Better security in Data Protection Bill can avoid Arnab-like episodes

Incidents like the recent leak of WhatsApp chats of journalist Arnab Goswami and immunity given to government security agencies to access private data, call for a stronger law which secures personal information from pilferage

Anonymous is a decentralised international activist- and hacktivist collective | Representative Photo: iStock

In all probability, the Personal Data Protection Bill, 2019, perhaps in a somewhat updated version, would be tabled when the budget session of the parliament convenes. Some recent developments have posed fresh issues to be effectively addressed by it.

WhatsApp glitches

One is the leaked WhatsApp conversation of Arnab Goswami with the former CEO of Broadcast Audience Research Council (BARC). While there may be other incriminating information offering prima facie evidence for filing criminal charges against Goswami in that leaked 500-page WhatsApp chat, the Opposition chose to highlight Goswami’s utterance that “something major is going to happen” three days ahead of Balakot, alleging that he was privy to maters of sensitive military decisions.

The ruling party sources, however, defended Goswami saying that it is normal for an editor to anticipate a major retaliation for Pulwama and the leaked chat does not show that the Republic TV chief was necessarily privy to specific Balakot information. Anyway, in such sensational controversies, the content hardly matters. For many people the more serious issue is different: that the message is a leaked WhatsApp text makes it sound much more “authentic” and a high-impact message than its actual content.


Likewise, the leaked WhatsApp messages of actors Rhea Chakraborty and Deepika Padukone in the Sushant Singh Rajput episode created no less a sensation and led to their summoning by the Narcotics Control Bureau (NCB) for questioning. It showed that there is a huge sensationalism-hungry audience in the social media to lap up the leaked WhatsApp messages about the personal affairs of actors which have much more impact than their work.

Even when the public is thrilled with such sensational leaked information, concern is growing that WhatsApp leaks like a sieve. These episodes as well as the recent controversy over the weak data protection in WhatsApp have triggered an exodus of around 18 million WhatsApp users to Signal and a smaller but sizable number to Telegram. From the point of view of survival of these messaging apps, this is no small affair, as they are also moving into digital commerce. Data leakage risk is perhaps among the biggest business risks faced by tech and e-commerce firms as much as the national security risk faced by the state when it comes to leakage of sensitive security-related information.

Related news: How personal data is at risk in Haryana’s family identity scheme

After the controversy broke out, WhatsApp has issued a feeble clarification, claiming that the messages exchanged through WhatsApp are end-to-end encrypted and they won’t share them with Facebook which owns WhatsApp and which has a record of selling personal information of users. Well, of what use is this re-assurance if there is only verbal assurance by WhatsApp that it would not share the data with its own owner? How WhatsApp messages leak despite end-to-end encryption?

Is data safe against security agencies?

What more can the government do to curb hacking of personal information? Especially to rein in government security agencies themselves from the temptation of unauthorised pilfering of data and misusing them for political motives. For instance, when the WhatsApp conversations of Rhea Chakraborty and Deepika Padukone got leaked into the public domain, it was widely believed that the NIA itself had done that to embarrass the opposition-led Maharashtra government. Likewise, when Arnab Goswami’s conversation with the former BARC CEO was leaked, the needle of suspicion pointed to the rival Mumbai Police.

What is of concern is that the personal WhatsApp conversations of citizens can be tapped by the security agencies themselves and that too in cases where no major state security issues are involved. The citizens’ right to data security should protect them from the surveillance regime of the state itself. For instance, in the draconian Bheema Koregaon case, the security agencies reportedly spent $500,000 to hack the phones of activists by employing an Israeli private cyber intelligence firm NSO Group that used its Pegasus spyware to hack the phones of around two dozen activists. The matter came to light when Citizen Lab, the University of Toronto’s cyber security group, employed by the WhatsApp itself to investigate the breach of its data by the Israeli NSO Group, alerted the activists. Based on Citizen Lab’s findings, WhatsApp even filed a lawsuit against the Israeli NSO Group.

Forget hacking, the security agencies can take all your data quite lawfully. According to data security researcher Karan Saini, “If the security agencies can take you for “questioning” with your device, with the available technology “cloning” of all your data can be done in five minutes.”

Nowadays courts have started accepting electronic records, including digital voice records, as evidence subject to their meeting conditions laid down in Section 65B of the Indian Evidence Act. More specifically, in Ram Singh and Others vs. Col.Ram Singh case of 1985, the Supreme Court laid down the conditions under which electronic voice records (like WhatsApp chat) could be admissible as evidence. Hence, this is an added incentive for state agencies to breach personal data security.

Immunity from laws

Data security presently falls mainly within the ambit of Information Technology Act. But the IT Act, under its provision 69 in Chapter XI empowers the government to “direct any agency of the appropriate government to intercept, monitor or decrypt…any information generated, transmitted, received or stored in any computer resource”. To reinforce such sweeping powers further, the Modi government on December 20, 2018, exempted 10 intelligence and security agencies from the purview of this act and permitted them to freely “intercept, monitor and decrypt ‘any information’ generated, transmitted, received or stored in ‘any computer’.

Related news: Why Wikipedia is worried about provisions in Data Protection Bill

When the concerned right to privacy activists moved an RTI petition to get the specific reasons for such an order, the Union Home Ministry refused to give reasons saying that it was “top secret” information! So there are no safeguards against such sweeping powers.

In fact, Chapter XI of the IT Act that lists out the offences doesn’t mention data interception and pilfering without consent as an offence at all but lists only the punishment for tampering of original records, sending offensive, obscene and sexually explicit messages, for receiving stolen computer resources, and for identity theft and so on. Even when it comes to right to privacy, the IT Act acknowledges only violation of bodily privacy as an offence.

Is new data bill strong enough?

The much-delayed Personal Data Protection Bill, expected to be tabled in the coming budget session, doesn’t have sufficient specific provisions to safeguard personal data like WhatsApp data.

Saini says, “In fact, the government itself doesn’t want very stringent provisions for data protection because then the government intelligence agencies themselves cannot access the data in an unauthorised manner. Forget hacking; they can simply take you for “questioning” and can drain all the data from your devices. So you need some extra protection.”

“There is no specific law or legal provision under which a citizen can take WhatsApp to court if her/his conversation or data has been hacked by a third party because WhatsApp doesn’t promise such protection in the first place. But Signal promises that and that’s the advantage with Signal. Also even if some agency forcibly “seizes” your device they cannot retrieve the data if you use Signal as it is password protected. WhatsApp offers no such protection. But unfortunately the earlier 2019 version of the Personal Data Protection Bill did not offer protection even for password. So the protection offered by Signal also has its legal limits,” Saini adds.

However, a citizen can take WhatsApp to court as being primarily liable for breach of trust as it is supposed to safeguard the personal data of the users, opines Kumaraswamy, a prominent lawyer in Chennai.

Related news: Ambiguities haunt personal data protection bill

“Still, we should demand that an exclusive statute be brought by the government to protect electronic data like the WhatsApp data. Or, the Personal Data Protection Bill should include such provisions,” he adds.

(The Federal seeks to present views and opinions from all sides of the spectrum. The information, ideas or opinions in the articles are of the author and do not reflect the views of The Federal.)