Government Sidesteps Questions on Privacy Rights

Replying to a question asked in the Rajya Sabha on July 31, Union Telecom Minister Ravi Shankar Prasad admitted the government was aware of a suspicious injection of code into the Airtel 3G network in the country, originating from an offshore Israeli company, in June this year. In response to a follow-up question, also asked by independent MP Rajeev Chandrasekhar, Prasad added that his ministry had sought a “detailed report” from Bharti Airtel.

The instance of code injection that Chandrasekhar referred to concerns a script that was injected, without his permission, into the blog of Thejesh G.N., a Bengaluru-based engineer, and which subsequently loaded advertisements on the page. Thejesh had uploaded snippets of the code onto GitHub, a move that was met with a takedown notice from Flash alleging that the snippets made up “proprietary” material.

According to Prasad, Airtel’s report maintains the code was inserted to “be made aware of the data usage in terms of megabytes used” – a defence Airtel presented in a public statement following The Wire’s report in June. However, experts remained unconvinced then because any script that tracked data usage would have no need to load advertisements on the pages it was inspecting. In fact, they had expressed suspicion that Flash was displaying advertisements to make money for Airtel.

Flash’s website states that it provides monetisation services to its clients, while a press release from 2014 notes that Airtel is Flash’s client – as is Vodafone. The latter ISP has also been spotted injecting third-party software into browsers without users’ permission. Despite this broader context, Prasad’s reply indicated he was satisfied by Airtel’s response to his ministry’s ‘probe’.

In fact, Chandrasekhar’s third – and last – question invited a specious answer from Prasad: “Will the Minister … be pleased to state whether the Ministry believes that there is an urgent need to enact a privacy legislation to protect the rights of citizens vis-a-vis the various official databases of Government which collates information about citizens?”

Given its implications for a constitutional right to privacy, this question has been put to the government at various times, only to receive answers ranging from evasive to dissenting. This time was no exception.

Prasad replied in detail about there already being legislation to ensure Internet and telecom service providers’ databases were secure, especially against information irrelevant to the provision of their services as well as against data theft. He also invoked Sections 43, 43A and 72A of the Information Technology Act 2000 to describe, first, that any collectors of personal information must provide a privacy policy and, second, the compensation available for victims of data theft – effectively sidestepping the question of a government-operated database.

Most recently, talk of such a database has arisen with the Department of Biotechnology’s pushing a Human DNA Profiling Bill – earlier planned to be tabled in the monsoon session of Parliament – which will set up a database of DNA profiles derived from people charged with criminal offences, missing people, unknown dead people and from volunteers.