the moment matches are found with subjects of interest. All other event data is purged from storage after a certain period as per the user policy, for example, 7 days or 30 days. This is essential due to limited database server storage capacity,” he adds.

Experts have red-flagged the presence of intermediary agencies like common service centres (CSC) and agents during the data collection stage, i.e. detection and alignment of the facial recognition process. As part of G2C e-governance, the government, with the support of UIDAI, has indicated its intentions to deploy facial recognition as part of its authentication system; however, using CSC for this task brings privacy concerns to the fore, experts feel.

“There is less clarity on the government accountability mechanism and data usage clause. Therefore, it is essential to slate an appropriate monitoring mechanism that must be deployed such that agencies which aid the government in feeding facial blueprints are accountable for their actions,” Rizvi says.

He adds, “Although technologies like facial recognition technology (FRT) and data collected through them are used for national security and preserving state order, they are developed without a data protection regime and robust surveillance reform, which is concerning. The data collected through these means is not safeguarded against misuse; who can access data and whether it is only used for the stipulated purpose is unknown, and measures to prevent and tackle breach and abuse are not specified. The profiling of individuals is happening in silos where, in most cases, citizens never know about the data collection and profiling happening through FRT.”

Experts express concern that there are only a few policies that provide direction on data storage, usage and destruction. “For instance, the DigiYatra scheme talks about data storage and retention to an extent; however, we do not have a legal framework that governs FRT systems in India, like communication interception,” an expert said. DigiYatra platform by the civil aviation ministry facilitates digital processing for passengers at airports with the help of FRT. As per the policy, all data is to be purged from the DigiYatra biometric boarding system (BBS) at the end of a passenger’s journey, but “BBS shall have an ability to change the data purge settings based on security requirements on a need basis” and any “Security Agency, BOI or other Govt. Agency may be given access to the Passenger Data based on the current/ existing Protocols prevalent at that time”, providing exemption for sharing of such data.

The utility of surveillance technology has been proved, but the government needs to convince the general public about the efficacy of its measures to ensure the safety of the data it is entrusted with. Assurances exist in letter, but not as convincingly in spirit. After withdrawing the Personal Data Protection Bill 2019 in August last year, the Centre proposed the Digital Personal Data Protection Bill 2022, seemingly old wine in a new bottle. Until it can provide genuine solutions, digital privacy will continue to be what it has become in recent years—a misnomer.