Skip to content

In a rather bewildering tweet today, Madhu Kishwar asked, "Do champions of #RightToPrivacy realise that if 2 women hadn't complained, #babaRamRahim doings in his "Gufa"covered under right to privacy?" The tweet was so absurd that she was met with a barrage of retorts and taunts by people she was taunting.

I guess if we are a country just growing into our rights, there will be a lot of debates of this sort needed, where clear talking will help more than sarcasm at someone's ignorance. It also isn't an alien concept. We have a right to privacy already. Whether it was stated or not, we had protection against someone violating our space. That is how stalking or spy cams or leaking passwords and such is already illegal, even though the right itself was explicitly stated just recently. The world has not changed all that much in terms of what is "right" and "wrong". Privacy cannot make criminal things legit all of a sudden. That was just propaganda to influence the case into denying our right. Even the government now agrees we have a right to privacy. What has changed is for those whose privacy gets invaded by powerful players like big companies or the government (this judgment emerged directly from a constitutional challenge to Aadhaar on the grounds of privacy), who have the power to fudge an unstated right and interpret it to convenience. Now that it is explicit, they will no longer be able to fudge easily.

What the right to privacy will actually entail and exclude as per law will soon be determined, but the general meaning of the term endorses the right of a person to withhold or reveal information about themselves. There is also an implicit requirement that information revealed in confidence must not be shared beyond the purpose it was explicitly authorized for. This is the rock Aadhaar will flounder on - a mandatory and unaccountable database of private information on citizens cannot coexist with even the most shoddily defined privacy. And this 9 judge bench has given a most excellent verdict. But I digress.

Publicly available information is not covered by the right to privacy. For example, board results (because there seem to be a lot of jokes about keeping marksheets private from parents). You may refuse to reveal, but if the information is public, they will have access to it anyway. Certifications (no, the Prime Minister and Smriti Irani's degrees don't get covered by privacy either - they have stated the information themselves, what they are refusing to do is provide proofs for officially filed documents). This also goes for information submitted as proofs, etc. For example, if you have to provide proof of address to start a bank account, your right to privacy does not include starting a bank account without proof of residence. But yes, it definitely includes an obligation on the bank to not share it with third parties or use it for purposes other than verifying your address (for example, sending credit card spam).

As a fundamental right, Ram Rahim still has the right to privacy. Just because he is a convicted rapist does not mean you can make personal and confidential information about him public without his consent (public functions are public). The access to personal information can also be mandated for various reasons - This is where the grey areas lie. You have a right to withhold your bank balance and what you spend your money on from me, but do you have the right to withhold it from the income tax department? The standard understanding is no, because tax is your duty as a citizen. Others, more extreme argue that we voluntarily provide our information to the tax authorities and others don't and choose to be raided instead. The government will, no doubt soon be launching some form of propaganda to create a way to impose Aadhaar in spite of the recent clobbering in court through such grey areas. But it won't be easy, because there really is no way to prove that the information is necessary in the manner knowing income would be directly necessary to assess income tax. It is still not arbitrary or unlimited. you need warrants, to enter and search premises, for example. You can't randomly check whoever you suspect.You have to prove the need for it and get a warrant.

Similarly, your right to privacy is about you having the right to reveal at your discretion what personal information you choose to share. To apply that to sex and rape, it would protect homosexuals, for example. That is why they got all excited about the clarity of the wording. Or at least those who are not engaging in "unnatural sex" in a situation that could be called "public", unless one of them revealed their "crime". Short of homosexuality explicitly being legal, this is considerably better than their previous precarious position of not knowing what boundaries and personal rights they could count on. However, it doesn't protect Ram Rahim from his two victims who complained, because as their personal experience, the victims were perfectly entitled to reveal it to anyone they wished - even if it were consensual. And it wasn't, which makes it a flat out crime. Crimes are mostly private. But if there is enough evidence of it or a complaint, an investigation will attempt to access all relevant information. The most robustly defined right to privacy in the world cannot protect a rapist from conviction if his crime is proved and it cannot prevent an investigation against an accused either. It is a thin edge of what is a legit investigation or ethical whistleblowing and what is a breach of privacy - which is why exposes are so often accompanied by defamation suits.

Right to privacy is a right of persons, not organizations. If it were not the victims and a third party who came to know about the rapes and complained, the action being illegal would make it count as whistleblowing.

Organizations too can have requirements of confidentiality, but they don't have a right to information about them requiring consent to be shared - because they aren't people. Confidentiality requirements of organizations are usually explicit. There are things you can talk about (work timings, coffee maker sucks) and things you can't (trade secrets, business strategies). If the organization was willing to own the rapes as official business of the organization and not a crime that could not be revealed without breaching confidentiality agreements, they are free to sue the whistleblower or the complainants, but a crime that gets exposed remains a crime. An organization that claims it to be its official business would be a criminal organization.

This is also why you have (and need better) whistleblower protection laws - so that confidentiality cannot be used as an excuse to cover up crimes and persecute whistleblowers.

Hope all is clear now.

Since the last few weeks, there has been a sudden uptick of anonymous accounts supporting Aadhaar and dismissing concerns and news of information leaks, security and privacy issues. These accounts were all either created in may or scrubbed of all content and began tweeting afresh in May. Some of them are propaganda accounts that tweet only positives about Aadhaar and/or gloss over issues raised on grounds of law, constitutionality, fundamental rights, privacy, ethics, security, national security and so on.

Here are some of the accounts.

Out of these the @supportaadhaar has been separately claimed by Rashmi Ranjan so far

But there were more serious handles that were created in May, anonymous and interacted specifically with critics of Aadhaar in various ways that ranged from defamation to threats of legal action. For example, these handles.

It did not take us long to figure out what was going on. Prominent handles that had criticized Aadhaar on technical grounds (not lawyers, or political or ethical grounds) were the main targets. It was rapidly obvious that these were fronts for people from the tech community. Likely people profiting from Aadhaar, because it is really not plausible that the abundantly detailed flaws revealed in Aadhaar could not be understood by them.

When one of these handles, @confident_india tangled with Kiran Jonnalgadda, he was able to make an educated guess at its identity and proved it by verifying the troll account against a real phone number. That phone number belonged to the co-founder, governing body member and director of iSPIRIT - Sharad Sharma. The director of iSPIRIT was going around using a fake handle and planting allegations of profiting from criticism of Aadhaar against critics. Planting allegations about them working for foreign intelligence agencies (ironically, MongoDB that Aadhaar uses is funded by the CIA).

Allegations of foreign intelligence affiliations
Who is funded by the CIA Allegations of foreign intelligence affiliations

On a stray note, after these allegations started happening, Nandan Nilekani ("mentor" to this circus) too referred to critics of Aadhaar with vested interests from his real account while promoting that childish data free article asking personal questions related to motivations of aadhaar critics that is replied to here.

Kiran informed several of us about his investigation into this troll (aka director of iSPIRIT, Sharad Sharma) and we independently verified that his number was indeed attached to the fake account, because he knew that once he exposed Sharad Sharma in public, the phone number would immediately be removed and perhaps the anonymous account as well.

He made this video public in a tweet and later blogged about it. Thiyagarajan M, a fellow at iSPIRIT blogged a reply on medium.com as well stating that Sharad had denied the allegations and they would be investigated, while he admits that the presentation Kiran mentions exists and is just a strategy document that does not recommend anonymous trolling. He states that they were aware that some of them had created an anonymous campaign and claims it is not an official campaign by iSPIRIT. As though an official campaign would be put in writing formally.

We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.

I am not sure what remains to investigate. If it is about investigating how Sharad can possibly be taken off the hook, it shouldn't need an organization existing because of an authentication based product too long to realize that there really is no sane way.

No official handle related with iSPIRIT has so far published any statement to the best of my knowledge. Sharad Sharma and the troll have both promptly denied to it, of course. Except, in the process of denying that he was @confident_india, Sharad seems to have proved himself to be @indiaforward2 as well! He accidentally tweeted his denial of being @confident_india from the @indiaforward2 handle as well as his real handle, before tweeting the new tweets with his real handle. He deleted the tweets that went from both handles of course, but not before someone quick made a timely screenshot. So here we are.

 

Sharad tweeting as @indiaforward2

The denial from his main handle was read by many, but I don't have a screenshot of it... yet. However, he didn't delete it fast enough. Factordaily updated their reporting of the Sharad Sharma controversy with his denial

Sharad Sharma woke to tweetstorm in Atlanta
Sharad Sharma woke to tweetstorm in Atlanta just like @indiaforward2
Sharad tweeting as himself.
Sharad's denial of trolling from his real account
Sharad's denial of trolling from his real account

My immediate thought about it wasn't even so much that people in power use sneaky, unethical methods to get their way and undermine obstacles, but that the director of a company that is a collective of software developers and who were all defending Aadhaar on grounds of security and privacy were so ignorant about securing something as elementary as an anonymous account!

Once this expose was public, several people independently verified that they too had been able to authenticate access to the troll account with Sharad Sharma's personal number. For example:

 

Rohin Dharmakumar went a step ahead and showed how a mobile phone can't simply be attached to a Twitter account without actually verifying the number.

 

There are also a lot of people unaware of the developments in that country called Digital India who are aghast at what they are discovering. This is what you get for being gullible. Here. Educational. Video published from official iSPIRIT handle. Watch Pramod Varma, Sanjay Jain ex-UIDAI now "volunteer" at the ISpirt that "donates" to Govt and how this serves to avoid oversight by CAG, RTI.

In other words, what you have here is a bunch of private people who are creating products off big data collected from all citizens in a manner that allows them to evade accountability to the citizens for it. They also fund the government, push the expansion of Aadhaar in spite of extensive risks and violations of citizens rights being documented. In spite of the fact that Aadhaar effectively allows any infiltrator to become a "citizen" of the country by facilitating the creation of all documents that a citizen would have. And when the concerns raised get too alarming and there is no coherent defense of them possible, they make fake accounts to go around undermining dissenters so that the imposition of Aadhaar that puts citizens and country at risk may not be challenged.

If you do not speak up for your rights, they will be trampled on by profiteers out to exploit them at any cost.

1

A do not disturb sign at a Gol Course emphasizing private propertyIt took me a while to figure out what the project was. O-sint? Then another source published it without the hyphen. OSint? OSINT! Far from being the code name of some newfangled Op by Delhi Police, it is a term straight out of the US_NSA penchant for alphabet soup acronyms. Right up there with SIGINT, USMIL and CONUS. Another source is of the belief that Osint stands for Open Source Intelligent system or something.

Regardless of what it stands for, some things are crystal.

  1. Cops are not going to give up on collecting intel.
  2. Nor should they. If cops don't monitor openly available intelligence, they are fools. The surprising part is that it took such a long time, while they were ****ing about with privacy invasions.
  3. Corporate puppeteers of the government see this as a money earning opportunity, and there are talks of bids by IT companies. I suppose this will get call centerized, unless smarter people can mess it up.
  4. Fundamentally, Open Source Intelligence is publicly available information. The source of the information is public - open. Get it? Neither cops nor the supposed IT companies do, apparently, because several news reports talk about confusions about the extent to which privacy will be invaded, private websites open to members only, and such things. Clearly non-public info. I think by this point the need to invade privacy must be overwhelmingly compulsive. I don't think any arm of sarkar can bear to not try and find out the color of your underwear.

Now here are the pitfalls. Or in other words, here is why elevated citizens of the world must attempt to wreck this project before it spends too many public funds.

  • Considering the confusions about extent of invasions of privacy on a project named OSINT, it is clear that the cops or their lackeys (or owners, depending on how you see it) monitoring the internet is like the good, isolated, naked tribals of Andaman islands coming to Delhi to protest the Uttarakhand flood. In other words, what the fuck? Notice, no one will question the *right* of the Andamanese to go and protest where they like, just like the cops have their self given right to mess with whoever they want, but it is neither their area of knowledge, nor their normal role in the scheme of things.
  • The talk about purchased data and access to Facebook, etc clearly mean that special, non-public access will be seeked and whatever entity ends up winning the bid will have the kind of access to information that governments get. Yep, a freaking call center will have the comments ou made about your boss when drunk. Bye bye job (or pay - a way will be found to monetize this opportunity. Capitalism works thus). Combine this with the information that a lot of these entities have sister concerns with utilities like phones, electricity and soon banking, your guess is as good as mine what the "collection calls" of the future will be like.
  • And before someone points out that it will be illegal to grab private inormation for the purpose of making threats, well, making threats and harrassment for extortion is illegal already. Not that it stops our revered collection agents. Who is to say that collection departments will not be outsourced specially to IT companies with access to your jugular vein? Surely recovering pending payments (heck random extortion too) will be easier if your deep secrets are known to the guys making threats? Just good business sense, I guess. Not like ethics or rights matter here. This is yet another instance where private entitites are poised to have alarming access to private information about citizens. And this time, it is not even something as inconvenient to use as biometrics.
  • Considering the state of our media house monopolies and mouthpiece politics, who is to protect anyone from those guilty of breaking laws from the firm (and its owners, and sister concerns, and their neighbours, friends and the niece's dog)? Hain? Notice the bright treatment Amaresh Misra got after his death threats and rape threats? Yep. Zero censure. Now we can extend this list to owners of the call centers and whoever else "knows someone's uncle or politician" - this is Delhi we are talking of, after all.
  • Delhi Police setting up the agenda for any online policing is absurd, because they are not internet savvy, they are not democracy or human rights savvy and they are extremely likely to upload porn clips and child torture clips themselves and will probably destroy anyone who objects (they have the password to your jugular, remember?). Delhi Police and law enforcement is already like an axe in the hands of a monkey.

So what can be done? Something clearly needs to be done and neither a Dilli Pulis approach nor a call center approach will be *effective*. I mean imagine a reply like "We are really sorry, but the person who is posting naked photos of you could not be found. Change your passwords and call us again if the problem continues, we live to serve, etc" or worse "girls want their photos admired on porn sites, but say harrassment if someone recognizes them" or something.

A better way would be to create a two step fix that is truly democratic and, actually capitalist as well. Incidentally, it makes no sense for this to be a Delhi Police project. The internet hardly knows boundaries. A national level something that collaborates with CBI/NIA or some such would be better. Or it can be autonomous.

The first step is the creation of a body that is truly familiar with the internet. A good balance of security consultants, coders, bloggers, activists (of all hues), e-commerce/banking specialists and social media ninjas will be ideal. It should be more a collective (as in everyone works hands on and has a specialization) as opposed to sarkari organization of anonymous interchangeable drones (babu-dom). Anyone whose voice doesn't reach a few thousand people a day using the internet should not even be considered (there goes the sarkari crony-capitalist plan).

This collective must be organized to address the variety of security issues on the internet - beyond mere collecting public info (call center method). There is a need for proactive assessments, intuitive support design, assessment of complaints or observed issues, assigning to appropriate action - tracking to real life identities, including organizing brute force retaliation (deleted profiles, bocked accounts or trolling into oblivion) on the internet for entities that cannot be traced to real identities for arrest.

The other step would be to create a bounty system for what Anyonymous calls dox-ing for people whose real identities cannot be traced by regular methods. Post an online bounty to be paid to whoever can provide real identity (with evidence). If the accused is arrested, the money gets paid. If the bounty is paid in bitcoins, far superior talent is likely to be found, not to mention incentive for youth to develop serious skills, awareness and ethics for pocket money. Bounties should also be offered for discovering of online pedophiles, cyber criminals, terrorists and such. Always on the basis of actionable evidence.

Such a system would cost far less than what a corporation would bid (someone has to pay for air-conditioned buildings and every scrap of new tech). It would also engage the most skilful and optimally placed talent in tasks they specialized in, as opposed to 50 hackers backed by a revolving door team of 5000 stenographers and nice voices on phone who take a week to answer email.

Writing this post specifically, because I am normally a vocal supporter of Anonymous and their efforts in freeing the internet. This is one action I do not support.

A few days ago, I retweeted a link to a leak of police data by Anonymous. I should have checked the file first. Contrary to my expectation that there would be important information of interest to the public, it turned out to be a general catalog of complaints made to the police, and while there are enough allegations about all kinds of things, there are unsubstantiated personal views of people filing complaints, and the kind of stuff you would expect to be passing through any police station.

Today,  after reading a news story on the leak, I checked the files again, and am convinced that Anonymous made a mistake. This leak does not serve any purpose of fighting government wrongs against citizens, and puts the private information of a lot of people at risk, since while numbers and emails were redacted, names, addresses and so on were not. In my imagination, this was a part of the fight Anonymous was supporting - to protect privacy, but it clearly seems to have gone awry somewhere.

In the article, Anonymous do mention that they are capable of learning from mistakes and it is my suggestion that they make all efforts they can to delete these files off the internet, communicate whatever vulnerability they used to gain access to the database to the police so that it can be fixed and avoid leaks of personal information in the future.

Crossing boundaries of privacy is not useful in a movement that fights censorship and spying on personal information.