As geopolitical tensions between India and China increase, India has banned 59 mobile applications developed by Chinese companies. The government’s interim order was communicated via a press release, stating that “these apps were engaged in activities that were prejudicial to the sovereignty and integrity of India, defence of India, security and state of public order,” and citing concerns “relating to data security and safeguarding the privacy of 130 crore Indians.” The Indian government also said it was invoking the power available to it under section 69 of the Information and Technology Act, 2000 (IT Act). Section 69 of the IT act is not designated for data protection compliance but for much wider grounds such as state security.
The move has been criticized as arbitrary, as there is no evidence as to what information has been infringed upon or what data has been compromized. The blanket ban does not allow for a case-to-case inquiry process and deems all of the banned apps as the same in function. Chinese Embassy spokesperson Ji Rong expressed concern that the ban is selectively and discriminatorily aimed at certain Chinese apps on ambiguous and far-fetched grounds, and that it could violate international trade rules.
The ban was praised by nationalists and Twitter was populated with #boycottchina, #59appsbanned and #digitalsurgicalstrike. On July 4, Prime Minister Narendra Modi announced an app innovation challenge to promote Indian platforms. Almost as soon as the ban came into force, domestically developed Roposo and Mitron apps that work like TikTok were being heavily promoted on social media.
Is there really cause to worry about China-developed apps? Where do these concerns come from?
In 2016, the Cyberspace Administration of China (CAC) issued rules for regulating apps for smartphones and mobile devices. These rules were aimed at improving data privacy, cybersecurity and content monitoring. They require network operators to store selected data on servers within China, to monitor and record network operations and maintain logs for a minimum period of six months. Companies like WeChat and Bytedance have to comply with these rules irrespective of where their user base is.
The 2020 ban is not the first time we’ve seen warnings and advisories against the use of Chinese origin apps in India. In 2017, the Indian Ministry of Defence issued an advisory to Indian armed forces and security personnel to remove and uninstall over 42 Chinese apps. The order was based on advice from Indian intelligence agencies, claiming the apps came with the risk of spyware and malware. Among these 42 apps, the caller ID and spam blocking app Truecaller was listed. Truecaller later clarified that it is a Swedish app, rather than one developed in China.
In January 2019, the Economic Times independently commissioned a survey with Arrka consulting, which found that at least six of the ten most popular apps including Helo, UCbrowser and Shareit (all three included in the banned 59) ask for access to camera and microphone, text messages, contacts, sensors and location. According to Arrka co-founder Sandeep Rao, this is 45% more than the usual permissions asked for by the top 50 global apps. The data was found to be shared with third-parties outside of India. The study further stated that these apps transfer data to at least seven agencies outside India. 69% of the data was sent to the US. At the time, Tik-Tok transferred data to China Telecom. In July 2019, Bytedance, the company that owns Tik-Tok and Helo, had announced that it would set up servers in India after it received a notice from the Indian government for allegedly misusing its platforms for “anti-national” activities. The reason for collecting data is not solely to map the identity of the user behind the device. Apps collect a lot of data, however, the developers who keep these apps in shape need to know what other apps were also running, what the network coverage was like, and what level of battery the device was running on when their app crashed. This technical aspect is almost always overlooked when speaking on data privacy issues.
Interestingly, on July 9 2020 the Indian Army asked all its personnel to delete 89 apps including Facebook, PubG (Player Unknown BattleGrounds) and Tinder, owing to “national security” risks. Essentially, this was because in the absence of a robust data protection law, even a US app like Facebook poses the same threats as a Chinese app does. But, as far as armed forces are concerned there is a direct threat to national security as they are privy to sensitive information unlike civilians.
The need for a separate data protection law in India
While the move of banning the Chinese apps is mainly down to geopolitical tensions between the two nations, the concerns for data security are legitimate. The issue is that they’re not specific to China. Market research firm TechARC has shown that there are 502.2 million smartphone users in India and only 6% of users go so far as to add a paid antivirus solution for their phones. In 2019, at least 15 million smartphones were infected with a piece of malware known as Agent Smith, which showed fraudulent ads for financial gain. The coronavirus pandemic has only aggravated cyber crimes and attacks. A large percentage of India’s workforce has moved online and this makes citizens’ e-wallets and private data all the more vulnerable. Speaking to the Economic Times, Lt. General Rajesh Pant, National Cyber Coordination Centre’s chief said that at least 4000 fraud portals were created related to the coronavirus. These sites have lured unsuspecting citizens to make contributions in the fight against coronavirus. A lot of these portals were worded similar to the PM Cares fund to deliberately mislead people.
The laws pertaining to data protection in India in its current form is intertwined with the IT Act. Information Technology Lawyer Aadya Mishra explains, “In the absence of a specific data protection law, there are no standards as to what kind of data constitutes infringement of data and this leaves it very open to interpretation. The rules under the IT Act are very minimal and having a specific law will give more clarity of process and less room for arbitrary actions.” Under the Information and Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 sensitive data includes passwords, financial information like— bank account details, payment instruments, medical records, mental health records and sexual orientation. The Data Protection Bill of 2019 also classifies sensitive information on similar lines, but how many of us know how to protect this information ?
Do we know what is at risk ?
The trouble is most of us do not know how our technology works. As explained by Joe Ondrak, it’s this lack of understanding which causes panic and paranoia. But in addition to this, we often willingly give out this information. Among the apps that were banned, Tik-Tok had around 120 million users in India alone. Soon after, masquerading as a way to bypass the ban, links to a certain Tik-Tok Pro started circulating on Whatsapp and via SMS. Tik-Tok pro, was in fact an APK file with malware that might have gained access to data of unsuspecting users.
Add to this the fact that Indians are constantly giving out personal information at banks, restaurants, malls and through e-commerce portals on a daily basis. There is no way of knowing how all of this data is stored and who has access to it. A 2019 report by the FBI's Internet crime complaint center (IC3) showed that India is the third highest victim of internet crimes in a list of twenty countries. Donna Gregory, IC3’s Unit Chief, has stressed that phishing, and personal data breaches were among the most common in India and the US. The tactics used are as simple as a stranger calling and posing as a bank official, asking for sensitive information like an ATM pin, card number or OTP; and thousands of rupees are instantly siphoned from a bank account. The Indian village of Jamtara has become notorious as the capital for such scams.
With a growing digital infrastructure and with more and more Indians getting online it is important that data is secured by means of a law but, this would mean very little unless there is a parallel growth in digital literacy and a deeper understanding of how data can be misused.