Disproportionate Impact of Cyber Espionage in the Global South: India’s Aadhaar Database

By: Anupriya Dhonchak and Shubhangi Agarwalla

Introduction:

Recently, a Committee of Experts set up in India to draft a law for data protection in the country, after enunciation of the right to privacy by the Indian Supreme Court, released its draft bill. The bill comes against the backdrop of a flagship program of the government, the Aadhaar Project, the biggest ID database of citizen data in the world. The Project has generated significant privacy and surveillance concerns, and justifiably so, invariably and drastically altering the citizen-state relationship. Its constitutionality is being challenged in the Indian Supreme Court on multiple grounds, a discussion of which is beyond the scope of this paper. This paper discusses the vulnerability of the database to cyber espionage by foreign states, without a remedy in international law. As a Global South perspective that keeps the citizen at the center, it also contextualizes how the lack of political foresight to account for this national security concern makes a casualty of citizens’ control over their data, consent and privacy, inasmuch as this data is collected coercively by domestic governments and aggregated richly in a mammoth database, heightening its susceptibility to surveillance with impunity by foreign states. The paper argues that international law’s frightful ineffectiveness in tackling this predictable threat has a disproportionate impact on the rights of citizens of the Global South.

Disproportionate Impact on the Global South:

Countries in the Global South, deeply divided by inequalities and with a massive power differential between technocratic governments and uninformed citizens, often carry out surveillance sans strong legal, political and social frameworks for protecting privacy, freedom of speech, expression, the right to dissent and protest, among many other human rights. This allows the government to unfairly target its citizens and disenfranchise entire groups. Most importantly, governments in the Global South are better equipped to coercively collect, store and process personal data of citizens without the need to adequately inform them of, or factor in, the consequences of a breach of their personal data. Thus, citizens of the Global South end up having little control over how their data is processed. Further, international law is ineffectual in dealing with the breach of such databases by other state or non-state actors, gravely compromising the informational privacy of such citizens.

Datafication refers to the process by which a person’s life and its aspects are turned into quantifiable data which can be surveilled, tracked, processed and analysed (Cukier, Kenneth, and Schoenberger, 2013, pg. 28). It was only gradually normalized in the Global North, where introspection and action to build in sufficient safeguards also evolved from time to time. This is not to say that big data and its processing is not a potent enough threat for the Global North, but only to illustrate the disproportionate impact of the lack of safeguards in domestic or international law in the Global South, where governments are routinely deploying and experimenting with technology, charmed by the potential of the ‘digital economy’.

International Articulation of the Right without a Remedy:

The Court of Justice of the European Union (CJEU) ruled for greater protection of personal data of EU citizens in the Google Spain SL case, holding that surveillance should not render the right to privacy illusory. Latin American countries have a writ for Habeas Data as part of the region’s data privacy law (Rengel, 2013 pg. 150) to grant a remedy to parties in case of breach (Jeong Ahn, 2009 pg. 1007, 1043). The Supreme Courts of India and U.S.A., among many others, have recognized a right to informational privacy constitutionally preventing the disclosure of citizens’ personal information without their consent. The UNGA, UDHR, ICCPR, ECHR and the Organisation of American States have also emphasized the significance of data privacy and protection of personal data, making the right to data privacy a human right of global recognition, arguably according it the status of customary international law on the basis of widespread state practice and opinio juris (Pillai and Kohli, 2017 pg. 3).

Cyber Espionage in International Law:

The well-known Lotus principle is the starting point to determine the international legality of state conduct. In a nutshell, this principle provides that when there is no positive rule that prohibits certain acts, states are free to adopt principles they deem fit. There is no specific international treaty that regulates cyber espionage. The recently released Tallinn Manual 2.0, for example, surveys the realm of all relevant “specialized regimes of international law and cyberspace,” and includes discussion of international human rights law, diplomatic and consular law, law of the sea, air law, space law, and international telecommunications law. None of these categories explicitly sets out a regulatory regime for cyber-attacks, cyber-hacking, or cyber espionage. In fact, the Tallinn Manual directly acknowledges that some cyber operations, such as cyber espionage, fall under no per se regulations in international law.

Similarly, under Art 17 of the International Covenant on Civil and Political Rights (ICCPR), everyone is guaranteed a right against arbitrary or unlawful interference with her “privacy, family, home or correspondence” and is entitled to the protection of law against such interferences. However, a diverse coterie of privacy and data protection officials representing Switzerland, Japan, Australia, Germany, Burkina Faso, Canada, the United States and 59 other state delegations at the International Conference of Data Protection and Privacy Commissioners in Warsaw, Poland, agreed on the fact that Article 17 of the ICCPR would require modification for it to cover surveillance. This shows that in its status quo, the Covenant is not violated by surveillance.

In the absence of direct and specific international law on the topic of cyber espionage, based either on the right to territorial sovereignty or privacy, it constitutes an extra-legal activity that is unconstrained by international law. There are two schools of thought advocating this. The first is the realist school, according to which espionage ties in with the State’s right to anticipate an armed attack and act in self-defense. Thus, States have a right to gather intelligence from hostile states to protect their own interests.

We reject this realist conception of cyberspace because international relations have been predicated upon the principle of sovereign equality of States since the inception of the UN Charter. A corollary of this principle is that states should not interfere with the internal affairs of another. By penetrating the internal discussions of a state, the surveilling state might be thought ultimately to weaken the spied-upon state’s ability to effectively protect its own interests when it seeks to act. The consequence is that even if the state gains useful information regarding a hostile state’s capabilities, a foundational legal rule of the international community is violated.

The second school is functionalist, and its proponents believe that espionage increases mutual trust between states and thereby increases cooperation. We also reject this functionalist approach because unauthorized collection of data constitutes a clear transgression of State sovereignty and has the capability of further jeopardizing the potential for international cooperation. Thus, cyber espionage poses a significant threat to international peace.

Lastly, it is said that widespread state practice indicates that it is part of customary international law. However, we contend that the mere fact that espionage is widely practiced does not make it customary international law unless it is supported by opinio juris. Crucially, most states refuse to accept responsibility and deny all involvement. This leads us to conclude that state practice and opinio juris run in different directions when it comes to cyber espionage.

Lack of remedies:

Countermeasures

According to the International Law Commission’s Articles on State Responsibility, which are supposed to reflect customary international law, countermeasures are acts or omissions that would have been unlawful had they not been responding to an internationally wrongful act of another State. However, this is only when the cyber operation is illegal in international law, which is not the case with cyber espionage.

In any case, for the countermeasure to be legitimate, a state that wishes to employ it will still need to convince other states of the accuracy of its attribution in order to establish the legitimacy of its attack. However, three specific features of cyberspace lead to attribution problems when it comes to surveillance as well. First, cyberspace allows for anonymity; second, it is possible to commit multi-stage cyber attacks; and third, a cyber attack can be launched in next to no time. Prior scholarship has extensively focused on these technological barriers to attribution, which get compounded in the Global South context because countries of the Global South, like India, lack the technical wherewithal of more advanced States to reliably attribute cyber espionage and therefore will be less able to establish the necessary basis for resorting to countermeasures. The absence of attribution therefore limits institutional and legal solutions.

Treaties

Similarly, it is unlikely that this problem can be solved by entering into treaties. This is primarily because the incentive structure for compliance with new international rules will not be reciprocal. Different states would have stronger or weaker incentives to comply with any new rules. Certain nations, like Russia, the United States and China, have an established cyber espionage capacity and are incentivized to push initiatives that would continue their dominance in the area. This politicization was clearly demonstrated when Russia and China rejected the UN Group of Government Experts Report, which was meant to develop State consensus in cyber international law. Thus, an anti-cyber espionage treaty would be unlikely to be acceptable to these nations, while an anti-cyber espionage development stance would be held oppressive by weaker states, who have an interest in investing in more development to shrink the gap in information gathering abilities.

No Domestic Safeguards:

Specific laws protecting the right to privacy are still being written in the Global South, making it an abstract right without a remedy for violation. At the same time, governments are entrenching themselves by experimenting with innovations and governance of surveillance by collecting the data of citizens without their explicit consent, sometimes even blatantly lying to them about its uses. This paper instantiates these concerns through the Aadhaar project of the Indian government.

Aadhaar Project and the threat of a data breach:

The Indian government launched the Aadhaar in 2009 as an optional Project to provide a 12-digit unique identification number to citizens, purportedly for a more efficient social benefits delivery system. It is being constitutionally challenged in the Supreme Court of India on multiple grounds, the details of all of which are beyond the scope of this paper. The argument against Aadhaar pertinent to this paper is that big data stored by the government is not completely safe from being compromised by other states or non-state actors in the country and abroad. The database has had numerous breaches with tangible harms to citizens, and hackers have attested to its vulnerability, even as the government continues to be stubborn in perpetuating the myth of its safety, which becomes easy to sell to an uninformed citizenry, not abreast of the latest technological developments or the threats posed by them.

India is currently reeling under a mandatory Aadhaar ecosystem, now that possession of an Aadhaar number has become a prerequisite not just for availing social benefits from the government but also for purposes absolutely alien to the ‘Objectives and Purposes’ mentioned in the Preamble of the Aadhaar Act, 2016. It is being used as a compulsory verification tool for multiple purposes, such as filing Income Tax returns after the introduction of Section 139AA in the Income Tax Act 1961 by the Finance Act 2017, in flagrant contravention of the core privacy principles of purpose limitation and consent, according to which data must always be collected with the prior consent of the individual and its use must be limited to the purpose for which it was sought. Personal data of citizens was coercively collected on the pretext of only plugging leaks in the welfare delivery system and by making access to these schemes conditional upon the possession of an Aadhaar number. This obliterated the voluntary character of the data collection. Now that the data has been collected, inquiries into whether it was consensually collected, or into the purposes on whose pretext it was sought, have been deemed outside the purview of the Committee of Experts headed by Justice B.N. Srikrishna, set up by the government to propose a draft data protection law for India. Thus, as the collection in the immediate run-up to framing an actual law on data protection is exempt from the requirements of consent, there is no true ‘opt out’ available to the citizens, and even where recognized, the burden of all consequences of withdrawal of consent would be borne by the citizens.

Data Localisation compounds the problem instead of solving it

The Committee of Experts has mandated ‘data localisation’ in its draft bill. As per Section 2(13) of the bill a “Data fiduciary” is defined as “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.” According to Section 40 of the bill, all data fiduciaries are required to store at least one copy of the data physically in India, “either on a server or data center located in India”.

This is being criticized widely, and justifiably so, for enhancing the surveillance potential of the state. However, it gives rise to another crucial concern that has escaped our attention. Storage of aggregate data in a mammoth database makes it vulnerable to cyber espionage at the hands of other, more tech-abled states and non-state actors without a corresponding remedy in international law. Given the acceptability and routine practice of cyber espionage in international law, the Aadhaar database is likely to be compromised without the Indian government, much less the citizens, even getting to know about it. Further, in the off chance that such knowledge is possible, the remedies in international law to deal with such a breach are either entirely absent or frightfully ineffectual.

The bill leaves disclosure of breach of citizens’ data to the discretion of the Data Protection Authority (Section 32) and, predictably, this will be misused by Indian corporations and government to remain complicit in a conspiracy of silence, safeguarding their respective reputations. In the Global North, such as in the U.S. and the European Union (Article 34, GDPR), the user’s legal right to know is predicated on set standards and not on the discretion of executive authorities whose independence from the Central government is suspect and who are clearly incentivized not to let information about such a breach see the light of day.

Ironically, and in what would be an audacious claim in the Global North, data localisation’s purported objective is to prevent cyber espionage by foreign nations on the user data of Indians. However, storing a ‘copy’ in India does not preclude the existence of other copies abroad and therefore, does nothing to serve its stated objective. It is evident that this move is motivated only to make the personal data of citizens easily accessible by the Indian government without interference by foreign governments, more conveniently so as there exists a complete vacuum in the Indian legal framework regarding laws on surveillance reform. Data localisation may pose a national security risk in case data is allowed to flow unrestricted to countries that do not comply with Indian standards of data protection and the solution to this must not be storage of an additional copy of the data in India but restriction on cross border flows of data to countries with lax security norms, as is required by the EU GDPR. However, without going into the perils of surveillance and technological governance that continue to be so outside the imagination of law that there is no inclusion of corresponding safeguards, we discuss the susceptibility of the database to surveillance by foreign states.

Vulnerability of Aadhaar

The Central government of India designated Aadhaar as a protected system under Section 70 of the Information Technology Act 2000. This characterization of the database as critical infrastructure is pertinent because international law recognizes the grave damage to a State’s security when critical infrastructure is compromised. While the official position of the government is that there are suitable safeguards in place, and that the enrollment data is strongly encrypted, it is impossible to truly secure the entire Aadhaar ecosystem, which also includes the base infrastructure layer and the end user application layer, both of which are managed by non-UIDAI parties like ICICI bank and Paytm respectively. Indeed, reports of alleged internal breaches to the database already abound. Moreover, a WikiLeaks report has already hinted that the CIA has access to sensitive information in the Aadhaar database. The point is simply that information security cannot be seen in binary terms, i.e. secure vs susceptible, because doing so ignores precedents that testify to rapidly evolving cyber-threats, like the Stuxnet attacks on the Iranian nuclear facilities, where the cyber attackers targeted air-gapped centrifuges via four previously undetected vulnerabilities. Moreover, this binary is careless in light of the huge investment potentially hostile states, such as China, have been making in their cyber capabilities, including a dedicated special bureau under the intelligence department specifically for cyber intelligence.

A notable instance of Chinese cyber espionage was ‘Titan Rain’, launched against the United States defense network (including ‘secure’ targets like NASA, the Defense Information Systems Agency, the Naval Ocean Systems Center, and the US Army Space and Strategic Defense Installation) to gain confidential national security information. Clearly, China is capable of developing the technology to break into secure Indian critical infrastructure, if it does not possess it already.

Any hostile state with sufficient cyber capabilities can hack this highly centralized database which is meant to provide Indian citizens access to essential services, and thereby coerce the government to reconsider its military options by exploiting information or inflicting significant financial damage.

Concluding Remarks:

The primary goal of this paper has been to explain how cyber espionage challenges the order-maintaining systems we have relied on for years, and how this disproportionately impacts the citizens of India, who have their data stored in a readily available single target without their consent and have no recourse in either domestic law or international law. We have demonstrated how the Aadhaar database, by creating a ‘map of maps’, has made intelligence gathering easier, and how the cyber-capabilities of potentially hostile states make cyber espionage on the database a very real possibility. While the Indian government has tried addressing worries about breaches of personally identifiable information, it has conveniently ignored the strategic significance of cyber espionage on critical infrastructure. There remains an urgent need to create an enabling framework for the implementation of international law.

About the Authors:

Anupriya Dhonchak is a third year student of National Law University, Delhi. She has interned with Senior Advocate Indira Jaising and researched and provided updates on the Aadhaar proceedings at the Supreme Court. She is interested in public policy spanning criminal law and gender justice, rights based approaches to IPR and Competition law as well as constitutional theory and philosophy.

Shubhangi Agarwalla is a third year student of National Law University, Delhi. At NLUD she has worked with the Legal Services Committee and has served as the Associate Editor of the NLUD Student Law Journal. Her professional interests include constitutional theory and philosophy, and TWAIL.