A recent development involving the Telecom Regulatory Authority of India (TRAI) has once again brought to the fore the issue of citizens’ right to privacy, as declared by the Supreme Court of India, vis-à-vis the government’s wish to subordinate it to national security concerns.
In November, TRAI asked for submissions from the public on a consultation paper containing proposals that pose a serious threat to the basic civil rights and liberties of the country’s citizens. The proposal that really unnerved me was the one that talked about allowing the government unabated access to user data, including sensitive private information, under the pretext of national security. Worse yet, companies like Reliance Jio, Paytm (funded by China’s Alibaba), and several others seemed more than favourable to these proposals in their submissions to TRAI.
The Indian government is not alone in asserting this unequivocal right over citizens’ private information. Several governments around the world have advocated the same. A well-known example is the 2015 Apple Vs FBI case in the US. The US has some of the strictest laws protecting citizens’ fundamental rights such as equality, freedom of speech and the right to privacy. Even so, a school of thought in the US advocates for the government having an overriding and absolute right to access citizens’ private data.
The role of US companies in protecting citizen data
There are several differences, however. Foremost is how the private companies involved, Apple and its peers, responded to the issue of government overreach on their customers’ data privacy rights. Also noteworthy is how Congress held a hearing before the House Judiciary Committee, the government body that covers matters relating to how law and order is enforced in the US, to deliberate on the issue in a thorough, open-minded and well-informed manner.
In the Congressional hearing, Apple argued that any compromise on the security and privacy of the data, however controlled and regulated by the government, would always remain vulnerable to falling into the hands of bad actors, including terrorists and enemy states. Professor Landau, an independent cryptology expert, argued that once the government started subjecting Apple to requests for access to other devices, the process Apple would create to comply efficiently with those requests would be inherently vulnerable to exploitation through interception or perhaps through a rogue employee.
Professor Landau, along with Republican Congressman Darrell Issa, instead suggested making the FBI more capable by acquiring the expertise it needed to carry out its investigations, without compelling private companies to compromise on their security policies towards customer data.
Even in India, while local companies make submissions calling for backdoors against encryption, others such as Facebook-owned WhatsApp have so far repeatedly refused to break their encryption despite the government bringing up issues like national security and child pornography.
Governments can misuse laws
There is another important nuance to understand, though. And it is perhaps the most important one when it comes to allowing the government to have unrestricted access to citizens’ private data. Any argument favoring this is based on the premise that the government always acts in the best interests of its citizens. This, however, is not always true, and the premise is fraught with the risk of reducing democracy to authoritarian rule. There are many examples of this in the world today, the most prominent one being that of Russia.
When this happens, democracy exists in name only. Power gets concentrated in the hands of a few powerful people, with pillars of democracy like the judiciary and the media playing a subservient role. Infringement of civil liberties is both a cause and an outcome of such a totalitarian regime.
The US too has seen misuse of such laws all through its history. In the 1960s, the government used them to harass and discredit civil rights activists including Rev. Martin Luther King Jr. This might be a reason why the US government did not push for any legislation to force companies to comply with government requests to share confidential customer data after the Apple Vs FBI episode.
Despite this, the debate is far from over. And hence the need to continue to refine the arguments.
What does technology hold for us?
A project published by the students of the Computers, Ethics, and Public Policy course at Stanford University quotes MIT professor Gary Marx on when government surveillance of citizens is appropriate. Professor Marx argued that before implementing any surveillance, the proposed methods must be evaluated by asking a number of questions. To summarize, any surveillance carried out should not violate personal boundaries, should have a valid objective, should produce valid results and should have accountability, oversight and redressal built into the mechanism used.
At the same time, something noteworthy has been emerging in the world of network security. And it has an uncanny resemblance to the issue of data privacy in civil societies.
In 2010, John Kindervag, a principal analyst working with Forrester Research Inc., came up with the concept of Zero Trust Architecture of network security for corporations. For decades, companies had worked with a security model in which the internal or corporate network, hosting the company’s most sensitive systems and data, was separated from the external internet by a thin layer of network called the Demilitarized Zone (DMZ).
In this suboptimal model, only the network entities in the DMZ would have access to the corporate network. And only the DMZ would be accessible to anyone on the Internet. This architecture was based on a fundamental assumption that those with access to the corporate network could always be trusted. This, however, meant that once a hacker was able to breach the DMZ and get into the corporate network, they would have unhindered access to the company’s sensitive systems and data. This is also corroborated by a recent Forrester study that found that 80% of IT security breaches involve privileged credentials.
Zero Trust Architecture is a paradigm shift in how network security is thought about. It is based on some important principles:
- Access level is based on full context that includes who the user is, where they are located, what device they are using and which resource they are trying to access.
- Zero Trust, which means never trust, always ask for context and verify the request.
- Enforce use of the lowest required privilege for any access.
- Provide “oversight” by inspecting and logging all traffic.
- Add more authentication methods to counter credential based attacks.
These principles closely relate to the requirements called out by Professor Gary Marx for any government overreach with citizens’ private data. The most riveting of these is Zero Trust which, in simple terms, dictates that any secure network system should not trust any user merely based on their location.
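The contrast between the perimeter model and the principles listed above can be shown as two access decisions over the same request. This is an added example, not part of the original article; the roles, resources, location policy and field names are all constructed for illustration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("access-audit")

# Constructed policy: role -> resource -> permitted actions (least privilege).
GRANTS = {
    "payroll-clerk": {"payroll-db": {"read"}},
    "dba": {"payroll-db": {"read", "write"}},
}
SENSITIVE = {"payroll-db"}        # resources that need a second factor
EXPECTED_COUNTRIES = {"IN", "US"}  # constructed location policy

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_net: str       # "corp" or "internet"
    country: str
    device_managed: bool
    mfa_passed: bool
    resource: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Legacy DMZ model: anyone already on the corporate network is trusted."""
    return req.source_net == "corp"

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Judge each request on its full context; network location grants nothing."""
    allowed = GRANTS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        verdict = (False, "action exceeds least-privilege grant")
    elif not req.device_managed:
        verdict = (False, "unmanaged device")
    elif req.country not in EXPECTED_COUNTRIES:
        verdict = (False, "unexpected location")
    elif req.resource in SENSITIVE and not req.mfa_passed:
        verdict = (False, "second factor required")
    else:
        verdict = (True, "ok")
    # Oversight: every decision, allow or deny, is written to the audit log.
    log.info("user=%s resource=%s action=%s allow=%s reason=%s",
             req.user, req.resource, req.action, *verdict)
    return verdict

# Constructed cases: a clerk's credentials used from inside the corporate
# network on an unmanaged device, and an administrator working remotely.
INSIDE = Request("clerk1", "payroll-clerk", "corp", "IN", False, False, "payroll-db", "write")
REMOTE = Request("dba1", "dba", "internet", "IN", True, True, "payroll-db", "write")
```

The perimeter check admits the first request and rejects the second purely on network location; the context-based check reverses both outcomes and records why.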
In many ways, this is similar to how the government’s access to citizens’ private data needs to be treated. Assuming that whoever wins the trust of the electorate and “gets into the corporate network of governance” can be entrusted with all of citizens’ private data is, at best, a fallacy. Moreover, any compromise on citizens’ liberties should be an exception rather than a rule, going through well-established mechanisms that provide accountability, oversight and redressal.
Democracies around the world might do well for themselves by deriving from the idea of Zero Trust to settle this debate around privacy once and for all.
Neelesh Korade is a techie based in Silicon Valley. As an author, his interests include technology and politics, with a particular focus on the intersection of the two.