Mobile Apps Come Under Lens for Violating Data Privacy
TRAI to Work on Privacy Guidelines for Telecom Sector
With cyber breaches on the rise and calls for data privacy gaining momentum in the country, mobile applications in India that seek blanket access to phone users' information have come under the lens of the Telecom Regulatory Authority of India (TRAI). Because so many Indian companies are rushing their mobile app rollouts, breaches are a constant concern. Breaches and misuse of information may also pose a serious threat to the government's Digital India movement. The regulatory body will begin consultation on data privacy and security in the telecom sector.
The development comes at a time when the right to privacy is being debated. On July 21, the Centre told the Supreme Court, the apex court of India, that users' data is integral to the right to life and personal liberty guaranteed under the Constitution, and that it would come out with regulations to protect it.
TRAI emphasized that the information mobile apps ask of users should be relevant to the app's purpose. "There should be a minimal information principle. If an app has nothing to do with your gender or age, it should not seek such information," says R.S. Sharma, chairman, TRAI.
Since mobile apps capture so much user data, there needs to be a privacy law protecting the interests of users. However, security practitioners say that in India there is no strong implementation of laws around data privacy, even less so for the telecom sector.
"Mobile applications are mainly software installed on hardware. Therefore, they are governed by the IT Act 2000/8 and other laws of the country. However, there are no specific laws made for the telecom sector," says Prashant Mali, advocate, Supreme Court and a cyber law expert.
Sharma noted that internal discussions are under way to look at data privacy and security in the telecom sector. Practitioners hope this will ensure that companies treat data privacy as a top priority.
TRAI states that any policy can only take shape after discussions with various stakeholders, and that it is too early to comment further.
"In case I am downloading an app and it asks for 20 [personal] information, completely irrelevant, and if I don't provide that information, it [the app] does not download...then there should be some basis for information that an application can ask for," Sharma recently stated at a symposium.
"If the app owner makes it conditional that the app can be used only if certain information is provided, then it cannot be faulted for collecting the information. However, the disclosure should state that the information collected has to be used for the requirements of the services and not for marketing," says Na. Vijayashankar, a cyber law expert.
In reality, however, information collected by app makers is used to market various other products. Many of these companies do not have their own data centers, IT teams or InfoSec specialists, so data travels to third parties without proper security in place. "Most companies don't even have security clauses in their agreement while sharing data with a third party, which is resulting in data leakage," says Ritesh Bhatia, cybersecurity and cybercrime investigations consultant.
Understanding the Law
If users find any fault, they can register a case of cheating under the Indian Penal Code, which can lead to seven-year imprisonment for the app owner along with other charges.
Since awareness in India around data privacy is low, Bhatia says, companies and mobile apps take the leeway to collect user information, even if it's not needed. "In most cases the apps track you even after you have uninstalled them," Bhatia says.
Some say the IT Act has not gone so far as to stipulate the parameters of due diligence that mobile app service providers must perform.
Practitioners also observe discrepancies in the data collection methods used by these mobile app companies.
Privacy Guidelines Required
As TRAI works on privacy guidelines for the sector, practitioners say there is no need to reinvent the wheel; some amendments to the existing data privacy law would suffice.
"I am not in favor of complicating the compliance issues by introducing multiple laws. The objective of creating a deterrence can be achieved by proper use of ITA 2008, and if required, bringing in some new notification under the rules can do the trick," Vijayashankar says.
Bhatia says the ingredients that need to be part of a privacy law, so that it helps users protect their privacy, should include:
- Advance notice about data being collected;
- Users to be provided the choice of sharing the data;
- Restraint on the information solicited, confining it to the function or use of the app;
- Use/purpose limitation: use the information collected only for the purpose for which it was collected;
- Allowing users to access and correct information collected by the app developers;
- Transparency/openness about the use of the information gathered;
- Disclosure: data is given to third parties only with the consent of the individual.
"The proposed guidelines should prescribe a clause around legal action to be taken against any organization which has leaked customer data and is not following best security practices," says Mali.