Channel: Huffington Post India

Governments Want Access To Your Data. Indian Companies Are Ready To Share


A recent development involving the Telecom Regulatory Authority of India (TRAI) and the response to it by some Indian companies has left me both concerned and challenged. In November, TRAI asked for submissions from the public on a consultation paper containing some proposals that pose a serious potential threat to the basic civil rights and liberties of the country’s citizens.

The proposal that really unnerved me was the one that talked about allowing the government unabated access to user data, including sensitive private information, under the pretext of national security. Companies like Reliance Jio, Paytm (funded by China’s Alibaba), and several others in their submissions to TRAI seemed more than favourable to these proposals.

This has once again brought to the fore the issue of citizens’ right to privacy, as declared by the Supreme Court of India, vis-à-vis the government’s wish to subordinate it to any national security concerns.

The Indian government is not alone in asserting this unequivocal right over citizens’ private information. Several governments around the world have advocated the same. A well-known example is the 2015 Apple Vs FBI case in the US. The US has some of the strictest laws protecting citizens’ fundamental rights such as equality, freedom of speech, liberty and the right to privacy. Even so, a school of thought in the US advocates for the government having an overriding and absolute right to access citizens’ private data.

The role of US companies in protecting citizen data

There are several differences, however. Foremost is how the private companies involved, Apple and its peers, responded to the issue of government overreach into their customers’ data privacy rights. Also noteworthy is how Congress held a hearing in front of the House Judiciary Committee, the government body that covers matters relating to how law and order is enforced in the US, to deliberate on the issue in a thorough, open-minded and well-informed manner.

In the Congressional hearing, Apple argued that any compromise on the security and privacy of the data, however controlled and regulated by the government, would always remain vulnerable to falling into the hands of bad actors, including terrorists and enemy states. Professor Landau, an independent cryptology expert, argued that once the government started subjecting Apple to requests for access to other devices, the process Apple would create in the interest of efficiently complying with those requests would by its nature be vulnerable to exploitation through interception or perhaps through a rogue employee.

She also argued that the other side effect of iPhones with weaker security would be that terrorists and bad actors would simply start using devices and apps created outside the US with stronger security mechanisms. She, along with Republican Congressman Darrell Issa, instead suggested making the FBI more capable by acquiring the expertise it needed for carrying out its investigations, without compelling private companies to compromise on their security policies towards customer data.

Even in India, while local companies make submissions calling for backdoors against encryption, others such as Facebook-owned WhatsApp have so far repeatedly refused to break their encryption despite the government bringing up issues like national security and child pornography.

There is another important nuance to understand, however, when it comes to the government having unrestricted access to citizens’ private data. And it is perhaps the most important one. Any argument favoring this is based on the premise that the government always acts in the best interests of its citizens. This, however, is not always true, and it is fraught with the risk of reducing democracy to more authoritarian rule.

Governments can misuse laws

The US too has seen misuse of such laws all through its history. In the 1960s, the government used them to harass and discredit civil rights activists including Rev. Martin Luther King Jr. This might be a reason why the US government did not push for any legislation to force companies to comply with government requests to share confidential customer data after the Apple Vs FBI episode.

Despite this, the debate is far from over. And hence the need to continue to refine the arguments.

A project published by students of the Computers, Ethics and Social Responsibility course at Stanford University quotes MIT professor Gary Marx on when a government’s surveillance of citizens is appropriate. Professor Marx argued that before implementing any surveillance, the proposed methods must be evaluated by asking a number of questions. To summarize, any surveillance carried out should not violate personal boundaries, should have a valid objective, should produce valid results and should have accountability, oversight and redressal built into the mechanism used.

At the same time, something noteworthy has been emerging in the world of network security. And it has an uncanny resemblance to the issue of data privacy in civil societies.

In 2010, John Kindervag, a principal analyst working with Forrester Research Inc., came up with the concept of Zero Trust Architecture of network security for corporations. For decades, companies had worked with a security model wherein the most sensitive systems and data were hosted on a separate internal, or corporate, network, which was separated from the external internet by a thin layer of network called the Demilitarized Zone (DMZ).

In this suboptimal model, only the network entities in the DMZ would have access to the corporate network. And only the DMZ would be accessible to anyone on the Internet. This architecture was based on a fundamental assumption that those with access to the corporate network could always be trusted. This, however, meant that once a hacker was able to breach the DMZ and get into the corporate network, they would have unhindered access to the company’s sensitive systems and data. This is also corroborated by a recent Forrester study that found that 80% of IT security breaches involve privileged credentials.

Technology can help safeguard the end user

Zero Trust Architecture is a paradigm shift in how network security is thought about. It is based on some important principles:

  • All data and resources are accessed securely, based on user and location.
  • Adopt a least-privileged access strategy and strictly enforce access control.
  • “Always verify,” meaning inspect and log all traffic.
  • Add more authentication methods to counter credential-based attacks.
  • Never trust, always ask for context.
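
The contrast between the DMZ model and these principles can be made concrete in a few lines. The following is an added illustration, not code from the article or from Forrester; the 10.0.0.0/8 range, the grant table, the field names and the two sample requests are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range
# Constructed least-privilege grants: (user, resource) -> permitted actions
GRANTS = {("alice", "payroll-db"): {"read"}, ("bob", "wiki"): {"read", "write"}}

@dataclass
class Request:
    user: str
    src_ip: str
    resource: str
    action: str
    mfa_passed: bool
    device_compliant: bool

def perimeter_decision(req: Request) -> bool:
    """Legacy DMZ model: being inside the corporate network is enough."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET

def zero_trust_decision(req: Request, audit_log: list) -> bool:
    """Decide per request on identity, device context and explicit grants."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa_missing")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        reasons.append("no_grant")
    allowed = not reasons
    # "Always verify": record every decision, allowed or denied.
    audit_log.append({"user": req.user, "src_ip": req.src_ip,
                      "resource": req.resource, "action": req.action,
                      "allowed": allowed, "reasons": reasons})
    return allowed

# Constructed requests: a stolen password used from inside the network,
# and a legitimate employee working remotely.
STOLEN = Request("alice", "10.2.3.4", "payroll-db", "write", False, False)
REMOTE = Request("alice", "203.0.113.7", "payroll-db", "read", True, True)

if __name__ == "__main__":
    log = []
    for name, req in (("stolen", STOLEN), ("remote", REMOTE)):
        print(name, "perimeter:", perimeter_decision(req),
              "zero trust:", zero_trust_decision(req, log))
    for entry in log:
        print(entry)
```

The perimeter check admits the stolen credential because of where it connects from and rejects the remote employee for the same reason; the per-request check reverses both outcomes and leaves an audit record either way.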

These principles closely relate to the requirements called out by Professor Gary Marx for any government overreach with citizens’ private data. The most riveting of these is the last one, which, in simple terms, dictates that any secure network system should not trust any user merely based on their location.

In many ways, this is similar to how the government’s access to citizens’ private data needs to be treated. Assuming that whoever wins the trust of the electorate and “gets into the corporate network of governance” is trustworthy is a flawed assumption. Moreover, any need for compromising citizens’ liberties needs to go through well-established mechanisms that provide accountability, oversight and redressal. Democracies around the world might do well for themselves by deriving from the idea of “zero trust” in the latest network security architecture to settle this debate around privacy once and for all.

Neelesh Korade is a techie based in Silicon Valley. As an author, his interests include technology and politics, with a particular focus on the intersection of the two.

