Ministry of Electronics & IT
“Stealing and Mining of App Data can lead even to unanticipated National Security Risks”
Posted On: 04 JUL 2020 9:48AM
Mumbai, July 4, 2020
The Government of India, on 29th June, 2020, made an important announcement. The Ministry of Electronics & Information Technology banned 59 mobile apps, based on information that these apps threaten the sovereignty and integrity of India, defence of India, security of state and public order. The list of apps which will no longer be available to users in India includes the popular social media platform TikTok, file transfer service ShareIt, social networking service Helo and document scanning application CamScanner. The Government has done this by invoking its powers under Section 69A of the Information Technology Act, as well as relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009.
Stealing and Mining of Data by Elements Hostile to National Security
One of the stated reasons that led to the ban of these apps is the intelligence that some apps have been stealing and surreptitiously transmitting users’ data to servers based outside India. Well, this might make someone wonder: how can transmission of seemingly innocuous data from something like a social networking app threaten the national security and defence of the country?
To gain a better appreciation of the gravity of the issue which may tend to be looked upon as a relatively harmless issue by the lay person, let us hear from Dr. Deepak P., Assistant Professor of Computer Science at Queen’s University Belfast (United Kingdom) who specializes in Artificial Intelligence and Data Ethics. Dr. Deepak explains the sensitivities involved in the use of applications run by firms which are based outside India and who are bound by the laws and regulations prevailing in a foreign country. The data collected by these firms may be stored on servers located outside the country. While such data normally resides in the custody of the company itself, they may have to honour data requests received by governments of those countries. Moreover, many firms have been found to honour such requests, which thereby poses the risk of Indian users’ data getting into powers which could use that information strategically, against our national interests.
Data is powerful. Data Mining technologies have become very advanced today, throwing open many ways in which danger may strike. Dr. Deepak cites the example of online fitness tracker app Strava, a San Francisco based service that uses a mobile phone's GPS to track the subscriber's exercise activity. It enables users to evaluate and compare their performance with each other and over time. In November 2017, the app released a heatmap – a data visualization of 27 billion kilometres of running activity recorded on the app between 2015 and September 2017, containing around 3 trillion data points. Looking at the data, Nathan Ruser, a young international security student at an Australian university realized this can be dangerous. Why? It occurred to him that among the millions of users of the app are military personnel who regularly go for running and jogging. He found that the app data can reveal unknown information about military bases, including the routes taken by soldiers, commonly used exercise routes and patrolled roads. This could hence pose a direct threat to national security.
Another point to bear in mind when thinking of data and information security, says Dr. Deepak, is that we will not typically be able to anticipate the myriad ways in which a data set can end up being used, while the data is being produced or even transmitted. The above example of the running app illustrates this. He gave another example, of what is known as forensic genealogy, wherein genetic information sourced from consumer companies are used to identify suspects or victims in criminal cases. This has been used by police in USA to solve many cases, recalls Dr. Deepak. The DNA profile from the crime scene is uploaded to a public-access database containing genetic information of people. The database enables identification of relatives based on comparison of DNA profiles, thereby helping law enforcement agencies in identifying potential suspects or victims of cases.
The Government of India has said that the compilation of data from mobile apps and its mining and profiling by elements hostile to national security and defence of India is a matter of very deep and immediate concern which requires emergency measures.
Need for More Public Awareness
Dr. Deepak says there is a need for building and promoting greater public awareness on data privacy and data and information security. There has been a phenomenal expansion in our use of digital technologies. While they improve our lives in many ways, it is necessary to be conscious and aware also of the risks they pose and to be judicious consumers of mobile and internet technologies. On this particular decision of banning the 59 mobile apps, Dr. Deepak says that it will be helpful for the government to let citizens know the specific ways in which these apps pose a threat and the details of the process by which the complaints and reports which led to the ban were obtained and examined, to instill public confidence that due process has been followed and required action taken in time. He adds that doing so will also help increase public understanding and participation on this issue, in a deliberative democracy such as ours.
Does the Ban Violate WTO Regime?
The Government of India has said it has invoked the ban to safeguard the interests of crores of Indian mobile and internet users and to ensure the safety and sovereignty of Indian cyberspace. However, the Chinese embassy in New Delhi, has expressed concern regarding the decision, stating, among other things, that the decision “suspects of violating the WTO rules”. Let us listen to Dr. James J. Nedumpara, Professor and Head, Centre for Trade and Investment Law, Indian Institute of Foreign Trade to help us evaluate the validity of this argument.
Dr. Nedumpara says that it would be difficult to establish a National Treatment obligation (i.e., obligation to treat foreigners and locals equally) from India, in terms of its services commitments in terms of the apps. The apps do not specifically come under the schedule of concessions of WTO's General Agreement on Trade in Services (GATS). In his view, the argument that India has violated Most Favoured Nation obligation is also not tenable. In any case, he notes that irrespective of any trade obligations, India's measures squarely fall within the national security exceptions provided under Article XIV bis of GATS. Dr. Nedumpara explains that there has been a clear case of emergency in international relations which has been prevalent at the time the decision has been taken. Further, India has already articulated its security interests in taking the decision. He adds that while the official statements by the two countries do not expressly mention any connection between the border tension and the decision to ban the apps, a sufficiently strong case can be constructed based on the accompanying incidents. Dr. Nedumpara makes it clear that India is hence in a position to prove the existence of all requirements necessary for the invocation of the national security exception under GATS. He however added that recourse to trade exceptions is not called for in the absence of any trade violations.
Dheep Joy Mampilly
(The author is an officer of the Indian Information Service, based currently in Mumbai; e-mail - firstname.lastname@example.org)
(Features ID: 150653)