Thursday, January 12, 2012

Hack, Just Don't Pretend It's Something Else

I read this piece in Mint and laughed. No, not at the reporting but at the naivete/brazenness of the government that it exposes.

Here's the short version. The government wants to pass a Privacy law that will require all internet-based services (Google, Facebook, Skype, etc) to locate their servers in India. Why? It gives two reasons. One, that data of Indian citizens will remain within the country "to guarantee privacy". Two, that investigative agencies will get "ready access to encrypted data on their servers".

The story supplies quotes from (anonymous) government officials to explain their logic.

On the data privacy angle: "At present, we do not have a law that governs leakage of individual data aboard (sic). So the [proposed] privacy Act will not serve any purpose if data is leaked or made public abroad". 

On the Intel access to servers front, they supply an example. "NIA had written to Yahoo seeking details of accounts used to send emails claiming responsibility after the Delhi serial blasts on 13 September 2008.
According to government officials, Yahoo’s server is located in the US and the time frame for getting such information from outside India’s jurisdiction is 45 days."


Let's start with the obvious contradiction. Dear GoI, don't pretend this is about privacy when it's really about hacking. What data privacy are you talking about if our own intelligence agencies can hack into my mailbox or Skype calls at will? Yes, I mind if the NSA is reading my emails. I also mind if R&AW or the IB are reading my emails. Especially since I'm not involved in any illegal or unlawful activities.

Here's another absurdity. The government will put the onus of relocating servers within India on the service companies or they will face legal action. This is bizarre in two respects.

First, what if the service user is a NRI working with a non-Indian MNC who spends half the year in the UK? Where should his data be hosted? India? The UK? Switzerland?

Second, it is obvious the government lacks imagination. Does it believe terrorists only use popular social media & email sites? For example, I can record terror instructions in an MP3 format and upload them to, an internet radio service. Or I can prepare bomb-making manuals and upload them to, a file storage site. Will the government require EVERY SINGLE internet service to relocate its servers to India? Will it chase down and prosecute EVERY SINGLE internet service that doesn't do so?

Here's my takeaway. I understand the need to to hack at will. If it prevents terror attacks, by all means do it. Now, hacking servers located abroad can create a major diplomatic situation. Just like this alleged incident. So don't get caught.
Just don't pass laws that dress up your attempts to hack as an effort to increase data privacy. And certainly don't waste taxpayer money prosecuting internet companies with limited Indian subscribers in an attempt to force them to relocate their servers.

No comments:

Post a Comment

Be respectful to others here or your comment will be deleted.