Hello and welcome to NewsClick. In the light of the Cambridge Analytica data mining scandal, today we have with us Rishabh Bailey to discuss data protection in India. Thank you for joining us. So Rishabh, my first question is, how easy is it to manipulate people's behaviour using their metadata?

Well, firstly, metadata essentially means all the information that is around the specific content that you might have sent. So if I sent you an email: the time I sent the email, how it's going through the various nodes of the internet, and so on. Now this information can actually reveal a fair amount about a person, ranging from where the person is to various habits about the person and so on. Using this data you can actually build up a profile about a person. Now whether you can actually use this information to manipulate people or not is a question, is something which is not necessarily certain yet. There's been more and more research happening over the last decade in particular into areas like behavioural economics and essentially how you can use data to try and skew people's way of thinking or change their opinions. Experts seem to be divided on how effective this actually is, but clearly attempts are being made and more and more processes are being refined, so that as time progresses you're going to actually find more and more methods of tinkering with the way people see and deal with information.

So this would also include formulating algorithms to generally bring people to adopt a particular mode of behaviour?

That's possible. Just for example, two years ago the Nobel laureates in economics were Cass Sunstein and a colleague of his who wrote on the theory of nudging. And this is essentially a way in which you can control people's behaviours using cues, environmental cues essentially. So how you can architect environments to make sure people behave in particular ways, and this is of course much easier to architect an environment when you're online.
So you have websites and so on which are designed to gather as much information about a person as possible for a variety of reasons. Most commonly, of course, the reason is marketing and advertising, because companies want to know not only that they are targeting the right people but how effective those advertisements are. So corporates are essentially leading this whole sort of research into data mining, though of course there are social uses as well, as we've now seen with the Cambridge Analytica case.

Okay, so now in the context of India, in terms of the privacy of an individual, is the right to privacy judgment at present the only law that sort of guarantees a right to privacy of an individual?

No, actually, the right to privacy judgment, the Puttaswamy judgment, what that did was recognize the right to privacy as a fundamental right, which places it, you know, within Article 21 of the Constitution. We do have separate privacy-related statutes and legislations or laws in specific sectors, whether it's banking, related to healthcare, so on and so forth, but we don't have an overarching data protection legislation as of now. Our government has been trying now for nearly a decade, virtually, to put in place data protection regulation. I mean, about five or six years ago we had the A.P. Shah committee, which presented its report saying that we must adopt privacy data protection legislation as soon as possible. They laid out principles which are largely based on the European data protection directive at that time, and now we have the Srikrishna committee, which is currently looking into the issue and is supposed to formulate a law or make recommendations to government with regards to a law. So there's also been a data protection bill which has been sort of doing the rounds of, you know, in draft form for quite a few years.
The problem, however, is at the moment, if you're talking specifically about information technology and the internet, the IT Act contains some very sort of bare provisions that deal with the issue of information security. So for example, section 43A, which was introduced in, I think, the 2008 amendment to the Act, casts an obligation on a person or a company dealing with sensitive personal information to not be negligent in protecting that information. They're supposed to take reasonable security practices, put in place reasonable security practices, failing which they can be held liable and forced to pay compensation. Of course the provisions, and we also have a certain set of rules of reasonable security practices and procedures, rules which are notified under the IT Act, which laid out very minimal and bare guidelines on what anyone who is collecting information online must do. There is, however, clearly a need to strengthen our regulatory regime in this regard. We've seen the, you know, multiple cases of misuse and unauthorized use of information, this just being the recent example, because it's related to political parties, being sort of the most highlighted, but it's clearly an urgent need, as we move towards a more and more digital sort of environment, for the government trying to push, you know, cashless transactions, this, that and the other, of putting in place, you know, strict privacy regulation.

And so how would a state theoretically regulate, say, data mining, because you need not actually access a user's specific data to just learn their behavior or their online behavior, in the sense, say someone logs into Facebook, creates a Facebook account, they will give up quite a large amount of personal information, then their online behavior on Facebook, downloading various apps or taking surveys here and there, can also add to the information?

There are multiple ways in which a government can approach this. As we've already said, there must be some overarching privacy regulation, data protection regulation, that puts in place a minimum requirement, of a fairly high standard I would argue, which ensures that people who are dealing with this kind of information have responsibility to not just protect the information that they've already collected but to ensure that the information that they're collecting is actually necessary for the work that they're doing, that is, not just collecting as much information as they can get and then they will figure out what to do with this. So there are certain basic principles, so limiting the purpose of collection, ensuring that once, you know, that purpose has been fulfilled, that the data is removed. There are various steps that can be taken. Now there are broadly two sort of paths that the government could choose in this regard. One is to sort of follow the informed consent regime, in which case you essentially cast the onus on the individual user to be responsible for his or her information. So you ensure that there's a legal regime that says I must tell you what I will do with this information and give you all the information about this, but then it's your call to decide whether you want to still continue using my product or not as a user.
Arguably that situation is not ideal in certain situations, because of course we know that in a country like India informed consent can be a huge problem in sort of bigger and more daily context, you know, let alone on the internet, where most people don't read privacy policies, don't understand how these things work, and so on. And that is where the whole, the concept of privacy by design comes in, which is where you ensure that systems are built in such a way that they automatically protect privacy without putting the onus on the person or on the user concerned to make that decision at every point of time, because that's really not always possible. I would argue, therefore, that a law needs to have a mix of both these sort of approaches.

So in the case of, say, informed consent, most of the end user license agreements, or generally any agreement which requires a degree of informed consent, it's written in a very legal manner which, I mean, most people with limited legal knowledge would have difficulty in understanding. So I suppose informed consent in this context would mean that the language used would also be toned down into a manner that the people can understand.

Absolutely, no, I completely agree with you that most people in fact would not have read these sort of long privacy policies that Google, Facebook and the likes put out, and which means that they really don't know what is happening with their data, which is what allows for these kind of practices as indulged in by Facebook and Cambridge Analytica. The issue, however, is slightly complicated, because firstly, not only do we as sort of users need to become more aware of these kind of practices, just as you are with any new technology coming, you need to learn what the problems with that might be, and so there's a certain social and educational aspect to this as well.
However, there is clearly a need for the law to also recognize this problem and put in place solutions. So for instance, in Europe, what the data protection authorities there recommend is putting in place layered notices. So what that essentially means is that you have some very basic information right up front, and that allows you to click through and find out more and more about specific topics without putting everything into one place, so that you're sort of, you know, just blown by an information overload. So the idea is to try, we need to find new and new ways, new ways in which you can present this information to the public in easier formats. There've also, for instance, been attempts to create standardized and tiered sort of rating systems for websites as well, so you will have an independent company that evaluates the privacy practices of a particular website, and, you know, you might have a little logo on, just as you do for various other standards in, you know, sort of more in physical life, you know, you'll have an ISI kind of standard kind of thing, which says that this is how far they go to protect your privacy, which might then mean that you don't actually have to read through the entire document. Of course, as with most legal documents, at the end of the day they are complicated, so which is why you need to find a way to, you know, explain them to the public better.

And so as far as data mining goes, I mean, of course you have the whole idea of the privacy issue, that this information can be used in various ways, but are there positive uses?

Oh, definitely. For starters, we've been talking more and more about artificial intelligence, and artificial intelligence is essentially built using large quantities of data that are gathered, so that's just one sort of use, of course that could be good or bad in itself, but that's just one use. Data mining is used, can be used for a variety of things, whether it's doing social science research or whether it's finding about, you know, disease control, how energy is used. I mean, there are a multiplicity of uses that it can be put to, and it will be and is already being put to, you know, whether it's to improve how football players, you know, see the game and how you view statistics in a sport, to how electricity grids are commissioned and, you know, made more efficient, and so on and so forth. The issue is, however, designing specific systems in each context which makes sure, for instance, that the information on which you're basing it can be anonymized. We know that that is really, really tough to do properly, because very often, there have been various studies on this, information even if supposedly anonymized can be, you know, reconnected to what it was originally supposed to be. So these are sort of problems that we will have to deal with. Then there are also ethical issues involved, as we've clearly seen in the Cambridge Analytica instance. Is it fair and is it right to, you know, target people's sort of subconscious or unconscious behaviors? To what extent can you push these kind of things? Because it's been argued by Cambridge Analytica, for instance, that advertising itself is not illegal, so in this case, if we're sending targeted advertisements, why is that a problem? So these are broader conversations that we need to have, because these are clearly things that are going to affect society and our polity, our economics, at a very, very large scale. So it's essential that we have sort of bigger conversations and ensure that also there's some sort of international consensus on
how to deal with these issues, because these aren't issues that are located or specific to any one country. We've seen the last U.S. election, of course, was also, you know, there's this whole cloud about how the Trump campaign used Cambridge Analytica as well. We've seen the same thing in India. I remember during our last elections there was lots of news about how Google may or may not influence our elections as well, just in terms of how they populate search results and so on, or what, you know, suggestions they suggest in the search tool. So there are clearly questions about individual autonomy, how we deal with technology as a society, and it'll be interesting to see how we as a country progress in the next few years, particularly given, as I said, our government's push to ensure more and more digital in our daily lives.

So in this context, would the potential harm outweigh the positive uses, or how can it really be balanced?

I don't think we're ever going to be in a situation where we can say data should not be used. The question is how is it used, in what context is it used, and for what purposes is it used, and so therefore putting in place a proper legal regime which ensures that as a user, firstly, you have some amount of control over what is being done with your information, ensuring that you are the one in control of your information as opposed to various other people or, you know, you might have given this information to, that's also important. So I don't think it's a question of, do... you can't make a generalization about whether the, you know, harms outweigh the benefits or vice versa. It's a question that has to be seen in specific contexts, dependent on what the final goal is. With the increases in computing power, of course, it means that you'll have the ability to sift through larger and larger amounts of data, which could, you know, lead to wonderful, you know, whether you're talking about social science research, you know, and so on, you might find new things, new interesting things about
how people interact. So there's great scope, and, you know, to find new information in this information, this sort of new world of data that we're living, and it's a question of how do we ensure that the worst practices are removed while still allowing some form of innovation and entrepreneurship to progress.

Yeah, thank you.

Oh, it's been a pleasure.

That's all the time we have today. Thank you for watching NewsClick, and we hope to see you soon.